{"id":23015709,"url":"https://github.com/blacktechx011/torgpt-scam","last_synced_at":"2026-01-11T17:54:59.874Z","repository":{"id":266110597,"uuid":"897422040","full_name":"BlackTechX011/TorGPT-Scam","owner":"BlackTechX011","description":"Exposing the Scam Behind TorGPT: Uncovering the Hidden Threat","archived":false,"fork":false,"pushed_at":"2024-12-03T11:40:49.000Z","size":29,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-08T08:32:55.866Z","etag":null,"topics":["bad","blacktechx","blacktechx011","cyber","expose","exposed","forensic-analysis","forensics","hacking","malware","malware-analysis","malware-forensics","malware-gpt","scam","spynote","spynotex","tech","torgpt","torgpt-scam"],"latest_commit_sha":null,"homepage":"https://github.com/BlackTechX011/TorGPT-Scam","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/BlackTechX011.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-02T15:50:40.000Z","updated_at":"2025-01-24T19:53:45.000Z","dependencies_parsed_at":"2024-12-02T16:51:43.647Z","dependency_job_id":"72d69a9b-4a12-4c22-a0dd-0f614c487580","html_url":"https://github.com/BlackTechX011/TorGPT-Scam","commit_stats":null,"previous_names":["blacktechx011/torgpt-scam"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BlackTechX011%2FTorGPT-Scam","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BlackTechX011%2FTorGPT-Scam/tags"
,"releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BlackTechX011%2FTorGPT-Scam/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BlackTechX011%2FTorGPT-Scam/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/BlackTechX011","download_url":"https://codeload.github.com/BlackTechX011/TorGPT-Scam/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246864106,"owners_count":20846378,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bad","blacktechx","blacktechx011","cyber","expose","exposed","forensic-analysis","forensics","hacking","malware","malware-analysis","malware-forensics","malware-gpt","scam","spynote","spynotex","tech","torgpt","torgpt-scam"],"created_at":"2024-12-15T11:12:56.040Z","updated_at":"2026-01-11T17:54:59.836Z","avatar_url":"https://github.com/BlackTechX011.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Exposing the Scam Behind TorGPT: Uncovering the Hidden Threat\n\n### The Story Behind the Investigation\n\nA few months ago, a friend handed me a file named **TorGPT.exe**, claiming it was a cutting-edge AI tool that wasn’t functioning on their system. The demo video looked promising, and out of curiosity, I decided to test it on my own machine. However, due to an issue with .NET dependencies, it failed to execute, and I put it aside, forgetting about it.\n\nRecently, while working on a forensic analysis algorithm, the file caught my attention again. 
Running it through my tools revealed shocking findings: **TorGPT.exe** wasn’t just malfunctioning—it was a sophisticated **malware dropper**. It deployed **SpyNote malware**, a dangerous spyware capable of compromising systems. This report documents my analysis, evidence, and findings to expose the malicious intent behind this scam.\n\n---\n\n\u003e [!CAUTION]\n\u003e This report is for **educational and ethical purposes only**. The information contained herein aims to expose malicious campaigns and aid in defending against them. Under no circumstances should this analysis be used for unauthorized activities or malicious intent.\n---\n## Summary of Findings\n\n- **TorGPT.exe** is a dropper malware disguised as an AI-based application.\n- It exploits victims' systems by delivering **SpyNote malware** and other malicious payloads.\n- Some contacted domains and IPs are known to mislead investigators by:\n  - Using legitimate-looking endpoints.\n  - Returning errors, such as `{\"BadRequest\":\"An endpoint for the request '' is not valid for this service\"}`, to evade detection.\n- It is part of a larger scam targeting unsuspecting users with fake AI tools.\n- If you are looking for more technical details, see the sections below for a detailed breakdown.\n\n---\n\n## File Details\n\n### Main File\n- **Name:** `TorGPT.exe`\n- **Type:** Win32 Executable\n- **Detected:** 43/75 antivirus engines flagged this as malicious.\n\n### Dropped Files\n1. **cfb22ef7-547c-4043-b2cc-30ae6b292def.dll**\n   - **Type:** Win32 DLL\n   - **Size:** 462.00 KB\n   - **Purpose:** Likely used for malicious injection or persistence.\n   - **Detection Rate:** Associated with multiple malicious executables like `TJprojMain` and `SpyNote X.exe`.\n\n2. 
Bundled files within the dropper:\n   - `54198208c5df802eca64c371bcc5cffafb1a4303fc24b065c6b6ca08ee84fbc4`\n   - `eab2000b93112b85257650d597275c571cdedc13eee01c0b9568250fb83e82d1`\n   - Additional hashes provided in the artifacts section.\n\n---\n\n## Execution Chain Analysis\n\nThe following diagram illustrates the **execution chain** of **TorGPT.exe**:\n\n```plaintext\nTorGPT.exe\n   ├── Drops: cfb22ef7-547c-4043-b2cc-30ae6b292def.dll\n   │       ├── Executes: SpyNote X.exe (Multiple Variants)\n   │       └── Executes: TJprojMain.exe\n   └── Bundled Payloads:\n           ├── Obfuscated Payload 1 (54198208c5d...)\n           ├── Obfuscated Payload 2 (eab2000b93...)\n           └── Other malicious files\n```\n\n### Parent-Child Relationships\n\n1. **TorGPT.exe** initiates execution.\n2. Drops **cfb22ef7-547c-4043-b2cc-30ae6b292def.dll**, which acts as a loader for:\n   - **SpyNote X.exe** (multiple malicious binaries detected).\n   - **TJprojMain.exe**, associated with spyware activity.\n\n---\n\n## Network Indicators\n\n### Contacted Domains\n- **query.prod.cms.rt.microsoft.com**\n  - **Domain Created:** February 2, 1991\n  - **Registrar:** MarkMonitor Inc.\n  - The URL is legitimate but is used to mislead investigators by making fake requests.\n  - The URL returns:\n    ```json\n    {\"BadRequest\":\"An endpoint for the request '' is not valid for this service\"}\n    ```\n  - This tactic is used to deter automated analysis and manual investigation.\n\n### Contacted IPs\n- **184.25.191.235** (United States, ASN: 16625)\n- **192.229.211.108** (United States, ASN: 15133)\n- **20.99.133.109** (United States, ASN: 8075)\n- **20.99.186.246** (United States, ASN: 8075)\n- **23.216.147.76** (United States, ASN: 20940)\n\n\u003e [!NOTE]\n\u003e  Some IPs appear inactive or return 404 errors when queried. 
However, historical data links them to command-and-control (C2) operations and other malicious campaigns.\n\n---\n\n## Recommendations\n\n- **Do not execute unknown files:** Always verify the source and integrity of files before running them.\n- **Use up-to-date antivirus software:** Modern security tools can detect and quarantine such threats.\n- **Analyze suspicious files in a sandboxed environment:** Avoid running them on your primary system.\n- **Block malicious domains and IPs:** Add the listed domains and IPs to your firewall or security appliance.\n- **Report incidents to authorities:** Share findings with cybersecurity organizations for wider awareness.\n- **Be cautious of misleading indicators:** Legitimate-looking domains or IPs returning errors may still be part of a malware delivery chain.\n\n\n---\n\n\u003e [!NOTE]\n\u003e All the findings and artifacts, including hashes and related files, are stored for further analysis. Contributions to this repository are welcome to expand on indicators of compromise (IOCs) and additional research.\n\n\n---\n\n\n# If You’re Here, Let’s Get Technical\n\n\u003ccenter\u003e\n\nIf you've made it this far, you likely want to dive deeper into the technical details.  \nThis section is where the real forensic analysis comes to life.  
\nGet ready for a comprehensive breakdown of the evidence and the inner workings of the malicious software.\n\n\u003c/center\u003e\n\n---\n\n# [+] File Analysis Report\n\n\n## Basic Properties\n\n| Property          | Value                                                                 |\n|-------------------|-----------------------------------------------------------------------|\n| **Name**           | `TorGPT.exe`                                    |\n| **MD5**           | `0510475cbbfd2001438a2cef052328ab`                                    |\n| **SHA-1**         | `ca031654255f58f29d2c1d99075ca00edaf52255`                             |\n| **SHA-256**       | `c77eabee5160b93b7f5242b351d1c3648105e9b1c567ebc1e1c005408191d9dd`     |\n| **Vhash**         | `21703675151550c32292660828`                                           |\n| **Authentihash**  | `0cef7c356eae1b52225daa33bd197072952be622b39e057e3822d0fe2365a6e4`     |\n| **Imphash**       | `f34d5f2d4577ed6d9ceec516c1f5a744`                                     |\n| **SSDEEP**        | `196608:Y9cWyqfiAPEmTU9VWRc8Unf8zFpeUc37T1AGFX6rhDzVxfj2PFN9sWf:LWpfdE2KnfapeV316rhDz/fj2PFZf` |\n| **TLSH**          | `T11AD622023A504D66D076A7F99893EA3CB3722EF81920C64B16F2EE5BFD523D41D3D681` |\n| **File Type**     | Win32 EXE, executable, windows, win32, pe, peexe                      |\n| **Magic**         | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows    |\n| **TrID**          | Generic CIL Executable (.NET, Mono, etc.) 
(44.1%)\u003cbr\u003eWindows Control Panel Item (generic) (34.8%)\u003cbr\u003eWin64 Executable (generic) (6.3%)\u003cbr\u003eWin32 Dynamic Link Library (generic) (3.9%)\u003cbr\u003eWin16 NE executable (generic) (3%) |\n| **DetectItEasy**   | PE32\u003cbr\u003eLibrary: Costura.Fody\u003cbr\u003eLibrary: .NET (v4.0.30319)\u003cbr\u003eLinker: Microsoft Linker |\n| **Magika**        | PEBIN |\n| **File Size**     | 12.18 MB (12774400 bytes) |\n| **PEiD Packer**   | .NET executable |\n\n## History\n\n| Property                | Value                                      |\n|-------------------------|--------------------------------------------|\n| **Creation Time**       | 2079-11-17 05:53:41 UTC                    |\n\n\n\n\n## Signature Info\n\n| Property            | Value                        |\n|---------------------|------------------------------|\n| **Signature Verification** | File is not signed        |\n| **File Version Information** | Copyright © 2024          |\n| **Product**          | TorGPT                       |\n| **Description**      | TorGPT                       |\n| **Original Name**    | TorGPT.exe                   |\n| **Internal Name**    | TorGPT.exe                   |\n| **File Version**     | 1.0.0.0                      |\n| **Comments**         | We Learn We Did              |\n\n## Portable Executable Info\n\n### .NET Details\n\n| Property            | Value                                                                 |\n|---------------------|-----------------------------------------------------------------------|\n| **Module Version Id** | `83e9492f-ea46-405a-a293-5797d18df38c`                              |\n| **TypeLib Id**       | `b5221054-69ed-43e7-91d8-19422d294f5b`                                |\n| **Target Machine**  | Intel 386 or later processors and compatible processors                   |\n| **Compilation Timestamp** | 2079-11-17 05:53:41 UTC                                            |\n| **Entry Point**      | 
12550430 |\n| **Contained Sections** | 3 |\n\n#### Sections\n\n| Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5 | Chi2 |\n|------|-----------------|--------------|----------|---------|-----|------|\n| .text | 8192 | 12542244 | 12542464 | 7.77 | `ce256773073ec722ca2cbc7169f4b027` | 9831373 |\n| .rsrc | 12558336 | 230834 | 230912 | 3.81 | `80a17a9356c5b5c891f940f761be5274` | 15241297 |\n| .reloc | 12795904 | 12 | 512 | 0.1 | `e5b54919665137dc639a60b41c0bf351` | 128015 |\n\n### Imports\n\n- `mscoree.dll`\n\n### Contained Resources by Type\n\n- **RT_GROUP_ICON**: 1\n- **RT_VERSION**: 1\n- **RT_MANIFEST**: 1\n- **RT_ICON**: 1\n\n### Contained Resources by Language\n\n- **NEUTRAL**: 4\n\n### Contained Resources\n\n| SHA-256 | File Type | Type | Language | Entropy | Chi2 |\n|---------|-----------|------|----------|---------|------|\n| `356ee6b3db9ac3b6ee43a638795c1d41177d3d70ac3e9f2bfd70e3bd90d6f3ae` | unknown | RT_ICON | NEUTRAL | 3.8 | 15171917 |\n| `fa10977a1c455d978f9a0d67211d109adfde5718848df251379eadda8ed12485` | ICO | RT_GROUP_ICON | NEUTRAL | 2.02 | 1797.6 |\n| `941289decf43635430ec2750965d87f47dcec71c431f2c46204fb` | unknown | RT_VERSION | NEUTRAL | 3.31 | 69319.71 |\n| `539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a` | unknown | RT_MANIFEST | NEUTRAL | 5 | 4719.86 |\n\n### Dot Net Assembly\n\n| Property | Value |\n|----------|-------|\n| **Common Language Runtime metadata version** | 1.1 |\n| **CLR version** | v4.0.30319 |\n| **Assembly name** | TorGPT.exe |\n| **Metadata header Relative Virtual Address** | 12516664 |\n| **Assembly flags** | COMIMAGE_FLAGS_ILONLY, 
COMIMAGE_FLAGS_32BITREQUIRED |\n| **Entry point token** | 100663378 |\n| **RVA entry point** | 1494348 |\n| **Resources va** | 11022315 |\n\n#### Streams\n\n| Stream | Size | Entropy | Chi2 | MD5 |\n|--------|------|---------|------|-----|\n| #GUID | 16 | 4 | 240 | `9c8ea394d38fe88141ff6622e572b498` |\n| #Blob | 15112 | 2.41 | 2036449.13 | `dbc52fca5a342aef5faf2e5b350f036b` |\n| #US | 76 | 3.20 | 5502.11 | `ddae54df64c0a343b41a0b295c9f7b68` |\n| #~ | 8872 | 5.77 | 191215.69 | `0416a79e50fd56c6cbaf95ab3b352de86317e669793` |\n| #Strings | 9492 | 5.12 | 91709.13 | `288ca07642afb3b352de86317e669793` |\n\n### Manifest Resource\n\n- `TorGPT.Properties.Resources.resources`\n- `YourEvilChatbotApp.Form1.resources`\n- `YourEvilChatbotApp.ImageGenForm.resources`\n- `YourEvilChatbotApp.intro.resources`\n- `costura.costura.dll.compressed`\n- `costura.costura.pdb.compressed`\n- `costura.metadata`\n- `costura.microsoft.extensions.configuration.abstractions.dll.compressed`\n- `costura.microsoft.extensions.configuration.dll.compressed`\n- `costura.microsoft.extensions.configuration.fileextensions.dll.compressed`\n- `costura.microsoft.extensions.configuration.newtonsoftjson.dll.compressed`\n- `costura.microsoft.extensions.fileproviders.abstractions.dll.compressed`\n- `costura.microsoft.extensions.fileproviders.physical.dll.compressed`\n- `costura.microsoft.extensions.filesystemglobbing.dll.compressed`\n- `costura.microsoft.extensions.primitives.dll.compressed`\n- `costura.newtonsoft.json.dll.compressed`\n- `costura.system.buffers.dll.compressed`\n- `costura.system.diagnostics.diagnosticsource.dll.compressed`\n- 
`costura.system.memory.dll.compressed`\n- `costura.system.numerics.vectors.dll.compressed`\n- `costura.system.runtime.compilerservices.unsafe.dll.compressed`\n- `costura.system.valuetuple.dll.compressed`\n\n### External Assemblies\n\n- `Newtonsoft.Json v11.0.0.0`\n- `System.Drawing v4.0.0.0`\n- `System.Net.Http v4.2.0.0`\n- `System v4.0.0.0`\n- `mscorlib v4.0.0.0`\n- `System.Windows.Forms v4.0.0.0`\n- `System.Speech v4.0.0.0`\n- `System.Core v4.0.0.0`\n\n### Assembly Data\n\n| Property            | Value                                                                 |\n|---------------------|-----------------------------------------------------------------------|\n| **majorversion**  | 1                                                                     |\n| **hashalgid**     | 32772                                                                 |\n| **flags_text**    | afPA_None                                                             |\n| **name**          | TorGPT                                                                |\n\n\n### What it is doing\n```\n\nMain File: TorGPT.exe\n  |\n  +-- Dropped Files\n  |    |\n  |    +-- cfb22ef7-547c-4043-b2cc-30ae6b292def.dll (Win32 DLL, 462.00 KB)\n  |          |\n  |          +-- Execution Parents\n  |          |    |\n  |          |    +-- TJprojMain (Win32 EXE, 70/74 detections)\n  |          |    +-- TorGPT.exe (Win32 EXE, 43/75 detections)\n  |          |    +-- SpyNote X.exe (Win32 EXE, 45/72 detections)\n  |          |    +-- SpyNote X.exe (Win32 EXE, 43/72 detections)\n  |          |    +-- TJprojMain (Win32 EXE, 69/74 detections)\n  |          |\n  |          +-- Bundled Files\n  |                |\n  |                +-- 54198208c5df802eca64c371bcc5cffafb1a4303fc24b065c6b6ca08ee84fbc4 (file)\n  |                +-- eab2000b93112b85257650d597275c571cdedc13eee01c0b9568250fb83e82d1 (file)\n  |                +-- 0cc0c39c5edb5d2a08642eb60e1f402890f279b12dd54248851c63a33cb6c748 (file)\n  |                
+-- 2bcfd9a1239552778a799f683bf11428dd0a82a8bb21955106cf0d7c2f477560 (file)\n  |                +-- df4b1dc9bd96567d23815718432fb5fa254559cec78aac3645876839d2e28825 (file)\n  |\n  +-- Bundled Files\n  |    |\n  |    +-- 1 (XML)\n  |    +-- 9b2837b8b5f37c4661b9d9e9559c757ef5c454d181cf9c127e566ab197f0ab06 (file)\n  |    +-- fa10977a1c455d978f9a0d67211d109adfde5718848df251379eadda8ed12485 (file)\n  |    +-- 83252b25376bbdb062beed858c3639e4283fb072aeb22266e8f35e3d9e199568 (file)\n  |    +-- 353a1ec7b5d932a0cde20205a718ebb1466d076981bf9b9ced55e2b6f7ea2907 (file)\n  |    +-- 097553aa7c4e47f2186e049a37791726713b7cf28b1996605970c40b29e37713 (file)\n  |\n  +-- Contacted Domains\n  |    |\n  |    +-- query.prod.cms.rt.microsoft.com (Created: 1991-02-02, Registrar: MarkMonitor Inc.)\n  |\n  +-- Contacted IPs\n       |\n       +-- 184.25.191.235 (Autonomous System: 16625, Country: US)\n       +-- 192.229.211.108 (Autonomous System: 15133, Country: US)\n       +-- 20.99.133.109 (Autonomous System: 8075, Country: US)\n       +-- 20.99.186.246 (Autonomous System: 8075, Country: US)\n       +-- 23.216.147.76 (Autonomous System: 20940, Country: US)\n```\n\n#### Main File: TorGPT.exe\n| Type | Text | Has Detections | Type Tag |\n|------|------|----------------|----------|\n| file | TorGPT.exe | true | peexe |\n\n____\n\n#### Dropped Files\n| Type | Text | File Type | Name | File Size |\n|------|------|-----------|------|----------|\n| file | | Win32 DLL | cfb22ef7-547c-4043-b2cc-30ae6b292def.dll | 462.00 KB |\n\n___\n\n#### Bundled Files (Main File)\n| Type | Text | File Type | Name |\n|------|------|-----------|------|\n| file | | XML | 1 |\n| file | | file | 9b2837b8b5f37c4661b9d9e9559c757ef5c454d181cf9c127e566ab197f0ab06 |\n| file | | file | fa10977a1c455d978f9a0d67211d109adfde5718848df251379eadda8ed12485 |\n| file | | file | 83252b25376bbdb062beed858c3639e4283fb072aeb22266e8f35e3d9e199568 |\n| file | | file | 353a1ec7b5d932a0cde20205a718ebb1466d076981bf9b9ced55e2b6f7ea2907 |\n| 
file | | file | 097553aa7c4e47f2186e049a37791726713b7cf28b1996605970c40b29e37713 |\n\n___\n\n#### Execution Parents of `cfb22ef7-547c-4043-b2cc-30ae6b292def.dll`\n| Scanned | Detections | Type | Name |\n|---------|------------|------|------|\n| 2023-12-20 | 70/74 | Win32 EXE | TJprojMain |\n| 2024-08-09 | 43/75 | Win32 EXE | TorGPT.exe |\n| 2024-03-26 | 45/72 | Win32 EXE | SpyNote X.exe |\n| 2024-07-09 | 43/72 | Win32 EXE | SpyNote X.exe |\n| 2024-05-26 | 69/74 | Win32 EXE | TJprojMain |\n\n___\n\n#### Bundled Files of `cfb22ef7-547c-4043-b2cc-30ae6b292def.dll`\n| Type | Name |\n|------|------|\n| file | 54198208c5df802eca64c371bcc5cffafb1a4303fc24b065c6b6ca08ee84fbc4 |\n| file | eab2000b93112b85257650d597275c571cdedc13eee01c0b9568250fb83e82d1 |\n| file | 0cc0c39c5edb5d2a08642eb60e1f402890f279b12dd54248851c63a33cb6c748 |\n| file | 2bcfd9a1239552778a799f683bf11428dd0a82a8bb21955106cf0d7c2f477560 |\n| file | df4b1dc9bd96567d23815718432fb5fa254559cec78aac3645876839d2e28825 |\n\n____\n\n#### Contacted Domains\n| Domain | Created | Registrar |\n|--------|---------|-----------|\n| query.prod.cms.rt.microsoft.com | 1991-02-02 | MarkMonitor Inc. 
|\n\n____\n\n#### Contacted IP Addresses\n| IP | Autonomous System | Country |\n|----|-------------------|---------|\n| 184.25.191.235 | 16625 | US |\n| 192.229.211.108 | 15133 | US |\n| 20.99.133.109 | 8075 | US |\n| 20.99.186.246 | 8075 | US |\n| 23.216.147.76 | 20940 | US |\n\n____\n\n\n### Type Definitions\n\n- `System.Object`\n- `System.Type`\n- `System.RuntimeTypeHandle`\n- `System.EventArgs`\n- `System.String`\n- `System.IDisposable`\n- `System.EventHandler`\n- `System.Exception`\n- `System.Uri`\n- `System.Char`\n- `System.Action`\n- `System.Environment`\n- `System.StringSplitOptions`\n- `System.STAThreadAttribute`\n- `System.AppDomain`\n- `System.StringComparison`\n- `System.Byte`\n- `System.ResolveEventArgs`\n- `System.ResolveEventHandler`\n- `System.Action`1\n- `System.MulticastDelegate`\n- `System.IAsyncResult`\n- `System.AsyncCallback`\n- `System.ValueType`\n- `System.GC`\n- `System.Array`\n- `System.RuntimeFieldHandle`\n- `System.IntPtr`\n- `System.Guid`\n- `System.Int32`\n- `System.Resources.ResourceManager`\n- `System.Globalization.CultureInfo`\n- `System.Reflection.Assembly`\n- `System.Reflection.AssemblyName`\n- `System.Reflection.AssemblyNameFlags`\n- `System.Reflection.AssemblyTitleAttribute`\n- `System.Reflection.AssemblyDescriptionAttribute`\n- `System.Reflection.AssemblyConfigurationAttribute`\n- `System.Reflection.AssemblyCompanyAttribute`\n- `System.Reflection.AssemblyProductAttribute`\n- `System.Reflection.AssemblyCopyrightAttribute`\n- `System.Reflection.AssemblyTrademarkAttribute`\n- `System.Reflection.AssemblyFileVersionAttribute`\n- `System.ComponentModel.EditorBrowsableAttribute`\n- `System.ComponentModel.EditorBrowsableState`\n- `System.ComponentModel.IContainer`\n- `System.ComponentModel.ComponentResourceManager`\n- `System.ComponentModel.ISupportInitialize`\n- `System.ComponentModel.Component`\n- `System.CodeDom.Compiler.GeneratedCodeAttribute`\n- `System.Diagnostics.DebuggerNonUserCodeAttribute`\n- 
`System.Diagnostics.DebuggerStepThroughAttribute`\n- `System.Diagnostics.DebuggerHiddenAttribute`\n- `System.Diagnostics.DebuggableAttribute`\n- `System.Diagnostics.Process`\n- `System.Runtime.CompilerServices.CompilerGeneratedAttribute`\n- `System.Runtime.CompilerServices.AsyncVoidMethodBuilder`\n- `System.Runtime.CompilerServices.AsyncStateMachineAttribute`\n- `System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1\n- `System.Runtime.CompilerServices.AsyncTaskMethodBuilder`\n- `System.Runtime.CompilerServices.IAsyncStateMachine`\n- `System.Runtime.CompilerServices.TaskAwaiter`1\n- `System.Runtime.CompilerServices.TaskAwaiter`\n- `System.Runtime.CompilerServices.CompilationRelaxationsAttribute`\n- `System.Runtime.CompilerServices.RuntimeCompatibilityAttribute`\n- `System.Runtime.CompilerServices.RuntimeHelpers`\n- `System.Configuration.ApplicationSettingsBase`\n- `System.Configuration.SettingsBase`\n- `System.Windows.Forms.Form`\n- `System.Windows.Forms.Button`\n- `System.Windows.Forms.TextBox`\n- `System.Windows.Forms.RichTextBox`\n- `System.Windows.Forms.Label`\n- `System.Windows.Forms.PictureBox`\n- `System.Windows.Forms.Control`\n- `System.Windows.Forms.Clipboard`\n- `System.Windows.Forms.MessageBox`\n- `System.Windows.Forms.DialogResult`\n- `System.Windows.Forms.MessageBoxButtons`\n- `System.Windows.Forms.MessageBoxIcon`\n- `System.Windows.Forms.ImageLayout`\n- `System.Windows.Forms.ButtonBase`\n- `System.Windows.Forms.FlatStyle`\n- `System.Windows.Forms.PictureBoxSizeMode`\n- `System.Windows.Forms.ContainerControl`\n- `System.Windows.Forms.AutoScaleMode`\n- `System.Windows.Forms.FormStartPosition`\n- `System.Windows.Forms.TextBoxBase`\n- `System.Windows.Forms.SaveFileDialog`\n- `System.Windows.Forms.FileDialog`\n- `System.Windows.Forms.CommonDialog`\n- `System.Windows.Forms.Timer`\n- `System.Windows.Forms.FormBorderStyle`\n- `System.Windows.Forms.FormClosedEventHandler`\n- `System.Windows.Forms.FormClosedEventArgs`\n- `System.Windows.Forms.Application`\n- 
`System.Windows.Forms.Screen`\n- `System.Net.Http.HttpClient`\n- `System.Net.HttpFormUrlEncodedContent`\n- `System.Net.Http.HttpResponseMessage`\n- `System.Net.Http.HttpContent`\n- `System.Net.Http.MultipartFormDataContent`\n- `System.Net.Http.StreamContent`\n- `System.Net.Http.HttpMessageInvoker`\n- `System.Net.Http.ByteArrayContent`\n- `System.Speech.Synthesis.SpeechSynthesizer`\n- `System.Speech.Synthesis.Prompt`\n- `System.Collections.Generic.List`1\n- `System.Collections.Generic.KeyValuePair`2\n- `System.Collections.Generic.IEnumerable`1\n- `System.Collections.Generic.IEnumerator`1\n- `System.Collections.Generic.Dictionary`2\n- `System.Threading.Tasks.Task`1\n- `System.Threading.Tasks.Task`\n- `System.Threading.Tasks.Parallel`\n- `System.Threading.Tasks.ParallelLoopResult`\n- `Newtonsoft.Json.Linq.JObject`\n- `Newtonsoft.Json.Linq.JToken`\n- `System.Drawing.Color`\n- `System.Drawing.Image`\n- `System.Drawing.Point`\n- `System.Drawing.Size`\n- `System.Drawing.Font`\n- `System.Drawing.FontStyle`\n- `System.Drawing.GraphicsUnit`\n- `System.Drawing.SystemColors`\n- `System.Drawing.ContentAlignment`\n- `System.Drawing.SizeF`\n- `System.Drawing.Icon`\n- `System.Drawing.Rectangle`\n- `System.Drawing.Bitmap`\n- `System.Drawing.Graphics`\n- `uncategorized.ControlCollection`\n- `uncategorized.SpecialFolder`\n- `uncategorized.DebuggingModes`\n- `System.IO.FileStream`\n- `System.IO.FileMode`\n- `System.IO.Stream`\n- `System.IO.Path`\n- `System.IO.FileInfo`\n- `System.IO.Directory`\n- `System.IO.MemoryStream`\n- `System.IO.File`\n- `System.IO.DirectoryInfo`\n- `System.Linq.Enumerable`\n- `System.Collections.IEnumerator`\n- `System.Drawing.Imaging.ImageFormat`\n- `System.Drawing.Imaging.PixelFormat`\n- `System.IO.Compression.DeflateStream`\n- `System.IO.Compression.CompressionMode`\n- `System.Threading.Monitor`\n- `System.Threading.Interlocked`\n- `System.Threading.Thread`\n- `System.Runtime.InteropServices.ComVisibleAttribute`\n- 
`System.Runtime.InteropServices.GuidAttribute`\n- `System.Runtime.InteropServices.Marshal`\n- `System.Runtime.Versioning.TargetFrameworkAttribute`\n- `System.Net.WebClient`\n- `System.Net.ServicePointManager`\n- `System.Net.SecurityProtocolType`\n- `System.Collections.Specialized.NameValueCollection`\n- `System.Text.RegularExpressions.Regex`\n- `System.Text.RegularExpressions.Match`\n- `System.Text.RegularExpressions.Capture`\n- `System.Security.Principal.WindowsIdentity`\n- `System.Security.Principal.SecurityIdentifier`\n- `System.Security.Principal.IdentityReference`\n\n### External Modules\n\n- `kernel32.dll`\n- `kernel32`\n\n### Unmanaged Method List\n\n- `kernel32.dll: ExitProcess, LoadLibrary, GetProcAddress, VirtualProtect, AllocConsole`\n- `kernel32: GetModuleHandle, LoadLibrary, GetProcAddress`\n\n\n## Network Communication\n\n### DNS Resolutions\n- `query.prod.cms.rt.microsoft.com`\n\n### IP Traffic\n- `20.99.186.246:443`\n- `192.229.211.108:80`\n- `184.25.191.235:443` (query.prod.cms.rt.microsoft.com)\n- `23.216.147.76:443`\n- `20.99.133.109:443`\n\n## Memory Pattern Domains\n- `fontfabrik.com`\n- `ipapi.co`\n- `www.apache.org`\n- `www.carterandcone.coml` (Note: The domain seems to have a typo, should be `www.carterandcone.com`)\n- `www.fontbureau.com`\n- `www.fonts.com`\n- `www.founder.com.cn`\n- `www.galapagosdesign.com`\n- `www.goodfont.co.kr`\n- `www.jiyu-kobo.co.jp`\n- `www.sajatypeworks.com`\n- `www.sakkal.com`\n- `www.sandoll.co.kr`\n- `www.tiro.com`\n- `www.typography.net` (Note: The domain seems to have a typo, should be `www.typography.com`)\n- `www.urwpp.de` (Note: The domain seems to have a typo, should be `www.urwpp.de`)\n- `www.zhongyicts.com.cn`\n\n## Memory Pattern URLs\n- `http://fontfabrik.com`\n- `http://www.apache.org/licenses/LICENSE-2.0`\n- `http://www.carterandcone.com`\n- `http://www.carterandcone.com/designers`\n- `http://www.carterandcone.com/designers/cabarga.html`\n- `http://www.carterandcone.com/designers/frere-jones.html`\n- 
`http://www.carterandcone.com/designers8`\n- `http://www.carterandcone.com/designersG`\n- `http://www.carterandcone.com/designers?`\n- `http://www.fontbureau.com`\n- `http://www.founder.com.cn/cn/bThe`\n- `http://www.founder.com.cn/cn/cThe`\n- `http://www.galapagosdesign.com/staff/dennis.htm`\n- `http://www.goodfont.co.kr`\n- `http://www.jiyu-kobo.co.jp`\n- `http://www.sajatypeworks.com`\n- `http://www.sakkal.com`\n- `http://www.tiro.com`\n- `http://www.typography.netD`\n- `https://://www.urwpp.deDPlease`\n- `http://www.zhongyicts.com.cn`\n- `https://www.zhongyicts.com.cn`\n- `https://://ipapi.co/ip`\n- `https://ipapi.co/ip%s`\n- `https://www.ipapi.co/ip`\n\nThe only URLs that are not font metadata are the three `ipapi.co/ip` variants (`%s` marks a format string, so the final path is built at runtime). `ipapi.co` returns the caller's public IP address and is a standard way for commodity stealers and RATs to learn a victim's external IP before reporting home. It does not appear under DNS Resolutions, so that code path was not reached during this sandbox run; it still belongs on the watch list for this sample.\n\n\n\n## File System Actions\n\n### Files Opened\n- `C:\\Users\\user\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\TorGPT_@SamsExploit.exe.log`\n- `C:\\Users\\user\\AppData\\Local\\Temp\\tmpDA49.tmp`\n- `C:\\Users\\user\\AppData\\Local\\Temp\\tmpDA49.tmp\\3b9e0ce4-2017-4161-ae61-37f7d58d2d9a.dll`\n- `C:\\Users\\user\\Desktop\\TorGPT_@SamsExploit.exe`\n- `C:\\Users\\user\\Desktop\\TorGPT_@SamsExploit.exe.config`\n\nThe font files below are opened by ordinary GDI+/Windows Forms font enumeration, which fits the `System.Windows.Forms` and `System.Drawing` binding-policy lookups under Registry Keys Opened; they are noise for detection purposes.\n\n- `C:\\WINDOWS\\FONTS\\AGENCYB.TTF`\n- `C:\\WINDOWS\\FONTS\\AGENCYR.TTF`\n- `C:\\WINDOWS\\FONTS\\ALGER.TTF`\n- `C:\\WINDOWS\\FONTS\\ANTQUAB.TTF`\n- `C:\\WINDOWS\\FONTS\\ANTQUAI.TTF`\n- `C:\\WINDOWS\\FONTS\\ARIAL.TTF`\n- `C:\\WINDOWS\\FONTS\\ARIALBD.TTF`\n- `C:\\WINDOWS\\FONTS\\ARIALBI.TTF`\n- `C:\\WINDOWS\\FONTS\\ARIALI.TTF`\n- `C:\\WINDOWS\\FONTS\\ARIALN.TTF`\n- `C:\\WINDOWS\\FONTS\\ARIALNBI.TTF`\n- `C:\\WINDOWS\\FONTS\\ARIALNI.TTF`\n- `C:\\WINDOWS\\FONTS\\ARIBLK.TTF`\n- `C:\\WINDOWS\\FONTS\\ARLRDBD.TTF`\n- `C:\\WINDOWS\\FONTS\\BAHNS93.TTF`\n- `C:\\WINDOWS\\FONTS\\BAHNSR.TTF`\n- `C:\\WINDOWS\\FONTS\\BAUHS.TTF`\n- `C:\\WINDOWS\\FONTS\\BAUHS93.TTF`\n- `C:\\WINDOWS\\FONTS\\BAUHSB.TTF`\n- `C:\\WINDOWS\\FONTS\\BELLHC.TTF`\n- `C:\\WINDOWS\\FONTS\\BOD_B.TTF`\n- `C:\\WINDOWS\\FONTS\\BOD_PSTC.TTF`\n- `C:\\WINDOWS\\FONTS\\BOD_R.TTF`\n- `C:\\WINDOWS\\FONTS\\BOOKOS.TTF`\n- `C:\\WINDOWS\\FONTS\\BRADHITC.TTF`\n- `C:\\WINDOWS\\FONTS\\BRITANIC.TTF`\n- `C:\\WINDOWS\\FONTS\\BRLNSB.TTF`\n- `C:\\WINDOWS\\FONTS\\BRLNSDB.TTF`\n- `C:\\WINDOWS\\FONTS\\BRLNSR.TTF`\n- `C:\\WINDOWS\\FONTS\\BROADW.TTF`\n- `C:\\WINDOWS\\FONTS\\BRUSHSCI.TTF`\n- `C:\\WINDOWS\\FONTS\\CASTELAR.TTF`\n- `C:\\WINDOWS\\FONTS\\COMIC.TTF`\n- `C:\\WINDOWS\\FONTS\\COMICI.TTF`\n- `C:\\WINDOWS\\FONTS\\CONSOLA.TTF`\n- `C:\\WINDOWS\\FONTS\\COOPBL.TTF`\n- `C:\\WINDOWS\\FONTS\\COPIA.TTF`\n- `C:\\WINDOWS\\FONTS\\COPT0.TTF`\n- `C:\\WINDOWS\\FONTS\\GABRIOLA.TTF`\n- `C:\\WINDOWS\\FONTS\\GADUGI.TTF`\n- `C:\\WINDOWS\\FONTS\\GADUGIB.TTF`\n- `C:\\WINDOWS\\FONTS\\GARA.TTF`\n- `C:\\WINDOWS\\FONTS\\GARABD.TTF`\n- `C:\\WINDOWS\\FONTS\\GARAIT.TTF`\n- `C:\\WINDOWS\\FONTS\\GEORGIA.TTF`\n- `C:\\WINDOWS\\FONTS\\GEORGIAI.TTF`\n- `C:\\WINDOWS\\FONTS\\GEORGIAZ.TTF`\n- `C:\\WINDOWS\\FONTS\\GIGI.TTF`\n- `C:\\WINDOWS\\FONTS\\GIL_____.TTF`\n- `C:\\WINDOWS\\FONTS\\GILBI____.TTF`\n- `C:\\WINDOWS\\FONTS\\GILC_____.TTF`\n- `C:\\WINDOWS\\FONTS\\GILI_____.TTF`\n- `C:\\WINDOWS\\FONTS\\GLECB.TTF`\n- `C:\\WINDOWS\\FONTS\\GLSNECB.TTF`\n- `C:\\WINDOWS\\FONTS\\GOTHIC.TTF`\n- `C:\\WINDOWS\\FONTS\\GOTHICB.TTF`\n- `C:\\WINDOWS\\FONTS\\GOTHICBI.TTF`\n- `C:\\WINDOWS\\FONTS\\GOTHICCN.TTF`\n- `C:\\WINDOWS\\FONTS\\GOTHICI.TTF`\n- `C:\\WINDOWS\\FONTS\\GOTHICIT.TTF`\n- `C:\\WINDOWS\\FONTS\\GOTHICN.TTF`\n- `C:\\WINDOWS\\FONTS\\HARLOWSI.TTF`\n- `C:\\WINDOWS\\FONTS\\HARNGTON.TTF`\n\n### Files Written\n- `C:\\Users\\user\\AppData\\Local\\Temp\\tmp2B81.tmp\\5198dbfb-4c95-493e-8898-39266ef039aa.dll`\n- `C:\\Users\\user\\AppData\\Local\\Temp\\tmpDA49.tmp\\3b9e0ce4-2017-4161-ae61-37f7d58d2d9a.dll`\n- `C:\\Users\\user\\AppData\\Roaming`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER1D66.tmp.WERInternalMetadata.xml`\n\nThe behaviour to pivot on is the GUID-named DLL written into a freshly created `%TEMP%\\tmpXXXX.tmp\\` directory and then loaded into the process (see Modules Loaded): that is the second stage. The `WER\\Temp` files are Windows Error Reporting working files, which means an error report was generated during the run; they are not authored by the sample.\n\n### Files Deleted\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER1D66.tmp.WERInternalMetadata.xml`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER1E50.tmp.csv`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER1E80.tmp.txt`\n- 
`C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2382.tmp.WERInternalMetadata.xml`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2392.tmp.csv`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2393.tmp.txt`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER296C.tmp.WERInternalMetadata.xml`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER296D.tmp.WERInternalMetadata.xml`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2A47.tmp.csv`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2A58.tmp.csv`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2A87.tmp.txt`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2A88.tmp.txt`\n- `C:\\Windows\\System32\\spp\\store\\2.0\\cache\\cache.dat`\n- `C:\\Users\\user\\AppData\\Local\\Temp\\tmpDA49.tmp`\n\nThe deletion of `tmpDA49.tmp` shows the sample removes its own staging directory before exiting, so the dropped DLL will not be on disk after the process terminates; recover it from the live process or from a snapshot of `%TEMP%` taken while the sample is running. The `spp\\store` entries belong to the Software Protection service, not to the sample.\n\n### Files Dropped\n\nThe temp directory and DLL names differ on every execution (compare `tmpDA49`, `tmp2B81`, `tmpE87B` and `tmpF57B` across this report), so a detection should key on the pattern `%TEMP%\\tmp????.tmp\\{GUID}.dll` being written and then loaded, not on these specific names.\n\n- `%USERPROFILE%\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\TorGPT_@SamsExploit.exe.log`\n- `%USERPROFILE%\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\c77eabee5160b93b7f5242b351d1c3648105e9b1c567ebc1e1c005408191d9dd.exe.log`\n- `%USERPROFILE%\\AppData\\Local\\Temp\\tmpE87B.tmp`\n- `%USERPROFILE%\\AppData\\Local\\Temp\\tmpE87B.tmp\\8a45efc6-43dc-47c5-a83e-918ad0207457.dll`\n- `%USERPROFILE%\\AppData\\Local\\Temp\\tmpF57B.tmp`\n- `%USERPROFILE%\\AppData\\Local\\Temp\\tmpF57B.tmp\\c9768aec-9e91-4ef8-a55d-c1d878e73bf7.dll`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER1D66.tmp`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER1D66.tmp.WERInternalMetadata.xml`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER1E50.tmp`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER1E50.tmp.csv`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER1E80.tmp`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER1E80.tmp.txt`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2382.tmp`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2382.tmp.WERInternalMetadata.xml`\n- 
`C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2392.tmp`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2392.tmp.csv`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2393.tmp`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2393.tmp.txt`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER296C.tmp`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER296C.tmp.WERInternalMetadata.xml`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER296D.tmp`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER296D.tmp.WERInternalMetadata.xml`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2A47.tmp`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2A47.tmp.csv`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2A58.tmp`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2A58.tmp.csv`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2A87.tmp`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2A87.tmp.txt`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2A88.tmp`\n- `C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2A88.tmp.txt`\n- `C:\\Windows\\System32\\spp\\store\\2.0\\cache\\cache.dat`\n- `C:\\Windows\\System32\\spp\\store\\2.0\\data.dat.tmp`\n- `C:\\Users\\user\\AppData\\Local\\Temp\\tmpDA49.tmp\\3b9e0ce4-2017-4161-ae61-37f7d58d2d9a.dll`\n\n## Registry Actions\n\n### Registry Keys Opened\n- `HKEY_CURRENT_USER\\EUDC\\1252`\n- `HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\.NETFramework\\XML`\n- `HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework`\n- `HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys`\n- `HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion`\n- `HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|user|Desktop|TorGPT_@SamsExploit.exe`\n- `HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global`\n- `HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer`\n- 
`HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1`\n- `HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders`\n- `HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders`\n- `HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders`\n- `HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer`\n- `HKEY_CURRENT_USER_Classes`\n- `HKEY_CURRENT_USER_Classes\\WOW6432Node\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}`\n- `HKEY_CURRENT_USER_Classes\\WOW6432Node\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance`\n- `HKEY_CURRENT_USER_Classes\\WOW6432Node\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance\\Disabled`\n- `HKEY_CURRENT_USER_Classes\\WOW6432Node\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Namespaces`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\TorGPT_@SamsExploit.exe`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{00000323-0000-0000-C000-000000000046}`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|user|Desktop|TorGPT_@SamsExploit.exe`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{00000323-0000-0000-C000-000000000046}`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\\InprocHandler`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\\InprocHandler32`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\\InprocServer32`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\\LocalServer`\n- 
`HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\\LocalServer32`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\\TreatAs`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Namespaces`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{00000160-0000-0000-C000-000000000046}`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\Interface\\{00000160-0000-0000-C000-000000000046}\\ProxyStubClsid32`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\Servicing`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AppModel\\Lookaside\\Packages`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.4.0.Accessibility__b03f5f7f11d50a3a`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.4.0.System.Configuration__b03f5f7f11d50a3a`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.4.0.System.Core__b77a5c561934e089`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.4.0.System.Data.SqlXml__b77a5c561934e089`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.4.0.System.Drawing__b03f5f7f11d50a3a`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.4.0.System.Net.Http__b03f5f7f11d50a3a`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.4.0.System.Numerics__b77a5c561934e089`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.4.0.System.Security__b03f5f7f11d50a3a`\n- 
`HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.4.0.System.Speech__31bf3856ad364e35`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.4.0.System.Windows.Forms__b77a5c561934e089`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.4.0.System.Xml__b77a5c561934e089`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.4.0.System__b77a5c561934e089`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\v4.0_policy.4.0.System.Core__b77a5c561934e089`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\v4.0_policy.4.0.System.Net.Http__b03f5f7f11d50a3a`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\v4.0_policy.4.0.System.Numerics__b77a5c561934e089`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\v4.0_policy.4.0.System.Speech__31bf3856ad364e35`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\v4.0_policy.4.0.System.Xml__b77a5c561934e089`\n- 
`HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\v4.0_policy.4.0.System__b77a5c561934e089`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\TorGPT_@SamsExploit.exe`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Impact`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Microsoft Sans Serif`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\CustomAttributes`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Globalization.Language`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Globalization.Language\\CustomAttributes`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-1015118539-3749460369-599379286-1001\\Installer\\Assemblies\\C:|Users|user|Desktop|TorGPT_@SamsExploit.exe`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-1015118539-3749460369-599379286-1001\\Installer\\Assemblies\\Global`\n- 
`HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\AppContext`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\Policy\\APTCA`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\Policy\\Standards`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\XML`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\standards\\v4.0.30319`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\policy\\v4.0`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\v4.0.30319\\SKUs\\default`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\CTF`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\CTF\\Compatibility\\TorGPT_@SamsExploit.exe`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Defaults\\Provider Types\\Type 001`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Defaults\\Provider Types\\Type 024`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Fusion`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\OLE`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\OLEAUT`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\OLE\\Diagnosis`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Ole\\Extensions`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows 
NT\\CurrentVersion\\FontSubstitutes`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PropertyBag`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PropertyBag`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\OOBE`\n- `HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\WindowsStore`\n- `HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US`\n- `HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Dnscache\\InterfaceSpecificParameters\\{44C728A6-CC3C-434D-B238-E5B6541E3476}`\n- `HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces\\{3882a85b-858a-11eb-b9e1-806e6f6e6963}`\n- `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\CustomLocale`\n- `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager`\n- `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Segment Heap`\n- `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration`\n- `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\InterfaceSpecificParameters`\n- `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters`\n- `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\FontCache\\Parameters`\n- 
`HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters`\n- `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces\\{3882A85B-858A-11EB-B9E1-806E6F6E6963}`\n- `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces\\{44C728A6-CC3C-434D-B238-E5B6541E3476}`\n- `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{3882A85B-858A-11EB-B9E1-806E6F6E6963}`\n- `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{44C728A6-CC3C-434D-B238-E5B6541E3476}`\n- `HKEY_LOCAL_MACHINE\\Software\\Classes`\n- `HKEY_LOCAL_MACHINE\\Software\\Classes\\WOW6432Node\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}`\n- `HKEY_LOCAL_MACHINE\\Software\\Classes\\WOW6432Node\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance`\n- `HKEY_LOCAL_MACHINE\\Software\\Classes\\WOW6432Node\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance\\Disabled`\n- `HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3`\n- `HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography`\n- `HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion`\n- `HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default`\n- `HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole`\n- `HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole\\FeatureDevelopmentProperties`\n- `HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Disable8And16BitMitigation`\n- `HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options`\n- `HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\TorGPT_@SamsExploit.exe`\n- `HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\OEM`\n- `HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WindowsRuntime`\n- `HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wow64\\x86`\n- `HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Cryptography`\n- 
`HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\.NETFramework`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\.NETFramework\\NGen\\Policy\\v4.0`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\.NETFramework\\Policy\\`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\.NETFramework\\v4.0.30319\\SKUs\\`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\AvalonGraphics`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Cryptography\\DESHashSessionKeyBackward`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Cryptography\\Offload`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\DirectWrite`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Input`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\OLE`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\OLE\\AppCompat`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\OLE\\Tracing`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Rpc`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\StrongName`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-1015118539-3749460369-599379286-1001`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions`\n- 
`HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KnownFolderSettings`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\AssemblyStorageRoots`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\Dwm`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Policies\\Microsoft\\MUI\\Settings`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Policies\\Microsoft\\System\\DNSClient`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Policies\\Microsoft\\Windows NT\\DnsClient`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Policies\\Microsoft\\WindowsNT\\Rpc`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Policies\\Microsoft\\Windows\\Display`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Policies\\Microsoft\\Windows\\Explorer`\n- `HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\FileSystem`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\MUI\\Settings\\Language`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\MUI\\UILanguages`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\MUI\\UILanguages\\PendingDelete`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\NLS\\Language`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\NLS\\CustomLocale`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\NLS\\ExtendedLocale`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\NLS\\Sorting\\Ids`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\NLS\\Sorting\\Versions`\n- 
`HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Option`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Srp\\GP\\DLL`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DNS`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{3882A85B-858A-11EB-B9E1-806E6F6E6963}`\n- `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{44C728A6-CC3C-434D-B238-E5B6541E3476}`\n- `HKEY_LOCAL_MACHINE\\System\\Setup`\n- `HKEY_USERS\\.DEFAULT`\n- `HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders`\n\nThe report lists key opens only, no value writes: the keys above are reads made by the CLR loader, Fusion assembly binding, COM activation, font and locale lookup and the TCP/IP stack while the sample ran. There is no Run key, service or scheduled-task entry among them, so this run shows no registry-based persistence.\n\n## Process and Service Actions\n\n### Processes Created\n- `%SAMPLEPATH%\\TorGPT_@SamsExploit.exe`\n- `%SAMPLEPATH%\\c77eabee5160b93b7f5242b351d1c3648105e9b1c567ebc1e1c005408191d9dd.exe`\n- `C:\\Windows\\System32\\wuapihost.exe`\n- `C:\\Users\\user\\Desktop\\TorGPT_@SamsExploit.exe`\n\n### Shell Commands\n- `%SAMPLEPATH%\\TorGPT_@SamsExploit.exe`\n- `%SAMPLEPATH%\\c77eabee5160b93b7f5242b351d1c3648105e9b1c567ebc1e1c005408191d9dd.exe`\n- `C:\\Windows\\System32\\wuapihost.exe -Embedding`\n\n### Processes Terminated\n- `%SAMPLEPATH%\\TorGPT_@SamsExploit.exe`\n- `%SAMPLEPATH%\\c77eabee5160b93b7f5242b351d1c3648105e9b1c567ebc1e1c005408191d9dd.exe`\n- `C:\\Windows\\System32\\wuapihost.exe`\n\n### Process Tree\n- `3952: explorer.exe`\n  - `3228: TorGPT_@SamsExploit.exe`\n  - `616: svchost.exe`\n    - `2944: wuapihost.exe`\n  - `1204: TorGPT_@SamsExploit.exe`\n\n`wuapihost.exe -Embedding` is the Windows Update Agent API COM host, started by `svchost.exe` through DCOM (`-Embedding` marks a COM-activated server); it is a Microsoft binary and not a child of the sample, so it is not a payload. The two `TorGPT_@SamsExploit.exe` entries under `explorer.exe` are two executions of the submitted file, once under its original name and once renamed to `c77eabee5160b93b7f5242b351d1c3648105e9b1c567ebc1e1c005408191d9dd.exe` (64 hex characters, presumably the sample's SHA-256, as sandboxes commonly rename submissions), which is why two CLR usage logs and two sets of temp DLL names appear in the file-system sections. The sample spawns no child processes of its own.\n\n### Modules Loaded\n- Runtime modules\n  - `%SAMPLEPATH%\\c77eabee5160b93b7f5242b351d1c3648105e9b1c567ebc1e1c005408191d9dd.exe`\n  - `%USERPROFILE%\\AppData\\Local\\Temp\\tmpE87B.tmp\\8a45efc6-43dc-47c5-a83e-918ad0207457.dll`\n  - 
`%USERPROFILE%\\AppData\\Local\\Temp\\tmpF57B.tmp\\c9768aec-9e91-4ef8-a55d-c1d878e73bf7.dll`\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblacktechx011%2Ftorgpt-scam","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fblacktechx011%2Ftorgpt-scam","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblacktechx011%2Ftorgpt-scam/lists"}